Mobile Fraud Overview: Prevention and Detection

Michael Cole

Common Types of Mobile Fraud & Best Practices

Click Injection/Ad Injection:

Fraud where the Affiliate injects their tracking link to fire off a tracking click right before the user completes their Conversion. This lets them hijack the credit for that Conversion.

Best Practice: Typically, this type of fraud will show up in an MTTI (Mean Time to Install) report as an MTTI of under 15 seconds, so be sure to check your reporting regularly. It should be nearly impossible for a real user to click an ad, install the app and then open it within 15 seconds of that initial click; therefore, an MTTI under 15 seconds can almost always be considered fraudulent. You can also set up a notification alert for any Conversion with an MTTI under 15 seconds, so that you catch this fraud whenever it pops up.

Click Spamming/Click Flooding:

Fraud where the Affiliate fires their click tracking link every time a user sees their ad, even though the user didn’t actually click on the ad. This allows them to cover a massive group of users with their tracking link. Most mobile campaigns are set up with an attribution window for click-through Conversions that gives Affiliates credit for driving the Conversion up to 7 days after the click. If they track enough users, they will start taking credit for the Advertiser’s natural (organic) Conversions from users that were already highly motivated and planning to sign up without advertising. The best way to monitor your mobile Offers for this type of fraud is by ensuring you are never seeing more than 30% of your Conversions coming in at >24 hours MTTI in your report.

Best Practice: Regularly check your MTTI report for any Offers that consistently see more than 30% of their Conversions coming in at >24 hours MTTI. This case doesn’t necessarily mean your Publisher is committing fraud, but it’s recommended to work with your Publishers to optimize those placements.

Keep in mind that while 7-Day Click-Through Attribution is the standard, some Advertisers have 30-Day Click-Through Attribution. If the Advertiser’s attribution window is longer, then you will see more Conversions coming in >24 hours MTTI from the initial click.
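The two MTTI checks described above (any Conversion under 15 seconds, and more than 30% of Conversions later than 24 hours) can be run over exported click and conversion timestamps. The following Python is an added example, not Everflow code; the row layout, affiliate IDs and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds stated in the article.
INJECTION_MTTI = timedelta(seconds=15)  # under 15 s: treat as click injection
LATE_MTTI = timedelta(hours=24)         # over 24 h: a "late" Conversion
LATE_SHARE_LIMIT = 0.30                 # more than 30% late: review for click flooding

# Constructed sample rows (hypothetical layout, not an Everflow export):
# (affiliate_id, offer_id, click_time, conversion_time)
SAMPLE_CONVERSIONS = [
    ("aff-101", "offer-1", "2024-03-01 10:00:00", "2024-03-01 10:00:07"),
    ("aff-101", "offer-1", "2024-03-01 10:05:00", "2024-03-01 10:09:30"),
    ("aff-101", "offer-1", "2024-03-01 11:00:00", "2024-03-01 11:00:11"),
    ("aff-202", "offer-1", "2024-03-01 09:00:00", "2024-03-03 14:00:00"),
    ("aff-202", "offer-1", "2024-03-01 09:00:01", "2024-03-05 08:30:00"),
    ("aff-202", "offer-1", "2024-03-01 09:00:02", "2024-03-01 09:20:00"),
    ("aff-303", "offer-1", "2024-03-01 12:00:00", "2024-03-01 12:03:00"),
    ("aff-303", "offer-1", "2024-03-01 12:10:00", "2024-03-02 13:00:00"),
    ("aff-303", "offer-1", "2024-03-01 12:20:00", "2024-03-01 12:45:00"),
    ("aff-303", "offer-1", "2024-03-01 12:30:00", "2024-03-01 13:30:00"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def mtti_report(rows):
    """Bucket click-to-conversion times per (affiliate, offer) and flag both patterns."""
    buckets = defaultdict(lambda: {"total": 0, "under_15s": 0, "over_24h": 0})
    for affiliate, offer, click, conversion in rows:
        delta = _ts(conversion) - _ts(click)
        if delta < timedelta(0):
            continue  # conversion stamped before its click: bad data, not counted
        b = buckets[(affiliate, offer)]
        b["total"] += 1
        if delta < INJECTION_MTTI:
            b["under_15s"] += 1
        elif delta > LATE_MTTI:
            b["over_24h"] += 1
    report = {}
    for key, b in buckets.items():
        late_share = b["over_24h"] / b["total"]
        flags = []
        if b["under_15s"]:
            flags.append("click_injection")
        if late_share > LATE_SHARE_LIMIT:
            flags.append("click_flooding_review")
        report[key] = {**b, "late_share": round(late_share, 2), "flags": flags}
    return report
```

For an Offer with 30-Day Click-Through Attribution, raise `LATE_SHARE_LIMIT` before comparing, since more Conversions will legitimately land after 24 hours.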

Proxy Traffic:

Fraud where the user’s IP is spoofed, so the traffic appears to come from a different IP source than the user’s actual source. This is often used for bot traffic and other types of click farm fraud: groups of bots or people that fake their location and then perform fraudulent Conversions.

Best Practice: When setting up Offers, under TARGETING > ensure Block Proxy Traffic is enabled.

Duplicate Conversions:

This happens when an Advertiser fires back a second Conversion from the same click ID. The default setting is for Everflow to “reject” duplicate Conversions, so it won’t pay out to the Affiliate on those Conversions. You can change this setting under ATTRIBUTION within the Offer.

Best Practice: During Offer Setup, under ATTRIBUTION > Duplicate Conversions, ensure the setting is toggled to red. Under TRACKING & CONTROLS, enable the Duplicate Click Filter. The Duplicate Conversions setting will keep you safe from paying your Affiliates twice. The Duplicate Click Filter will also keep your Advertisers safe from receiving the second click.

SDK Spoofing:

SDK Spoofing is where the fraud source uses bots to send fake data that creates a simulation of real traffic: faked clicks, Conversions and Events. This can create scary situations, where the tracking partner’s MMP (Mobile Measurement Partner) shows traffic as driving high quality installs with a lot of Events but, when they check their internal non-MMP reporting numbers, they see none of the Events that show up inside the MMP dashboard.

Best Practice: The best way to defend yourself is by implementing the Verification Tokens feature. Spoofing works by simulating a user’s actions, but the fraudster doesn’t have access to the security token, so they are unable to easily imitate it. Learn more about how to set up Verification Tokens — Click Here.

Bot Traffic:

Fake traffic that simulates a user completing the base Conversion on the Offer. SDK Spoofing is the more advanced form of this fraud, where they are also injecting artificial Events into the reporting dashboard.

Best Practice: Ensure your Affiliates are passing their Placement IDs on clicks (Ex: &sub2=[Affiliate Placement ID]). Use the Analytics reports to keep a close eye on the quality of installs by Placement ID. Work with your Affiliates to deactivate low quality sources, enabling your budgets to go to the higher quality sources.

Incentivized Traffic:

Fraud where the Affiliate sends incentivized (Incent) traffic to an Offer even though the Advertiser doesn’t allow this promotion method. For Incent, the user is receiving a reward in exchange for taking an action, such as downloading an app or completing an Event Conversion. Typically, Incent traffic delivers much lower user quality than standard promotion methods.

Best Practice: Same as bot traffic, keep a close eye on the quality of your Affiliate’s sources. If you see any unnaturally high Conversion rates, investigate those sources with your Publisher to ensure the high rates aren’t due to incentives.
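The placement-level review recommended for bot and incentivized traffic can be sketched as follows: group clicks by the `sub2` Placement ID, compute the Conversion rate per placement, and surface placements whose rate is far above the rest, along with clicks that carry no Placement ID. This is an added example, not Everflow code; the tracking domain, the `tid` parameter, the sample data and both thresholds are assumptions.

```python
from statistics import median
from urllib.parse import urlparse, parse_qs

MIN_CLICKS = 50      # assumption: ignore placements too small to judge
OUTLIER_FACTOR = 5   # assumption: flag a rate above 5x the median placement rate

def _urls(placement, first_tid, count):
    """Build constructed click URLs; 'tracking.example' and 'tid' are hypothetical."""
    sub2 = f"&sub2={placement}" if placement else ""
    return [f"https://tracking.example/click?aff=7{sub2}&tid=c{first_tid + i}"
            for i in range(count)]

# Constructed sample: four placements plus 20 clicks with no Placement ID.
SAMPLE_CLICKS = (_urls("site-a", 0, 200) + _urls("site-b", 200, 200)
                 + _urls("site-c", 400, 200) + _urls("site-d", 600, 100)
                 + _urls(None, 700, 20))
# Constructed set of click IDs that converted.
SAMPLE_CONVERTED = ({f"c{i}" for i in range(0, 4)}
                    | {f"c{i}" for i in range(200, 206)}
                    | {f"c{i}" for i in range(400, 405)}
                    | {f"c{i}" for i in range(600, 645)}
                    | {"c700"})

def placement_report(click_urls, converted_tids):
    stats = {}
    for url in click_urls:
        query = parse_qs(urlparse(url).query)
        placement = query.get("sub2", ["(missing)"])[0]
        s = stats.setdefault(placement, {"clicks": 0, "conversions": 0})
        s["clicks"] += 1
        if query.get("tid", [""])[0] in converted_tids:
            s["conversions"] += 1
    # Baseline: median Conversion rate across placements with enough volume.
    rates = [s["conversions"] / s["clicks"] for p, s in stats.items()
             if p != "(missing)" and s["clicks"] >= MIN_CLICKS]
    baseline = median(rates) if rates else 0.0
    for placement, s in stats.items():
        s["cr"] = round(s["conversions"] / s["clicks"], 4)
        s["flags"] = []
        if placement == "(missing)":
            s["flags"].append("no_placement_id")  # Affiliate is not passing sub2
        elif (s["clicks"] >= MIN_CLICKS and baseline
              and s["cr"] > OUTLIER_FACTOR * baseline):
            s["flags"].append("cr_outlier")       # unnaturally high rate: investigate
    return stats
```

A `cr_outlier` flag is a prompt to investigate the source with the Publisher, not proof of incentivized or bot traffic.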

Further Prevention Strategies

Set Targeting Restrictions:

While setting up new Offers, be sure to set up targeting restrictions under the ‘Targeting’ tab. This will ensure that any traffic outside those restrictions (for example, traffic that isn’t from a US source or an iOS source) will automatically be marked as invalid (going to your Fail Traffic Offers, if you’ve set them up, or a blank page).

Recommended: State clearly in your Offer’s Name any major requirements around parameters or location targeting. In the description section of your Offer, include clear instructions about the types of promotions that are approved and restricted.

Any traffic that is blocked by your targeting restrictions can be easily viewed in the Offer Report by clicking the Invalid Clicks highlighted in blue.

Require Offer Approval

Setting a sensitive Offer’s visibility to “Require Approval” will allow you to see exactly which Affiliate/Publisher/Partner would like to run a specific Offer. Click Here to find out how to set this up.

Manually Approve Conversions

You can actually set the Offer to not allow Conversions to come through to the Affiliate/Publisher/Partner until you have manually approved them. Click here for instructions.

*IMPORTANT* If you wait to approve Conversions manually for a long time, the Affiliate/Publisher/Partner will see a lot of delay in when the Conversions post, which could cause them to stop running traffic for the Offer.

Detection Tactics

Referring URLs

To see Referring URLs, go to Reporting — Conversions > Run Report > Click on Columns > Make sure ‘Referrer’ is selected > You should now see Referrer on the far right of the report > Sort by Referrer to see any Conversions that detected a Referrer URL.

Placements show up as Referrer URLs when there is another tracking platform re-directing the click right before it reaches Everflow’s tracking. Referrer URLs often mean one of two things:

1) The Affiliate is using an extra domain for their own internal tracking usage.
2) The Affiliate is rebrokering your Offers through another Affiliate platform.

Sub IDs

You can use Sub IDs when generating the tracking URL for different Affiliates/Publishers/Partners in order to have them report data about the campaign. This can be anything from blind site IDs to actual site names. You can use this to run reports on the data they are sending you.

IP Addresses

To determine the origins of the Conversions, you can look at the IP addresses of the Conversions. If you see a lot of Conversions coming from the same IP, it would indicate that the Conversions might be fraudulent.

Spikes in KPIs (Key Performance Indicators)

If you notice a spike in any of the KPIs, it might signal fraud traffic. To stay on top of this, you can set alerts to go to the dashboard or your email.

Use the Mean Time To Conversion Report

You can use the Mean Time To Conversion report to see the time between the click and the install/Conversion. If a large number of installs are coming in either super quickly or super late, it could signal fraudulent traffic.
