Balancing programmatic revenue with the potential of driving consumer harm and putting your executives in jail.
The revenue versus risk balance is a continuous battle in programmatic advertising circles, one traditionally fought between ad operations, revenue, and editorial teams. Online scams are the latest to come under the microscope, but this time governance, legal and risk teams are involved.
Why? Consumers—elderly, children, trusting natures—are at risk. And now government authorities are invested—from the FTC’s generic “no unfair or deceptive acts or practices” statements to the UK’s proposed Online Safety Bill, a groundbreaking initiative to hold companies accountable for harms experienced by consumers during visits to their digital properties.
It’s clear that the ever-growing barrage of online scams—which grew 63% throughout 2021—can no longer be ignored. The problem is defining the term. The FTC tends to take a more commercial focus— e.g., promotion of goods using unproven claims—while the UK’s initiative is more focused on financial harms caused to consumers.
To protect your valuable audience and avoid regulatory scrutiny it’s time to tackle online scams. The heart of the issue is that an online scam is difficult to distinguish from clickbait or outright malicious activity, making it easy to bypass creative blockers that rely on established lists keyed off known technical signals, words, and images.
Defining an online scam
Online scams come in many forms, from delivery format (e.g., creative, tag, landing page, website) to the affected party (e.g., businesses, consumers, governments).
When it comes to advertising, there are four terms that define potentially unwanted online activity:
Clickbait: Ads that market salacious and potentially false claims, fake news, and/or images to generate clicks and drive revenue. There is no overt harm caused to consumers or businesses.
Scams: Schemes that defraud consumers or mislead them into sharing personal information which is then used in an unauthorized manner. They typically use clickbait to advertise products/services that drive consumers to a website that promotes goods with false claims and/or harvests their personal identifying information (PII). Scams typically transition to landing pages that house unwanted activity like data exfiltration, misinformation propagation, command & control communication, and DNS tunneling.
Ad Fraud: Activity meant to deceive participants in the digital advertising supply chain. These attacks generate click and/or impression fraud during the ad delivery process. This activity is considered malicious as its primary intention is to illegally obtain money by deception. Examples include impression fraud, click fraud, clickjacking, ad stuffing and ad stacking.
Malware: Building on scams and ad fraud, malicious content demonstrates a direct intention to harm consumers. The activity usually involves unauthorized redirects—which are not always visible to the consumer. The harm can be overt (e.g., download of exploit kits, keystroke loggers, ransomware, adware) or cloaked, where the malicious activity only executes under certain conditions (e.g., fake antivirus software install prompts, credit card theft). This also includes characteristics associated with known attack patterns and/or threat actors.
Online scams harm everyone
The opaque nature of digital advertising makes it easy to hide harmful ads. While businesses are subject to revenue loss, brand damage, and regulatory violation repercussions, it’s really consumers who are most impacted. These predatory scams typically target vulnerable members of our society and take advantage of their financial instability and/or technological naivete. The goal is to drive credit card theft, counterfeit/deceptive goods, PII theft, and so much more that enable secondary attacks like device infection and ransomware.
This is what the authorities are looking to stop. The UK government is focused on activities that defraud consumers from their money, e.g., Bitcoin investments (aka “Fizzcore”). Currently, this initiative is directed at search engines and social platforms; however, the writing is on the wall. A further review of online advertising regulations andonline scams is scheduled in the second half of 2022. These discussions will likely broaden the scope to include other consumer-harming activity such as misleading product promotions.
A solid digital trust and safety program with a policy delineating acceptable content can mean the difference between revenue and financial (or regulatory) penalties. Even worse, jail time for executives.
