Dr Augustine Fou on cybercrime and making you smarter online

Dr Augustine Fou has spent 25 years analysing digital marketing, and he knows where the traps are and how the bad guys operate.


The rapid changes and developments made in digital marketing can make it a tricky space to navigate. With so many elements like paid ads, analytics, IVT reporting and bot traffic, it can be hard to decipher what really matters in online marketing. Alexandra Senter, the CEO of The Big Smoke, a media publisher and agency, recently interviewed Dr Augustine Fou, a consultant who has been on the front lines of digital marketing for 25 years and has witnessed the depths of cybercrime and how it relates to digital advertising.

Through discussing ad fraud, different platforms, programmatic media and publishers, Senter and Dr Fou provide insights into how you can get smarter online.


The top five takeaways from the interview:

  • Make sure your agency uses an allow-list or direct publisher IDs. When buying remnant ads through exchanges, make sure to use genuine publisher IDs to guarantee the site you are bidding for is the legitimate site (not someone else pretending to be it).
  • There are algorithms to protect you from bots – but they’re not super reliable. Google has some checks and balances in place to protect you from bots, but the bad guys can tune the algorithm and get around these defences quite easily. 
  • Fraud detection companies are failing to do thorough detection. Companies have something called IVT (invalid traffic). If a company reports 1% IVT everyone assumes that the other 99% is fine. If all this traffic and clicks are not generating any incremental sales, then it’s not digital marketing.
  • If you do ads on Facebook, turn off FAN (Facebook Audience Network). The Facebook Audience Network is all the external sites and mobile apps that use its technology to run ads. They have the motive and the means to juice their own revenue using bots and other forms of fraud. 
  • Use lookback windows! Lookback windows allow marketers or their agencies to measure the direct connections between marketing and sales.


Alex: For those business owners and marketers in Australia who aren’t familiar, can you give us a really brief overview of how you’ve come to be in this position in the industry?

Augustine: Sure. I’m a digital marketer of 25 years. I started my career here in New York with McKinsey & Company. By early 1996, I saw the potential impact of the internet. Back then, when we talked about the internet, it really meant websites with web pages. And in the early days we didn’t even have images, right? It was just hyperlinks and text, but I could see the potential impact and how the internet could actually change entire industries. Fast forward to 25 years later and we can actually see how dramatic those impacts have been. So I started out as a digital marketer. I left McKinsey in 1996 and got into the trenches (so to speak) and have witnessed the entire arc of the evolution of digital marketing from the very earliest days of banner ads on Yahoo to now, you know, programmatic advertising, where everything is placed in milliseconds using algorithms.

So I’m a digital marketer, but in recent years, I’ve had to focus on the problem of ad fraud. And that problem really started in earnest when we saw the rise of programmatic exchanges. So just like with Wall Street, where they bring together buyers and sellers of shares of stock, programmatic exchanges bring together buyers and sellers of ad impressions. So basically, it’s like a real-time auction. We actually saw the amount of fraud rise dramatically because the buyers (meaning the advertisers) are no longer buying their ads directly from the publishers, the sellers of the ad space. They’re now buying from the exchanges. And these exchanges can have hundreds of thousands of sites and some have millions of tiny websites no one’s ever heard of.

So when you’re now placing a bunch of dollars with an exchange you’re saying, “try to get me as many ad impressions as possible”. It could create the opportunity where if the exchange has a bunch of fake sites or fraudulent sites, then money flows to those fake sites without the buyer knowing, and these fake sites obviously have no humans visiting. So they use 100% bought traffic. Because of the rise of exchange, we’ve also seen the rise of ad fraud…and it’s gotten worse over the last seven years. That’s why I’m focused on that problem, to not only educate marketers of the problem of ad fraud, but also give them some tools that I developed myself to have the right analytics, to see where the fraud is coming from, and then take action.

Alex: Are programmatic platforms driving traffic that isn’t being seen by humans the main issue? Or is it websites that they claim they are bidding to that isn’t really happening?

Augustine: You have to think of fraud as a multi-layered issue. The first layer would be fake sites that have no humans visiting. But they make it look like these celebrity sites or these recipe sites or whatever, as everything is template generated. Because they don’t have any humans, because humans don’t even know they exist, they’re definitely not visiting the site. Common sense will tell you that you can’t get a whole bunch of humans to go to a particular site when you tell them to. Just as it worked that way in real life, botnets are widely available. There are many traffic resellers, so you can say, “I need exactly 100 million page views on my site by tomorrow.” And then the botnet will faithfully deliver that.

