{"id":40168,"date":"2021-08-25T10:51:49","date_gmt":"2021-08-25T17:51:49","guid":{"rendered":"https:\/\/www.kochava.com\/?p=40168"},"modified":"2022-08-18T14:31:12","modified_gmt":"2022-08-18T21:31:12","slug":"fake-emails-lead-to-install-farm-fraud","status":"publish","type":"post","link":"https:\/\/www.kochava.com\/ko\/blog\/fake-emails-lead-to-install-farm-fraud\/","title":{"rendered":"Fake Emails Lead To Discovery of Install Farm Fraud"},"content":{"rendered":"[vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_spacing=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_shadow=”none” column_border_radius=”none” column_link_target=”_self” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” tablet_text_alignment=”default” phone_text_alignment=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text]\r\n

How the Kochava Foundry team uncovered an install farm for a fintech company<\/span><\/h3>\r\n[\/vc_column_text][divider line_type=”No Line”][vc_column_text]Fraud isn\u2019t always blatantly obvious at first but can creep into campaigns, hiding in plain sight as good traffic. Thankfully it does, however, always leave a trail. Real-time mitigation solutions stop the lion\u2019s share of fraud from the most common tactics, but marketers need to remain vigilant of data anomalies nonetheless\u2014although they don\u2019t immediately signal fraud, it pays to have experts dig in. If something stands out as different or strange in your data, don\u2019t let it go. It could be an indicator of a much larger fraud being committed.<\/span>\r\n\r\nThat\u2019s exactly what happened to a fintech services app running a large campaign in EMEA, and it all started with a grouping of fake emails linked back to what had appeared to be a successful acquisition campaign. The fintech marketing team contacted <\/span>Kochava Foundry<\/span>TM<\/sup><\/span><\/a> to determine the cause, but how the Foundry analyst investigated may surprise you.<\/span>\r\n

The anatomy of a fraud investigation: First, attempt to explain anomalies<\/span><\/h3>\r\nWhen presented with an anomaly, Kochava Foundry analysts do not immediately suspect fraud because if initially set on proving fraud without much evidence, that could cloud the investigation and overlook simple data errors or alternative explanations.\u00a0<\/span>\r\n\r\nIn the case of this fintech company, our analyst first worked on the assumption that the campaign traffic was legitimate (innocent until proven guilty) and sought potentially reasonable explanations for the anomalies. Developer testing, event tracking implementation issues, and other errors were reviewed and eliminated as potential causes.\u00a0<\/span>\r\n\r\nNext, the analyst looked at the app\u2019s traffic during the campaign. The campaign was running on a cost-per-engagement (CPE) model, and it drove an impressive amount of signups, the target event. As the analyst probed further, he saw a disproportionate number of the signups within the campaign time frame had absolutely no subsequent money transfer events. By segmenting the newly acquired audience cohorts by attributed network and sub-publisher, it became clear that the exponential spike in signups with no transfers was isolated to a specific grouping of sub-publishers. While the typical rate of signup-to-no-transfer was 30-40% across most paid and owned media, these cohorts displayed a signup-to-no-transfer rate of 99%. This was a major outlier and highly suspect. It became the first red flag that install farm fraud was likely at play behind these publishers. The hypothesis was that an install farm was clicking campaign offers, quickly installing the app, then completing the target CPE event with a fake email before then uninstalling the app to rinse and repeat the process.\u00a0<\/span>[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”20″ bottom_padding=”20″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” shape_type=””][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_spacing=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_shadow=”none” column_border_radius=”none” column_link_target=”_self” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” tablet_text_alignment=”default” phone_text_alignment=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][image_with_animation image_url=”40169″ animation=”Fade In” hover_animation=”none” alignment=”center” border_radius=”none” box_shadow=”none” image_loading=”default” max_width=”75%” max_width_mobile=”default”][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_spacing=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_shadow=”none” column_border_radius=”none” column_link_target=”_self” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” tablet_text_alignment=”default” phone_text_alignment=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text]\r\n

