While click fraud and identity theft are probably the most common forms of larceny on the Internet, I just heard of a company that sets a whole new standard of bad, lying to advertisers about, well, everything.
Click fraud is when a web site either clicks on its own ads to increase revenue, gets someone else to click on them with no intention of buying or works with botnets to generate millions of illegal clicks. I wrote a few months ago how longtime YouTubers were suffering income drops as Google algorithmically eliminated their botnet clicks. But click fraud requires a third party ad network to work. What I am writing about here is something completely different.
I have an old friend who works in the private equity world where companies are bought and sold for millions. He was about to do exactly that with a prominent web media site (buying it for low nine figures) when due diligence revealed the amazing news that the company was completely fudging its ad numbers.
It was too good to be true.
This can only happen for sites that sell their own ads but this particular site was just sending invoices to advertisers for amounts that were consistently 10 or more times what the advertisers would have paid on the basis of real — not fake — clicks.
It’s click fraud without the clicks, since all the complexity of clicks and bots is eliminated in favor of just sending a bogus bill.
I wonder how common this is? Have you heard of this happening or has it happened where you work or used to work?
There is apparently no standardized ad auditing capability on the Internet so scams of this sort are actually easy to do. And advertisers often lean into it by often preferring not to know precisely how effective are their ads.
Take my money, please.
Now here’s the strangest part: having discovered this blatant fraud my friend walked away from the deal but did nothing to bust the offending web site. His lawyer advised that because he signed a non-disclosure agreement with the crooks my friend might be legally liable if he turned them in to the authorities. It is his intention, though, to bust them just as soon as the NDA expires… in three years.
Yes, I know the name of the web site, but if I tell then again my friend is liable. So my lips, too, are sealed.
Until then I suppose advertisers will be soaked for more millions. That is unless the web site owners can find a really stupid buyer.
Isn’t there enough information in this article such that, in three years, that company might be able to prove (or at least ask your friend under oath) that the NDA was broken in 2012?
I don’t know which outfit he’s talking about. on the basis of “the average citizen” Cringe’s pal is safe.
IANAL, but I have worked for several. Go ahead and name the name(s); generally speaking as a matter of law, an NDA type agreement cannot be used to keep someone from disclosing fraudulent/illegal activities…
I have to agree. That sounds like a bs excuse to me, or your friend has a crap lawyer. I think he just made himself in an accessory to fraud, instead of a whistle blower who went into the deal with honorable intentions.
I was hoping Bob was going to say he didn’t know the name of the company either. Maybe this article should disappear down the memory hole.
MY FRIEND told me this story on the condition that I not disclose the name of the company. Just because I legally could give the name doesn’t mean that I’m required to do so. Further, I am not a party to the transaction (heck, in the end there never was a transaction) and from a strictly legal position what I’ve given is just hearsay. I believe it to be true or I wouldn’t have printed it, but I think the premise is more important than the details. That’s why I am asking my very experienced readers whether they’ve seen this behavior before? THAT part is I think important.
IMHO as a non-lawyer, I believe that you would be off the hook from criminal prosecution because what your friend told you would be classified as hearsay. However, in your friend’s case, he could be breaking federal or state laws. I hope he has the attorney’s advice to keep his mouth shut (which he didn’t by telling you) in writing.
It depends on the contents of the NDA and the jurisdiction in which it was executed.
The genie is already out of the bottle. I’d do a quick check with an attorney to make sure you aren’t exposed from a criminal perspective. If the company is a publicly traded firm, you might be exposed from a civil perspective in the future.
As Edmund aptly stated, ad clicks are a 90’s ponzi scheme which will collapse shortly as the economy continues to contract.
In three years when your friend reveals the truth, whom do you think the pissed off customers who were over charged are going to sue besides the company? The NDA will not protect him from being named in the lawsuit(s).
You writing about it here in a public forum just solidifies that your friend knew of the fraud. Your friend will need a lot better lawyer in three years.