So basically it becomes a very simple arbitrage play, right? The fake site owner, meaning the fraudster, knows that they can buy traffic for $1 CPMs and they can make $10 CPMs on selling the ads. So they’re basically pocketing $9 in pure profit from the comfort of their own home. That’s why a lot of fraudsters are getting into ad fraud. But that’s the fake site part of it.

When you talk about whitelisting certain domains, you might actually think you’re whitelisting The New York Times or The Wall Street Journal or these mainstream publishers, but then there’s a problem of fake sites pretending to be those mainstream sites. Very simply, if you have a fake site like 123.com, and you put that domain in the bid request, nobody’s gonna bid on that because it’s obviously fake. So if they have a fake site that no one recognises, they always pretend to be some other legitimate site because then they can attract bids from the advertisers. If they say it’s The New York Times, they’ll get bids. If they say it’s a fake site, they won’t. So, in that sense, even whitelists, you have to be careful about, right? It doesn’t solve the fraud problem completely.

Alex: Is that across all programmatic platforms or just cheap programmatic media buying?

Augustine: It is across everything. As you know, Google is by far the largest (and yes, they have some checks and balances in place), but you can surmise that the bad guys are adept at avoiding their detection. It’s basically a fight of algorithms. One algorithm versus the other algorithm. Typically, the good guys are always at a disadvantage.

For example, when a bot stops making money, the bot makers tune the algorithm so that they can get around those defences, and start making money again. For the good guys, the fraud detection companies, they’re large corporations now. If they want to make a change to the algorithm, they have to test it in test environments and get it approved. Six months later, they push it into production. So the bad guys always have the advantage. This even applies to the largest networks like Google.

Alex: How commonly is fake traffic being purchased by mainstream media sites?

Augustine: It’s more widespread than anyone’s willing to admit. The reason that’s a big problem is that the current crop of fraud detection companies will fail to detect fake traffic. They have a euphemism called IVT, invalid traffic. So if that figure is somewhere under 1%, everyone thinks it’s legitimate, right? When it’s actually not. It’s not that the traffic is actually legitimate or humans, it’s simply that the fraud detection companies have failed to detect anything wrong. Even the largest media owners are interested in traffic because that’s a way to juice their own revenues. So if they don’t know better, I’m gonna give them the benefit of the doubt.

Legitimate publishers always have the problem of their audiences not really growing fast enough. While some of them will hold the line and say, “we’re gonna not buy traffic”, you can imagine it is so tempting to start buying traffic because you could up your revenue at will, right? There are unlimited bots out there ready to load your web pages or use your mobile app. The problem with fraud right now is that it isn’t being recognised as fraud. Let’s just use round numbers. If they report 1%, everyone jumps to the conclusion that the other 99% is fine. But what they’re missing is that they never said it was human traffic, they just failed to detect it was invalid traffic.

More marketers should really look into it, right? If all of this traffic and clicks are not generating any incremental sales, then you should ask what it is, because it’s not actual digital marketing.

Alex: Can we talk about Facebook for a second? There’s a lot of complaints about the inconsistencies around pricing for Facebook ads, and the inconsistencies around Facebook reporting. Do you believe this is occurring due to market monopoly, or a lack of regulation around pricing and metrics?

Augustine: I think a lot of people have heard of the Facebook issues. The lack of transparency around metrics, the errors in their metrics, the lack of transparency about pricing. All of those are just standard problems that every ad tech company would have. Google will have the same kinds of things. I don’t necessarily think that those were nefarious, or that Facebook set out to deliberately falsify or cheat.

While there are common errors in the metrics, it’s not necessarily due to fraud. And that’s because I break Facebook into two parts. First, the part that runs on Facebook itself. Think about the ads that run on Facebook, Instagram and WhatsApp. In those cases, Facebook makes the money from the ad revenue, right? So, the fraud bots that I study are not gonna be generating a ton of impressions, because the bots are not making money.

