It’s always informative to look up definitions, like for the words “wire fraud, protection racket, and racketeering” Read the first section slowly, and think of what it reminds you of.
Wire fraud – “The crime of wire fraud occurs when someone voluntarily and intentionally uses an interstate communications device (internet) as a part of any scheme to defraud another of property, or anything else of value. Wire fraud is a federal crime involving schemes to defraud. A scheme to defraud is a plan a person employs that uses a statement, promise, misrepresentation, deception, or any other kind of falsehood designed to deprive a victim of something of value.” Source: https://www.criminaldefenselawyer.com/resources/wire-fraud.htm
Racketeering – “Racketeering is a type of organized crime in which the perpetrators set up a coercive, fraudulent, extortionary, or otherwise illegal coordinated scheme or operation (a racket) to repeatedly or consistently collect a profit.” Source: Wikipedia
Protection racket – “A scheme of organized crime that generally guarantees protection outside the sanction of the law to another entity or individual. Due to the frequent implication that the racketeers may contribute to harming the target upon failure to pay, the protection racket is generally considered a form of extortion. In some instances, the main potential threat to the target may be caused by the same group that offers to solve it in return for payment, but that fact may sometimes be concealed in order to ensure continual patronage by the coerced party.”
“Protection rackets tend to form in markets in which the law enforcement cannot be counted on to provide legal protection, because of incompetence (as in weak, corrupt, or failed states), [and/or] illegality (when the targeted entity is involved in black markets). Protection racketeers or mafia groups operate mostly in the black market, providing buyers and sellers the security they need for smooth transactions; but empirical data suggests that mafia groups are able to offer private protection to corporations and individuals in legal markets when the state fails to offer sufficient and efficient protection.” Source: Wikipedia
What did the above bring to mind? Right — ad tech, digital advertising, fraud detection, and trade associations.
Some perps were caught, most remain in operation
Newsweek was caught falsifying viewability measurements of their digital ads (BuzzfeedNews, March 2018). The owners of Newsweek and IBTimes, IBT Media, later plead guilty to a fraud scheme and money laundering — they “fraudulently obtained loans for computer equipment used to keep their media operations afloat.” (New York Times, February 2020). The following screen shot shows Newsweek was TAG “certified against fraud” expiring March 1, 2020, which means they paid for certification the prior year 2019. It is unclear whether IBTimes and/or Newsweek were TAG certified in 2018 when they were caught red-handed.
Outcome Health (also known as ContextMedia Health LLC) settled with the Department of Justice, agreed to pay a $70 million fine, and “admitted in resolution documents that from 2012 to 2017, former executives and employees of the company perpetrated a scheme to defraud its clients—most of which were pharmaceutical companies—by selling advertising inventory that it did not have.” Source: https://www.justice.gov/opa/pr/outcome-health-agrees-pay-70-million-resolve-fraud-investigation The company repeatedly “overbilled its clients, by fraudulently misrepresenting both the quality and quantity of its advertising services and concealing those misrepresentations from auditors. For five years, Outcome executives and employees during that time also inflated patient engagement metrics regarding how frequently patients engaged with Outcome’s devices. Furthermore, an executive at the time altered a number of studies presented to clients to make it appear that the campaigns were more effective than they actually were, Outcome admitted.”
Phunware (NASDAQ:PHUN) falsely billed Uber for app installations they did not generate. “As Reed Smith confirmed in discovery, most of the Uber app installations that Phunware claimed to have delivered were generated by a fraudulent process known as “click flooding,” which reports a higher number of clicks than those occurring. Much of the ad traffic Phunware brought for Uber also came through auto-redirects, which automatically took visitors to an app store, whether the user clicked on the ad or not. Two former Phunware employees had conducted an internal investigation discovering that Phunware had falsely billed Uber for ad clicks they did not deliver. A culture of fraud continued. For example, in an email sent on Oct. 31, 2016, a Phunware employees wrote: “Guys it’s… time to spin some more BS to Uber to keep the lights on.” Phunware attempted to cover this up as well by falsifying reports, which made it appear as if the ads were placed on legitimate sites.” Source: https://www.reedsmith.com/en/news/2021/01/reed-smith-wins-multimillion-dollar-advertising-fraud-suit-for-uber
The “king of ad fraud” Aleksy Zhukov was convicted by a federal jury of four charges – including wire fraud and money laundering – as part of the so-called Methbot scheme. [The scheme] created fake sites, and programmed computers in data centers in the U.S. to create fake users that appeared to be viewing the ads. The scheme spoofed more than 6,000 real domains, leased more than 650,000 IP addresses to make it appear that end users were coming from actual internet service providers, and simulated the activity of human users by using fake mouse movements, faked scrolling, starting and stopping a video player midway, and falsely appearing to be signed into Facebook.” However, what is not known widely is that the digital advertising companies upstream from Zhukov paid him for the traffic that they represented to clients as real. The real perps remain at large and continue the same fraud schemes, but purchase traffic from other providers. These companies threw Zhukov under the bus and made themselves appear to be the victim, while all along they were the actual perpetrators.
