Fraudulent traffic on your campaigns is a pain. There are some bad guys out there trying to make you think your campaign is running well or guys just want your cost per click budget to run out. Be aware of them. And get rid of them in your reports but also in reality.
2. Catch your Advertising Money Thieves
• Is someone stealing your advertising money?
• Who or what is producing invalid traffic at your cost?
• You want to get alerted when suspicious traffic kicks in (Fraud)?
• You want a clean and accurate basis for your Marketing Analytics
without fraud traffic?
4. Before we start – some “good to know”
• The data we are talking about does not live long (GDPR compliance).
• IP Address processing is necessary for the purposes of the legitimate interests pursued by the
controller - Security and Fraud detection are two legitimate interests.
• You need to understand what can appear as “direct campaign traffic” means.
Learn about it here: https://www.youtube.com/watch?v=8oGlkqq_0Ao
• Be very careful with your analysis and ask a security specialist for a second
opinion before you report your findings.
• Expect Fraud everywhere but also be aware that some users show strange click
flows.
• Read this: https://www.wfanet.org/adfraud
5. Prerequiste: Get the Logs into New Relic
• Define New Relic the endpoint of your Logs in your CDN or from your servers (in case no CDN is
used)
• Check if logs arrive
(Example for Fastly) (Logs arrived in New Relic)
6. Make sense of the of the data
Focus for this use case only on traffic coming from your paid campaigns (Paid Search,
Paid Social etc.)
Most thieves hide themselves by using sophisticated scripts run on a variety of servers. Expect to see
one thieve use multiple IP addresses.
A good starting point is to count the calls of UTM Campaign traffic and separate it by IP address.
Select count(client_ip) as 'Requests'
from Log
where request_user_agent not like '%bot%'
and request_query_string like '%utm_campaign%'
and request_referer not like '%yourdomain.%'
facet client_ip
limit 50 since 1 day ago
xxx.xx.xx.xx
xxx.xx.xx.xx
xxx.xx.xx.xx
xxx.xx.xx.xx
7. Narrow down to get more intelligence
• Ask Questions
What campaigns are affected?
Is this real fraud?
xxx.xx.xx.xx
xxx.xx.xx.xx
xxx.xx.xx.xx
xxx.xx.xx.xx
Click to
filter
Campaigns
Called
Red Flag ’Cost
per Click’
Campaign
8. Is the specific IP address known as Fraud?
• Various platforms provide databases of known fraud traffic Ips
• Example: https://scamalytics.com/
• Confirms my assumption: Most likely fraud !
9. Further Analysis
• Check the log entry further for
Is a referral present?
Is a gclid present? (you might need it for reporting it to google)
Is anything else looking suspicious?
A starred as request
language…suspicious
Export gclid
directly from New
Relic
11. Automate Fraud detection
• Implement a script using the NR APIs to get the list of possible fraud
Ips
• Query the https://scamalytics.com/ API and send the results (as
custom events) into New Relic using the ingestion API.
• Now you can query the data easily and get alerted on high fraud
traffic based on public available data
13. Report identified Thieves
• https://support.google.com/googleads/troubleshooter/2557048?rd=1
• Make sure the ALL the data requested by Google. The better you report the faster
Google can react and probably refund you. All requested data should be available
in your logs.