However, Facebook also has what they call Facebook Audience Network (FAN). This is all the sites and mobile apps outside of Facebook that use its technology to run ads. They have the motive and the means to juice their own revenue using bots and other forms of fraud. So to me, the stuff that runs on Facebook itself is much lower in fraud, but the stuff that runs on FAN is rampant with fraud. The same parallel exists for Google, too. The ads that run on Google itself are gonna be much lower in fraud because the fraud bots have no motive to cause a lot of ad impressions. Whereas the stuff that runs on Google search partners (again, all the sites outside of Google) can be rampant in fraud. So, yes, the metrics could be better, more transparent and things like that. But regarding fraud, you really have to think of it in two parts for each of those walled gardens.

Alex: Do you see the main issue here as being inexperienced marketers cutting corners, or the areas of practice largely built out to mislead companies who don’t understand SEO or traffic buying?

Augustine: Well, traffic buying is never a good thing because you’re basically normalising fraud. Because again, there’s not a whole bunch of humans sitting around with nothing to do, but to click on your ads or whatever. So the problem is inexperience and laziness on the part of the marketers, right?

Programmatic is kind of like playing a video game. Marketers set up some things, they get some metrics back and if your score increases, you win. They’re basically looking at the number of impressions, the number of clicks, the click-through rates, and anything higher is better…but that’s not necessarily the case.

Let me summarise what I think marketers are addicted to right now regarding programmatic. They’re addicted to large quantities, low prices and high click-through rates. The large quantities are created due to bot activity because human audiences are finite, right? They don’t keep multiplying every year, but botnets can generate infinite ad impressions. The second is low prices. Because the fake sites have plagiarised all the content (if they have any content at all) they have no cost of creating it, unlike legitimate publishers. So even at a $1 CPM, they’re still highly profitable. Therefore, they can afford to sell ads at very low prices, whereas legitimate publishers cannot.

High click-through rates are due to bots because bots click on ads. Ask yourself, when was the last time you deliberately clicked on an ad? So the high click-through rates make it appear that the campaigns are performing really well because marketers want bigger numbers. So, unfortunately, because of bot activity, programmatic campaigns look better than traditional campaigns. On top of that, the bad guys are able to optimise algorithms that send more money to fake sites and take money away from legitimate publishers. 

Alex: How do you then balance the need for regular ongoing impressions to make sure that the programmatic campaign you’re running is legitimate?

Augustine: There are two aspects there. One is branding awareness and the other is performance. So I’ll kind of skip over the performance side, but I’ll say that performance marketers always assume that they’re immune to fraud, but they’re not…but that’s a whole other conversation. Regarding the brand awareness advertisers, they’re running impressions because they need a background amount of impressions. If those ads are not being seen by humans, there won’t be any awareness at all.

So, what they need to do is get detailed placement reports to see where their ads ran. A lot of the larger advertisers are simply getting monthly spreadsheets (or dashboards) that tell them how much they’ve bought, what they paid and how many clicks they received. That’s not good enough, because you get the total quantity and an average clickthrough rate. As I’ve said previously, fraud hides easily in the averages.

But if you get detailed reports (i.e. domain-level placement reports), you can start to see where your ads are going, and you can easily spot the strange domain names that have carried your ad. Once you start getting that level of detail, you’ll start asking questions. You don’t need any specialised analytics or technology. If your reports are detailed enough, you’ll start seeing the strangeness and your gut and common sense will tell you something’s wrong.

Alex: We run programmatic campaigns for clients. We whitelist domains and we export the Excel spreadsheet directly from the programmatic platform that has the domain names and the clicks and the impressions for that specific domain. Is that the best practice from a CMO perspective, or is there more that can be done?

Augustine: There’s more that can be done. Let me put it this way: It’s the best practice right now. Let me articulate a scenario, going back to the domain spoofing issue. So a fake site will always need to pretend to be a legitimate site in order to get bids. But if they pretend to be The New York Times, the fake impressions will be co-mingled with the real impressions in that spreadsheet. You won’t be able to tell what’s fake and what’s real. So what we need to do is after the bid is won and the ad is placed, we need to re-verify. We need to detect where the ad actually ended up.

So in the bid request, if it said it was The New York Times, but we later detect that the ad actually ran on brightbart.com or some other fake site, we know we got ripped off. So that is why we need to have analytics in place so you can see if the domain-level place reports are accurate. Domain-level place reports don’t assume that everything is accurate because, at the time of the bid request, the bad guys won’t be telling the truth. You just need to make sure the ads actually ran on the domain that they said it was.

