PMPs Aren't Actually Immune to Fraud

Private marketplaces (PMPs) have secured their place in the adtech ecosystem over the past five years. These exclusive exchanges offer the benefits of both direct buys and programmatic pipes with little downside -- as long as you can secure an invitation. But, like the rest of the advertising ecosystem, fraud is creeping into PMPs at an alarming pace.

What exactly is a PMP?

A PMP is an invite-only auction where reputable publishers sell inventory to a select group of advertisers. PMPs first hit the market in 2011 when publishers were getting frustrated with the limited visibility and variable quality found on the open exchanges. They wanted to apply the mechanics of real-time bidding (RTB), but not have the risks of dealing with unsavory brands.

A few enterprising publishers -- like Conde Nast, Hearst, and The New York Times -- decided to create a middle ground between the programmatic exchange and the traditional direct sale. The publisher got all the benefits of RTB, but could control for inventory and user experience. Advertisers were drawn to the idea because it offered them access to premium inventory on reputable pubs for less than a direct buy cost.

In 2012, only 12% of ads were bought via PMPs. But, the idea experienced rapid adoption by the industry: research from eMarketer shows that digital display ad spending on PMPs rose 190% in 2015, and another 105% in 2016. While the pace has slowed in 2017, half of all digital display ad spending is expected to happen on PMPs by 2019.

As spending has increased, several subtypes of PMPs have also developed to accommodate different needs. While the private auction model is still the most popular, some publishers have created variations that are slightly more public (open auction with priority) or slightly more private (preferred deal). Still, the benefits are mostly the same: visibility and quality.

Are PMPs really immune to fraud?

For years, many believed PMPs were free of fraud. Since the exchanges were private and hosted by reputable publishers, it seemed impossible that invalid traffic could creep into this gated community.

This reputation for being fraud-free was more appropriate in the early days of PMPs when bots were immature and easy to detect. Although there were thousands of "cash-out" sites, advertisers were typically exposed to these malicious sites through long-tail, programmatic buys. If you bought on a PMP, you were working with a reputable pub with trusted traffic, so chances of fraud were low.

But, cybercriminals then began developing craftier, more sophisticated bots. Fast forward several years and the cybercriminal tactics have changed considerably. Today’s bots look much more human than the bots of even three years ago. Today over 75% of botnet traffic is operated from residential human machines, running in the background, completely unbeknownst to the machine’s rightful owner.

Instead of being obviously robotic, botnets now piggyback on existing malware-infected computers, mimic human behaviors, and reverse engineer detection solutions. They can copy IP addresses, browsing times, cookies, mouse movements, keystrokes, and more.

The result is that PMPs buys are now just as susceptible to fraud as non-PMP ones. Research from White Ops uncovered that 40% of domains had more fraud on private buys than outside PMPs.

Screen Shot 2018-03-09 at 1.26.13 PM.png

How does fraud get on PMPs?

The evolution of bots and botnets has created a vulnerability for PMPs - particularly because reputable publishers are no longer as immune to fraud as they once were. You will still experience fraud if you transact on open, programmatic exchanges or in direct buys.

Most of the fraud that appears in a PMP transaction is due to audience extension or traffic sourcing. Audience extension by publishers can introduce high bot percentages by extending content to providers that source traffic.

Investigations by White Ops have uncovered audience extension sites with as much as 97% non-human traffic. These tactics have become more potent for cybercriminals because the bots are now nearly indistinguishable from humans.

How do I buy on PMPs with confidence?

These PMPs -- traditionally thought of as premium sources of fraud-free inventory -- are now just as susceptible to ad fraud. Unless a private marketplace is specifically engineered to be immune to publishers buying evasive bot traffic, it will have just as much of a bot problem as any other kind of buy.

One of the best ways to manage fraud is to ask publishers about any audience extension practices. Advertisers should ask for any audience extension sites the publisher uses and assess from there. The same principle applies for traffic sourcing.

Still, the best way to really protect traffic and improve the efficacy of digital ad spend is to implement an anti-ad fraud solution. Bots are getting more and more sophisticated each day and even the best mitigation strategies have expiration dates. These anti-ad fraud companies are constantly developing new prevention and detection technology so advertisers can focus on what really matters.