“No sophisticated botnets are trying to go undetected forever,” Tiffany said. “They infect new machines as fast as the old machines are being caught, which is why there is no macroeconomic change.”
Fresh infections do the most damage because they home in on high-CPM media and highly targeted buys. Display buys with CPMs higher than $10 had a 39% greater bot rate on average, according to the study, while video with CPMs in excess of $15 had 173% more bots than video buys with lower CPMs.
Programmatic buys didn’t fare all that much better, with programmatic display and video ads seeing 14% and 73% more bots, respectively. On the flip side, direct display ads saw around 14% less bot traffic, while direct video ads saw 59% less.
The study also called out sourced traffic as a hotbed of bots, which it even uncovered in private marketplace deals. Third-party traffic acquisition generally saw three times as many bots as organic traffic.
“By sheer impression volume, there was just a hell of a lot of fraudulent traffic found in programmatic buys,” Tiffany said.
So, what’s the deal?
Opacity in the supply chain is less of an issue than what Tiffany referred to as “a fundamental weakness about how the entire ecosystem thinks about exploiting and interacting with audience.”
In other words, in programmatic, brands rely on identifiers such as cookies and device IDs to create audiences, but there’s no way to trust that there isn’t malware on a person’s computer.
“Apparently, it didn’t occur to enough people that you can’t always trust the device on the other end of a connection, which means your targeting data can become polluted,” Tiffany said. “We might even be talking about third-party purchase data or browsing history, but it all relies on a fundamental identifier which is also being used by the cybercriminals. It’s sort of a problem since this whole world is becoming the economic engine for the entire Internet.”
But rather than villainizing programmatic, Liodice said the report’s findings are more of a reflection of marketers not being fully comfortable with programmatic methods but forging ahead anyway, caught up as they are in the “euphoria” of being able to automate highly targeted buys.
“We just have to approach it with more intelligence and cautiousness,” Liodice said. “When I talk to marketers about programmatic, it’s very clear to me that they don’t fully understand it. And if they’re not prepared, how can we expect them to ask the right questions and get the right data, reporting and analytics to allow them to become savvier?”
But there are some advertisers starting to make a dent in bot fraud – or at least making a concerted effort. Of the 35 brands that participated in the previous study, 28 returned for take two, and nine saw an improvement in their overall fraud rates.
Digging deeper, though, the study found that it was actually the brands with high fraud rates last year (10% or more) that saw the most improvement, while the brands given a relatively clean bill of health last year (5% or less) saw higher rates this year.
“When participants were told in the first study that they had lower fraud than the average, that was widely accepted as good news – but it was also taken as validation that whatever they were doing was working,” Tiffany said. “But more often that not, it just turned out they hadn’t been victimized during the time we were running the study. The other guys took it as a wake-up call and changed their behavior.”
So, what can advertisers do to protect themselves? The study suggests getting better educated on all the various members of the programmatic supply chain, requiring partners to follow anti-fraud guidelines and eating a healthy diet of unsourced traffic.
On the last point, the report goes so far as to advise buyers to consider including language in their insertion orders declaring that they won’t pay for nonhuman traffic.
It’s a valid request – but it’s also one that seems to put the onus on the publisher completely for handling the fraud problem.
“Where does the responsibility lie and who is accountable? It’s a tough one, and I don’t believe that the ANA and the IAB are on the same page about it because of that reason,” Liodice said. “It’s something we need to address.”
The ANA/White Ops report measured digital ad fraud collected from 10 billion impressions across 1,300 campaigns deployed by 49 ANA member brands, including ABInBev, Colgate-Palmolive, ConAgra Foods, Denny’s, Ford, General Mills, Johnson & Johnson, Kellogg’s and Wendy’s, all of which were returning participants from last year’s study.
Mobile wasn’t a part of the traffic examined by White Ops because the report claimed that “botnets are not currently a serious threat in the mobile ecosystem,” although it expects that to change as mobile spend increases.