The point Bob is making, based on my read, is that (regardless of the legality of his disclosure) it’s personal ethics and his work (to a friend or otherwise) that constrains his choice to name names.
He’s given us enough fodder to spur discussion and perhaps uncover the personal experiences of those who have seen this sort of thing (and are devoid of NDAs, promises, or maybe ethics).
Kudos, Bob for being this person who seems increasing rare as the years pass.
Bunk. What, you’ve never heard of Crimestoppers?
If you are afraid of repercussions why not just report the crime anonymously?
YOUR FRIEND sounds like a dirtbag, and if you genuinely don’t want to lift a finger to take minimal action, YOU don’t sound much different.
I have another theory: maybe this is just a made-up story. Why I can make up click-fraud stories, too. Here’s one: my “friend” does 8-digit deals and in his anecdote, some representatives of the government said they didn’t want the new type of click fraud that he found exposed because it would create a new wave of cybercrime. In other words, the government wanted to sweep the individual, specific problem under the carpet until they could invent a legal work-around, because if they didn’t the problem would jeopardize all of capitalistic society itself until it could be solved. Unfortunately, MY FRIEND told me all this in confidence knowing I would make this posting, so I can’t reveal any details to anybody. Sorry about it guys but that’s my story.
The problem with breaking confidentiality to report a crime is you have to show that you had reasonable cause to believe a crime was being committed. This is easy with a murdered body, hard to do with piles of paper. Also, Bob has friends all over the world, with zillions of different laws to protect or punish whistleblowers.
I’m surprised to read this, most large advertisers these days use 3rd party adservers to track clicks, impressions and actions post click/impression on the advertisers site. 3rd party adserving allows them to have unified reporting across many publishers and is also used to identify discrepancies.
I can’t see how any publisher would be able to get away with this at any scale.
on the Internet, nobody knows you’re a fraud.
and to think they took the get’Facedbook IPO seriously… .
I would like to buy this company! Unfortunately my funds are currently tied up with a Nigerian prince. 😉
Hope you enjoy being a partner in crime Cringely.
The I can’t say anything, or I am in jeopardy too argument, is the lamest of the lame.
I have read before how out there you can be. Well you just confirmed it. Just Wow.
What statute am I violating here? If you are going to damn me please be specific about it.
From my understanding you may be in breach of http://en.wikipedia.org/wiki/Misprision_of_felony
“18 U.S.C. § 4, Misprision of Felony
Whoever , having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.”
My understanding is that fraud is a felony.
Further (at least from my understanding in other countries, not the USA), part of one’s fiduciary duty as a company director is to report crimes, corruption, and fraud that you come across (in your own company or others), and generally act as a “good citizen”.
If your friend is a company director, they may be in breach of that duty, as well as the above code. Failure to report may render him unable to be a company director now or ever again in the future. I’m not sure if you are also perhaps a company director – if so this may apply to you too.
Note that given the existance of an NDA there may be a ‘correct’ process to resolving this, and I think that you should make the company aware of their problem and give them some time to resolve it. Reporting it straight away may be taken as similar to this case: http://skipames.com/?p=27
OP
Don’t think so, Mr. P. Mr. Cringely has only hearsay evidence. It’s not as if he audited the companies books and has first-hand evidence of wrongdoing.
That’s why Mr. Cringely’s friend did his “due dilligence”. Good on him for avoiding this particular cowpie. Too bad Fidelity didn’t have him on staff when they bought Facebook.
http://venturebeat.com/2012/08/01/fidelity-takes-a-dump/
Also, keep in mind that Bob is working in the capacity of a journalist here, and there is a whole body of legal precedent that permits a journalist to protect the anonymity of his sources, even in criminal matters. If this was a situation of incipient murder or terrorism, well, even lawyers, physicians and psychiatrists are required to breach confidentiality in those circumstances, but it’s not, so the point is moot. It’s a dirty shame that these thieves will get away with bilking their clients for the next three years, but they’ll get theirs in the end, and in the meantime as a journalist, Bob has a moral obligation to protect his source.
