While topline numbers released last month by the Association of National Advertisers (ANA) and cybersecurity company White Ops declare the “war on fraud is winnable,” the battle with bot fraud continues to escalate on mobile.
Bot fraud—perpetrated by automated software agents capable of interacting with content, advertising and offers in a human-like way—is prevalent and pernicious. What’s worse, the emergence of “crime-as-a-service” is making it easier to wage bot attacks because the tools to do so are sold as a package. The outcome is a model that breaks down the barriers to entry and boosts bang for the buck—a sinister combination that spells massive opportunity for cybercriminals who are shifting tactics and platforms from online to mobile.
The latest cybercrime research from ThreatMetrix, a LexisNexis Risk Solutions company providing business security solutions, reveals that companies were hit by 3 billion automated bot attacks in the last six months of 2018. Drawing from internal data spanning 17 billion transactions (processed from July 1, 2018, through December 31, 2018), the ThreatMetrix Cybercrime Report 2H 2018 observes 189 million bot attacks originated from mobile devices. That’s up 12% compared to the previous six months. This terrifying trend will probably gain momentum. “Fraudsters always go where the money is, and with a continual volume shift to mobile, it is likely that mobile attacks will similarly continue to rise,” the report concludes.
Combatting the in-app bots
A massive battle is looming on mobile. To make matters worse, bot fraud on mobile is also becoming more sophisticated. ThreatMetrix observes fraud perpetrators are moving from high-velocity attacks that were a dead giveaway to “low and slow attacks that mimic legitimate customer behavior to slip just under the velocity radar, making them harder to detect.”
It’s an industry blindspot that Adjust, a mobile measurement and anti-fraud company whose customers include NBCUniversal, Procter & Gamble, Pinterest and Tencent Games, wants to correct. Adjust made its major move at the start of the year, acquiring Unbotify, a company that detects bots by focusing on the data that bots can’t fake, such as pressure on the screen and the motion of the device. It’s a strategic play for Adjust, and one sure to get a boost thanks to a capital injection of $227 million in new funding—led by Eurazeo Growth, Highland Europe, Morgan Stanley Alternative Investment Partners and Sofina—that brings Adjust’s total funding to $250 million.
The aim, Adjust CEO Christian Henschel tells me in an interview, is to beef up Adjust’s arsenal of anti-fraud and cybersecurity offerings to make app marketing simpler, smarter and more secure. “The ability of Unbotify to distinguish between humans and bots is a fit with Adjust’s next-generation in-app fraud protection tools and its wider ambitions to provide a holistic platform helping marketers safeguard their brand and their revenues,” he says.
Focusing on what bots can’t fake
Each day Adjust rejects around one million fraudulent activities, Henschel explains. “This fraud is only the tip of the iceberg in a market where ad fraud is ever-evolving and forecast to grow to $50 billion by 2025” he explains. (Ad fraud currently costs companies billions, and estimates vary wildly, ranging somewhere between $6.5 billion and $19 billion in the U.S. alone.) Adjust, which has a long record in ad fraud, is now ready to tackle bot fraud. “The most problematic type of fraud is initiated by bots,” Henschel says. “But, fortunately, bot behavior can be a dead giveaway—if you know how to look.”
The place to start is the data: Mobile yields mountains of it around how humans browse, tap, swipe and interact. The outcome is an interesting and intricate breadcrumb trail that his company has mined to expose bot fraud outright, Yaron Oliker, CEO and co-founder of Unbotify, tells me in an interview. In practice, Unbotify identifies human-only activity like device movement and how fingers interact with the screen. It’s a rich and revealing data set delivered by a multitude of sensors embedded in all smartphones that Unbotify combines with a deep understanding of human behavior patterns and patent-pending tech to model normal (human) user behavior and detect anomalies in real time.
“We’ve learned what humans do on mobile, and this natural flow is our data point,” Oliker explains. The company’s technology provides a lens through which brands and businesses can view and validate activity and, more importantly, make a call based on the actions that are hardest for bots to spoof. To date, the bespoke bot‑detection solution is used by some of the biggest Fortune 500 companies in the e-commerce, social, search and gaming verticals across the U.S. and Europe.
Bots besiege finance and commerce
While mobile may make up less than half of bot attack volume, ThreatMetrix reports it dominated attacks in verticals such as finance, where fraudsters increasingly employ mobile bots and brute force to crack account logins and infiltrate user accounts.
To complicate matters, the bot problem has been fueled by a record number of data breaches (a whopping 14,717, 618,286 records stolen as of June 2019). Bots test stolen credentials—so more successful breaches lead to higher volumes of bot traffic. What’s worse, fraudsters are also banding together to deploy bots to do more damage than ever before.
But commerce stands out as the vertical where the action—and danger—is. During the second half of 2018, more than 2.1 billion bot attacks (that’s more than two-thirds of activity observed in the ThreatMetrix report) were directed at merchants. And retailers aren’t just under siege by a wave of bot attacks: they must address the customer requirement for a low-friction shopping experience along with the business imperative to battle bot fraud.
Apparel is a popular target because goods are easy to resell, and attempts to buy in bulk are part of the “new normal” in a society that loves bargains and adores limited-edition items. Sneaker bots that swoop up large quantities of new release models are a prime example of how fraudsters are sabotaging commerce—and, in the process, the customer experience. “If one person buys up 40% of the product just to resell it, it’s not a good customer experience for anyone,” Chris Bossola, founder and CEO of clothing and lifestyle store Need Supply Co., recently told Glossy, a destination covering how technology is transforming the fashion, luxury and beauty industries. Moreover, he added, “it’s not helpful for us since those people are not reliable customers who provide long-term value.”
Bots dirty the data
Bots pose serious problems for every business with an online presence, everywhere on the planet. Attacks around the clock are wreaking havoc on websites and apps—and they pave the way for malicious activities that include web scraping, personal and financial data harvesting, digital ad fraud, spam and transaction fraud.
But the damage caused by bot fraud doesn’t stop there. Bot activity also degrades the user experience, which can discourage consumers and, ultimately, drive churn. Bots compete with humans, buying up limited items, scalping high-demand event and concert tickets and defying gameplay rules to beat players (stealing money and fun).
What’s more, marketers can misread bot activity for human activity in their apps, spending money and effort to re-engage and retarget bots as part of larger strategies to boost longer-term loyalty and retention. In this scenario, well-meant efforts and campaigns to win back users are doomed to failure because the users were never human to begin with.
Fortunately for app marketers, the capabilities that solve for ad fraud can also help win the war against mobile app fraud. It’s all about fighting smarter with data to sniff out bots, so that both ad fraud and app fraud can be nipped in the bud—and at scale. That clears a pathway to ensure that marketers can focus campaigns and comprehensive strategies on building long-term relationships with humans, not bots.
This article first appeared on Forbes