What is considered fraud? Fraud - what is it? A new type of fraud in the field of information technology. Don't target suspicious OS versions

At first I wrote it as a comment to the review “Illegal dismissal”, now I decided to write it as a review.

Now Sberbank has another feature - the fight against FRODS (fictitious sales). The management suddenly saw the light. And the witch hunt began, that is, MPs and consultants. The only trouble is that office managers taught employees fictitious sales, regional managers taught managers, regional managers were taught by office network managers. The deputy retail managers knew everything perfectly well and this situation suited them quite well. Of course, ants fill their pockets. Now these unfortunate leaders are pretending that they were not in the know. Many Turkish banks have already replaced up to 50% of their staff of managers and consultants, and in some places office managers have suffered. They removed those who could drag the leaders along with them. That's all! And those who demanded more and more sales to be issued to the mountain sit quietly in their places.

Front offices in Sberbank have been transformed into FROD offices for two years now. And not only in terms of sales. Work with the OMS is also falsified. They cut the 2nd line, it seems there is nowhere else to go. But it turns out that there is still potential for reduction. Another wave of layoffs is coming in the 3rd quarter. The bonus for line 2 employees depends on the fulfillment of the standard for the queues. So they try as hard as they can. In one office, clients are kept near a receptionist, in another, several people are called to the windows. Otherwise, offices fall so far into red tactics on peak days that they are then unable to reach the standard by the end of the month. As a result, employee bonuses, already small, become even smaller. Do you think management, namely deputy retail managers, are not aware? Everyone knows perfectly well that if these FRODs are opened, they will wash their hands. Now they are issuing commands to comply with tactical standards at any cost (these are real verbal orders that operational managers of a group of offices give to deputy heads of offices, citing the fact that they themselves received such orders from above), and then amnesia sets in.

Regulators give consultants the task of selling mobile applications and then they teach you how to falsify. Like, don’t bother downloading the application to the client’s phone, activate it under the client’s login on your tablet. Just don’t do too much, no more than 10 pieces a day. At the end of the month, the numbers are not shabby; in such offices there are more than 100 connections per consultant. None of the managers see? Everyone is just happy with this situation. And then the consultants, in some cases office managers, will be to blame. And would-be managers don’t care about risks... But they like to talk about risk culture. Is it difficult to check how many mobile applications are activated from the ID addresses of consultants’ tablets?

With autotranslations there are also complete frauds. A client came to make a one-time transfer, they connected him to automatic transfer, and even gave him advice, like later you will cancel the SMS. They connect everyone, they don’t even look at the fact that the client’s card is someone else’s (mom, dad, husband, wife, etc.). And these fraudsters receive praise, cups, not to mention bonuses, and set them up as an example to others. In one office there are 100 mobile applications and 100 automatic transfers per consultant, and in another it’s good if there are 20 each. Instead of checking the “super-efficient” people for fraud, they will persecute honest workers. Gentlemen, dig not where there is little, but where there is a lot. Load unloadings are transparent. Choose “super-effective” ones and check. There will be a lot of work to do. Only the ants will start firing, and not those who demand a workload higher than the target audience, and come up with promotions like “Start with yourself.” Why did consultants suddenly start using automatic transfers for themselves and their colleagues? Is it because the regmen forced me, and even asked for a report? And now the regmen have lost their memory.

ISU is just a song! What they do in offices to avoid chronic deviations. Otherwise, the head of the sales department will come and begin not to work out the MIS, but to mock the office manager. But that's a completely different story...

Mr. Gref should start from the top...

He talked about the types of mobile fraud and methods to combat them.

Everyone who works with advertising in applications faces the problem of fraud. If you think you don’t encounter it, you do, you just don’t know about it. The article will help you learn to identify and distinguish between 4 types of fraud that are relevant today.

By 2020, $250 billion will be spent on advertising in mobile apps.

The volume of fraud is only growing and is already approaching 16-17 billion dollars, which advertisers lose annually. To understand how to avoid fraud with such rapid growth, let’s look at the 4 most relevant types.

Installs Hijacking

In Installs Hijacking, malware that resides on the device of the user installing the application detects the download and attempts to intercept the installation, which rightfully belongs to another source. The way to combat this type of fraud is to track the distribution of time from click to install.

Presentation Fighting mobile fraud - new approaches and metrics. Alexander Grach, AppsFlyer

At the beginning of the chart there are extremes where a huge number of installations occur in a short period of time, which does not correspond to human behavior. Using this tracking, we evaluate and filter out this kind of behavior.

Click Flood

Click Flood: malware “intercepts” organic installs by “flooding” the tracking system with a large number of clicks. Apps with good organic traffic are more susceptible to this type of scam.

To understand the method of combating Click Flood, let’s pay attention to the following set of KPIs.

  1. CTIT - time distribution from click to install.
  2. Conversion rate.
  3. Engagement.
  4. Multichannel index.

Let's look at several traffic sources and how they behave based on the KPIs in the table below. There is a source "A" and a source "B". We evaluate them according to 4 KPIs.

CTIT. Normally, the time from click to install is about 40 seconds; about 70% of installations are completed in the first hour and 95% in the first 24 hours. Accordingly, we monitor this indicator.

Conversion rate. Obviously, with a large number of clicks, the conversion is small. Values that are abnormally low, or lower than expected, are checked for fraud.

Engagement. When installed from an organic source, engagement remains at the organic level. This results in a user who behaves well and classily: pays, reaches certain levels, and so on. The level is determined individually: you configure your own understanding of loyal users.

Multichannel index. This is the ratio of the number of auxiliary (assisting) clicks of a source to the number of its last clicks. Tracking platforms use last-click attribution: if an app install was preceded by multiple ad clicks, the last one is considered the converting click and gets credit for the install. With Click Flood, the fraudster sends a huge number of clicks, which clog the conversion funnel and sometimes end up at the bottom of it, so tracking the multi-channel attribution funnel is extremely important.

Let's look at an example of an AppsFlyer cross-channel attribution report:

To describe the methodology, an event is taken - installation. We show the 3 previous clicks and how they relate to each other. For every install on that traffic source, the multi-channel attribution funnel is filled with the same source or specific publisher. This raises questions and prompts certain thoughts. In a normal situation, there will be no clear pattern in the distribution of auxiliary installations throughout the funnel. If you suspect Click Flood, then the difference between these installations is either the same, or it is very close to the installation time - literally a few seconds. Accordingly, it was a burst of clicks, some of which were on target, while all were located close to each other.

Click hijacking

Another type of fraud that can be combated using the multichannel index and multichannel attribution is Click Hijacking. The mechanics are similar to Install Hijacking, but here the malicious application detects a real click and sends a report about the fake click from a competing network, thus intercepting the click and the installation itself.

In the graph above you can see how the time is distributed from the penultimate to the last click. In the Appsflyer model, there is the last click that converts, and the first contributor is the previous click in the funnel. Accordingly, a pattern is visible in multichannel attribution: the penultimate click is unnaturally close to the last. You can immediately cut off such a jump and work with this data with suspicion of Click Hijacking.
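The multichannel checks described for Click Flood and Click Hijacking can be run over attribution funnels as follows. This is an added example, not AppsFlyer code; the funnel layout, source names and both thresholds are assumptions, and the sample funnels are constructed.

```python
from collections import Counter

HIJACK_GAP_S = 5         # assumption: "unnaturally close" means within 5 seconds
SELF_FILLED_SHARE = 0.8  # assumption: share of funnels filled by a single source

# Constructed funnels: (source, unix_seconds), oldest click first; the last click converts.
FUNNELS = [
    # net_flood: every funnel is filled with its own evenly spaced clicks
    [("net_flood", 1000), ("net_flood", 1003), ("net_flood", 1006), ("net_flood", 1009)],
    [("net_flood", 5000), ("net_flood", 5002), ("net_flood", 5004), ("net_flood", 5006)],
    [("net_flood", 9000), ("net_flood", 9003), ("net_flood", 9006)],
    # net_hijack: its converting click lands seconds after another network's click
    [("net_ok", 20000), ("net_hijack", 20002)],
    [("net_ok", 30000), ("net_hijack", 30001)],
    [("net_ok", 41000), ("net_hijack", 41003)],
    # net_ok: ordinary funnels with mixed sources and irregular gaps
    [("net_social", 50000), ("net_ok", 53600)],
    [("net_ok", 60000)],
    [("net_video", 70000), ("net_social", 70900), ("net_ok", 79000)],
]

def multichannel_index(funnels):
    """Assisting clicks divided by converting clicks, for every source that converted."""
    assists, lasts = Counter(), Counter()
    for clicks in funnels:
        lasts[clicks[-1][0]] += 1
        for source, _ in clicks[:-1]:
            assists[source] += 1
    return {s: assists[s] / lasts[s] for s in lasts}

def flood_suspects(funnels):
    """Sources whose multi-click funnels are almost always filled by themselves."""
    multi, self_filled = Counter(), Counter()
    for clicks in funnels:
        if len(clicks) < 2:
            continue
        winner = clicks[-1][0]
        multi[winner] += 1
        if all(src == winner for src, _ in clicks):
            self_filled[winner] += 1
    return sorted(s for s in multi if self_filled[s] / multi[s] >= SELF_FILLED_SHARE)

def uniform_gap_funnels(funnels):
    """Per converting source, funnels of 3+ clicks whose gaps are all identical (a burst)."""
    hits = Counter()
    for clicks in funnels:
        gaps = {b[1] - a[1] for a, b in zip(clicks, clicks[1:])}
        if len(clicks) >= 3 and len(gaps) == 1:
            hits[clicks[-1][0]] += 1
    return dict(hits)

def hijack_suspects(funnels):
    """Per converting source, installs whose penultimate click came from another
    source no more than HIJACK_GAP_S seconds before the converting click."""
    hits = Counter()
    for clicks in funnels:
        if len(clicks) < 2:
            continue
        (prev_src, prev_ts), (last_src, last_ts) = clicks[-2], clicks[-1]
        if prev_src != last_src and last_ts - prev_ts <= HIJACK_GAP_S:
            hits[last_src] += 1
    return dict(hits)

if __name__ == "__main__":
    print(multichannel_index(FUNNELS))
    print(flood_suspects(FUNNELS), uniform_gap_funnels(FUNNELS), hijack_suspects(FUNNELS))
```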

Installs Fraud

The last type of fraud on the list is related to installations - Installs Fraud. Modeling all sorts of distributions is a cool thing, but you always need to have multiple layers of protection. To test any hypotheses, you need to have information from different sources. AppsFlyer decided to use its own data to combat this type of fraud.

The project lasted about six months. All devices from the database were taken. At the moment, the AppsFlyer database includes about 98% of all devices in circulation. The goal of the project was to understand what score each ID has in the system from the point of view of an anti-fraud solution. The scoring is based on 1.4 trillion mobile interactions.

Using big data processing algorithms, every mobile device was assigned a certain rating. The rating scale is similar to the rating of securities: fraudulent devices receive a rating of “C”, suspicious ones “B”, real ones “A”, “AA” or “AAA”, new ones “N”, and LAT (Limit Ad Tracking) devices “X”.

After scoring, the question remained of what to do with the new devices.

Using aggregated data, it became clear that some traffic sources were receiving an abnormally large number of new devices, which turned out to be not the latest Samsung or iPhone models but old devices from 2012-2013 with outdated software versions. This indicates device emulation with subsequent resetting of the advertising identifier. In this case, the fictitious device performs the actions required by the advertising offer, after which it resets the IDFA/GAID and begins a new round of installations. An effective method of catching emulated devices is to use large databases, like AppsFlyer's. When 98% of the devices in circulation are analyzed, each new device is a kind of flag, because a network cannot provide 100% new users. There is a standard circulation of new devices in nature, approximately 5-10%, but absolutely not 100% or even 50%.

If you filter by campaign, you can see that some companies offer more new devices, while others offer less.

Having broken down the sub-publishers, you can see that they are the same. This means that there is one or more suspicious sub-publishers who mix fictitious traffic into different campaigns, into different traffic sources. Thus, by tracking activity, you can catch the fraudster.
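The new-device analysis above, broken down by campaign and then by sub-publisher, can be reproduced like this. It is an added example, not AppsFlyer code: the row layout, campaign and sub-publisher names and the minimum group size are assumptions, and the install rows are constructed; only the rating letters and the 5-10% versus 50% figures come from the text.

```python
from collections import defaultdict

NEW_SHARE_LIMIT = 0.5  # text: 5-10% new devices is normal, 50% or 100% is not
MIN_INSTALLS = 5       # assumption: ignore groups too small to judge

def _rows(campaign, sub_publisher, ratings):
    """Build constructed install rows: (campaign, sub_publisher, device_rating)."""
    return [(campaign, sub_publisher, r) for r in ratings]

# Constructed sample. Ratings follow the scale in the text: C, B, A, AA, AAA, N, X.
INSTALLS = (
    _rows("camp_1", "sub_17", ["N"] * 9 + ["A"])
    + _rows("camp_1", "sub_02", ["N"] + ["AA"] * 9)
    + _rows("camp_2", "sub_17", ["N"] * 8 + ["B"] * 2)
    + _rows("camp_2", "sub_05", ["N"] + ["A"] * 11)
    + _rows("camp_3", "sub_09", ["N"] + ["A"] * 9)
    + _rows("camp_3", "sub_02", ["AA"] * 10)
)

def new_device_share(rows, key):
    """Share of rating-"N" installs per group; `key` maps a row to its group."""
    total, new = defaultdict(int), defaultdict(int)
    for row in rows:
        group = key(row)
        total[group] += 1
        new[group] += row[2] == "N"
    return {g: new[g] / total[g] for g in total if total[g] >= MIN_INSTALLS}

def suspicious_sub_publishers(rows):
    """Map each sub-publisher to the campaigns where its new-device share is abnormal."""
    per_pair = new_device_share(rows, key=lambda r: (r[0], r[1]))
    flagged = defaultdict(list)
    for (campaign, sub), share in sorted(per_pair.items()):
        if share >= NEW_SHARE_LIMIT:
            flagged[sub].append(campaign)
    return dict(flagged)

def cross_campaign_offenders(rows):
    """Sub-publishers that show the abnormal share in more than one campaign."""
    return sorted(s for s, camps in suspicious_sub_publishers(rows).items() if len(camps) > 1)

if __name__ == "__main__":
    print(new_device_share(INSTALLS, key=lambda r: r[0]))  # campaign level
    print(suspicious_sub_publishers(INSTALLS))
    print(cross_campaign_offenders(INSTALLS))
```

At campaign level two campaigns look bad; the sub-publisher breakdown shows that the same sub-publisher is responsible in both.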

Fraud is a disease, but there is a cure for it

Fraud is a disease of mobile application advertising, but many vaccines have already been developed against it. Using the solutions described in the article, you will be able to detect the 4 most popular types of mobile fraud. Don’t skimp on fighting fraud, learn to see it. Constantly look for solutions and contact qualified companies that will help you with this.


Fraud is considered one of the most dangerous crimes against property. There are several articles in criminal law dedicated to it.

The general offense is provided for in Article 159 of the Criminal Code of the Russian Federation. The norm establishes penalties for illegal actions with physical objects or property rights. Article 159 also provides for qualified and especially qualified forms of the offense. Article 159.6 establishes punishment for acts in the field of computer information. Meanwhile, a new type of fraud, referred to simply as "fraud", has recently become widespread. The Criminal Code does not provide for liability for it.

Definition

The word fraud translated from English means “fraud”. Its essence lies in unauthorized actions, unauthorized use of services and resources in communication networks. Simply put, it is a type of fraud in information technology.

The methods of committing a crime are different. Currently, more than 50 different methods of theft in communication networks are known.

Analyzing cases that have taken place in practice, we can say that fraud is a crime that is very difficult to prosecute.

Classification

An attempt to identify types of fraud was made in 1999 by F. Gosset and M. Hyland. They were able to identify 6 main types:

  1. Subscription fraud - contract fraud. It is the deliberate indication of incorrect data when concluding a contract, or the subscriber’s failure to fulfill the payment terms. In this case, the subscriber either does not plan to fulfill his obligations under the contract from the start or at a certain moment refuses to comply with them.
  2. Stolen fraud - using a lost or stolen phone.
  3. Access fraud. The translation of the word access is “access”. Accordingly, the crime consists of unlawful use of services by reprogramming telephone identification and serial numbers.
  4. Hacking fraud - hacker fraud. It is a breach of a computer network's security in order to remove security tools or change the system configuration for unauthorized use.
  5. Technical fraud - technical fraud. It involves the illegal production of payment telephone cards with fake subscriber identifiers, payment marks, and numbers. This type also includes intra-corporate fraud. In this case, the attacker has the opportunity to use communication services at a low price by gaining illegal access to a corporate network. This type of fraud is considered the most dangerous, since it is quite difficult to identify.
  6. Procedural fraud - procedural fraud. Its essence is illegal interference in business processes, for example, billing, in order to reduce the amount of payment for services.

Later this classification was significantly simplified: all methods were combined into 4 groups: procedural, hacking, contract and technical fraud.

Main types

It is necessary to understand that fraud is a crime whose source can be anywhere. In this regard, the question becomes particularly relevant. In accordance with this, the following three types of fraud are distinguished:

  • internal;
  • operator;
  • subscriber.

Let's look at their main features.

Subscriber fraud

The most common actions are:

  • Simulation of signaling using special devices that allow you to make long-distance/international calls, including from payphones.
  • Physical connection to the line.
  • Creation of an illegal communication point through a hacked PBX.
  • Carding - emulation of telephone cards or illegal actions with prepaid cards (for example, replenishment by fraud).
  • Deliberate refusal to pay for telephone calls. This option is possible if services are provided on credit. As a rule, the victims are mobile operators that provide roaming services, where information is transmitted between operators with a delay.
  • Cloning handsets, SIM cards. Cell scammers get the opportunity to make calls in any direction for free, and the invoice will be sent to the owner of the cloned SIM card.
  • Using the telephone as a calling point. Such actions are carried out in places where there are connections: at airports, train stations, etc. The essence of the fraud is as follows: using a found/stolen passport, SIM cards are purchased, the tariffs for which provide for the possibility of debt formation. For a small fee, those interested are invited to call. This continues until the number is blocked for the resulting debt. Of course, no one is going to pay it off.

Operator fraud

Often it is expressed in the organization of very intricate schemes associated with the exchange of traffic on networks. Some of the most common illegal actions include the following:

  • Intentional distortion of information. In such cases, an unscrupulous operator configures the switch so that calls can be diverted through another unsuspecting operator.
  • Multiple call returns. As a rule, such “cycling” occurs when there are differences in the tariffs of operators when transferring calls between them. An unscrupulous operator returns the call to the outgoing network, but through a third party. As a result, the call returns again to the unscrupulous operator, who can send it again along the same chain.
  • "Touchdown" of traffic. This type of fraud is also called "tunneling". It occurs when an unscrupulous operator transmits its traffic to the network via VoIP. An IP telephony gateway is used for this.
  • Traffic diversion. In this case, several schemes are created that provide for the illegal provision of services at reduced prices. For example, 2 unscrupulous operators enter into an agreement to generate additional income. However, one of them does not have a license to provide communication services. In the terms of the agreement, the parties stipulate that an entity that does not have permission will use the partner’s network as a transit network to pass and infuse its traffic into the network of a third party - the victim operator.

Internal fraud

It involves actions by communications company employees related to traffic theft. An employee, for example, can take advantage of his official position to make illegal profits. In this case, the motive of his actions is self-interest. It also happens that an employee deliberately causes damage to the company, for example, due to a conflict with management.

Internal fraud can be committed by:

  • Hiding some information on switching devices. The equipment can be configured so that for some routes information about the services provided will not be recorded or will be entered into an unused port. Actions of this kind are extremely difficult to detect, even when analyzing data from the billing network, since it does not receive primary information about connections.
  • Hiding part of the data on billing network equipment.

This is a fairly specific fraud scheme. It is associated with online shopping.

Customers place an order and pay for it, usually by bank transfer from a card or account. They then initiate a chargeback, claiming that the payment instrument or account information has been stolen. As a result, the funds are returned, and the purchased product remains with the attacker.

Practical difficulties

As practice shows, attackers use several fraud methods at once. After all, who are they in essence? They are people who are well versed in information technology.

In order not to be caught, they develop various schemes, which are often almost impossible to unravel. This is achieved precisely by using several illegal models simultaneously. In this case, some method can be used to send law enforcement agencies on a false trail. Fraud monitoring often does not help either.

Today, most experts come to the same conclusion that it is impossible to compile an exhaustive list of all types of telecommunications fraud. This is understandable. First of all, technology does not stand still: it is constantly evolving. Secondly, it is necessary to take into account the specifics of this area of criminal activity. Telecommunications fraud is closely related to the sale of specific services by certain telecom operators. Accordingly, in addition to general difficulties, each company will have its own specific problems.

General principles of combating fraud

Any operator should have an understanding of the existing types of telecommunications fraud. The classification helps to organize activities aimed at combating crime.

The most common classification divides fraud by functional area:

  • roaming;
  • transit;
  • SMS fraud;
  • VoIP fraud;
  • PRS-fraud.

However, the classification does not make it easier for the operator to solve the problem of providing protection against fraud. For example, transit fraud involves the implementation of a huge number of fraudulent schemes. Despite the fact that they are all, to one degree or another, related to the provision of one service - traffic transit, they are identified using completely different tools and methods.

Alternative classification

Given the complexity of the problem, when planning fraud monitoring activities, operators should use a typology of fraudulent schemes based on the methods of their detection and identification. This classification is presented in the form of a limited list of fraud classes. The operator can assign any emerging fraud scheme, including a previously unaccounted for one, to a class depending on the method used to uncover it.

The starting point for such a division is the idea of any model as a combination of 2 components.

The first element is the “pre-fraud state”. It assumes a certain situation, a combination of conditions that have arisen in the system settings, in business processes, favorable for the implementation of a fraudulent scheme.

For example, there is such a model as “phantom subscribers”. These subjects received access to services, but were not registered in the billing system. This phenomenon is called the “pre-fraud state” - desynchronization of data between network elements and accounting systems. This, of course, is not fraud yet. But in the presence of this desynchronization, it may well be realized.

The second element is the “fraud event”, i.e. the action for which the scheme is organized.

If we continue to consider “phantom subscribers”, the action will be considered an SMS, call, traffic transit, data transfer made by one of such subscribers. Due to the fact that it is not in the billing system, services will not be paid for.
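The two components of the “phantom subscribers” model can be checked separately: first reconcile network provisioning against billing (the pre-fraud state), then look for usage by the mismatched subscribers (the fraud event). This is an added example, not taken from any operator's tooling; the subscriber ids, field names and billing statuses are hypothetical, the data is constructed, and treating a closed billing account as desynchronization is an assumption that goes beyond the "not registered in billing" case in the text.

```python
from collections import defaultdict

# Constructed data; ids, field names and statuses are hypothetical.
NETWORK_ACTIVE = {"SUB-001", "SUB-002", "SUB-003", "SUB-004", "SUB-005"}  # have service access
BILLING = {
    "SUB-001": "active",
    "SUB-002": "active",
    "SUB-004": "closed",   # assumption: a closed account that still has access is also a mismatch
    "SUB-006": "active",   # billed but not provisioned: not a phantom, ignored here
}
USAGE = [
    {"sub": "SUB-001", "kind": "call", "units": 120},
    {"sub": "SUB-003", "kind": "sms", "units": 1},
    {"sub": "SUB-003", "kind": "call", "units": 900},
    {"sub": "SUB-004", "kind": "data", "units": 2048},
    {"sub": "SUB-002", "kind": "sms", "units": 1},
]

def pre_fraud_state(network_active, billing):
    """Subscribers with service access but no chargeable billing account."""
    findings = {}
    for sub in sorted(network_active):
        status = billing.get(sub)
        if status is None:
            findings[sub] = "not_in_billing"
        elif status != "active":
            findings[sub] = "billing_" + status
    return findings

def fraud_events(usage, findings):
    """Unbilled usage by desynchronized subscribers, totalled per subscriber and kind."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in usage:
        if rec["sub"] in findings:
            totals[rec["sub"]][rec["kind"]] += rec["units"]
    return {sub: dict(kinds) for sub, kinds in totals.items()}

def triage(network_active, billing, usage):
    """Split findings into 'state only' (fix the sync) and 'event seen' (revenue already lost)."""
    findings = pre_fraud_state(network_active, billing)
    events = fraud_events(usage, findings)
    return {
        "state_only": sorted(set(findings) - set(events)),
        "event_seen": sorted(events),
    }

if __name__ == "__main__":
    print(pre_fraud_state(NETWORK_ACTIVE, BILLING))
    print(fraud_events(USAGE, pre_fraud_state(NETWORK_ACTIVE, BILLING)))
    print(triage(NETWORK_ACTIVE, BILLING, USAGE))
```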

Fraud and GSM

Technical telecommunications fraud poses many problems.

First of all, instead of a controlled and legal connection, mailings are carried out from an unknown device. The situation is complicated by the fact that the content of messages cannot be moderated (checked).

Secondly, in addition to losses from unpaid mailings, the operator’s direct costs for network expansion increase due to the increased load on devices due to illegal signaling traffic.

Another problem is difficulties in mutual settlements between operators. Of course, no one wants to pay for pirated traffic.

This problem has become alarming. To overcome this situation, the GSM Association has developed several documents. They explain the concept of SMS fraud and provide recommendations on the main methods for detecting it.

Experts cite untimely updating of the phone OS as one of the reasons for the spread of SMS fraud. Statistics show that a large number of users do not want to buy a new phone until the device they are using fails. Because of this, more than half of the devices run old software, which, in turn, has gaps. Scammers use these gaps to implement their schemes. Meanwhile, modern versions also have their vulnerabilities.

You can fix the problem by updating the system to the latest version and running an application that detects vulnerabilities.

It must be remembered that attackers do not separate mobile and fixed-line communications. Fraud schemes can be implemented in any vulnerable network. Fraudsters study the features of both connections, identify similar gaps and penetrate them. Of course, the threat cannot be completely excluded. However, it is quite possible to eliminate the most obvious vulnerabilities.


Anti-fraud systems in domestic companies have been gaining increasing popularity over the past few years. In the light

Anti-fraud systems in Online Banking services

To secure financial transactions for individuals, RBS services, in particular online banking, use restrictions or limits on transactions. This is the second line of defense in a fraud monitoring solution:

  • limiting the number of purchases on one bank card or by one user for a certain period of time;
  • limitation on the maximum amount of a one-time purchase per card or by one user in a certain period of time;
  • limit on the number of bank cards used by one user in a certain period of time;
  • limit on the number of users using one card;
  • accounting of purchase history by bank cards and by users (so-called “black” or “white” lists).

A mandatory requirement for the implementation of such rules is user recognition according to various parameters and algorithms. Accordingly, the advantage of an anti-fraud service is determined by its ability to recognize a fraudster quickly and with the highest possible probability. Another function of fraud monitoring is the ability to evaluate buyer behavior during the process of making an electronic payment, for example, in an online store. How much truthful information a person provides about himself, and how well the set of user parameters matches the standard behavior patterns of respectable buyers: these are all factors that fraud monitoring services try to take into account when assessing the likelihood of fraud.

Let's look at an illustrative case to understand how the anti-fraud system works.

First of all, a transaction (financial transaction) undergoes a primary analysis based on factors such as those described above. Then, based on the analysis, it is assigned a “label”, which determines how the transaction is processed. There are three types of labels:

  • The "green" label marks transactions with a low likelihood of fraud.
  • The "yellow" label marks transactions with a higher than average chance of fraud, which require additional attention to process the payment.
  • The "red" label marks transactions that are most likely to be fraudulent, which require documentary confirmation of the cardholder's authenticity.

The simplest protection settings, which any merchant can configure, are used: protection against guessing of CVV codes and card numbers; analysis of card parameters by bank, owner, product type, country of issue and geography of use; buyer identification by purchase history; retrospective analysis of purchases; detection of suspicious transactions by fingerprints of the equipment used; domain and IP address verification; and so on.
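One way to combine the per-card and per-user limits with the three labels is sketched here. It is an added example, not the code of any payment provider; the field names, the window length, the numeric limits and the factor used for a "noticeably higher" amount are all assumptions, and the transactions are constructed.

```python
from collections import defaultdict

WINDOW_S = 24 * 3600          # assumed length of "a certain period of time"
MAX_PURCHASES_PER_CARD = 3    # assumed limit
MAX_CARDS_PER_USER = 2        # assumed limit
HIGH_AMOUNT_FACTOR = 3        # assumed: amount above 3x the average receipt is "high"

def _tx(tx_id, user, card, card_country, ip_country, amount, ts):
    return {"id": tx_id, "user": user, "card": card, "card_country": card_country,
            "ip_country": ip_country, "amount": amount, "ts": ts}

# Constructed transactions for a store in RU with an average receipt of 2000.
TXS = [
    _tx("t1", "u1", "c1", "RU", "RU", 1500, 0),
    _tx("t2", "u2", "c2", "RU", "RU", 9000, 100),    # amount far above the average
    _tx("t3", "u3", "c3", "US", "ES", 1800, 200),    # foreign card, payer elsewhere
    _tx("t4", "u4", "c4", "RU", "RU", 500, 300),
    _tx("t5", "u4", "c4", "RU", "RU", 500, 400),
    _tx("t6", "u4", "c4", "RU", "RU", 500, 500),
    _tx("t7", "u4", "c4", "RU", "RU", 500, 600),     # 4th purchase on one card
    _tx("t8", "u5", "c5", "RU", "RU", 700, 700),
    _tx("t9", "u5", "c6", "RU", "RU", 700, 800),
    _tx("t10", "u5", "c7", "RU", "RU", 700, 900),    # 3rd card for one user
]

def label_transactions(txs, store_country, avg_receipt):
    """Return {tx_id: (label, reasons)}, processing transactions in time order."""
    card_times = defaultdict(list)   # card -> timestamps of earlier purchases
    user_cards = defaultdict(list)   # user -> (timestamp, card) of earlier purchases
    result = {}
    for tx in sorted(txs, key=lambda t: t["ts"]):
        reasons = []
        recent = [t for t in card_times[tx["card"]] if tx["ts"] - t < WINDOW_S]
        if len(recent) + 1 > MAX_PURCHASES_PER_CARD:
            reasons.append("card_velocity")
        cards = {c for t, c in user_cards[tx["user"]] if tx["ts"] - t < WINDOW_S}
        if len(cards | {tx["card"]}) > MAX_CARDS_PER_USER:
            reasons.append("cards_per_user")
        if tx["amount"] > HIGH_AMOUNT_FACTOR * avg_receipt:
            reasons.append("high_amount")
        foreign_card = tx["card_country"] != store_country
        if foreign_card:
            reasons.append("foreign_card")
        if foreign_card and tx["ip_country"] != tx["card_country"]:
            reasons.append("payer_geo_mismatch")
            label = "red"
        elif reasons:
            label = "yellow"
        else:
            label = "green"
        card_times[tx["card"]].append(tx["ts"])
        user_cards[tx["user"]].append((tx["ts"], tx["card"]))
        result[tx["id"]] = (label, reasons)
    return result

if __name__ == "__main__":
    for tx_id, (label, reasons) in label_transactions(TXS, "RU", 2000).items():
        print(tx_id, label, reasons)
```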

With "green" transactions everything is as simple as possible: for example, the payer makes a payment from Russia, using a card issued by a Russian bank. The payment amount does not exceed the average store receipt. The monitoring system assigns the transaction a "green" label. Next, the transaction is sent for authorization using 3-D Secure. If the card is not subscribed to the one-time password service, or the issuing bank does not yet support this service, a request for authorization of this transaction is sent to the processing center of the paying bank in the usual way, that is, directly.

An average level of fraud risk calls for a different way of checking the legitimacy of the payment. The "yellow" label is assigned to transactions with average and above-average risk of fraud. For example, in a Russian online store, a purchase is paid for with a bank card issued in Russia, but the amount is noticeably higher than the overall average receipt. If the payer cannot use this method of payment authorization, the bank card is automatically sent for online validation or manual verification.

The fraud monitoring system automatically assigns the "red" label to transactions with a high level of risk of fraud. For example, payment in a Russian online store is made with a card issued in the USA, and the payer is located in Spain.

Problems with using anti-fraud systems

According to the portal www.banki.ru, the most popular type of scam with bank cards is the so-called "friendly fraud". How does the FF mechanism work? The cardholder makes a purchase online and then demands a chargeback from the bank, that is, a refund to the card on the grounds that the service was not provided. If the store cannot prove that the payer’s claims are unfounded, the bank must reimburse the card owner the required amount, and the “costs” fall, naturally, on the online store. Thus, online stores may suffer from hackers who illegally penetrate the site’s system, from their own employees who use the company’s databases without authorization, and from unscrupulous customers who provide incorrect payment information in order to avoid payment or who initiate a refund after the goods have been shipped or the service has been provided.

Therefore, it becomes very important to collect evidence and technical details to prove the fact of fraud. Accordingly, if there was a preliminary conspiracy between the employees of the online store and the bank, then most likely any investigation attempts will not be successful. Anti-fraud systems have not yet learned to resist the human factor.

Just like any other service, fraud monitoring systems have their own "production costs". Declined payments can lead to the loss of customers, and therefore profits. Without proper configuration, filters may block transactions that are significant for an online store, which will certainly not please customers. Therefore, when choosing a payment service provider, you should pay attention to the declared conversion into successful payments. For example, the conversion rate to successful payments after "manual" configuration of the PayOnline electronic payment system is 93-96%, and this is a very good indicator for the market. The drawback of the Verified by Visa and MasterCard SecureCode solutions is that, at present, not all banks are able to process incoming requests correctly and conveniently for the cardholder, which may make it impossible to confirm the intention to complete a transaction; in other words, it reduces conversion.

Another unpleasant but important point that will be encountered when implementing a fraud monitoring system on the side of the online store is the protection of user data, both personal and payment. It will be necessary to undergo certification of compliance with the requirements of the PCI DSS standard, and also to take into account the restrictions on data storage and processing regulated by federal law.

And some infographics on the topic of fraud in Russia

1) Unrealistically short time between clicks and targeted actions

Standard Internet connection speed allows you to download the application in 30 seconds. In this case, installations from one channel can take 2-10 seconds. Such traffic can be considered fraudulent.

2) Obviously patterned user behavior after clicking on an ad

Real users spend different amounts of time deciding to download an app and browsing internal pages. They will have different Internet connection speeds and different purposes for entering the application/website.

A channel that consistently shows the same sequence of user actions or equal intervals between clicks is most likely fraudulent.

3) Different geo for clicks and installs of the same user

Any device connected to the Internet has an IP address. It contains information about the region you are in. If the user is on mobile Internet, the IP address comes from the mobile provider. If the user connects to the Internet via Wi-Fi, the IP comes from the Internet connection point.

Clicking in one region and downloading an application in another is almost impossible.

4) Abnormally many clicks from one IP/ID

This is the first sign that you are receiving traffic from a bot farm, although such indicators may also point to the work of real people: for example, when fraudsters reset the advertising identifiers of the devices they use and perform the installations and targeted actions again.

5) Too little or too much click-to-install conversion

If the conversion from clicks to installs is below 0.3% with a large flow of traffic, most likely fraudsters are clicking on ads.

A conversion above 30% is also a sign of fraud. These values are realistic for search campaigns. In other cases, there is a high probability that the installations are not real. The same goes for unrealistically high or negligible CTRs and eCPM. If their values for a particular channel differ too much from the average, you can add the source to the list of fraudulent ones.

6) Suspicious activity at night

Typically, users within the same geo are more active in the morning, afternoon or evening. And programs that generate fraud can work 24 hours a day. Many clicks and installs at night, similar in number to organic indicators at other times of the day, raise suspicion. A source with such traffic needs additional checks.

As a rule, most actual installations occur within the first hour after a click. By the second hour, the number of installations drops sharply. In fraud campaigns, due to the specifics of how programs work, the installation curve is much more even.

8) Lack of basic events

If you monitor the hello screen or app opening and see that these actions do not occur after installation, you are most likely faced with fraud.

Fraudsters can imitate a report on the completion of a targeted action in the analytics system. Then you will see a report about the installation and the necessary in-app activity, while the steps required for real users will be skipped.

An extremely low Retention Rate and the removal of the application immediately after installation indicate motivated traffic: scammers download the application and immediately delete it. A rare but possible case: a real user downloaded the application but did not want or forgot to use it.
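The per-channel checks from signs 1, 3, 4 and 5 above, as an added Python example that is not part of the original article, run over constructed click and install data. The 0.3%/30% conversion bounds and the 10-second window come from the text; MIN_CLICKS, SHARE, the flag names and the record layout are assumptions.

```python
from collections import Counter, defaultdict

FAST_INSTALL_S = 10  # page: installs 2-10 s after the click are suspect
CR_LOW, CR_HIGH = 0.003, 0.30  # page: conversion below 0.3% or above 30%
MIN_CLICKS = 1000  # assumption: what counts as "a large flow of traffic"
SHARE = 0.2  # assumption: flag a sign seen in more than 20% of installs

def audit(clicks, installs):
    """Return {channel: [flags]}.

    installs rows: (channel, seconds_click_to_install, click_region,
    install_region, ip); clicks: {channel: click_count}.
    """
    by_channel = defaultdict(list)
    for channel, *rest in installs:
        by_channel[channel].append(rest)
    report = {}
    for channel, n_clicks in clicks.items():
        rows, flags = by_channel.get(channel, []), []
        n = len(rows)
        cr = n / n_clicks if n_clicks else 0.0
        if cr < CR_LOW and n_clicks >= MIN_CLICKS:
            flags.append("conversion_too_low")
        elif cr > CR_HIGH:  # can be normal for search campaigns
            flags.append("conversion_too_high")
        if n:
            fast = sum(1 for secs, *_ in rows if secs <= FAST_INSTALL_S)
            geo = sum(1 for _, c_geo, i_geo, _ in rows if c_geo != i_geo)
            top_ip = Counter(ip for *_, ip in rows).most_common(1)[0][1]
            if fast / n > SHARE:
                flags.append("fast_installs")
            if geo / n > SHARE:
                flags.append("geo_mismatch")
            if n >= 5 and top_ip / n > SHARE:
                flags.append("ip_concentration")
        report[channel] = flags
    return report

# Constructed sample data, not real traffic (documentation IP ranges).
CLICKS = {"organic_like": 200, "fast_net": 20, "spam_net": 10000}
INSTALLS = (
    [("organic_like", 40 + 7 * i, "RU-MOW", "RU-MOW", f"198.51.100.{i}") for i in range(10)]
    + [("fast_net", 3, "RU-MOW", "RU-SPE", "203.0.113.7") for _ in range(8)]
    + [("spam_net", 600 + i, "RU-KZN", "RU-KZN", f"192.0.2.{i}") for i in range(12)]
)

if __name__ == "__main__":
    for channel, flags in audit(CLICKS, INSTALLS).items():
        print(channel, flags or "no signs")
```

A flagged channel is a candidate for the additional checks the article describes, not proof of fraud on its own.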

Types of Fraud

Spoofing SDK

SDK spoofing is a type of fraud in which fraudsters control the transmission of messages between the application SDK and the server that receives the information.

The original messages are changed to ones that are more beneficial to the advertiser. For example, a report on the display of a banner is replaced with a signal about an application download. As a result, you see new installations that never actually happened.

Click spam

A type of spam in which scammers place banners so that users do not see them and click on them without knowing it. For example, you click on the play button on a free online movie theater website and are taken to a third-party site. Or you play a game inside the application and each tap on the screen counts as a click on banners that you don’t even see. These clicks count as ad clicks.

Signs that you have become a victim of this type of fraud:

  • organic install volumes have dropped sharply;
  • paid users behave the same way as those who came from organic installs.

Click injection

In some classifications it is identified as a subtype of click spam. The user installs an application with malicious code. Typically, these are fake copies of popular applications or applications in the “tools” category. The fraud source tag is assigned to the infected device.

When a user (even long after the code has been deployed) downloads the relevant application, the install will be counted as coming from a click on the ad, because it will have a corresponding label in the analytics.

Only smartphones running the Android operating system are affected.

Typically, this type of attack is indicated by a very short (<2 seconds) time period between click and installation.

Bot traffic

Fraudsters create farms where they collect large numbers of smartphones. The devices are connected to a program that simulates the actions of real users on them: clicking on advertisements, installing an application, watching videos, etc. There is another option for organizing a farm: instead of many devices, a program is used that creates virtual copies of devices with constantly updated IDs. The program still simulates the actions of real users, but on the server.

To avoid detection, scammers change IP addresses and route traffic through TOR or VPN.

Most likely your installations are fake:

  • if they are immediately followed by deleting the application;
  • if the analytics contains many clicks/installs from one IP address.

Incentivized traffic

There are special sites where users are paid for performing certain actions: clicks, installations, in-app actions, etc. Such traffic is called motivated because users perform targeted actions for a certain reward. Usually this is a small amount of real money or in-game currency. On average, up to 200 rubles per targeted action.

Sometimes users are prompted to perform actions offline. For example, a motivated user can leave a request to view an apartment in a new building and even go for a viewing.

Traffic is most likely motivated if:

  • the retention rate from one channel is consistently low;
  • users delete the application immediately after downloading or download and do not log in;
  • the analytics contains many installations with the same behavior model: users who download apps for a reward are often sent scripts of in-app activity (download, click on certain buttons, delete after three days).

How to protect yourself from fraud

1) Update your SDKs

In new versions, protection systems against fraudulent traffic are also updated.

2) Discuss risks with contractors

At the beginning of work, discuss with your contractors how payment and further work will be handled if you discover fraud. Write down in the contract what you will do in such cases. For example, you can stipulate which traffic, based on indicators in analytics, will be considered fraud and will not be paid for.

3) Remove contractors with fraudulent traffic

If you or your anti-fraud system has detected fraudulent traffic that comes in large quantities from one of the contractors, apply penalties to this company. If this happens repeatedly, then it’s easier to disable the channel that supplies low-quality traffic.

4) Don't target suspicious OS versions

Do not target advertising to devices with outdated or not yet released OS. As a rule, bot farms purchase old smartphones that only support older versions of the OS. This way you will cut off a small percentage of real users, but you will avoid fraud attacks.

5) Follow the analytics

Analysis of conversions by IP, device info, time between click and conversion, user lifetime after installing the application, and conversions via VPN or proxy can reveal fraud.

6) Use services with built-in antifraud

Mobile trackers and analytics systems have their own anti-fraud solutions: Adjust, Appsflyer, Fraudlogix.

All of these programs cost money. To evaluate the feasibility of investing in an anti-fraud solution, you can test a trial version. If during the trial period the system detects fraudulent traffic in an amount that covers its cost, then it is worth renewing the subscription.

CPI networks are associated with a large number of small traffic providers, which makes them a favorable area for scammers. It is also an important and large channel. The budgets allocated for it are decent, which means losses from fraud can be significant.

When detecting fraud from a CPI network, you need to look at sub-sources and disable those from which the fraud comes. If the total volume of fraud from the network does not fall below 10%, despite constant work to disable suspicious sub-sources, you can try to figure out the reason. Perhaps transfer the budget to a more reliable source.

An anti-fraud tool saves a lot of time, replacing the need for manual processing of large amounts of data. It serves as a mediator, giving its guarantees in controversial situations with partners. And, of course, it saves the budget by helping to weed out fraud.

I tested several large services and did not find any noticeable advantages over others in any of them. A more effective solution, in my opinion, can only be the development of an internal solution.

Stanislav Izmailov, marketing manager at BlaBlaCar