Aside to Bob re: the headline: It’s “old fashioned”, not “old fashion”. Your SEO service may be increasing your clicks, but they’ve been slipping quite a few typos into your headlines lately.
Darn! I should have checked a dictionary before I posted, because according to Merriam-Webster.com, I’m wrong too. It’s actually “old-fashioned” with a hyphen.
As per https://www.merriam-webster.com/dictionary/old%20fashioned
Another way to look at this… Lets suppose you use an independent advertising service like Mr. Cringely uses. How do we know that advertising service is being honest with us? What happens if I think I have more visitors to my site than my advertiser? What happens if my visitors click through to more ads than they are paying me?
I hate to blame the victim, but every business I’ve worked with uses some kind of analytics to measure the effect of an ad campaign — especially important on the web or on mobile.
If you can’t measure the effect, then you can’t know the cause either.
The question is: if your friend told you the name of the site in addition to the findings of a due diligence effort that included information shared under NDA, didn’t he violate the NDA by telling you the findings of the due diligence and/or the name of the site? (I’m assuming you have nothing to do with his effort and are therefore not covered by an NDA yourself.)
Obviously he told you the details of the due diligence effort…that alone could violate confidentiality. If he also shared the site name, that presumably would be a further broach of confidentiality.
Am I missing something here?
I think the point is the information he gave to Bob cannot hurt anyone, not even the perpetrator of the alleged fraud, as long as Bob doesn’t name names. All that Bob did with the information is generalize the problem so that others can share their experiences or at least be aware of this type of over billing.
To your main question: Google enables a version of click fraud by cleverly using a very, very, very lightly colored box at the top of search results to box in ads that precede the real search results. At first I thought my monitor’s color settings were off, but I noticed the effect on different monitors (desktop, laptop, mobile). You don’t know where the ads end and where the un-sponsored/real PageRank results begin. The number of ads served is different in most cases, so you can’t just jump to the third result and know that that’s always the start of the PageRank results (i.e. the results that you’re looking for).
Ain’t that aiding and abetting click fraud? Given the number of searches done daily on Google, I can only imagine the fees that Google is racking up using this tidy little piece of html box color coding.
To me the color difference is obvious, although they don’t say that those are ads. The REAL fraud is that they put up unpaid search results — then pause long enough for you to read the first 1 or 2 and click — but whammo! Those links have just moved down and you’ve clicked on an ad. It’s about a 4 second delay and the advertisers are paying for clicks by people who didn’t go to click on their ads.
To me, on all sorts of different monitors, the background color is next-to-invisible. Unless I change my angle of viewing from straight on. Now I do have a color deficiency in my vision, but for me it is hard to determine at a glance where the paid ads end.
Google are frauds as well.
Years ago, I had some advertising on my website. I had to reach $100 before google would send me a real cheque. As I approached the target, there were mysterious adjustments to reduce my balance, then as I reached the princely sum of $100 they sent me a real letter, not an email saying the minimum amount before google would pay is now $150…. Frauds, google are frauds as well, they just have better PR.
BS!
Ever since I heard of this guy, I’ve been suspicious of just this kind of thing:
https://en.wikipedia.org/wiki/Gurbaksh_Chahal
If your friend informs the police that he has information regarding criminal activity but he is bound by an NDA, they can then serve a notice on him to disclose the information which overides the NDA. Am I wrong?
They’re trying to identify the crooked web media company over on HackerNews using the clues left by Robert Cringely:
https://news.ycombinator.com/item?id=4384877
If your friend was in Europe then there is the Anti-Money Laundering legislation. They would be required to report the crime. Is the company not listed so not subject to Sarbanes Oxley audits?
If the Reddit community catches onto this post and gets their private eye caps on, I give it two days maximum before they work out the company behind the advertising fraud and they’re outed. So many clues in this post, only a matter of time. How many major media companies in the low nine figures, private are looking to sell based in the USA?
This is all hearsay to everyone except the original investor so most of the comments above are meaningless because there’s no proof, it’s just he said, she said.
