Fraud Detection Summary
Monitor how many app-installs of your campaigns are subject to fraud at the macro level. Meanwhile, you can also identify how many fraudulent app-installs are provided from specific publishers as well as their specific types.
With Interceptd, you’ll easily track the number of in-app events provided on the sub-publisher level. Customize your Key Performance Indicators to define and track specific events.
Automatic Publisher Blocking
Instead of rejecting individual installs, Interceptd automatically blacklists publishers and blocks all of their clicks to prevent further fraudulent traffic before a fraudulent install occurs.
Interceptd’s proprietary fraud detection alarms identify suspicious patterns from publishers right down to the click, install and IP address.
Real-Time Fraud Prevention
Interceptd offers seventeen custom fraud detection alarms to identify fraudulent activity prior to the click reaching the Google Play or Apple App stores. We redirect clicks and install postbacks blocking fraudulent installs and activity.
Interceptd’s proprietary technology keeps fraudulent installs out and allows high-quality users in. You can discover a renewed confidence in your app-install marketing campaigns thanks to our deterministic and probabilistic fraud detections algorithms.
Automated sub-publisher blacklisting based on fraud detection alarms; click-to-install and install-to-event rates.
Campaign Health Check
An easy-to-access feature allowing to ensure your campaign tracking URL is redirecting to the desired location. Interceptd automatically blocks traffic from erroneous campaign-targeting parameters so you may audit each ad network for accuracy.
Campaign Budget Control
‘End date is reached’ and ‘Budget is reached’ alarms will block your campaign’s traffic automatically when the campaign hits the end date or the budget reaches zero.
Personalize your notifications through email or Slack.
A ‘Daily cap is reached’ alarm blocks your campaign’s traffic automatically when the campaign reaches its daily cap. Personalize your notifications through email or Slack.
High Conversion Speed is a parameter blocking sub-publishers who provide a large quantity of app-installs over a small window of time. This prevents your daily cap from being wasted on fraudulent sources.
Interceptd provides one easy-to-use interface to manage campaigns and start your fraud detection. Our campaign dashboard allows for budget caps and monitors controls while auto-generating tracking URLs with ease.
Click To Install Optimization
Interceptd helps users customize and optimize campaigns based on their performance KPIs by blocking sources based on Click-to-Install and Install-to-Event conversion rates.
You can blacklist low-quality sub-publishers based on custom rules assigned to each campaign and publisher.
With Interceptd, every campaign and its sources can have different rulesets, which can be customized without relying on pre-determined global fraud and campaign rules.
Rule-Based Traffic Verification
Interceptd allows each fraud type to continue being used as an alarm, or it can actively block publishers. Additionally, you may optimize your campaigns based on the desired CTI rates and track the performance of each publisher with regards to the pre-set Install-to-Event rates.
Easy Deduction Process
Interceptd does not post-back rejected app-installs so you do not face a long, painful reporting deduction process. You can also filter sub-publishers based on their quality for an easier deduction process.
Supply partners gain access to view campaign-level rejected installs and fraud reports. The Interceptd Revenue Report makes communicating campaign summaries with your supply partners easy.
Using Interceptd, you can send automated emails to partners notifying them of blacklisted publishers and share Campaign data, Detailed reports include KPI rules, Reasons of Blocks, and Historical Performance.
Through incoming partner management features, ad sources will not have to run campaigns blind without feedback, which wastes time and money and triggers long deduction and confirmation processes.
Fraud Types and Alarms
Click spamming is an attribution fraud where a network simulates the number of fake clicks from real devices in hopes of getting the attribution of an organic install. Most of the installs have long click-to-install times. Since the installs are actually organic, ad budget is wasted on highly engaged legitimate users which would be acquired organically.
Click injection is an attribution fraud which abuses broadcast feature of Android OS. It occurs when a fraudulent app on a device listens to other app installs and creates fake clicks while the install is in progress. It results in claiming the attribution of organic install (someone else’s install) by providing the last click. It can be detected by checking the click timestamp with Google Play referrer times (store landing, install begin and install finish timestamps) and generally click-to-install times are short.