Why are there so few cases of ad fraud prosecuted to completion over the last 10 years? For starters, most parties up and down the supply chain didn’t want to hear about the fraud, so they could continue making money. For example, if an ad exchange looked more closely and found 30 – 50% of their impressions came from bot activity, do you think they would voluntarily reduce their own revenues by 30 – 50% to do the right thing? Of course not. Similarly, marketers found themselves in a place where there were enormous numbers of digital ads to buy, very low prices which their agencies called “cost efficiency” and the appearance of high performance (lots of clicks). Everyone wanted to believe that digital marketing was working swimmingly and they were “digitally transformed” by spending most of their budgets in digital. But Why Does Digital Marketing Appear to Perform So Well and Fraud Appear So Low? For the last 10 years, the “scale, cost efficiency, and performance” were manufactured by bot activity. No one wanted to admit it and virtually none of the fraud detection tech caught it.
It’s fraud protection, not fraud detection
One is left to wonder, then, if any of the black box fraud detection tech actually works? They certainly charge a lot of money. Since the two largest fraud detection firms are public; we can see their financials in public filings. DV and IAS each made $100 million in revenue in the Dec 2021 quarter. That annualizes to $400 million each. What are advertisers, agencies, ad exchanges, publishers, and others paying $800 million for every year?
I’ve written that black box fraud detection sucks; they don’t catch most of the fraud because most fraud is not IVT (invalid traffic) any more. Bots also don’t come from Russia any more (they come from data centers in Ashburn, Virginia). Luckily, these so-called fraud verification companies also published numbers every quarter showing how little of the fraud they catch. Below is the rate of ad fraud IAS reported in the latest H1 2021 Media Quality Report. Keep in mind that when IAS and DV report single-digit IVT to you, that is all they can catch. Don’t assume the other 99% is fine. Bots are highly skilled at blocking their detection tags to avoid being caught. So you should think of the other 99% as the “blind spot” of these fraud detection vendors’ tech. That’s a pretty large blind spot, no?
An astute media company executive recently quipped about the costliness of fraud protection, “I have never understood why anyone would spend 5% of the budget to eliminate 1% of fraudulent activity.” It’s at that moment you realize that “fraud detection” is really just “fraud protection.” The failures of fraud detection are well known (See: “False Positives, False Negatives, and a Whole Lotta BaData“) so why do companies continue to pay for it? For protection — otherwise known as CTB (“check the box”) or CYA (“cover your ass”). If the client asks whether we have fraud detection, we can say yes, that box is checked. If someone catches us red-handed for fraud, we can blame someone else — “they said there was low IVT, we didn’t know. Oops.”
But it’s way way worse than this. Over the last decade, I have reviewed more than a dozen cases where the fraud protection vendor extorted publishers, ad networks, SSPs, etc. and locked them into 2 – 3 year contracts. The threats ranged from “we’ll lower your rank in the index if you don’t pay for our service” or “we’ll tell buyers you have high IVT and they won’t buy from you” (when the publisher signed up for their service, the IVT numbers magically went down to sub 1%) or “we buy 100% fraud free; you have to use one of these MRC accredited vendors or we won’t buy from you” and many others. Sure sounds a lot like racketeering, right? I am not law enforcement; so if you have witnessed this, been exposed to this, or been a victim of this kind of extortion for years, please contact the authorities and let them know. There are laws against racketeering, even if there aren’t laws against ad fraud.
A protection racket for the protection racket?
Have you ever seen an industry where there’s a protection racket for the protection racket? Well, there’s a first for everything. Who protects the protection racket? The trade associations and certification bodies they create. I have wondered out loud before — Industry Associations Have Misled You on a 20-Year Wild Goose Chase — whether it was utter incompetence that led the ANA’s certification body to send out press releases saying that fraud in TAG channels was sub-1%. TAG (Trustworthy Accountability Group) was created in 2015 by the Association of National Advertisers (ANA), American Association of Advertising Agencies (4A’s), and the Interactive Advertising Bureau (IAB); and GroupM is on its board. GroupM (the agency) told every vendor they had to be TAG certified in order to get media dollars from them. Hmm. ANA asked Marc Pritchard, Chief Brand Officer of P&G, to insist on TAG certification by publicly saying so on stage in 2016 at the ANA annual conference. But why? Does TAG certification actually work? Considering all that is entailed is self-attested paperwork and payment of fees, the efficacy of such certification is certainly questionable. It would be easy for fraudsters to just say they had the practices in place and were using fraud protection tech. You should question it. I did [6], and others have too [7], [8]. Be sure to note the quote above and the other feedback seen on reddit/adops.
