Common Types of Fraud & Best Practices

Click Injection/Ad Injection

Click Spamming/Click Flooding

Proxy Traffic

Bot Traffic

SDK Spoofing

Incentivized Traffic

Duplicate Conversions

Fraud Prevention Strategies

Fraud Detection Strategies

What is it?

The fraudster injects their tracking link to fire from a tracking click right before the user completes their conversion, ultimately hijacking the credit for that conversion.

Best Practice:

This type of fraud will typically show up in the Click-to-Conversion Time Report as conversions <15 seconds, so make sure to regularly check your reporting. It should be nearly impossible for a real user to click an ad, install the app, and open it within 15 seconds from that initial click. Therefore, click-to-conversion times under 15 seconds are almost always suspicious. You can also set up an Alert to notify you whenever this indication appears.

What is it?

The fraudster fires their click tracking link every time a user sees their ad even though the user didn't actually click on the ad. If they track enough users, they will start hijacking credit for conversions, including those from organic users.

Best Practice:

Regularly check your Click to Conversion Time report and check on any offers that are consistently seeing more than 30% of your conversions coming in after 24 hours. This case doesn't necessarily mean there is fraud present, but it's worth checking with your publishers to optimize those placements.

Keep in mind that while 7-day click-through attribution is the standard, some advertisers have 30-day click-through attribution. If the advertiser's attribution window is longer, then you'll see more conversions coming in after 24 hours from the initial click.

What is it?

User IP is spoofed to fake a location. Often used with bot traffic or click farms.

Best Practice:

In the Targeting section of an Offer, make sure that Block Proxy Traffic is enabled.

What is it?

Fake traffic that simulates a user completing a conversion. SDK Spoofing is a more advanced form of this type of fraud.

Best Practice:

Make sure your affiliates are passing placement IDs on clicks (ex. &sub2=[Affiliate Placement ID] and keep a close eye on the quality of installs by Placement ID. Work with your affiliates to optimize so that your budgets are spent on your highest quality sources.

What is it?

Uses bots to send fake data that creates a simulation of real traffic including faked clicks, conversions and events. This can appear as high quality traffic based on event activity, but data does not match from the MMP to the advertiser.

Best Practice:

Implement the Verification Tokens feature - the fraudster doesn't have access to the security token, so they won't be able to easily imitate it.

What is it?

Incentivized traffic is often considered fraud if the Advertiser doesn't allow this promotion method which typically yields a lower user quality than standard promotional methods as the user receives a reward in exchange for taking an action, such as downloading an app.

Best Practice:

Same as bot traffic, keep a close eye on the quality of your affiliate's sources. If you see any unnaturally high conversion rates, investigate those sources with your publisher and make sure the high rates aren't due to incentives.

What is it?

This happens when an advertiser fires a second conversion from the same click ID. By default, Everflow rejects duplicate conversions so as not to pay the affiliate for them. You can change this setting on the Attribution page within the offer.

Best Practice

In the Revenue & Payout section of an Offer, make sure that the setting to allow duplicate conversions is disabled. In the Tracking & Controls section of an Offer, make sure that the setting to enable duplicate clicks is disabled. Disabling duplicate conversions will keep you from paying your affiliates twice, and disabling duplicate clicks will prevent your advertisers from receiving the second click.

Be sure to set targeting restrictions based on the users you want to reach. For example, you can target users in the US, using an iOS device so that other users will not be allowed to convert.

It is recommended to clearly state any major restrictions or required parameters in the Offer Name. Include clear instructions about types of promotions that are approved and restricted in the Description section of your offers.

Please note that any traffic that is blocked by your targeting restrictions is considered invalid. This traffic can be viewed in the Offer Report by clicking the number of Invalid Clicks, which will give you a breakdown for the types of invalid clicks. You can click on any of the invalid types to see a further breakdown of those clicks.

Use Require Approval as the Visibility setting for sensitive offers so that you have to give permission to the affiliate.

You can prevent conversions from being automatically approved for the affiliate until you have manually done so. This can be set in the Revenue & Payout section of an Offer. Please note that the longer you wait to approve conversions manually, the longer the delay is for your affiliate between their click and "conversion" time.

Everflow is integrated with several 3rd party fraud detection partners including 24metrics, IPQualityScore, Forensiq and Anura.

To see Referring URLs, go to Reporting - Conversions and run the report. Click Columns and be sure to include Referrer. Placements show up with referrer URLs when there is another tracking platform re-directing the click right before it reaches Everflow's tracking. Referrer URLs often mean either the affiliate is using an extra domain for their own internal tracking usage, or the affiliate is re-brokering your offers through another platform.

You can use Sub IDs when generating the tracking URL for different affiliates in order to have them pass you back data about the campaign to include on reports. This can be anything from blind site IDs to actual site names.

You can look at the IP addresses of the conversions in order to determine where the conversions are coming from. If you see a lot of conversions coming from the same IP, it could indicate that conversions might be fraudulent.

If you notice a spike in any of the KPIs, it might indicate fraudulent traffic. You can set Alerts from the portal to help stay on top of this. For more information about setting up Alerts - [Click Here]

You can use the Click-to-Conversion Time Report to see the length of time between the click and conversion. If you see a large number of installs on either end of the spectrum, it could indicate fraudulent traffic.