Alex: Just say, you are a CMO and you have a budget. Where’s the safest place that you would put your money at the moment?

Augustine: The safest place would be direct from the publishers. You would go to The New York Times, you would go to The Wall Street Journal or any consumer publication that you’ve heard of, and try to buy direct from them. Now I understand that most of them don’t necessarily want to direct sell ads, but there’s a way to buy it. Programmatically, for example, you can use a deal ID. Ask that publisher what exchange they sell through, their deal ID and just buy that specific deal ID. You’re basically shortening the supply path, creating as few hops as possible. The reason for this approach is that every time another ad tech company touches that impression, they’re extracting profits for themselves, right? It’s their job to make money too.

You want to minimise the supply path. So, buy as direct as possible. And you’ve heard me say before that technology is not a bad thing, right? It’s the way people are committing fraud, right? Think of a hammer. It can be used to build a house or to murder someone. The tool is not the evil thing. The buyer just needs to buy as direct as possible from the good publishers and avoid as much of the programmatic, kind of long-tail as possible because those long-tail websites simply don’t have enough humans. Therefore, the way they generate revenue is by buying bot traffic.

Alex: Would you invest a lot in Facebook and Google at the moment?

Augustine: If I do Facebook ads, I would make sure to turn off FAN. I can tell you that Facebook ads work well. I’ve had a client for five years. Facebook display ads (for awareness) have usually worked between ten and thirty times better than display ads elsewhere. The reason for that is Facebook actually has real information on their customers, and most users are logged in all day long. It’s different to users visiting a website. Users don’t necessarily log in when they’re just reading a piece of news or reading a recipe. Facebook and Google both have the advantage of these logged-in users, they actually know their users really well. For example, Google has years of data that the person has (kind of) volunteered, their surfing history, their search history, everything. Facebook also has a bunch of, you know, volunteer data given to them by their users. In those environments, if you turn off FAN and do display ads on Facebook (on Google, if you turn off display network and search partners and make sure your ads run on Google.com), then those are great ways of using those two walled gardens as part of your digital marketing mix.

Alex: If you were a client and you were selecting an agency to run a campaign for you, what is the first thing you would ask them to ensure they’re committed to best practice?

Augustine: I ask marketers and agencies if they use lookback windows. Now that’s kind of a question out of left field, but it tells if the marketer or their agency is actually truly measuring for incrementality. If they don’t know what a lookback window is (or if they’re not using it) then I know that they’re not studying or measuring incrementality, which basically tells you if your digital marketing drove any sales that wouldn’t have happened anyway. I see a lot of digital marketing where the sales are happening, and the digital marketing is taking place at the same time. It is not that digital marketing causes the sales; they have nothing to do with each other.

Unfortunately for the larger advertisers, especially the food and beverage type companies, they’ll say, “oh, it’s, we’re just doing branding.” They don’t have to measure for sales, but because of that, they end up chasing large quantities at the lowest prices. As a result, they’re the most affected by ad fraud.

So, there are a few questions I would ask to tell whether they know what they’re doing and you know, obviously there’s a bunch of simple best practices. So for example, if they don’t even ask for domain-level place reports, then clearly they’re not even doing their job. If they already do that, then I can ask them, what their process is for cleaning the campaign while it’s still running. If they don’t have a process then clearly they’re probably just buying the fraud detection reports that appear at the end of the campaign, those that identify the 1% fraud that we’ve already discussed. So, there are many things I could ask to tell whether they know what they’re doing.

Alex: Where should my audience go to find more about you or the tools that you can help them with?

Augustine: If they follow me on LinkedIn, just Google my name, Augustine Fou, I’m on Twitter and I post a lot of charts based on my own research. I’ve done this for 10 years, so everything is based on real campaigns, but you’ll notice that I don’t mention any names, good or bad.

I write on the phenomenon of ad fraud so that people can understand how it occurs. From there, they can start to look for some of these telltale signs in their own campaigns. They don’t even need to use my tech. They can actually just look at their own Google Analytics and answer questions like “Why am I getting traffic in the overnight hours when humans are supposed to be asleep?”. So some, you know, common sense type things that they know where to look, and what to look for. They’ll actually be able to solve a lot of the fraud themselves. What I’m trying to do is educate them on how to do that, so that they can be part of the solution.

Alex: Thank you so much.


