The basics: types of fraud that start it all


Fraud is a type of “crime” in any possible scenario. A marketer starts digging his own pit when fraud goes undetected: he invests more money in fraudulent channels that show great statistics, gets unreliable sky-rocketing results, and invests even more in those channels. It’s a vicious circle of advertising, and it needs to be broken.

Fighting fraud requires understanding and recognizing various types of fraud. This particular article is designed to give a quick overview of the types of fraud that are most common in the industry.

1. Click Spam

Definition and how it works

The fraudster tries to execute clicks on behalf of users who are completely unaware of it. The user might have come to the app organically or through an ad, but the fraudster uses different means to capture the last action and get all the credit. The main method is to infect the device of a real user and generate a click that claims real organic conversions.

How might the “infection” get to a real user’s device? Imagine, the user opens a mobile web page or an app and here is what might happen:

  1. Imitate the engagement - a fraudster can imitate user engagement by sending impressions-as-clicks. So it will look like the user viewed an ad and executed a click.
  2. An old trick - a simple real redirect of the user to the app-store page even if he hasn’t clicked on the ad of this particular application. This method uses promotional tracking links and is highly negative for the user as he directly observes that he is being redirected.
  3. Infected apps - various launchers, battery savers, screencasting apps, memory cleaners - these are the types of apps that are most likely to infect the user’s device and generate clicks whenever they want. They operate in the background and the user is never aware of it.
  4. Invisible threat or pixel stuffing - happens when a fraudster places various advertising links in a pixel in the background of a mobile web page. These links are processed without showing any signs to the user. To illustrate - the most common case of pixel stuffing is mobile web pages where the user watches video content.

Standard symptoms

Low Conversion Rates or a long-tail for TTI graphs. Usually, a real user opens the app within the first 30 minutes to 1 hour post install. Of course, there are always exceptions to each and every case and source (and that’s why we suggest that you use FraudScore).

The problem that it causes

Click spam is a type of fraud in which a fraudster uses real users to get credit. So if an advertiser invests in a source and observes spiralling effectiveness and impressive metrics, he will invest more. But when the budget is spent, or has been reallocated from other sources (which in the end might turn out to be fraud-free), and no profit comes from the source, the advertiser begins to see the losses caused by click spamming.

2. Fake installs

Definition and how it works

Fake install - a completely fraudulent install by a fabricated user. This is one of the most costly types of fraud because it spreads damage to all the possible parties – advertiser, network, developer, and publisher.
The fraudster uses data centers and specific software to simulate real devices. The main idea of such simulation is to create a brand-new “device” with its brand-new ID, OS version, name just for the ad to be clicked on. Then, the scenario is simple – “the device” just simulates a user-like behavior – click the ad, download the app, start the app after the install.

Standard symptoms

Always compare the price that you get for the traffic with other providers on the market. If the price is lower than the market average, chances are you are not getting what you are paying for.
And if you do get into trouble, you’ll need to take a look at:

  • post-install-activity
  • sometimes, the pattern - if the majority or a significant group of your users follow the same scenario and start the app on the same days post install (e.g. days 5, 10 and 17), they are likely to be fake
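The pattern check from the list above can be automated. The following is an added example, not FraudScore code: it groups app-open events per device into a "schedule" of post-install days and flags a source when too many of its installs share one identical schedule. The event layout, source names and both thresholds are assumptions.

```python
from collections import Counter, defaultdict

MIN_INSTALLS = 20   # assumed: sources smaller than this are not judged
MAX_SHARE = 0.4     # assumed: max share of installs sharing one schedule

def repeated_schedules(events):
    """events: iterable of (source, device_id, days_since_install) app-open rows.

    Returns {source: (schedule, share)} for sources where one post-install
    schedule (sorted tuple of days, day 0 excluded) covers more than MAX_SHARE.
    """
    opened = defaultdict(set)
    for source, device, day in events:
        opened[(source, device)].add(day)
    per_source = defaultdict(Counter)
    for (source, _device), days in opened.items():
        # Day 0 is dropped: opening once right after install is normal churn.
        per_source[source][tuple(sorted(days - {0}))] += 1
    flagged = {}
    for source, schedules in per_source.items():
        total = sum(schedules.values())
        late = [(s, c) for s, c in schedules.most_common() if s]
        if total < MIN_INSTALLS or not late:
            continue
        schedule, count = late[0]          # most frequent non-empty schedule
        if count / total > MAX_SHARE:
            flagged[source] = (schedule, count / total)
    return flagged

# Constructed sample: pub_x has 24 of 30 devices opening on days 5, 10 and 17;
# pub_y has 30 devices that each follow a different schedule.
SAMPLE = (
    [("pub_x", f"x{i}", d) for i in range(24) for d in (0, 5, 10, 17)]
    + [("pub_x", f"x{24 + i}", d) for i in range(6) for d in (0, i + 1)]
    + [("pub_y", f"y{i}", d) for i in range(30) for d in (0, 1 + i % 9, 3 + i % 13)]
)

if __name__ == "__main__":
    print(repeated_schedules(SAMPLE))
```

A flagged source is a lead for manual review rather than proof, since onboarding reminders or push campaigns can also synchronise real users.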

The problem that it causes

The main issue with this fraud type is that an advertiser who pays for installs and ends up paying for fake ones simply pays for nothing. The same goes for the network - if the installs that the network gets are fake and there are no actual users of the installed app, then its reliability falls to the bottom.
And it’s worth mentioning that some fraudsters have evolved to the point where they attempt to emulate the post-install activity of “the user” – e.g. start the app on the 10th or 17th day after install.

3. Click Injection

Definition and how it usually works

Only Android devices are prone to click injection, a more complex type of click spamming. A fraudster needs to have his own malware in a mobile app, or even his own app, to get access to a real user’s device. After such an infected app is installed, it might get access to so-called “install broadcasts” – specific signals that are sent for every new application on the device. And if the malware gets access to these signals, all the subsequent app installs on the user’s phone will be attributed to the fraudster.
Moreover, not all apps have paid marketing campaigns, so the malware has to check for those that do. So basically, click injection requires a pretty complex approach, but the treat is tempting, so this type of fraud is consistently detected by FraudScore.

Standard symptoms

Abnormally low TTI and very high CR - these are the general symptoms of click injection. Since 2017, Google has been trying to provide developers and advertisers with more reliable data on apps and installs so that suspicious activity can be caught. But fraudsters are aware of that, and click injection schemes are becoming more sophisticated. So it’s hard to tell whether you are at risk of click injection just by looking at the symptoms without fraud-detection tools.
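The click spam symptoms (low CR, long-tail TTI) and the click injection symptoms (very low TTI, very high CR) can be checked per traffic source with the same two metrics. The following is an added example, not FraudScore code: it assumes TTI is the number of seconds between the attributed click and the first app open, and the source names, sample data and all thresholds except the article's one-hour window are assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds, not taken from the article; tune them per app and source.
SHORT_TTI = 10            # seconds: implausibly fast click-to-open
LONG_TTI = 3600           # seconds: upper end of the "30 minutes to 1 hour" window
HIGH_CR, LOW_CR = 0.30, 0.001

def profile_sources(clicks, installs):
    """clicks: {source: click_count}; installs: [(source, tti_seconds), ...]."""
    ttis_by_source = defaultdict(list)
    for source, tti in installs:
        ttis_by_source[source].append(tti)
    report = {}
    for source, n_clicks in clicks.items():
        ttis = ttis_by_source[source]
        if not ttis or not n_clicks:
            report[source] = {"verdict": "no_data"}
            continue
        cr = len(ttis) / n_clicks
        short = sum(t < SHORT_TTI for t in ttis) / len(ttis)
        tail = sum(t > LONG_TTI for t in ttis) / len(ttis)
        if short >= 0.5 and cr >= HIGH_CR:
            verdict = "click_injection_suspect"   # very low TTI, very high CR
        elif tail >= 0.5 and cr <= LOW_CR:
            verdict = "click_spam_suspect"        # long TTI tail, low CR
        else:
            verdict = "no_flag"
        report[source] = {"verdict": verdict, "cr": cr, "median_tti": median(ttis),
                          "short_share": short, "tail_share": tail}
    return report

# Constructed sample data for four hypothetical sources.
CLICKS = {"net_a": 1000, "net_b": 200000, "net_c": 50, "net_d": 500}
INSTALLS = (
    [("net_a", 60 + 45 * i) for i in range(30)]          # minutes after the click
    + [("net_b", 7200 + 3600 * i) for i in range(36)]    # hours to days later
    + [("net_b", t) for t in (300, 600, 900, 1200)]
    + [("net_c", 2 + i % 7) for i in range(40)]          # 2 to 8 seconds
)

if __name__ == "__main__":
    for source, row in profile_sources(CLICKS, INSTALLS).items():
        print(source, row)
```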

The problem that it causes

The advertiser’s money is spent on nothing. For instance, a developer buys traffic and the metrics show which GEO gives the most effective ads. The developer decides to invest more in that region. But in reality it turns out to be injected-click traffic, and basically the advertiser’s budget goes to the dogs. Injected clicks are also a problem for the network – because if the traffic is infected, the advertiser will switch to another partner.

4. SDK Spoofing

Definition and how it usually works

The main principle is to imitate an install without a real one and to fake user engagement. But fraudsters are using real devices – so no real users, no real clicks and installs, but perfectly legitimate devices that exist and are being normally used by users.
A fraudster has his own app (again, battery savers, memory cleaners, etc) installed on the user’s device or they might have access to any other app that is popular and might be infected. By getting access to a real device, fraudsters collect the device data, break the SSL encryption between tracking SDK and servers and then they start a series of test installs.
So they make several attempts to find the install combination and URL setup that lets them imitate more and more installs. They simply need to find out which activities in the app are being tracked, and then they start experimenting with the dynamic part of the URL. Once the fraudster has worked out the scheme, he can simply repeat it as many times as he can before the SDK version is updated and the scheme stops working.

Standard symptoms

As we’ve already mentioned - the fraudsters break SSL encryption between the tracking SDK and backend servers, so if the SDK is updated - the fraudulent activity shall stop. In our opinion, SDK spoofing is one of the most complicated types of fraud because it uses real devices’ data and fraudsters no longer need to constantly generate new parameters. We at FraudScore advise checking whether the SDK version of the installed apps matches the latest release you’ve made.

The problem that it causes

There is no real install and no real activity in the app, in the ad or on the mobile web page, so there is no real user engagement. So the budget is being spent on nothing. A network might get pretty reliable-looking metrics for app installs and might even show good results and user acquisition, but the results and further statistics shall show that this traffic is not to be trusted.

5. Device farms

Definition and how it usually works

This is one of the most famous fraud types and is pretty easy to understand – the devices are real, and the people who click and install are real too. But no profit comes from such installs – because the only purpose of the device farm is to get money for the initial install or click and never proceed with retention or purchases. People are hired to sit the whole day in front of dozens or even hundreds of devices and to repeat the same actions that they are told to perform to get the clicks.

Standard symptoms

Sometimes, just by looking at the retention rate, it’s obvious that a device farm generated a given cluster of installs. But the problem is that not all apps organically have high retention rates or a short time to start the app. So only a thorough analysis might help here.
We also advise taking a look at IPs - some are well known to be unreliable, some try to mask themselves behind a VPN or proxy - but a well-developed fraud detection platform shall trace such activity anyway and detect those installs that are being made via suspicious IPs.

The problem that it causes

These are real devices operated by real people, but they are of no good to the advertiser or the network. Such activity is only targeted at getting the CPA budget of the campaign. And no future user engagement shall ever be provided to the advertiser.
So again - be aware that if you invest in mobile ads, you need to make sure that the traffic you get is examined by a fraud detection platform, like ours for instance.

To conclude:

This particular article gives a short overview on several types of fraud that every company working with advertising is facing. The diversity of fraud types is vast. Just to illustrate, we’ve gathered and analyzed data for all the traffic that we’ve processed in August-November, 2018, and made a diagram for the distribution of types of fraud by seven main reasons:

These fraud reasons demonstrate the diverse approach to fraudsters’ dodgery. Every category of reasons has its specific symptoms that we at FraudScore analyze and use as a source to detect fraudulent activities. We take a specific approach in order to analyze the symptoms and detect various combinations that contribute to systematic understanding and fighting fraud. If you want to learn more about how thorough and detailed our approach to traffic analysis might get, just follow the link to take a look.

We at FraudScore have set our goal - we fully take on the responsibility to detect and fight fraud that causes damage to our respected customers. We are constantly interacting with clients and providing them with solid service and high fraud-detection expertise. We share our experience, and it’s our firm belief that fighting fraud requires not only raw statistics and metrics, but also knowledge and constant education.

Ad fraud is a problem and the industry has finally shifted towards recognition of its gravity. Everybody is affected: a network loses trust in publishers because of fake installs, a marketer keeps spending funds on those channels that are not truly effective, etc. It might really become a vicious cycle unless fraud is detected and banned.