Confirming the tell-tale signs of install farm fraud<\/span><\/h3>\r\nOnce there is evidence of a type of fraud, in this case, sequenced app activity from an install farm, the Foundry analyst checked for other \u201cconfirming symptoms\u201d of that fraud tactic. Among other symptoms, he specifically looked for:\u00a0<\/span>\r\n
    \r\n \t
  1. Outliers in the time-to-install (TTI) distribution between the attributed ad click and first app launch (a.k.a. install)<\/span><\/li>\r\n \t
  2. Outliers in the time-to-engagement (TTE) distribution, the time between first app launch\/install and completion of the signup event<\/span><\/li>\r\n \t
  3. Abnormally high percentage of older device types and operating systems (OS)<\/span><\/li>\r\n<\/ol>\r\n

    Assessment from multiple angles<\/span><\/h3>\r\nBoth TTI and TTE were plotted against the device cohort from these sub-publishers alongside the rest of the fintech company\u2019s omni-channel media partners. The distribution from the suspect cohort was strikingly homogeneous (meaning the timing was similar across all converting devices). This is a commonly observed outcome when install farm workers are performing the same rinse & repeat process across racks of devices. On the other hand, other publisher sources displayed a non-homogeneous distribution trend where TTI and TTE naturally varied according to expected human behavior differences. <\/span>[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”20″ bottom_padding=”20″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” shape_type=””][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_spacing=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_shadow=”none” column_border_radius=”none” column_link_target=”_self” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” tablet_text_alignment=”default” phone_text_alignment=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][image_with_animation image_url=”40194″ animation=”Fade In” hover_animation=”none” alignment=”center” border_radius=”none” box_shadow=”none” image_loading=”default” max_width=”50%” max_width_mobile=”default”][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_spacing=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_shadow=”none” column_border_radius=”none” column_link_target=”_self” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” tablet_text_alignment=”default” phone_text_alignment=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text]To further confirm that an install farm was at play, the analyst observed the makeup of device type and OS among the suspect cohort. As suspected, the makeup was overwhelmingly older models, whereas the audience from all other publishers had a healthy distribution across new and older devices and OS versions.\u00a0<\/span>\r\n\r\nThese indicators were combined with other proprietary install farm detection methods and solidified the outcome of the Foundry investigation. The Foundry team then advised the fintech marketing team on the next steps to mitigate the issue and secure make-goods from the media partners involved.\u00a0\u00a0<\/span>\r\n

    Pulling on a thread, but making no assumptions<\/span><\/h3>\r\nMost of the time with respect to fraud investigations, the Foundry team is evaluating odd campaign data based on something the client is questioning. In this case, the fintech company saw a set of suspicious-looking emails and asked the team to explore them further. Once the analyst detangled some of the data threads, fraud was the evident culprit.<\/span>\r\n\r\nReal-time anti-fraud tools are necessary and effective, catching the majority of the fraud occurring in the ecosystem. However, marketers must stay vigilant to anything that looks suspicious or even too good to be true. For this fintech app\u2019s campaign, much of the traffic looked normal, and it wasn\u2019t until the traffic was analyzed from different angles to prove its validity that the fraudulent characteristics showed pointing to install farm fraud perpetrated by a subset of publishers.<\/span>\r\n\r\nWant to know how the Foundry team can help you? <\/span>Request a free consultation<\/span><\/a>.\u00a0<\/span>[\/vc_column_text][\/vc_column][\/vc_row]","protected":false},"excerpt":{"rendered":"

    [vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left”…<\/p>\n","protected":false},"author":55,"featured_media":40182,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,135],"tags":[],"class_list":{"0":"post-40168","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news-and-updates","8":"category-fraud-prevention"},"_links":{"self":[{"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/posts\/40168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/comments?post=40168"}],"version-history":[{"count":6,"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/posts\/40168\/revisions"}],"predecessor-version":[{"id":40204,"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/posts\/40168\/revisions\/40204"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/media\/40182"}],"wp:attachment":[{"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/media?parent=40168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/categories?post=40168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kochava.com\/ko\/wp-json\/wp\/v2\/tags?post=40168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}