Domain and Page Spoofing Remains Easy and Rampant

Brian Johnson Image

Q and A with Ntooitive’s Chief Digital Officer Brian Johnson: In the Aftermath of Gannett Advertisers Hit byDomain Spoofing, How Can the Industry Change to Better Protect Against Ad Fraud?

For nine months, Gannett Co. unintentionally misrepresented billions of ad placements to their advertising clients. While the mistake is currently being rectified, the marketing and advertising world are reeling in the aftermath.

State of Digital Publishing sat down with Ntooitive’s Chief Digital Officer, Brian Johnson, for a temperature check on how these mistakes came to be and what the industry can do to protect against failings like these in the future.

Click here to read the full article.

When you heard the news, what was your reaction to Gannett providing inaccurate information for nine months?

As someone who’s more on the technical side of ad delivery, the Gannett story was not as  surprising to me as it was to many members of the general public.

For those in the ad tech world who were surprised, it seemed as though they were operating under a false sense of security. There was a previously held belief that header bidding, the programmatic practice by which advertisers could bid on ad inventory in real-time, would protect from a majority of our ad problems. This has since been proven false. Within the Wall Street Journal article, it becomes obvious, that whether it be mistakes or ill intent, there are still vulnerabilities in the system.

Becausethe details of this storyhave made national news, ad tech companies, marketers, and publishersare now feeling compelled to step up to discussindustry-wide changes that need to occur from an industry and technical perspective.

Sears, Nike, Adidas, Ford, State Farm, Starbucks, Ford, Semrush, Kia, General Motors, Facebook, Marriott, and many others were among the major brands that purchased ad space labeled incorrectly. What questions should brands – large and small – be asking their advertisers and ad tech companies to ensure their paid media investments aren’t flawed?

Regardless of size, advertisingagencies need to employ an always watchful eye. They need to have a very good understanding of where blind spots are and where the brunt of the risk resides.

For example, with those larger companies, their blind spots will almost always emanate from their broader targeting metrics.

Once risk is articulated, advertisers can hone in on which budgets to follow, track the KPIs, and curate those app and site lists as closely as possible.

Gannett said in afollow-up statement, “This human error was immediately rectified when the Company independently discovered the issue. The data parameter issue was caused due to a caching error when the Company implemented changes to how data is passed from the publisher to the ad exchanges.”  Despite the rise of automation in digital, the human tough remains critical in transactions. We’ll never be able to remove that – but it is important to call out the skillsets needed on both sides of programmatic and direct sales when talking about ways to improve the advertising universe.

Many of the ad tech vendors involved with the spoofing were “Certified Against Fraud” by third parties. What’s the point of ad verification tech if it doesn’t catch when the site URL (which Gannett correctly listed despite the other incorrect data) doesn’t sync with other signals in the same header bidding file?

I would challenge us to reframe the way we look at ad fraud certifications. They are not a continuously expanding safety net, instead, they are a snapshot of a moment in time. A certification means that the certified were fighting fraud to the best of their ability at that precise moment. While the certificate may have been accurate on that specific day, the market has since evolved past that snapshot. Why? The financial incentives can be quite lucrative.

Fraud, in the ad tech industry, is often an ever evolving game of cat and mouse. The fraudsters have much to gain from committing fraud, and the ad tech companies have much to gain from quelling it. The actions of each side feeds into the other, evolving with each new development. Thus, in a back-and-forth cycle, the players adapt, the playing field changes, and the game continues.

If programmatic advertising relies on a lot of data being self-reported by those selling the ads, what changes could have been made to have prevented this “human error” from happening?

Any proposed changes must come from broadening our understanding of ad fraud. We have to be realistic in understanding what the financial incentives are on both sides of the fraud equation.

On the side of monitoring fraud, the incentive is to do the best to limit fraud under an acceptable time frame. It’s a cold hard fact in our industry that, when purchasing at scale, advertisers are not keen on paying more. Advertisers want efficiency, which often entails automation.

This lowered financial incentive stands in stark contrast to the fraudsters, who have a highly lucrative incentive to commit fraud. Ad fraud is a billion dollar industry: as of 2020, the average fraudster makes 5 to 20 million a year taking advantage of programmatic vulnerabilities.

