Marketeers are looking forward to the day when India will have 50 million broadband (minimum access speed of 256 kilobits per second) Internet users against the seven million today. Pundits believe this will be the tipping point of scale for e-commerce, and brand sales linked to online search and display ads will then truly take off. But while online sales may swell with this magic number, fraud related to online ad revenue will also soar.
Advertisers first bought ads on cost per thousand impressions basis, where they paid ad vendors a small fee for each user who presumably saw an ad. Problem is, advertisers were often paying ad networks (which then paid publishers) for ads that users were not likely to notice, click on or purchase from. Many advertisers then started paying on the basis of cost per click, with fees due only if a user clicked on an ad. This payment metric was also easy to inflate through canny software, and this column has earlier discussed how click fraud is rampant.
Also Read Marion Arathoon’s earlier columns
In contrast, cost per action, or CPA, advertising charges an advertiser only if a user makes a purchase or performs a required action on an advertiser’s site. As e-commerce gains momentum here, more advertisers will pay ad fees based on the purchase action of users who click on a purchase link. But if you think that we’ve finally hit upon a fraud-proof system, think again.
Ben Edelman, assistant professor at Harvard Business School, whose current research includes analysing methods and effects of spyware, told participants at a recent International Advertising Association seminar on digital advertising in Mumbai that CPA fraud is thriving.
He tells me that as the Indian advertising market gets more sophisticated, CPA fraud will become more prevalent. Indian advertisers would be well served by understanding this problem in advance so that they can structure their policies and procedures accordingly, he says.
The potential losses for sellers or advertisers won’t be small change. “For the merchants I work with, it is typical to find that 5-10% of CPA spending is fraud,” says Edelman, who has also served as consultant and testifying expert for clients such as the City of Los Angeles and Wells Fargo and Co., among others. By rooting out fraud, they aspire to save that amount. Also, once news gets around that a particular advertiser can be duped easily, more fraudsters target it, says Edelman, citing how VistaPrint Ltd was cheated by rogue marketing partners.
Edelman, who has uncovered hundreds of bogus CPA affiliates, outlines three levels of CPA attack:
• If a merchant was known to pay commissions instantly, say the same day an order is placed, co-conspirators could make purchases through an attacker’s CPA link. They would then return the merchandise for a full refund, thus yielding instant payment to the attacker, who keeps the commissions even after the return.
• In a more sophisticated scheme, an attacker designs a Web page or banner ad to invoke CPA links automatically, without requiring a user to initiate any action to click the link. If the user later happens to make a purchase from the corresponding merchant, the attacker gets a commission. As to the Web’s largest merchants—Amazon.com Inc., eBay Inc., among others—these stuffed cookies can quickly yield high commission payouts (to CPA affiliates), since many users make purchases from top merchants even without any advertising encouragement. EBay considers such fraud serious enough to merit federal litigation, as in its August suit against Digital Point Solutions, Inc. and others, he says. “In that litigation, eBay claims defendants forced the placement of eBay tracking cookies into users’ computers, thereby claiming commissions from eBay without providing a bona fide marketing service or promoting eBay in any way at all.”
• In an especially complicated CPA scheme, an attacker first puts tracking software on a user’s computer—spyware —which then monitors a user’s browsing pattern and invokes CPA links to maximize payouts. For example, if an attacker notices that a user is browsing for laptops at Dell Inc.’s website, the attacker might then open a CPA link to Dell so that if a user makes a purchase from Dell, the attacker gets a 2% commission. After all, where better to find a Dell customer than a user already examining new Dells?
To Dell, things look good: By all indications, a user clicked a CPA link and made a purchase. What Dell doesn’t realize is that the user never actually clicked the link: Instead, spyware opened the link, and Dell fails to consider that the user would have purchased the laptop anyway, meaning that the 2% commission payout is entirely unnecessary and completely wasted, says Edelman.
Finally, should online merchants holds their agencies and CPA networks responsible for rogue marketing affiliates? Online experts believe that while agencies should screen affiliates, it is the CPA network that ultimately knows its marketing sub-contractors best and should be held accountable for such frauds.
Marion Arathoon is Mint’s advertising editor. Your feedback is welcome at firstname.lastname@example.org