Just yesterday (March 18, 2022), TAG sent out another press release saying fraud is down to 0.37%. Yay for them. But not for you. Why? Read on.
Well, you see, last week it was revealed that Gannett had provided incorrect information to advertisers for 9 months, and no one noticed. More specifically, bid requests that originated from local newspaper sites like seacoastonline.com were mis-declared to be from usatoday.com a national newspaper which commands far higher CPMs. The domain declared in the bid request was not the correct domain. This was a case of human error, and Gannett has since corrected the error. But what about all the other cases where fraudsters deliberately “mis-declare” (i.e. falsify) the domain in the bid request to commit wire fraud? If none of the ad exchanges caught the Gannett error, none of the media agencies noticed anything, none of the fraud detection companies alerted clients to the error, and none of the ad buyers got any money back or even asked for more details about it, who is minding this store? This “elephant in the room” was just exposed. The fraud detection tech companies, the ad exchanges, the media agencies “certified against fraud” by TAG didn’t see it or do anything to help.
CampaignUS: Billions of ads misdirected, and no one noticed
One “elephant in the room” was exposed this week; a whole herd of “elephants in the room” is about to be exposed
It took two researchers outside of digital advertising [1], [2] to look at the data to “notice” the mismatch between the domain passed in the bid request and the domain where it came from. Both researchers did this on their own time and their own dime. They didn’t get paid for it and they are not making any revenue from any parties in digital advertising. Something so simple, yet the fraud detection companies making $100 million in revenue every quarter either didn’t catch it or didn’t report it. They were all certified against fraud by TAG. We now have public blog posts and statements from these fraud protection companies [3], [4], [5] saying they caught it, it wasn’t a big deal, or their clients were fully protected from the Gannett mess-up. In fact, they all appear to say that the domain mismatch rates were less than 2%. Hmm. How did they all coordinate their PR messages so well? No one knows.
What I have observed over the years is a pattern of anti-competitive behavior from the Association of National Advertisers and specifically their certification provider, TAG and its CEO Mike Zaneis. I’ve documented all of this over the years, with screen shots of his public tweets — Bully Mike Tries to Shut Me Up. Why?
TAG certification provides “air cover” for fraudsters to continue to operate in broad daylight. It also further facilitates the fraud that comes from inside the house.
And this pattern of behavior continues even after the Gannett incident. “Several major SSPs, including Magnite, Pubmatic, and TripleLift were observed serving ads when a mis-labeled ad-bid request was submitted. Human, Pixalate, Oracle Moat, and Integral Ad Science received data about the bid URL mislabeled on Gannett Media websites. Google’s DV360, Xandr, Adobe, Conversant, The Trade Desk and MediaMath and others were observed serving impressions with inaccurate bid URLs.” Source: Mediapost, March 9, 2022. ALL of the following companies are currently “Certified Against Fraud” by TAG. Their current certification runs out March 1, 2023. Mike Zaneis, CEO of TAG tried to use the excuse that Gannett was not TAG certified. Sorry, that’s not going to work. See below and look up additional companies that are certified but failed to detect the simple domain mismatch or report it to clients. This failure means they are missing other things like ad fraud, if the tech worked or if anyone looked at the data collected. https://www.tagtoday.net/tagregistry/
So What?
If you were coerced into paying for protection, stand up and contact the authorities. There appears to be protection for the protection racket, in the form of self-attested certifications, given out after payment is received. Patterns of behavior consistent with racketeering have also been observed for a long time where victims were coerced into paying for fraud protection, and only those protection services that were certified by a group formed by the trade association. Time to rise up and refuse to be victimized any more, by the ad fraud, the racketeering, and the protection racket of the protection racket.
Please don’t be part of the reason that ad fraud, wire fraud, and these other forms of crime continue. If you see ad fraud and wire fraud, report it. Wire fraud is a federal offense. If you need more evidence, you can gather it with FouAnalytics on your site and in your ad impressions. It will be clear whether the vendors “used a statement, promise, misrepresentation, deception, or any other kind of falsehood designed to deprive a victim (you) of something of value,” your money. You are welcome to use FouAnalytics for free. I will show you how to use it; I do not charge for it. I only charge a few select advertisers annual subscriptions to use the analytics platform to monitor and manage their own digital campaigns. Much of the money that was used to pay for certification and fraud protection can be re-deployed for better analytics and details that are understandable and actionable.
Don’t wait; it will get increasingly embarrassing as more elephants in the room, a literal herd, get exposed. You can be part of the movement that turns this around and accelerates the real digital transformation to real, good digital marketing. I will help you.
Discussion about this post