The Risks of Audience Extension Sites and User Acquisition

It makes sense that today’s advertisers have high expectations for reaching the right audiences. There’s an unprecedented and ever-growing volume of data available on consumers – 90% of which was created in just the last two years. There are 2.5 quintillion bytes of data being produced every single day — in just one minute, internet users post 456,000 tweets, stream 69,444 hours of video on Netflix, and spend $258,000 on Amazon.

What’s more, advertisers’ ability to organize, interpret, and execute on all this data is becoming increasingly sophisticated. Adoption of big data initiatives has more than tripled among organizations from 17% in 2015 to 53%, and it’s easy to see why. Today’s analytics allow advertisers to see exactly how each campaign is performing – down to a millionth of a percentage point – and respond in real time to optimize results.

Together, these trends have created an environment in which advertisers feel they can reach the exact audiences they want to target. But they have also opened the door for more invalid traffic to enter the advertising ecosystem.

What This Means for Publishers

For publishers, delivering these hyper-specific audiences isn’t as easy as it might seem. The web is being flooded with new publishers sending out new content to vie for consumers’ attention. Today, there are a total of 1.8 billion unique websites on the web, and as of 2015, there were 1,400 new blog posts being published every minute. That number has certainly only grown in the years since.

In order to meet advertisers’ heightening expectations, publishers looking to fulfill their commitments typically rely on two tactics: user acquisition and audience extension. Unfortunately, both these methods have become hotspots for non-human activity.

Traffic acquisition can encompass any number of different methods for growing a publication’s audience, including syndication with other publications and platforms, search engine optimization (SEO), and promotion on social media. But if those methods don’t attract enough traffic, publishers may turn to traffic vendors, who promise real human viewers in exchange for a small fee. Paying for traffic isn’t inherently malicious, but as we’ll explain, it can be dicey territory.

Another tactic publishers use to deliver these audiences is audience extension, which involves dropping cookies onto visitors’ computers so that advertisers can track their activity across the web, continuing to engage them well after they leave a given site. By selling advertisers the ability to retarget, publishers can monetize their content without having to open up new inventory.

How Cybercriminals Take Advantage

But while audience extension and user acquisition are acceptable methods for delivering more users, they signify a tension between what advertisers expect and what publishers can really deliver — a tension that cybercriminals controlling huge networks of bots have exploited.

Take purchased traffic, for instance. If a publisher can’t meet an advertiser’s quota through organic traffic, it may turn to buying traffic to make up the difference. The purchaser may navigate several vendors’ sites, all of which look professional and legitimate. However, there’s virtually no way to tell at first blush which services are legitimate and which are backed by cybercriminals. (It is important to note that sometimes traffic can be bought and sold several times before actually reaching a publisher.) As a result, purchased traffic is often filled with bots, many of which are advanced enough to steal human users’ cookies, get picked up by retargeting campaigns, and steal even more.

The problem gets worse with audience extension, which is notoriously bot-heavy. White Ops has uncovered audience extension sites with as much as 97% non-human traffic.

Because these bots typically live on real users’ computers, advertisers often can’t tell that the audiences they’ve purchased are completely phony. Once bot detection is turned on and advertisers realize that they’ve been defrauded, it’s publishers who often suffer damage to their reputation and revenue, even if they never set out to buy bot traffic.

How We Can Fix It

Nobody is entirely at fault for this incidence of fraud (except the cybercriminals, of course). That being said, there are plenty of things that advertisers and publishers can do to diminish the vicious cycle of fraudulent traffic.

First, advertisers can align their expectations with demographic data and the established human audience of a given publisher. It’s tempting to create highly targeted audience segments, but some audiences are just too good to be true. By making it clear that they’re interested in audiences that publishers can realistically deliver, advertisers can set realistic targets for ad campaigns, improving both parties’ respective ROI and denying revenue to cybercriminals.

For publishers, eliminating fraud starts with demanding full transparency from all vendors, since non-human traffic thrives in areas of opacity. It’s best practice to seek out specifics about pricing, traffic sourcing, and the extent of audiences being delivered via owned and operated domains versus those being delivered via audience extension.

The data and technology at our disposal today are truly astounding, but they’re not magic wands we can wave at our quarterly targets. They require expert use, collaboration with trustworthy partners, and most importantly, patience and realistic expectations to get the results advertisers are looking for.