Thus, when we take these two sides into account, there is an uneven playing field within the world of ad fraud. We have monitors with lower financial incentives fighting fraudsters with incredibly high financial incentives.

Although this can feel disheartening, understanding the dichotomy allows us to have a more pragmatic view of the industry, and tailor solutions for better mitigation strategies.

A new report shows losses owing to digital advertising fraud are set to reach a whopping $68 billion globally this year, rising from $59 billion in 2021. Is “domain spoofing” — when ad inventory is misrepresented as being from a different site — a new trend the industry should be very worried about?

Domain spoofing is one of the most common types of ad fraud out there. For those who thought header bidding would eradicate fraud by allowing advertisers to bid on ads in real time, I would say that domain spoofing in this instance, at this magnitude, is probably both a surprise and a disappointment.

Yet, it’s important to remember that it all goes back to the evolution of the marketplace for fraud. There will always be new ways to circumvent fraud mitigation, which is why mitigation strategies must be constantly evolving to keep up.

What industry changes or adoptions would you recommend to ensure an end to this?

I think it’s fair to say that there has been a collective dream among many advertisers and publishers to craft a marketplace where they are more closely connected through fewer middlemen.

Thankfully, we’re seeinga market that is shifting towards this reality. We can see this in newer genres like streaming audio or connected television occurring in private marketplace (PMP) deals, getting the advertising dollar closer to the publisher, while simultaneously juggling scale and large volumes.

Another change that many would like to see rectified is the declining prices for publishers who rely on display ads. Advertisers have to understand that publishers need more resources for what’s expected, whereas publishers also need to reframe expectations in a post-2005 display rate.

Advertisers and publishers also need to be having pragmatic, and honest evaluations. They both need to be asking: what is the inventory worth? Can we find the right fit from an advertiser who is selling something that makes sense at a profitable cost per acquisition for that inventory?

What is Ntooitive doing to mitigate risk against fraud?

Our goal is to never allow the scale of a purchase overtake the bounds of our ability to oversee that purchase. This is accomplished through enacting an ever-watchful eye on any campaign, regardless of size. Our campaign managers have an incredibly close pulse on cost per acquisition (KPI performance) of every campaign. Through tracking performance, they are able to pinpoint when something is amiss and can flag items that are behaving unusually.

Remember, the promises of technology are often blind to the ambition of someone looking to commit fraud. Thus, human eyes still have a lot of value. Having tenured, well-trained campaign managers looking and guiding that helm is the best way to ensure that your dollars are being spent well.

Do you think some of the responsibility should be shouldered by the likes of the inventory supplier and the marketplaces? Should some of the onus be on them? What can they be doing differently or better?

Again, we have to look at incentives in a market that is neither altruistic nor charitable. Right now, the market relies mostly on the supply-side platform (SSP) method which connects publishers to different ad exchanges. SSPs, as middlemen, are in a prime location where accountability and financial incentives don’t necessarily relate to ad fraud protection.

In contrast, there is the private marketplace (PMP), where publishers and advertisers conduct a direct deal with each other. Concerning ad fraud mitigation, the financial incentive of a PMP is to provide quality, as long as the negotiation is grounded in KPIs and return on ad spend.

It’s clear that our current infrastructure with supply side vendors and ad tech vendors will have to change. This sentiment, although difficult, has been floated throughout the industry for some time now. This has been slow to adoption probably due to the fact that, once you remove the middlemen, what remains are honest, nuanced, and pragmatic conversations at scale. I do not say this lightly. I recognize that this is not something that will be accomplished with easy solutions; nor am I saying that we have all of the right answers right now.

In asking these questions today, we can move ourselves closer to a better solution for tomorrow.

Yielding progressive results with
agile methodology

  • Audit Analysis
    and Discovery
    1 - 2 weeks
  • Proposal
    of Strategy
    1 - 2 weeks
  • Onboarding and
    4 weeks onwards
  • Testing and
    Proof of Concept
    1-3 weeks
  • Launch
    Pre-Go Live Test
    2 weeks
  • Analyze and Optimize

Take the next step