Fraud isn't just a security problem, it's a marketing problem too

Marketers lose billions of dollars to fraud every year, and advertising fraud is often viewed as a cost of doing business. But it shouldn’t be the case, said a recent report by Forrester. According to Forrester, some of the key areas of fraud taking place in any organisation include: 

• Ad fraud and malvertising, which attack marketers’ paid media efforts: Bots power a significant range and volume of fraud in this category: generating fraudulent impressions to boost traffic numbers; faking clicks and conversion actions to steal performance marketing dollars; and spoofing ads in premium media environments to snag big-ticket cost per mile (CPM) campaigns. But nonbot-driven malicious advertising creates real problems as well. Malvertising, which attacks legitimate websites by presenting ads that appear normal but actually execute malicious activity, can hurt publishers and harm consumer experience.

• E-commerce fraud, which derails sales to consumers: Checkout abuse is a type of e-commerce fraud in which bots leverage automation to purchase desired items faster than their human counterparts and then resell that inventory for a profit.Spin fraud, meanwhile, is a type of influence fraud that preys on users’ tendencies to be influenced by their peers — bots play a preferred song or other piece of media on streaming services, generating fraudulent revenue for the artist, pushing the song or media up in perceived popularity, and influencing real customers to give it a try.

• Credential stuffing and card fraud, which helps attackers take over user accounts. In credential stuffing attacks, bots rapidly attempt to log in to a site with previously compromised credentials, hoping that users’ tendencies to reuse passwords will result in a successful login and account takeover. Once a credential stuffing attack has compromised an account, attackers have access to gift card balances, saved credit cards, and rewards points. Card fraud is similar — bots repeatedly enter potential gift card codes at checkout in hopes that some tie back to cards with available balances to steal. 

• Web recon attacks, which identify and exploit security weaknesses. Applications remain a common entry point for attack as attackers exploit vulnerabilities in open source libraries and weaknesses in proprietary code. Web recon attacks use automation to search websites for exploitable flaws — by deploying web recon bots at scale, attackers can more efficiently discover where an application will be most susceptible to an attack. Once they have collected this information, attackers will leverage it to mount a more targeted attack on the organisation.

Marketing fraud impacts everyone in an organisation. When bots commit ad fraud, ad campaigns go to waste. This results in skewed analytics where marketing teams measure the effectiveness of campaign initiatives by looking at metrics.

When bots flood campaigns, a good number of site visits and new accounts will be fake, telling an inaccurate picture of campaign performance. This will prompt marketing teams to make false assumptions and subpar optimisation decisions. Meanwhile, poor customer experience also emerges when organisations are victimised by malvertising risk – it results in poor user experience as site visitors grapple with a range of unexpected problems, including forced redirects to surreptitious malware installation, said the report.

Ultimately, these poor experience can lead to negative sentiments and hurt brand trust. Nonetheless, the real damage emerges when customers that lose accounts due to credential stuffing not only lose access to the account; attackers may steal gift card balances and use credit cards saved to the account.

Organisation will lose time and money helping customers recover their accounts, refunding card balances, and writing off lost inventory. And that’s before considering the costs of angry customers taking their business elsewhere or sharing their bad experiences publicly.

Working with security teams

Today, ad frauds take on new forms and attacks through emerging paid media environments such as connected TV (CTV). Moreover, marketing fraud is a profitable criminal enterprise with profits feeding back into the criminal syndicate, allowing it to develop. 

Meanwhile, security and risk (S&R) professionals have contended with identity and payment fraud for years, and the techniques that fraudsters employ will look very familiar, even as the applications are highly varied.  The real problem that is facing organisations is that marketers and S&R pros can’t appreciate the full damage of fraud because they tackle it from within their respective silos. One bot management and anti-ad-fraud vendor estimated that

90% of the time, the security teams are not engaged in ad fraud discussions with their eCommerce and digital advertising teams.

The study added that organisational disfunction and silos help these fraudsters to proliferate. “Their aim is to exploit weaknesses wherever they exist, and silos are fertile ground for vulnerabilities,” said the report.

The study details that organisations must learn to discuss fraud as an ROI improvement story rather than simply focusing on the negative impacts. For the marketing team, this is a story with myriad benefits to the business, including improved conversion rates and being more effective with marketing spend. For other stakeholders, highlight lower fraud write-offs, less time spent remediating security incidents, and higher customer retention.

Understandably, the security and marketing teams will be driven by different numbers and goals.

For example, the security leader will be looking at attacks prevented, detection times, and blocked malicious requests, while the marketing team will likely care about reach and frequency, lead volume and conversion, and customer spend per transaction. Organisations need to make room to have ongoing collaboration on how to balance the needs of each group relative to their respective KPIs’ value and importance. These need to be acknowledged upfront and stakeholders need to bring their perspectives and proposed KPIs into the decision-making. Organisations must identify shared KPIs such as bot defense rates.

Lastly, companies must develop an RACI model to clarify roles and expectations. The marketing, security, fraud, and customer experience teams all have a stake in this fight — clarify roles early on to help mitigate visceral reactions to other teams playing in your sandbox. This means actively assigning ultimate accountability within the organisation, being clear about who’s tactically responsible for what in the day-today, and making sure all relevant parties are kept informed on a regular basis.

The RACI model (responsible, accountable, consulted, informed) must describe role assignment for technology (such as bot management), buying decisions, technology operations, policy development, exception handling, and incident response, said the report.