Anti-fraud solution
An anti-fraud solution is a system designed to detect and prevent fraudulent activity.
Fraudulent actions, such as generating fake clicks or installs, reduce ad effectiveness. As a result, return on investment (ROI) decreases and advertisers are exposed to financial losses. Fraud also distorts analytical data so it's hard to make informed business decisions.
Fraud types
According to FraudScore, a leading provider of solutions for analyzing and detecting fraud in mobile traffic, about 30% of iOS traffic and 40% of Android traffic is fraudulent.
The most common fraud types are:
- Click spam: Generating lots of clicks without actual ad interaction. Fraudsters use this technique to intercept organic traffic and attribute it to specific publishers.
- Click injection: Sending a fake ad engagement between an app download and its first launch. Using this method, fraudsters steal attributions from other sources.
- Device farms: Using bots to generate actions that simulate user activity and boost traffic.
- SDK spoofing: Sending fake requests from an SDK to the analytical system's servers. Fraudsters use this technique to generate fake installs and user events.
AppMetrica is integrated with the FraudScore system, which helps you detect click spam, click injection, and bots that mimic real users. To combat SDK spoofing, AppMetrica offers event verification solutions.
How to enable the anti-fraud solution
Our anti-fraud solution is a paid feature. For pricing information, see Additional options available for purchase.
To enable the anti-fraud feature:
- From the side panel, go to Organization.
- Select a pricing plan and click Settings.
- Go to the FraudScore antifraud tab and select the number of installs you need.
- Click Proceed to purchase.
  Payment
  Instead of being charged for the entire month at once, you are charged daily. If the number of installs per month exceeds the limit you selected, fraud detection stops automatically.
- Once you enable the feature, new and existing trackers will have the Antifraud by FraudScore option. Enable this option in the trackers where you want to check installations for fraud. While the option is active, all the installations recorded by those trackers are sent to FraudScore.
  Restrictions
  The anti-fraud option is not available in trackers with media sources Google Ads, Google Search, and Yandex.Direct.
Assessment scores are available in AppMetrica after 3-4 days and may be updated later. You can view them in the Sources → Fraud assessment and Fraud assessment details grouping in the User Acquisition report.
We recommend using as many parameters provided by the ad network as possible, including:
- Platform ID
- Keywords
- Group ID
- Ad ID
This information helps analyze fraud in greater detail and address fraudulent activity in a more targeted manner (for example, only disable individual platforms when needed).
How the fraud risk is assessed
FraudScore analyzes traffic using more than 150 metrics that are divided into 15 groups called Fraud Reasons. In each group, several metrics are analyzed using different algorithms.
For each extended fraud reason identified, the conversion gets a fraud score. If multiple anomalies are detected for the same conversion, its fraud scores for these anomalies are summed up. Depending on its total fraud score, the conversion is assigned a fraud level:
- Not fraud: Non-suspicious traffic.
- Likely not fraud: Low fraud risk level (1–2 violations), the fraud score is no more than 33.
- Likely fraud: Medium fraud risk level (2–4 violations), the fraud score is between 33 and 66.
- Fraud: High fraud risk level (4 or more non-critical violations, 3 or more critical violations), the fraud score is over 66.
AppMetrica reports only include resources classified as fraud and likely fraud.
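The aggregation described above, together with the earlier advice to pass the ad network's Platform ID, as an added example (not AppMetrica or FraudScore code). It models only the summing and the level boundaries stated on this page. The per-reason scores, conversion IDs, platform IDs, and the handling of totals of exactly 0 and 66 are assumptions.

```python
from collections import defaultdict

# Level boundaries from the page: <=33 likely not fraud, 33-66 likely fraud, >66 fraud.
# Assumptions: a total of 0 means "Not fraud"; a total of exactly 66 is "Likely fraud".
def fraud_level(total_score):
    if total_score <= 0:
        return "Not fraud"
    if total_score <= 33:
        return "Likely not fraud"
    if total_score <= 66:
        return "Likely fraud"
    return "Fraud"

def assess(conversions):
    """Sum each conversion's per-reason scores and attach the total and level."""
    assessed = []
    for conv in conversions:
        total = sum(conv["reason_scores"].values())
        assessed.append({**conv, "total": total, "level": fraud_level(total)})
    return assessed

def flagged_share_by_platform(assessed):
    """Share of installs per platform ID at the two levels the reports include."""
    counts = defaultdict(lambda: [0, 0])  # platform_id -> [flagged, all]
    for conv in assessed:
        counts[conv["platform_id"]][1] += 1
        if conv["level"] in ("Likely fraud", "Fraud"):
            counts[conv["platform_id"]][0] += 1
    return {pid: flagged / total for pid, (flagged, total) in counts.items()}

# Constructed sample: reason names come from the page's table, scores are invented.
SAMPLE = [
    {"id": "c1", "platform_id": "site-A", "reason_scores": {}},
    {"id": "c2", "platform_id": "site-A", "reason_scores": {"Browser": 20}},
    {"id": "c3", "platform_id": "site-B", "reason_scores": {"Datacenter": 30, "Proxy": 25}},
    {"id": "c4", "platform_id": "site-B", "reason_scores": {"Click": 30, "LowCR": 25, "IP": 20}},
    {"id": "c5", "platform_id": "site-B", "reason_scores": {"Device": 10}},
]

if __name__ == "__main__":
    result = assess(SAMPLE)
    for conv in result:
        print(conv["id"], conv["platform_id"], conv["total"], conv["level"])
    for pid, share in sorted(flagged_share_by_platform(result).items()):
        print(f"{pid}: {share:.0%} of installs flagged")
```

Grouping by platform ID is what makes it possible to disable a single platform instead of a whole tracker.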
Report example
Descriptions for fraud reasons
| No. | Name | Description |
| --- | --- | --- |
| 1 | Activity | A category of various suspicious actions related to performing conversions. For example, an anomalous rate of transitions from impressions to clicks in the impression-click-install funnel is typically a sign of click-spamming in attribution based on both impressions and clicks. |
| 2 | Attribution | A category of anomalous activity that may constitute fraud during attribution: |
| 3 | Blacklist & Dynamic Blacklist | Blacklist and Dynamic Blacklist (for mobile devices) are parameters that help detect and block conversions made by users whose IP address was recently used by fraudulent devices (devices used to perform fraudulent actions). |
| 4 | Browser | The Browser category flags situations where an outdated browser version is used. Currently, almost all browsers automatically update to the latest versions. Fraudsters more often use outdated browser versions, as they lack the necessary control and security updates available in newer versions. |
| 5 | Click | The Click category refers to a group of parameters flagging users with anomalies in clicks. For example, a suspicious distribution of time between clicks on different ads. Bots typically make such clicks. |
| 6 | Crawler | A category flagging search engines and other automated scanners. |
| 7 | Datacenter | The Datacenter category flags traffic that originates from servers in data centers or known cloud platform providers rather than from residential or corporate networks. Such traffic has a very low likelihood of coming from a real human user. |
| 8 | Device | A category encompassing all anomalies detected in device parameters: |
| 9 | Events | A group of parameters that help identify fraudulent conversions based on in-app event data. For example, conversions made by users who did not continue using the app after the target event. |
| 10 | HighCR | A category indicating an anomalously high conversion rate from click to conversion (installation or registration). This characteristic is typical for sources with bot-driven devices and may indicate the presence of incentivized users. |
| 11 | IP | A category of anomalies or suspicious actions related to IP addresses: |
| 12 | LowCR | A category indicating an anomalously low conversion rate from click to installation. Typically, this is a sign of click-spamming. |
| 13 | Operating system (OS) | A category of operating system issues that are considered fraudulent: abnormal distribution of devices in traffic (device models, browser versions, operating system, etc.). |
| 14 | Proxy | A category of anomalies identified by IP address in combination with other conversion parameters: |
| 15 | Source | In this category, all anomalies are related to traffic sources: |