Click Fraud: Risks and Controls
Understanding the risk and control issues associated with different online advertising models can help auditors deter fraud and ensure that organizations get their ad's worth.
Eli Rohn, Ph.D., CISA, CNA
Online advertising is big business. All you have to do is open any commercial Web site to witness the sheer volume of ads that are available for your viewing, and clicking, pleasure. While some may find these ads a bit bothersome ― especially if you have to close several pop-up ads announcing the latest online survey or fashion trend ― Internet advertising is here to stay. In fact, online advertising exceeded US $15 billion in 2006, while revenue generated from Internet advertising during the first nine months in 2007 totaled US $15.2 billion ― a 26 percent increase from the previous year, according to research by PricewaterhouseCoopers LLP.
However, while Internet advertising increasingly plays a major role in companywide marketing and sales efforts, the risks stemming from online advertising fraud increase as well. As part of their work, internal auditors can help senior managers learn about the risks and control issues associated with the online advertising models in use today and provide recommendations that will help organizations enhance the security of their Internet advertising efforts.
BUSINESS MODELS AND RISKS
To date, two business models are widely used in Internet advertising activities: cost-per-thousand impressions (CPM) and pay-per-click (PPC). In the CPM model, the advertiser pays the ad server for exposure of their message (i.e., impression) whether the ad is clicked on or not, while in the PPC model, the ad serving company pushes ads multiple times at its discretion to different publishers for display and the advertiser only pays if the ad is clicked on.
Regardless of the business model the organization chooses, the advertiser selects a set of keywords, decides on a bid price for each keyword, allocates a daily budget, and associates an ad with each keyword. When a consumer searches for one or more of the selected keywords, search engines then display the ads associated with the highest bids for that keyword on the search results page.
In addition, the ad publisher may rely heavily on affiliations with third parties that, in turn, may have relations with their own third parties to publish ads. Because each one of these business models poses several fraud risks, it is important for internal auditors to understand what these risks are. Following is a discussion of these risks. (Note: The information below focuses on risk to advertisers only. Risks relating to ad brokers and ad publishers are omitted from this discussion.)
Known CPM Risks
There are three risks to organizations using the CPM business model for their online ads:
- Risk 1. Advertisers using CPM have no way of knowing or assuring that their ad was displayed a thousand times.
- Risk 2. The CPM ad may have been placed outside the agreed-upon context. For example, even if AerialOperations.com signed a contract to have its impressions placed only on queries or Web sites associated with New York City tourism, the company has no way of validating that its impressions were displayed in that context.
- Risk 3. Since a CPM publisher's income is directly related to its Web sites' traffic, there is an incentive for fraudulent publishers to inflate the number of impressions their Web sites generate. Older fraud detection techniques depend on detecting uncommon patterns and spikes in traffic. However, fraudulent publishers circumvent this type of detection by developing inflated traffic patterns that resemble real traffic and by replicating traffic across multiple mirror sites (i.e., duplicates of an original site that are hosted on different servers). Artificial traffic inflation also is achieved by collusion among brokers and publishers, which is a growing trend according to information published by the ClickFraudNetwork.
Known PPC Risks
The most common risks to organizations using the PPC business model that auditors need to be aware of include:
- Risk 1. Companies using the PPC model have no control over the number of times their ads will be shown because this depends on the broker's and publisher's ad-serving algorithms, which in turn depend on space availability on the target Web page, relevance of the ad to the search, and other attributes. Therefore, an ill-designed ad campaign using the PPC model may result in the display of few ads or none at all. Two primary factors in the design of a PPC campaign that an advertiser can control are the proper selection of keywords associated with the ad and the amount an advertiser is willing to pay per click.
- Risk 2. If an ad was clicked on, the advertiser has no way of knowing whether or not the click was legitimate (e.g., done by a person who has genuine interest in the product or service). All other clicks are considered fraudulent. According to an October 2006 Washington Post article, the fraudster might be motivated to inflate PPC revenue or to deplete a competitor's advertisement budget, thus damaging the competitor's ad campaign. Fraudulent clicks can be placed by an individual or by dedicated clicking software. The latter is sometimes achieved by viruses running on the computer of an unsuspecting victim who might not know that the computer is infected.
CONTROLS FOR ONLINE ADVERTISEMENT RISKS
Approaches based on a centralized control mechanism (e.g., a single monitoring software running on an advertiser's computer) cannot be applied directly to the aforementioned CPM risks due to the distributed nature of online advertisement models. Furthermore, preventive controls might be hard to implement due to user anonymity and an inability to know a clicker's intentions. Therefore, commercially available risk mitigation methods use detective controls. Following is a description of how auditors can address each of the risks described earlier.
Controls for CPM Risk 1
Advertisers have no way of assuring their ad was displayed a thousand times.
This risk can be addressed by providing audit rights to the advertiser for the purpose of conducting a forensic review of the broker's ad-server logs. Doing so will give the advertiser's auditors rights to obtain a copy of the logs for examination. Effective forensic reviews must also include the advertiser's own Internet server traffic log; a lack of good correlation between the two logs is an indicator of problems. For example, the broker's ad-server log could show that 500 ads were served last Friday between 8:00 a.m. and 12:00 p.m., while the advertiser's log may show no referrals coming from the ad during that time period.
According to Jupiter Research's click rate estimate, advertisers should expect a 2 percent click rate. In the example above, this should translate into a registration of 10 entries in the advertiser's Web server log. Because publishers are paid by the traffic they drive to advertisers, this creates an incentive for fraudulent publishers to inflate the number of impressions they generate. Such inflation can be achieved by the publisher mirroring its Web site multiple times using different domain names (i.e., URLs) and then driving traffic through those Web sites, which are seldom visited by real users. Therefore, conducting a forensic audit of the ad server log's data could reveal that the bulk of the ads were served to known mirror Web sites.
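The correlation described above, as an added example that is not part of the original article: both logs are constructed in code, the broker rows are assumed to be (timestamp, publisher host) pairs and the advertiser rows (timestamp, referrer host) pairs, and the 2 percent expected click rate from the text is used to flag windows where referrals fall far short of impressions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_CLICK_RATE = 0.02  # 2 percent click rate cited in the article


def window_key(ts, hours):
    """Bucket a timestamp into a fixed window (e.g., 08:00-12:00 -> 08:00)."""
    return ts.replace(hour=(ts.hour // hours) * hours, minute=0, second=0, microsecond=0)


def correlate(broker_rows, advertiser_rows, hours=4):
    """Return {(window, publisher): (impressions, referrals, expected_referrals)}.

    broker_rows: (timestamp, publisher_host) per served impression (assumed shape)
    advertiser_rows: (timestamp, referrer_host) per referred visit (assumed shape)
    """
    impressions = defaultdict(int)
    referrals = defaultdict(int)
    for ts, publisher in broker_rows:
        impressions[(window_key(ts, hours), publisher)] += 1
    for ts, referrer in advertiser_rows:
        referrals[(window_key(ts, hours), referrer)] += 1
    return {key: (n, referrals.get(key, 0), n * EXPECTED_CLICK_RATE)
            for key, n in impressions.items()}


def flag(report, min_impressions=100, min_fraction=0.25):
    """Flag windows with many impressions but far fewer referrals than expected."""
    findings = []
    for (window, publisher), (imps, refs, expected) in sorted(report.items()):
        if imps >= min_impressions and refs < expected * min_fraction:
            findings.append((publisher, window, imps, refs))
    return findings


# Constructed sample: 500 impressions each from two publishers on a Friday morning.
# The legitimate site yields the expected ~10 referrals; the suspected mirror yields none.
START = datetime(2007, 11, 2, 8, 0)
BROKER_ROWS = [(START + timedelta(seconds=28 * i), host)
               for host in ("nyc-tourism.example", "nyc-tourism-mirror.example")
               for i in range(500)]
ADVERTISER_ROWS = [(START + timedelta(minutes=20 * i), "nyc-tourism.example")
                   for i in range(10)]

if __name__ == "__main__":
    for publisher, window, imps, refs in flag(correlate(BROKER_ROWS, ADVERTISER_ROWS)):
        print(f"{publisher}: {imps} impressions from {window:%H:%M}, only {refs} referrals")
```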
Controls for CPM Risk 2
The CPM ad may have been placed outside the agreed-upon context.
To address this risk, auditors can use a slightly different forensic analysis than the one mentioned for CPM risk 1. Using the broker's ad server logs, the auditor can concentrate on the top three to five sites that published the majority of the impressions to reveal the nature of and relevance to the ad. Searching the site on a reputable search engine may give an indication of whether the Web site uses cloaking (i.e., a technique in which the content presented to the search engine spider differs from the one presented to the users' browser). If cloaking is used, auditors need to investigate the Web site further to determine if it is part of a fraud scheme or if it is used for legitimate purposes, such as serving content in the language of the user's geographical location.
Controls for CPM Risk 3
There is an incentive for fraudulent publishers to inflate the number of impressions their Web sites generate.
When addressing CPM risk 3, auditors can use sophisticated server log analysis techniques that detect a variety of fraud attacks. Recently published theoretical approaches use an algorithm named Similarity-Seeker to discover coalitions of two fraudsters and to detect coalitions of arbitrary sizes (for more information on Similarity-Seeker, read "DETECTIVES: DETEcting Coalition hiT Inflation attacks in adVertising nEtworks Streams," PDF, 285 KB, and "On Hit Inflation Techniques and Detection in Streams of Web Advertising Networks"). Auditors can recommend that organizations outsource this control activity to a research university or a commercial company that has highly trained personnel and proprietary software until software packages are available that can accomplish this task.
Controls for PPC Risks 1 and 2
Companies using the PPC model have no control over the number of times their ads will be shown (risk 1); if an ad was clicked on, the advertiser has no way of knowing whether or not the click was legitimate (risk 2).
In terms of PPC risk 1, auditors can recommend that organizations ensure the advertiser has and follows a well-designed procedure to select, analyze, and test keywords prior to launching an ad campaign. To this end, researchers have developed algorithms that adaptively identify keywords to bid on based on historical performance, along with their potential profit-per-cost ratio. Such knowledge can be incorporated in the aforementioned process. (For more information on these algorithms, read "An Adaptive Algorithm for Selecting Profitable Keywords for Search-Based Advertising Services," PDF, 755 KB.) Finally, for PPC risk 2, auditors can use some of the techniques mentioned for CPM risk 3, including sophisticated analysis of Web traffic logs.
Whatever business model an advertiser engages in, auditors could recommend that the organization become a member of the Click Fraud Network, which monitors online advertising campaigns for click fraud, free of charge. For-profit companies claiming ads-related "honesty" services have been established in recent years as well, including Click Tracks, Open Tracker, and Valid Click. However, auditors need to thoroughly research the services provided by each of these and similar companies before recommending their use.
WHERE TO BEGIN
Internet advertising is a growing, although risky, business. Because technological innovations in advertisement placement continue to take place, it is important that internal auditors stay ahead of the game by learning about the risk and control issues posed by these new technologies. For example, clickable ads that result in an ad-server controlled dialog with the user (e.g., live chat or interaction with software agents equipped with some artificial intelligence) pose different risks (e.g., not redirecting the user to the advertiser's Web site) and require the use of innovative controls to minimize mistakes, abuse, and fraud.
In addition, auditors can help convey to management the residual risk Internet advertising poses. For instance, auditors may take an active, consultative role in the planning phase of an Internet advertising strategy and point out risks and appropriate controls for implementation. Naturally, auditors should not participate in the implementation of recommended controls.
Furthermore, auditors should recommend that companies having little or no experience with Internet advertising conduct a pre-campaign audit of the entire plan to ensure that the plan takes into account known risks and includes controls around these risks. For example:
- Does the plan include legal provisions that grant access to the broker's ad server logs?
- Is the advertiser's log enabled and configured adequately to capture the data needed to conduct a post campaign analysis?
- Does the advertiser have the necessary software and knowledgeable employees to carry out such an analysis or audit?
Finally, substantially funded advertising campaigns should be followed by a post-campaign audit to verify that the company got what it paid for and that the controls surrounding Internet advertisement operate effectively. Questions to answer during the post-campaign audit include:
- Did the broker provide reports accounting for ads served and related data, including, but not limited to, the number of impressions served, the publisher's URL, the number of clicks where applicable, and the click's Internet protocol (IP) address?
- Did the advertiser generate a report of referrals resulting from the ad campaign, using their Web site logs?
- Did the advertiser compare its own report to that provided by the broker? If so, are the two reports in agreement?
- Did the advertiser conduct a URL or IP analysis to ensure that highly responsive publishers (e.g., those generating the most referrals or clicks) seem to represent legitimate and independent Web sites?
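The URL/IP analysis asked for in the last question, as an added example that is not part of the original article: the broker's click report is constructed in code and assumed to be (publisher host, clicker IP) pairs. One check finds highly responsive publishers whose clicks come mostly from a single address; the other finds publisher pairs whose clicker IP sets largely coincide and therefore may not be independent sites.

```python
from collections import defaultdict
from itertools import combinations


def ips_by_publisher(rows):
    """Group clicker IPs under each publisher host (rows are (publisher, ip))."""
    ips = defaultdict(list)
    for publisher, ip in rows:
        ips[publisher].append(ip)
    return ips


def concentration(rows, top_n=3, max_top_ip_share=0.3):
    """Among the top publishers by click count, flag those whose clicks come
    mostly from one IP address. Returns (publisher, ip, share) tuples."""
    ips = ips_by_publisher(rows)
    ranked = sorted(ips, key=lambda p: len(ips[p]), reverse=True)[:top_n]
    findings = []
    for p in ranked:
        counts = defaultdict(int)
        for ip in ips[p]:
            counts[ip] += 1
        top_ip, top_count = max(counts.items(), key=lambda kv: kv[1])
        share = top_count / len(ips[p])
        if share > max_top_ip_share:
            findings.append((p, top_ip, round(share, 2)))
    return findings


def overlap(rows, min_jaccard=0.5):
    """Flag publisher pairs whose clicker IP sets largely coincide (Jaccard
    similarity), a sign the sites may be mirrors rather than independent."""
    ips = {p: set(v) for p, v in ips_by_publisher(rows).items()}
    findings = []
    for a, b in combinations(sorted(ips), 2):
        j = len(ips[a] & ips[b]) / len(ips[a] | ips[b])
        if j >= min_jaccard:
            findings.append((a, b, round(j, 2)))
    return findings


# Constructed click report: two "shop-deals" hosts share most clicker addresses,
# and "bot-heavy.example" receives most of its clicks from a single address.
CLICKS = (
    [("shop-deals-a.example", f"198.51.100.{i}") for i in range(1, 11)]
    + [("shop-deals-b.example", f"198.51.100.{i}") for i in range(3, 13)]
    + [("bot-heavy.example", "203.0.113.7")] * 8
    + [("bot-heavy.example", f"203.0.113.{i}") for i in range(20, 24)]
)

if __name__ == "__main__":
    print("single-IP concentration:", concentration(CLICKS))
    print("overlapping publishers:", overlap(CLICKS))
```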
Once the internal auditor performs any of the audit reviews described earlier (i.e., the forensic review, the pre-campaign audit, and the post-campaign audit), results should become part of the organization's audit records. This will enable the organization to use previous audit findings when planning and carrying out its next online advertising campaign.
_________________________________
Eli Rohn, Ph.D., CISA, CNA, is the managing partner at Cognimax LLC in Edison, NJ, and an adjunct professor of information systems at the New Jersey Institute of Technology.