Social networking giant Facebook needs no introduction. It has continuously made headlines since skyrocketing to popularity in the late 2000s, powering worldwide connections on its platform. It currently has 2.3 billion active monthly users and earns $16.6 billion in quarterly ad revenue. These numbers are certainly impressive, but they also make Facebook a honeypot for hackers.
Facebook and its subsidiary Instagram must regularly combat ad fraud, which can take many different forms and requires a multitude of solutions to detect and counter. PYMNTS recently spoke with Facebook’s Director of Product Management Rob Leathern about how the company fights ad fraud by vetting advertisers and weeding out potential scammers.
How Fraudsters Target Facebook
Leathern stated that Facebook’s biggest challenge is the sheer number of fraud attempts combined with the multiple forms it can take.
“You have to defend a variety of different channels, whereas [attackers] can always focus their efforts into one particular area,” Leathern said. “And many of these adversaries are well-funded and persistent.”
Facebook’s most common ad fraud threat is invalid traffic, where a fraudster utilizes bots to generate clicks on an ad. Studies have shown that up to 18 percent of all ad traffic is invalid. It typically comes in one of two forms: general invalid traffic (GIVT) and sophisticated invalid traffic (SIVT). Both use similar automated methods to generate clicks, but GIVT is easier for automated security systems to spot. SIVT actively covers its tracks with malware, cookie stuffing, proxy traffic and other methods.
How Facebook Keeps Bad Actors at Bay
Leathern explained that the best way to fight ad fraud is to make sure fraudsters are disincentivized from using Facebook for their schemes. Invalid traffic generates profit through clicks, but Facebook’s ad revenue system focuses on business outcomes rather than engagement.
“It’s certainly not impossible, but [it is] much more difficult to fake real outcomes for advertisers,” he said. “Outcomes like adding something to a shopping cart, buying something, downloading a white paper, etc.”
Clicks are still a valid revenue stream for Facebook and its advertisers – as long as they are heavily monitored.
“We look at things like whether the click has happened within a certain time limit after the ad request was made,” Leathern explained. “We also validate that clicks are associated with specific impressions. It's really important to make sure those things are matching in expected ways.”
Most of these checks and validations are done through automated systems, a process that is necessary due to the sheer volume of advertisements Facebook processes each day. Every step of the ad verification process – including advertiser account creation, ad creation, ad payments and the actual ad itself – must be constantly monitored to ensure that fraudsters are not at work.
Collaboration with advertising platforms is another vital part of Facebook’s ad fraud prevention strategy. The company is part of the leadership council of the Trustworthy Accountability Group (TAG), a cross-industry initiative geared toward eliminating fraudulent ad traffic. Its members include Amazon, Disney and Google.
“Many of these bad actors are targeting a variety of different players in the ecosystem,” Leathern said. “The different companies [that] are exposed to these risks have to be talking to one another, either through an industry body like TAG or even directly.”
Transparency and Moderation are Key
One of Facebook’s perpetual security challenges is the need to strike a balance between ad fraud prevention and seamless user experiences – both for advertisers and general users. The social network vets advertisers before granting access, but it is sometimes difficult to determine whether a potential advertiser is a scammer or simply new to the platform.
“We want to have an open platform that can allow small businesses to compete on equal footing with large businesses,” Leathern explained. “If someone has no history of ever having bought an ad, they might be a mom-and-pop shop that's trying to get off the ground and run ads in the local area.”
The key to balancing the scales is transparency; every advertiser knows what to bring to the table and why their submission might face scrutiny, Leathern stated. An important facet of providing that transparency is Facebook’s ad library, which contains every single active ad across Facebook and Instagram and is accessible to everyone.
“There are certain kinds of ads where we're going to require additional disclosure and provide additional information,” he said. “For example, for ads about social issues, elections or politics, we require the advertiser to provide a government identity and we verify their physical address. … [Through the ad library], we provide additional information about who's being reached, like the demographics, [such as] age, gender and location, so journalists and watchdogs in the public can hold us and advertisers more accountable.”
There is only one Facebook – and an untold number of hackers looking to illicitly profit off of its advertising system.
“We definitely know that no one thing is going to be enough,” Leathern said. “We need to take a variety of approaches, not only on enforcement – which many people may not see – but also on transparency.”
Facebook’s public profile is continuing to rise alongside its profits, meaning the threats against it will surely grow more numerous and sophisticated. It is a tall order for all advertising platforms to stay ahead.