Bought Traffic = Bot Traffic

If a site is a cheater, they will use every trick in the book to make more money and cover it up.

Site owners are always tempted to increase their own revenues by buying traffic. After all, if traffic costs $3 CPMs and ads are sold at $10 CPMs, the site pockets $7 CPMs worth of profit margin. Arbitrage makes up a large portion of all programmatic ads sold. And the more advanced perpetrators have other tricks to multiply their revenue and cover up the shadiness.

Note that in the example below, this site is buying traffic and the bots are tuned to come during weekdays and waking hours. This is better tuned than years ago, when the bots could be easily picked out because they came at all hours of the day, including the overnight hours when humans are sleeping. Also, some advertisers are smart enough now to turn off overnight hours and not bid on any ads then, since the proportion of bots to humans in those wee hours is far higher.

Why stop at just buying traffic? A site that is going to cheat might as well maximize its revenues by doing other shady things. In the screenshot below, the same site runs very few ads (left) or stuffs the page full of ads (right). The left screenshot is how the page appears if you access the bare URL directly — like when human reviewers check the site for fraudulent activity. The right screenshot is how the page looks when specially crafted query strings are passed in the URL. A dozen ads can be seen on the page, and who knows how many more are stuffed into 1x1 pixels or pop-unders.

Research by @deepsee.io - https://deepsee.io/blog/2-tales-one-site-how-arbitrage-sites-manipulate-metrics

When the on-page shenanigans are combined with bought traffic, oops bot traffic, you can see how truly scalable the fraud is, and how profitable. All of that bought traffic is bot traffic. That is because there aren’t a whole bunch of humans sitting around with nothing to do but to go to your website when you tell them to. (Yes, I realize there are incentivized viewing schemes too, where real humans are told they will get points for watching ads and clicking on them.)

For comparison, a publisher that does not buy traffic, has good content and therefore real human audiences looks like the following. Dark blue means humans.

A final scenario to consider. A good publisher does not buy traffic, but still has unwanted bots hit their pages — typically to scrape content. When the site sees these kinds of bots (top portion of the slide below), they can filter them. That means they detect these bots and do NOT make the ad calls when they see them. The on-site measurement tag shows the bots hitting the page. The in-ad measurement (bottom portion of slide below) shows the successful filtering of these bots. This can be done by the publisher or by using the FouAnalytics decisioning container.

So What?

As a buyer of programmatic ads, be sure to get detailed placement reports that show you which sites and apps carried your ads. Note that you may still need FouAnalytics to truly tell where the ads are run because fraudulent domains show up in the placement reports as the domain they spoofed — i.e. the bad domain is comingled with the good domain. In FouAnalytics, we detect which domain or app the ad was finally loaded on so you can check for yourself.

Also, check for on-page shenanigans like stacked ads, pixel stuffing, off-page ads, popunders, etc. These are the things that other IVT detection tech don’t look for and therefore severely under-report the rate of fraud. If the site is going to buy traffic, they will likely also do other shady things, because they are a fraudster. What fraudster will deliberately make less money? Right, none. They will all try to make as much money as they can. You’re the only one who can detect it and reduce it — that is if you care about such things. I have seen too many big advertisers turn a blind eye to ad fraud because they want to buy the large quantities at low CPM prices.
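As an added example (not from the original post and not FouAnalytics code), the JavaScript below shows one way to run these checks over ad-slot geometry captured from two loads of the same page: the bare URL and a URL with a query string. The slot records, field names, page size and the 90% overlap threshold are constructed assumptions.

```javascript
// Added example. Slot records are constructed sample data: document-relative
// x/y plus width/height, as could be collected with getBoundingClientRect().
const PAGE = { w: 1280, h: 3000 };   // assumed document size in CSS pixels
const STACK_THRESHOLD = 0.9;         // assumed: >=90% of the smaller slot covered

// Area shared by two rectangles, 0 when they do not intersect.
function overlap(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Flag pixel-stuffed, off-page and stacked slots in one page load.
function auditSlots(slots, page) {
  const findings = [];
  const pageRect = { x: 0, y: 0, w: page.w, h: page.h };
  const normal = [];
  for (const s of slots) {
    if (s.w <= 1 || s.h <= 1) findings.push({ id: s.id, issue: "pixel-stuffed" });
    else if (overlap(s, pageRect) === 0) findings.push({ id: s.id, issue: "off-page" });
    else normal.push(s);
  }
  for (let i = 0; i < normal.length; i++) {
    for (let j = i + 1; j < normal.length; j++) {
      const a = normal[i], b = normal[j];
      const shared = overlap(a, b) / Math.min(a.w * a.h, b.w * b.h);
      if (shared >= STACK_THRESHOLD) findings.push({ id: `${a.id}+${b.id}`, issue: "stacked" });
    }
  }
  return findings;
}

// Compare the bare-URL load with the query-string load of the same page.
function compareLoads(bare, crafted, page) {
  return { extraSlots: crafted.length - bare.length, findings: auditSlots(crafted, page) };
}

const bareLoad = [
  { id: "s1", x: 100, y: 0, w: 728, h: 90 },
  { id: "s2", x: 900, y: 200, w: 300, h: 250 },
];
const craftedLoad = bareLoad.concat([
  { id: "s3", x: 900, y: 200, w: 300, h: 250 },   // same box as s2
  { id: "s4", x: 0, y: 0, w: 1, h: 1 },           // 1x1 slot
  { id: "s5", x: -2000, y: 100, w: 300, h: 250 }, // left of the document
  { id: "s6", x: 900, y: 500, w: 300, h: 600 },   // ordinary extra slot
]);
console.log(compareLoads(bareLoad, craftedLoad, PAGE));
```

A jump in slot count between the two loads, together with any flagged slot, is the signal to review the domain before it stays on an allow-list.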

You decide if you want to buy ads from cheaters and fraudsters. Once you can see the fraud, you can simply add those domains and apps to your block lists. Better yet, run your campaigns with an allow-list. That will reduce the work you need to do to continuously add to your block lists as fraudsters rotate the sites they use to make money.

Further reading: Marketers, Be Prepared For Severe Pushback When You Do This