Fraudsters are finding new and sophisticated methods to defraud advertising efforts – all while trying to remain imperceptible and unscathed.

But as fraudsters evolve, so do advertisers. Advertisers stay up to date and have a highly-analytical, data-driven approach to fighting fraud, always looking for the best tools to help them stay safe from fraudsters.

In this post, we present you with the top 10 signs that help you identify if your user acquisition campaign is being compromised.

1. Organic traffic takes a big fall – a sign of attribution fraud

As you monitor your app’s performance, you must be wary of dramatic falls in organic traffic. Fraudsters tend to use attribution fraud, also known as organic stealing, to attack ad campaigns and commit theft by exploiting the last-click attribution model. The intent is to steal your organic installs and attribute them incorrectly by using click spam and click injection.

2. Abnormally high rates of post-install activity – a sign of incentive traffic injection or smart bots

When you see a high rate of post-install activity and are ready to high-five yourself, hold off on celebrating just yet. Abnormally high post-install activity may be a sign of incentive traffic injection or smart bots. In both cases, fraudsters analyse all advertiser post-install events and KPIs, and train bots or motivate users to perform the required in-app activity.

3. Abnormally low conversion rate – a sign of click spam

Based on the nature of click spam, fraudsters try to “spray” clicks with their tracking link on as many users as possible. Fraudsters flood with as many clicks as possibles to deliver the last-click prior organic installs and assign these installs to themselves. But fraudsters can’t affect whether users install the app or not after a click, so the conversion rate can drop abnormally low, which is a red flag for click spam.

4. Abnormally high conversion rate – a sign of incentivised traffic or bots injection

High conversion rates are another reason to celebrate – and while we don’t want to rain on your parade, we recommend that you investigate if you are the victim of incentivised traffic or bots injection. If users are installing the app at an abnormally high pace, it could mean that fraudsters are injecting incentivised users or bots into your app without being caught. 

5. High rate of paying users – a sign of fake financial events

If you see an unusual amount of paying users in your app for no demonstrable reason, you may be the victim of smart bots making these payments.

Smart bots are a very sophisticated and dynamic type of fraud with constant reverse engineering. Unlike classic bots, smart bots cannot be detected by manual analysis of abnormal post-install activity and require a detailed analysis of post-install events using Machine Learning and Big Data techniques.

6. Disappearance in retention and return of a large number of users – a sign of smart bots

An abnormally high retention rate may signal smart bots, and fraudsters find ways to manipulate the retention rate within each daily cohort so they don’t look suspicious. For example, an unexpected loss of a specific group of users for several days, and its subsequent return in a rather high amount (e.g. retention: 18 days – 20%, 19-21 days – 0%, 22 days – 15% in a specific cohort) could mean your app is attacked by smart bots.

7. Large fragmentation at a sub-publisher level within the source – a sign of click spam

Usually, you need a cohort of at least 15 conversions within 1 sub-publisher for accurate traffic analysis. Large source fragmentation is a fraudulent attempt to prevent marketers from properly evaluating a specific group of users for fraud due to the small number of installs within one sub-publisher. This method is used by click spammers and the level of fragmentation can reach 1 install per 1 sub-publisher. 

8. Concentration of installs with similar hardware parameters – a sign of device farms or bots

Fraudsters purchase a large number of cheap devices with real hardware parameters and use them to create device farms to increase the volume of paid traffic, all through fraudulent installs to get paid for them.

If you notice a suspiciously large amount of installs with the same or similar “hardware” parameters – device, browser version, old OS versions, IPs, etc. – we recommend further analysis of install fraud.

9. Abnormally low drop in retention rates – a sign of incentivised traffic or bots

As a user acquisition manager, it’s an accomplishment to see a high level of retention. But first, you must analyse and discover the real reason behind an abnormally low drop in retention rates for specific traffic sources, in comparison to organic or other sources, as it could be a red flag for a fraudster attack via bots or incentivized traffic.

10. Stable, large volume of installs over a long period of time within a single source – a sign of smart bots

It sounds like a dream for any mobile marketer, but you must be concerned. All traffic sources tend to “burn out” because target audiences for each source are limited and it’s normal that after a period of time, the volume of installs gradually decreases. This usually happens starting from the second week. If you experience a large volume of traffic within one source that performs consistently for over a month, your user acquisition campaign may be the target of smart bots and needs to be double-checked. 

Final thoughts: taking effective, immediate action

Fighting ad fraud is an ongoing battle – as soon as advertisers find ways to neutralise one type of fraud, fraudsters are already hard at work to come up with new, more sophisticated threats – and not in vain as losses caused by app-install ad fraud are estimated to reach $12.6 billion in 2019.

As an experienced user acquisition manager, you understand the importance and the crucial need for a comprehensive and powerful anti-fraud tool. 

Arm yourself with the best technological engine and stay insured against fraud.