Fake traffic is growing more sophisticated than ever, and that could be bad news both for your analytics and your advertisers. Here are a few starting points for limiting the impact of traffic fakery.
Your analytics are an incredibly important part of what makes your association’s website useful—sometimes even essential to its bottom line.
But when that data isn’t quite accurate, it can create some big problems—and lead you to some decisions that aren’t the right ones.
Which is why a recent report on the nature of “fake traffic”—that is, artificially inflated traffic that appears either in your server logs or your analytics profile—struck me as particularly alarming.
According to the advertising verification firm CHEQ, 18 percent of online ad traffic from October through February was fraudulent, which is a lot, but only half of the 36 percent rate the Interactive Advertising Bureau bandied about five years ago. (Credit the recent progress made on ad fraud, apparently.)
But the real problem, according to CHEQ, is that the ad fraud is becoming more sophisticated. To put it another way, the bots are getting smarter. According to a news release, “sophisticated invalid traffic” (SIVT) represented 77 percent of all bot traffic detected.
This is bad news for a few reasons, among them that fake traffic is getting harder to manage. We may be past the days when you can block an IP address or two and shut down a botnet that is causing big problems, and we are forced instead to look at other tactics that are more complicated to manage.
And while organizations like the Trustworthy Accountability Group (TAG) have put a lot of work into preventing ad fraud, it’s worth noting that fake traffic can happen even to sites that don’t run ads—and it can be for reasons as simple as sheer dissonance or dislike of analytics.
So what can you do to tackle fake traffic? Among the tactics that your association should look into as a starting point:
Strengthen your Google Analytics filters. Google Analytics is a great service but has a limitation that makes it susceptible to potential fakery: The number associated with your account can easily be spoofed, maliciously or not. The result of a spoof is that while no actual traffic is hitting your site, it can lead to fake referrers or made-up traffic, which is almost as bad. The search engine specialist firm Moz says the problem of “ghost spam” is still out there, though it was actually much worse two or three years ago. Nonetheless, it remains important to filter out traffic that shouldn’t be there, so as not to allow that data to improperly impact your search results. There are lots of guides out there that can help you properly set filters to remove this made-up traffic; here’s just one. This should help make it so your Google Analytics aren’t getting gamed.
Look at your server logs occasionally. While adding in strong Google Analytics filters can help you block out weird user agents or spammy referrers, it can only do so much when it comes to real traffic that is hitting your site—even if that traffic is clearly spammy. It’s worth digging into your server logs sometimes to understand the kind of traffic you’re getting, along with the kind of traffic that shouldn’t be there—and that you should block at the server level. Admittedly, you might be getting into the weeds by doing this, but it’s often a good way to diagnose problems, from common 404 errors to fake traffic patterns. Sometimes a quick look might highlight problem IP addresses that are using way more server resources than everyone else. Or, you might, as I once did, go through the logs and find that you’re getting an unusual amount of traffic from a user agent for the Microsoft Zune—aka the little-used iPod competitor that had some web browsing capabilities in its most recent version, released in 2009. (That was a fun discovery.)
Use a tool like Cloudflare to block malicious traffic. Over the last eight or so years, Cloudflare has proven to be one of the most important tools online for protecting your site from malicious traffic, as well as for adding features such as caching. Part of the reason it’s so good at these things are its roots: It came to life via a tool called Project Honey Pot, which detects malicious traffic. Cloudflare essentially extended this idea and gave it a polished sheen and a firewall layer for individual websites, making it easy to stop distributed denial-of-service (DDoS) attacks, cache frequently used content, and put up a “challenge” against traffic from sketchy sources—which can be as small as a specific IP address or as broad as an entire country. While some features are paid, many of the basic ones are available for free—including a just-added “bot fight mode,” which goes on the offensive against bot traffic. The benefit of this approach (and similar tools like Incapsula) is that it ultimately prevents a lot of fake traffic from ever hitting your site and adds an extra layer of protection if a DDoS attack does hit.
Use certification programs to find vendors focused on fighting fraud. Tools like the TAG’s Certified Against Fraud Program can help lead you in the right direction when it comes to choosing vendors focused on advertising in particular. It’s worth noting that ads are perhaps the most persistent target of fake traffic, as they can directly skew how much advertisers spend, creating ample opportunities for fraud. TAG’s standard is useful here as it creates some rules of the road for how fake traffic is understood by both advertiser and publisher.
Any fake traffic disasters you’ve had to tackle? Share your insights in the comments below.