Mobile Fraud Overview: Prevention and Detection : Helpdesk

Mobile Fraud Overview: Prevention and Detection

Common Types of Mobile Fraud & Best Practices

   Click Injection/Ad Injection:

Fraud where the affiliate injects their tracking link to fire off a tracking click right before the user completes their conversion.  This lets them hijack the  credit for sending that conversion. 

Best Practice: Typically this type of fraud will show up in your MTTI Report as conversions with <15 Sec MTTI, so make sure to regularly check your reporting. It should be nearly impossible for a real user to click an ad, install the app, and then open it within 15 seconds from that initial click; therefore, MTTI under <15 Seconds can be almost always considered to be fraudulent.  You can also set up an Alert to notify you whenever there is any conversion under 15 Seconds MTTI for catching any time this fraud pops up. 

   Click Spamming/Click Flooding:

Fraud where the affiliate fires their click tracking link every time a user sees their Ad, even though the user didn't actually click on the ad.  This allows them to cover a massive group of users with their tracking link. Most mobile campaigns are set up with an attribution window for click-through conversions that gives affiliates credit for driving the conversion up to 7 days after the click.  If they track enough users, they will start taking credit for the advertiser's natural (organic) conversions of users that were already highly motivated and planning to sign up without advertising. 

Best Practice:  Regularly check your MTTI report, and check on any offers that are consistently seeing more than 30% of your conversions coming in >24 hours MTTI in your report. This case doesn't necessarily mean your publisher is doing fraud, but it's recommended to work with your publishers to optimize those placements.  

Keep in mind that while 7-Day Click-Through Attribution is the standard, some Advertisers have 30-Day Click-Through Attribution.  If   the advertiser's attribution window is longer, then you'll see more conversions coming in after 24 hours from the initial click.

   Proxy Traffic:

Fraud where the user's IP is spoofed, so it shows as coming from a different IP source than the users actual source.  This is often used for bot traffic and other types of click farm fraud - groups of bots or people that fake their location and then perform fraud conversions.

Best Practice:  When setting up Offers, under the Targeting tab > Make sure that Block Proxy Traffic is enabled.

   Duplicate Conversions:

This happens when an advertiser fires back a second conversion from the same click ID. The default setting is for Everflow to "reject" those duplicate conversions, so it won't pay out to the affiliate on those conversions. You can change this setting on the Attribution page within the offer. 

Best Practice:  During Offer Setup, under ATTRIBUTION > Duplicate Conversions make sure that setting is toggled to red. Under TRACKING & CONTROLS > Enable Enable Duplicate Click Filter.  The Duplicate Conversions will keep you safe from paying your affiliates twice, and the Duplicate Click Filter will keep your advertisers safe from receiving the second click as well.

   Bot Traffic:

Fake traffic that simulates a user completing the base conversion on the offer. SDK Spoofing is the more advanced form of this fraud, where they are also injecting artificial events into the reporting dashboard.

Best Practice:  Make sure your Affiliates are passing their Placement IDs on clicks (Ex: &sub2=[Affiliate Placement ID].)  Use the Analytics reports to keep a close eye on the quality of installs by Placement ID.  Work with your affiliates to deactivate low quality sources, so your budgets go to your higher quality sources  

   SDK Spoofing:

SDK Spoofing is where the fraud source uses bots to send fake data that creates a simulation of real traffic: faked clicks, conversions, and events.  This can create scary situations, where the tracking partner's MMP (Mobile Measurement Partner) shows traffic as driving high quality installs with a lot of events, but when they check their internal non-MMP reporting numbers, they see none of the events showing up inside the MMP dashboard. 

Best Practice:  The best way to defend yourself is by implementing the Verification Tokens feature. Spoofing works by simulating a user's actions, but the fraudster doesn't have access to the security token, so they won't be able to easily imitate it. Learn more about how to set up Verification Tokens - Click Here

   Incentivized Traffic:

Incentivized traffic is fraud whenever the Advertiser doesn't allow this promotion method.  For Incent, the user is receiving a reward in exchange for taking an action, such as downloading an app, or completing an Event conversion.  Typically Incent traffic delivers much lower user quality than standard promotion methods.

Best Practice: Same as bot traffic, keep a close eye on the quality of your affiliate's sources. If you see any unnaturally high conversion rates, investigate those sources with your publisher and make sure the high rates aren't due to incentives.

Further Prevention Strategies

Set targeting restrictions

While setting up new offers, make sure to set up targeting restrictions under the 'Targeting' tab. Example: For a US offer reached iOS users, set United States & IOS included.  This will make it so that any traffic that isn't from a US source or iOS source will automatically be marked as invalid (and then sent to either your Fail Traffic links, or a dead page if you haven't enabled Fail Traffic).

Recommended: State clearly in your Offers Name any major requirements around required parameters or location Targeting.  Include in the Description part of your offer with clear instructions about types of promotions that are approved and restricted. 

Any traffic that is blocked by your targeting restrictions can be easily viewed in the Offer Report by clicking the Invalid Clicks highlighted in blue, which will give you a breakdown for the types of invalid clicks. You can click on any of the invalid types to see a further breakdown of those clicks.

Require Offer Approval

Put sensitive offer’s visibility on the “Require Approval” setting, this will allow you to see exactly which affiliate/publisher/partner would like to run a specific offer. Click Here to find out how to set this up.

Manually Approve conversions

You can actually set the offer to not allow conversions to come through to the affiliate/publisher/partner until you have manually approved them. Click here to see how to do that. 

*IMPORTANT* If you wait to approve conversions manually for a long time, the affiliate/publisher/partner will see a lot of delay in when the conversions post, which could cause them to stop running traffic for the offer. 

Detection Tactics

Referring URLs

To see Referring URLs, go to Reporting - Conversions > Run Report > Click on Columns > Make sure 'Referrer' is selected > You should now see Referrer on the far right of the report > Sort by Referrer to see any conversions that detected a Referrer URL.  Placements show up as referrer urls when there is another tracking platform re-directing the click right before it reaches Everflow's tracking. Referrer URLs often mean one of two things: 1) the Affiliate is using an extra domain for their own internal tracking usage. 2) The affiliate is rebrokering your offers through another affiliate platform.

Sub IDs

You can use Sub IDs when generating the tracking URL for different affiliates/publishers/partners in order to have them pass you back data about the campaign. This can be anything from blind site IDs to actual site names. You can use this to run reports on the data they are sending you. 

IP Addresses

You can look at the IP addresses of the conversions in order to determine where the conversions are coming from. If you see a lot of conversions coming from the same IP it would indicate that the conversions might be fraudulent. You can run that report here:

https://help.everflow.io/support/solutions/articles/22000220250-conversion-report

Spikes in KPIs

 If you notice a spike in any of the KPIs it might signal fraud traffic. You can actually set notifications to send to the dashboard or to your email if you want to stay on top of this. You can do that here:

https://help.everflow.io/support/solutions/articles/22000219439-manage-alerts

Use the MTTI report

You can use the MTTI report to see the time in-between the click and install. If you see a large amount of installs coming in either super quickly or super late it could signal fraudulent traffic. Find out more here:

https://help.everflow.io/support/solutions/articles/22000225315-new-mtti-functionality
https://help.everflow.io/support/solutions/articles/22000225975-mtti-report

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.