But the point of the article is simple – what measures exist to verify that any specific internet advertising works and that any given advertising agency is honest? Frankly, there’s so much opportunity for fraud with any of these agencies – El Reg in the UK has been documenting the issues with Google Ads for several years – that it’s simply a matter of time before the entire pyramid collapses.
I’m no lawyer so I’ll stay out of all that. Also this is my first post ever and I’ve been reading Bob forever. Weird now that he’s almost done. Hey Bob.
Anyway, this is rampant in the affiliate marketing world only it goes a little differently.
You typically work with an affiliate marketing clearinghouse and they report your clicks and your commissions. What they do, since they own all the backend to keep track of it all, is short you on clicks.
If you got 100 clicks you should get commission on 100 clicks. What they do is report 94 clicks and pay you commission on 94. They keep the commission on the other 6. You can do things to track yourself but there isn’t much you can really do to reconcile.
Not quite the same but an example of someone who owns the accounting network using it for their own advantage.
Hi Bob,
Don’t you love it when the gist of your post gets ignored, and the thread turns into a discussion of something only marginally related ?
To try to help get this back on topic, I will note that I work for a retailer with a web presence. We’ve got our own rudimentary home-grown analytics as well as Google Analytics, and yes, the marketplace venues whom we also use to post our listings usually have there own set of data as well. My experience has been that they are generally cooperative when I find a discrepancy between my data and theirs, and it often can be traced to a single IP address making a boatload of clicks. On the other hand, we’re a small business and don’t have the time to be constantly auditing the results.
I’ll close by noting an experience I had with an account rep at one of those marketplaces, whose take on it was that the CPC rate is somewhat arbitrary. If you were to somehow magically eliminate all those fraudulent clicks out there, the marketplaces would make up for the loss of clicks by simply raising the CPC rate in order to keep the revenue constant.
A couple of years ago I was approached by my previous employer, a big auditing and consulting firm, to help develop a service offering around auditing exactly this same thing.
Apparently they saw a need, but nothing came out of it. So maybe nobody is really interested in accurate statistics, as Bob so cynically points out.
I dunno. The websites themselves and the ad agencies obviously have a stake in obfuscation, but If I were the head of marketing at Ford or Delta Airlines or Frito-Lay, I don’t think I’d be very happy to find out that I was pouring my online ad budget down a fraudulent hole. I think I’d call the legal department so fast the phone would melt.
the visionary who started it all
https://en.wikipedia.org/wiki/Gurbaksh_Chahal
I’ll bet he’s smart enough to configure a hosts file.
Despite all the banter about who may or may not be in trouble, the original supposition was do we, as advertisers, see this happening?
Having my day job at a mobile marketing company, I can tell you that for the most part, companies are honest with their dealings. Analytics aside, a client can ask for the raw log files from our devices and see what actually happened. It is not worth the trouble to fake the server log files. Since we use a closed system, we also know that click fraud is hard in our system. You physically have to go to the locations where our devices are, accept and and click (it isn’t like the unbridled internets).
Given all that I have seen in the SEO world and in some advertising markets, I would not be surprised if there is at least some fraud going on. But I do believe that most companies try to do the right thing.
Hey kids,
Bob dropped a huge hint here which is being ignored, and that is to quit debating legalistic interpretation and get your brains together to identify and out the offending company. Shouldn’t be too hard for this brain trust, should it?
Someone has been trying to do that on Hacker News, as mentioned earlier in this thread:
https://news.ycombinator.com/item?id=4384877
Hey, Mr. Cringely, could you us whether the company in question is or isn’t on the “short list” compiled over at Hacker News?
Wouldn’t the clicks normally be measured by both the website and the advertiser? So they can compare notes. This can be tricked with bots, but just sending a fake bill wouldn’t work. It’s pretty straightforward for an advertiser to measure the clicks on their own ads, even if placed on another site.
“a prominent web media site”. Being simple-minded I googled webmedia. Now what?
