Ad Fraud Isn’t Always Technical

Humans are still just as easy to hack as computers

There’s a market for preventing online ad fraud. It’s thriving. From bots to viewability to brand safety. There are all sorts of technical solutions and companies that specialize in them.

Like choosing an impossible-to-remember password, you’re reminded there are hackers out there. Someone’s always trying to get in. They’re wearing a hoodie. They’re the bad guy in CSI. They’re in China, Russia, wherever.

But there’s the human angle. Social engineering. Or a simple question.

“Hi, this is Bob from corporate security. There’s been a breach of some accounts. Can you confirm your password?”

And it works.

If it didn’t, no one would do it. Like spam.

Recently, someone (we’ll call him Bob) contacted any ad provider he could saying he was from hockeyfights.com. He wrote he has a lot of video impressions to sell. He asked for code immediately.

At first Bob used an email from hockeyfights.com. That naturally bounced, and led to us receiving inquiries about it. Next Bob used an email similar to hockeyfights.com. Luckily, we were able to shut that off. Maybe he’s moved on to another address now.

Emails have trickled in.

“Hi Bob, I see videos on the site are from YouTube, where can I put my pre-roll?”
“Hi, we received this email from Bob, but our reply bounced.”
“Hi, we’ve sent over ad tags, but want to know when our campaign will begin.”
“Hi, we can’t reach Bob. Can you let us know when our ad tags will go back up?”

A progression from “what?” to conned.

I wound up creating a templated email to send back to anyone who contacted us about Bob, or anything Bob-like.

We received apologies for our site getting hacked or compromised. But it wasn’t. Nothing happened on our end outside of our reputation getting smeared.

There are many things that could have prevented this situation. A LinkedIn search or a visit to the site doesn’t take much time. Neither does checking on where your ads are being served from with a new publisher.

I’m sure there are elaborate, sophisticated schemes for poaching ads out there. Just as I’m sure that an email or two can sometimes accomplish the same thing.