CTIT Anomaly alarm checks if a sub-publisher’s installs create a distribution with very short click-to-install times. When this alarm is triggered, it might point towards click injection, or fake clicks & installs such as SDK Spoofing or bot traffic.
Missing Install Referral Time
Install Referrer Time is provided by Google for Android campaigns and they include information about landing time to Play Store page, Install begin time and Install finish time. Not all attribution tools are capable of providing these three timestamps; however, if your app has an SDK which is capable of collecting this information, not having this information in high percentages indicates fraudulent activity, including SDK Spoofing and bot traffic.
High Conversion Speed
High Conversion Speed occurs when fraudsters provide a high number of clicks and convert them into fake installs with a sudden burst. It generally results from SDK Spoofing or bot traffic, or it can also happen when your ad is placed on a well-known offer wall. Since the installs are fake, in-app activity is almost non-existent. Trying to decrease suspicion, clicks may be provided over a longer time.
Device farms use real or simulated devices and they click on ads and convert them into installs; then reset the devices to start over. They may provide as many clicks or installs as they want; however, using a limited number of device to provide high volume leaves a distinctive pattern behind.
IP Mismatch vs CTIT
IP mismatch occurs when click IPs and install IPs do not match with each other. While this can be normal for users who are mobile or the time between click and first app open is prolonged; fake installs can be detected by cross-checking time patterns and mismatched IPs. In clean traffic, a certain pattern with click to install time and IP mismatch ratio should emerge for a publisher.
Assuming every legitimate click should have a different IP, fraud-free traffic should have a homogeneous IP distribution. Even though fraudsters switch IPs regularly to hide their footprints, they disrupt the homogeneity of the distribution.
Duplicate IP occurs when many installs are received from the clicks that are from the same IP in a small period of time. Although duplicate IP might result from many people using the same public Wi-Fi; multiple installs coming from the same ad in a short period of time is a pattern fraudsters leave behind when they are providing installs from the same physical location.
Many fraudsters try to hide their footprints by using anonymous IPs such as hosting servers, VPNs or Proxies. This type of fraudulent activity can be detected on click level.
IP Reputation checks if the install information is received from an IP which was recently conducting fraudulent activity (not necessarily mobile ad fraud). When detected, individual installs are rejected.
Country mismatch occurs when clicks are provided from a country other than the one targeted for that specific campaign. It might occur from wrong targeting, as well as fraudulent activity. Detecting this on click level helps you to save campaign budgets. This alarm can also be used for auditing ad network targeting.
App Version Mismatch
Downloads from unofficial stores or fake installs of SDK spoofing and bot traffic can cause a mismatch between the targeted app version and installed app version. This alarm can also be used for auditing ad network targeting. If you have multiple app versions live on the store you should check their distributions to set thresholds but in most cases targeting the latest version would be suitable.
OS Version Mismatch
Operating System mismatch occurs when fraudsters provide a high percentage of installs from devices which have older OS versions than the one targeted for the campaign. This may be a footprint of a fraud since many farms use old operating system devices or it can be a result of SDK spoofing. This alarm can also be used for auditing ad network targeting.
SDK Version Mismatch
SDK Version mismatch occurs when install information is received from an older version of an MMP’s (attribution tool) SDK than the one used for the app. It generally means that an older SDK is reverse-engineered and install and event information is being spoofed by fraudsters.
High click-to-install conversion rate is a good indicator for unauthorised incentivised activity or fraudulent intentions as unusual amount of clicks convert into installs. On the other hand, low CR means unusual amount of clicks are received and it might indicate clickspamming or a fraudster trying to reduce
suspicion by sending high number of clicks.
High install-to-event conversion rate is a good indicator of quality traffic as users are engaging with the app. However too-good-to-be-true conversions might mean SDK spoofing as well and other fraud indicators should be checked as well. Low converting subpublishers can be blacklisted automatically as the reason can be a mismatch with the adnetwork targeting or a fraudulent activity is being conducted.