I’ve heard that Google does the same:
An irate small business compared his invoice with his web traffic and found a discrepancy. He complained to no avail. Google was charging for “hover” not click. Apple also complained about the “hover” and FCC (?) fined Google $10M or so*. With Google’s power and “DO NO EVIL” motto most business fail to see how corrupt Google is.
The faster Google is exposed as a criminal enterprise the better for other entrepreneurs and the web.
I’ve said elsewhere that Google could be protected by the FBI – CIA. The Mafia and al Qaida are liked for their gifts to the needy. That they killed and robbed to get the money appears to not matter to the needy. Likewise Google and that makes us, if needy, complicit in their crime.
But if this is the new USA standard then heaven help us all.
* With ‘too big to fail’ and other mega companies the fine has to be proportional to the corporation — annual income for first offense twice annual income for second etc not profit. They have to feel the pain to learn that crime does not pay! And if that does not work capital punishment for capital crimes! Bush43 failed to see anything with all of his Oversight Commissions.
An Oz company paid $20 million to lawyers to save $40 million in tax — when that happens the other taxpayers are burdened unfairly. And as Niall Ferguson said the law becomes lawyer centered.
Do you want to add rich texture to your garden? Do you want to display trophies or other awards in a manner befitting their importance?
https://www.coachfactoryonline2012onsale.com/ Coach Factory
Hello, i think that i noticed you visited my site so i got here to return the prefer?.I’m trying to to find issues to improve my web site!I assume its ok to use a few of your concepts!!
A few years back we advertised with a tech publisher. They are well known and had all the big tech companies advertising. I noticed that the reported advertising stats were never turning into sales. I did some digging and tracked all the IPs from the clicks we were receiving. What I found was that 90% of the clicks were fraudulent out of a single IP in India. I figured the publisher was paying these people to click advertisements in their network. What struck me was just how unsophisticated the whole thing was. There was basically no attempt to cover their tracks.
Google AdWords is the new frontier. I spend hours every week blocking IP’s. A lot of the time it is completely obvious, in that they are coming from specific IP ranges. I did however have to write some software to dig this out of our system to save some time and hassle. Google’s responses to us have been largely frustrating and clueless. We detected massive click-fraud in our statistics from campaigns 5 years ago. The response from Google was essentially a shrug of their shoulders.
All I can say is you have to look after yourself out there. Do not assume that any of these companies are doing the right thing.
Great post having good information really love this one.
Robert, I am glad I found your site as I have missed reading you many years ago in PCWEEK.
The point that should be taken here is that you should not trust anyone or anything on the Internet. If you are paying for advertising, but some kind of tracking in place so you have some clue if you are getting what you pay for.
Then, keep in mind that the vendor may be doing something to “fake” the information you are getting. That requires that you did deeper to know what is really going on. Just because your ad gets a lot of clicks doesn’t mean you are really getting potential customers and most importantly, sales.
And just because you are getting leads from your advertising, it doesn’t mean they are valid either. “Conversion Fraud” is alive and well and even though you receive verifiable contact information on a lead form, it doesn’t mean the person actually was the one that sent it. :-p
Blocking IPs at Google is useful if you detect the IPs to block. But they only let you block 500 although you can wildcard the last octet.
But consider blocking IP ranges that you have no use for. If you can’t use traffic from Korea, Nigeria, Romania, etc, then watch for that traffic, then look up the IP range and block them all! Then expand this idea and block any traffic you see from web hosting services that are often used to hide fraud IPs. Legit users don’t use web servers to access your site, so block the ranges assigned to HostGator, Godaddy, DeamHost, and others. Just be careful not to block hosting providers where you have services that need to access your server. 🙂
Hi my family member! I wish to say that this article is amazing, nice written and include almost all vital infos. I’d like to see extra posts like this .
I simply could not depart your site prior to suggesting that I extremely enjoyed the standard info a person supply on your guests?
Is going to be back continuously in order to inspect new posts
Terrific article. I have already been in search of something similar to that. Good data I’ll return for virtually every information regarding HCG .