Fraud: what is it, where does it come from and how to fight. Fraud - what is it? A new type of fraud in the field of information technology Fraud decryption

Internal fraud is fraud committed by employees who use their position and their access to telecommunications equipment. The victims can be both the company that employs the unscrupulous staff and its customers.

In English-speaking countries, the word "fraud" means any kind of fraud; in Russia, the term refers to a narrower category of crimes: fraud in the field of information technology. Hundreds and thousands of streams of money flow through this area: payment for calls, Internet traffic, online purchases and orders, mobile banking. And many are tempted to divert a small trickle into their own pocket through fraud.

In general, IT fraud can be divided into four broad categories:

  • User, also referred to as subscriber fraud. It includes fraud on the part of users - illegal connection and non-payment for the services of telecom operators, calls at someone else's expense, forgery of bank cards and operations without the presence of a card.
  • Operator fraud is all kinds of dubious actions by companies towards their customers. These include automatic connection of paid services, a high cost of unsubscribing from them, cards that allow the balance to go negative, etc.
  • Inter-operator fraud is an attempt by operators to deceive each other. Its varieties include all kinds of traffic redirection, presentation of expensive types of communication as cheap, etc.

Classification and methods of internal fraud

In turn, internal fraud can be divided into two broad categories - theft and abuse. In the first case, there is a direct theft of money or other material assets, in the second, the extraction of material or non-material benefits is not associated with direct theft.

As already mentioned, a lot of money is constantly moving in the IT sphere - from a client to a bank or operator, between clients, between firms. And some employees find an opportunity to profit at the expense of the employer or clients.

For example, there may be cases of fictitious services, services at inflated prices or contracts with affiliated contractors. Fraudulent activities are also possible with the company's customers. This is especially true for mobile operators, where certain amounts are debited regularly, often several times a day, and if an employee adds a small payment to his own account, the client is unlikely to notice. And since there are tens and hundreds of thousands of such customers, the amount in the end is impressive.

In terms of abuse, information technology also presents a wide field for action. The scale here is the widest, from connecting friends to profitable intra-corporate tariffs and up to issuing millions of bills for fictitious, most often informational, i.e. intangible services.

Types of economic crimes: main areas of risk, what to look for

The overestimation of the results is also a big problem. Many fictitious customers can bring impressive real bonuses to an employee or department.

It is also worth noting the abuse associated with access to equipment. Unlike traditional industry, where financial scams are the preserve of management and accounting, in the information industry, technical specialists are also able to organize various fraudulent schemes by properly setting up servers and other equipment. For example, exclude certain types of traffic from accounting, register expensive calls as cheap, and then connect individual numbers to them. It is very difficult to detect such crimes, even more difficult to prove, because a misconfiguration can always be explained by a mistake.

Finally, IT companies are subject to all the abuses that existed long before the dawn of the information age - hiring fictitious employees (usually friends and relatives of superiors), issuing inflated bonuses, writing off still working equipment for the purpose of further sale, using company vehicles and other property for private purposes.

Who suffers from internal fraud

Fraudsters can target the company's equipment and software, paper and electronic financial documents, and senior and junior employees.

Servers, routers and other equipment are very vulnerable because their operation depends on many settings made by a narrow circle of specialists, settings that everyone else, as a rule, does not understand at all. This gives engineers and programmers ample opportunity to redirect traffic, distort reports about it, and introduce malware.

Persons with access to financial programs can either directly steal small, and therefore imperceptible amounts from the accounts of many clients, or issue false invoices, payments, inquiries about the return of allegedly erroneously transferred funds, etc.

Options for defrauding employees may include overestimation of indicators to receive high bonuses, fake requests for money transfers, blocking and unblocking accounts, extorting logins and passwords from colleagues of a higher access level.

Threat Source

In accordance with the objects of influence, three main sources of internal fraud in the IT sphere can be distinguished.

People with a criminal past are more likely to commit fraudulent activities. Therefore, any company must check the candidate before hiring, monitor his activities in the process of work, maintain a high corporate culture and implement effective motivation schemes, because decent and stable official earnings are more attractive than temporary, moreover, fraudulent schemes that threaten criminal prosecution.

It should be emphasized that special attention should be paid to working with people. Special risk categories should include people with a criminal record, system administrators and other employees with a high level of access, and people who transfer funds. A separate category is departing employees, especially in the case of forced layoffs or dismissals for violations at work. Driven by resentment or seeking compensation, they may try to steal databases, misconfigure equipment, or infect computers with malware.

Internal fraud risk analysis

Every company where there is at least something to profit from is vulnerable to internal fraud: banks, government agencies, Russian Railways, the oil and gas industry and others. Another problem is the complexity of the industry. Employees, especially newcomers, often take a long time to master complex programs, and in the meantime operations are performed in violation of strict norms. And any violation is a loophole for fraud.

A clear transparent structure with good internal controls leaves very few opportunities for fraudsters to scam.

In addition to internal audits, regular external audits are also required, covering both technical matters and financial transactions, which makes it possible to identify incorrect settings of servers and computers and dubious money transfers. The very possibility that fraudulent schemes will be exposed will force many to abandon their plans.

It is necessary to analyze the performance indicators of both an individual employee and entire departments. Sometimes their sharp increase is not a consequence of improved performance, but a fraudulent increase in order to obtain large bonuses.

Finally, the overall corporate culture is of great importance. Where it is absent and labor discipline is low, everything often begins with small abuses to which a blind eye is turned. Impunity pushes a person to seek (and find) larger schemes in which the company and customers lose millions.

At the same time, a clear, transparent system, strict control, including an external independent audit, and awareness of the inevitability of punishment will make the majority forget about fraudulent schemes in favor of honest earnings. To counteract internal fraud, DLP systems, employee profiling systems, and UEBA behavioral analysis are used.

He spoke about the types of mobile fraud and methods of dealing with them.

Everyone who works with ads in applications faces the problem of fraud. If you think you have not run into it, you have; you simply do not know about it. The article will help you learn to identify and distinguish 4 types of fraud that are relevant today.

By 2020, $250 billion will be spent on mobile app advertising.

The volume of fraud is only growing and is already approaching 16-17 billion dollars, which advertisers lose annually. To understand how to avoid fraud with such rapid growth, we will analyze the 4 most relevant types.

Install Hijacking

In Install Hijacking, malware residing on the device of the user installing the app detects the download and tries to claim the installation, which rightfully belongs to another source. The way to deal with this kind of fraud is to track the distribution of time from click to install.

Presentation Fighting mobile fraud - new approaches and metrics. Alexander Grach, AppsFlyer

At the beginning of the chart, there are extreme points, where a huge number of installations occur in a short period of time, which does not correspond to human behavior. With the help of such tracking, we evaluate and filter out this kind of behavior.

Click Flood

In Click Flood, malware intercepts organic installs by flooding the tracking system with a large number of clicks. Apps with good organic traffic are more prone to this type of scam.

To understand the method of dealing with Click Flood, let's pay attention to the following set of KPIs.

  1. CTIT - time distribution from click to install.
  2. Conversion rate.
  3. Engagement.
  4. Multichannel index.

Consider several traffic sources and how they behave based on the KPIs in the table below. There is a source "A" and a source "B". We evaluate them against the 4 KPIs.


CTIT. In a normal distribution, the time from click to install is about 40 seconds, about 70% of installs are made in the first hour and 95% in the first 24 hours. Accordingly, we monitor this indicator.

Conversion rate. Obviously, with a large number of clicks, the conversion is small. Abnormally low values, or values lower than expected, are checked for fraud.

Engagement. When an install comes from an organic source, engagement stays at the organic level. The result is a user who behaves well: pays, reaches certain levels, and so on. The level is determined individually: you configure your own definition of a loyal user.

Multichannel index: the ratio of the number of assisting clicks of the first source to the number of last clicks. Tracking platforms use last-click attribution. This means that if an app install was preceded by several clicks on an ad, the last one is considered the converting one and gets credit for the install. With Click Flood, the fraudster sends a huge number of clicks that clog the conversion funnel and sometimes land in the last position, so tracking the multichannel attribution funnel is extremely important.

Let's look at an example of AppsFlyer's multi-channel attribution report:


To describe the technique, one event is taken: an installation. The report shows the 3 previous clicks and how they relate to each other. For each install attributed to this traffic source, the multi-channel attribution funnel is clogged by the same source or a specific publisher. This raises questions. In a normal situation, there is no clear pattern in how assisting clicks are distributed through the funnel. If Click Flood is suspected, the interval between these clicks is either identical or they fall very close to the installation time, within just a few seconds. In other words, it was a burst of clicks, all close to each other, some of which hit the target.
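The Click Flood KPIs described above can be computed from raw click and install logs. The following is an added example, not code from the presentation or from AppsFlyer: it applies last-click attribution and derives the first-hour CTIT share, the conversion rate and the multichannel index per source. The record layout, the sample data and the flagging thresholds are assumptions made for illustration.

```python
from collections import defaultdict

HOUR = 3600

def attribute(clicks, installs):
    """Last-click attribution. Returns one record per non-organic install."""
    by_device = defaultdict(list)
    for source, device, ts in clicks:
        by_device[device].append((ts, source))
    attributed = []
    for device, install_ts in installs:
        prior = sorted(c for c in by_device.get(device, []) if c[0] <= install_ts)
        if not prior:
            continue  # no click before the install: organic
        last_ts, last_source = prior[-1]
        attributed.append({
            "source": last_source,                     # gets credit for the install
            "ctit": install_ts - last_ts,              # click-to-install time, seconds
            "assists": [s for _, s in prior[:-1]],     # earlier clicks in the funnel
        })
    return attributed

def source_kpis(clicks, installs):
    """Per-source conversion, first-hour CTIT share and multichannel index."""
    stats = defaultdict(lambda: {"clicks": 0, "installs": 0, "first_hour": 0, "assists": 0})
    for source, _, _ in clicks:
        stats[source]["clicks"] += 1
    for rec in attribute(clicks, installs):
        s = stats[rec["source"]]
        s["installs"] += 1
        s["first_hour"] += rec["ctit"] <= HOUR
        for assisting_source in rec["assists"]:
            stats[assisting_source]["assists"] += 1
    kpis = {}
    for source, s in stats.items():
        n = s["installs"]
        kpis[source] = {
            "conversion": n / s["clicks"],
            "first_hour_share": s["first_hour"] / n if n else 0.0,
            # assisting clicks of the source divided by its last (converting) clicks
            "multichannel_index": s["assists"] / max(n, 1),
        }
    return kpis

def click_flood_suspects(kpis, min_first_hour=0.5, min_conversion=0.003, max_index=1.0):
    """Flag sources showing at least two of the three signs (thresholds are assumptions)."""
    suspects = {}
    for source, k in kpis.items():
        reasons = []
        if k["first_hour_share"] < min_first_hour:
            reasons.append("flat CTIT distribution")
        if k["conversion"] < min_conversion:
            reasons.append("abnormally low conversion")
        if k["multichannel_index"] > max_index:
            reasons.append("funnel clogged with own assists")
        if len(reasons) >= 2:
            suspects[source] = reasons
    return suspects

def build_sample():
    """Constructed data: source A behaves normally, source B floods clicks."""
    clicks, installs = [], []
    for i in range(200):                                   # A: one click per device
        clicks.append(("A", f"a{i}", 1000 + i))
    for i, ctit in enumerate([35, 40, 42, 50, 38, 45, 1800, 7200]):
        installs.append((f"a{i}", 1000 + i + ctit))
    for i in range(700):                                   # B: bursts of 3 clicks, 10 s apart
        for k in range(3):
            clicks.append(("B", f"b{i}", 50_000 + i + 10 * k))
    for i, ctit in enumerate([5 * HOUR, 9 * HOUR, HOUR // 2, 14 * HOUR]):
        installs.append((f"b{i}", 50_000 + i + 20 + ctit))
    clicks.append(("B", "a8", 6008))                       # B's click lands after A's click
    installs.append(("a8", 6008 + 2 * HOUR))               # so B takes credit, A is an assist
    return clicks, installs

if __name__ == "__main__":
    kpis = source_kpis(*build_sample())
    for source, values in kpis.items():
        print(source, values)
    print(click_flood_suspects(kpis))
```
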

Click Hijacking

Another type of fraud that is fought with the multi-channel index and multi-channel attribution is Click Hijacking. The mechanics are similar to Install Hijacking, but here the malicious application detects a real click and sends a fake click report from a competing network, thus intercepting the click and the installation itself.


On the chart above, you can see how the time from the penultimate click to the last click is distributed. In the AppsFlyer model, the last click is the one that converts, and the first contributor is the previous click in the funnel. Accordingly, a pattern is visible in multi-channel attribution: the penultimate click is unnaturally close to the last one. You can immediately cut off such a spike and treat this data as suspected Click Hijacking.

Install Fraud

The last type of fraud on the list is associated with installations - Installs Fraud. Modeling all sorts of distributions is a cool thing, but it's always necessary to have multiple layers of protection. To test any hypotheses, you need to have information from different sources. AppsFlyer decided to use their own data in order to fight this type of fraud.

The project lasted about six months. All devices were taken from the database. At the moment, the AppsFlyer database covers about 98% of all devices in circulation. The goal of the project was to understand what score each such ID has in the system from the point of view of an anti-fraud solution. The scoring is based on 1.4 trillion mobile interactions.

Using big data processing algorithms, each mobile device was assigned a certain rating. The rating scale is similar to securities ratings: rogue devices are rated "C", suspicious devices are rated "B", real devices are rated "A", "AA" or "AAA", new ones are rated "N", and LAT (Limit Ad Tracking) devices are rated "X".

After scoring, the question remained what to do with new devices.


With the help of aggregated data, it became clear that some traffic sources deliver an abnormally large number of new devices, and these turned out to be not the latest Samsung or iPhone models but old devices from 2012-2013 with outdated software versions. This indicates device emulation followed by a reset of the advertising ID. In this case, the dummy device performs the necessary actions on the advertising offer, after which it resets the IDFA / GAID and starts a new round of installations. An effective method for catching emulated devices is to use large databases like AppsFlyer's. With 98% of the devices in circulation analyzed, each new device is a kind of flag: an ad network cannot deliver 100% new users. There is a natural turnover of new devices of about 5-10%, but definitely not 100% or even 50%.

If you filter by campaign, you can see that some campaigns bring more new devices and others fewer.


Breaking the data down by sub-publisher shows that they are the same ones. This means that there are one or more suspicious sub-publishers that mix fake traffic into different campaigns and different traffic sources. Thus, by tracking the activity, you can catch the fraudster.
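The new-device analysis described above, as an added example (not AppsFlyer's implementation): it computes the share of installs rated "N" per campaign and sub-publisher, then reports sub-publishers that exceed the threshold in more than one campaign. The 50% ceiling comes from the text; the minimum sample size, the identifiers and the data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

NEW_DEVICE = "N"  # rating the article assigns to devices not seen before

def new_device_share(installs):
    """Map (campaign, sub_publisher) -> (share of new devices, total installs)."""
    totals, new = Counter(), Counter()
    for campaign, sub_publisher, rating in installs:
        key = (campaign, sub_publisher)
        totals[key] += 1
        new[key] += rating == NEW_DEVICE
    return {key: (new[key] / totals[key], totals[key]) for key in totals}

def recurring_sub_publishers(installs, max_share=0.5, min_installs=20, min_campaigns=2):
    """Sub-publishers with an abnormal new-device share in several campaigns.

    min_installs keeps tiny samples from being flagged; min_campaigns captures
    the pattern from the text: the same sub-publisher mixing fake traffic
    into different campaigns.
    """
    flagged = defaultdict(list)
    for (campaign, sub_publisher), (share, total) in new_device_share(installs).items():
        if total >= min_installs and share > max_share:
            flagged[sub_publisher].append(campaign)
    return {sp: sorted(c) for sp, c in flagged.items() if len(c) >= min_campaigns}

def build_sample():
    """Constructed install log: (campaign, sub_publisher, device rating)."""
    rows = []

    def add(campaign, sub_publisher, new, known):
        rows.extend([(campaign, sub_publisher, NEW_DEVICE)] * new)
        rows.extend([(campaign, sub_publisher, "AA")] * known)

    add("cmp-1", "sp-01", 8, 92)    # 8% new: within natural turnover
    add("cmp-1", "sp-07", 30, 10)   # 75% new
    add("cmp-2", "sp-02", 4, 56)    # about 7% new
    add("cmp-2", "sp-07", 35, 15)   # 70% new, same sub-publisher again
    add("cmp-3", "sp-02", 4, 1)     # 80% new but only 5 installs: ignored
    add("cmp-3", "sp-09", 18, 12)   # 60% new, but seen in one campaign only
    return rows

if __name__ == "__main__":
    print(recurring_sub_publishers(build_sample()))
```
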

Fraud is a disease, but there is a cure for it

Fraud is a mobile app advertising disease, but many vaccines have already been developed for it. Using the solutions described in the article, you will be able to detect the 4 most popular types of mobile fraud. Do not skimp on the fight against fraud, learn to see it. Constantly look for solutions and contact qualified companies to help you with this.


Fraud is one of the most dangerous crimes against property. There are several articles in the criminal law devoted to it.

The general definition of the offence is given in Article 159 of the Criminal Code of the Russian Federation. The norm establishes penalties for illegal actions with physical objects or property rights. Article 159 of the Criminal Code of the Russian Federation also provides for qualified and especially qualified forms of the offence. Art. 159.6 establishes punishment for acts in the field of computer information. Meanwhile, there is a new type of fraud, known simply as "fraud". The Criminal Code does not provide for liability for it.

Definition

The term is a borrowing of the English word "fraud". Its essence consists in unauthorized actions and the unauthorized use of services and resources in communication networks. Simply put, it is a type of fraud in the field of information technology.

There are different ways of committing a crime. Currently, more than 50 different methods of theft in communication networks are known.

Analyzing the cases that have occurred in practice, it can be said that fraud is a crime for which it is very difficult to prosecute.

Classification

An attempt to identify the types of fraud was made in 1999 by F. Gosset and M. Hyland. They were able to identify 6 main types:

  1. Subscription fraud (contract fraud). It is the deliberate provision of incorrect data when concluding an agreement, or the subscriber's failure to fulfill the payment conditions. In this case, the subscriber either never plans to fulfill his obligations under the contract or at some point refuses to fulfill them.
  2. Stolen fraud: use of a lost or stolen phone.
  3. Access fraud. The crime consists in the illegal use of services by reprogramming the identification and serial numbers of telephones.
  4. Hacking fraud. It is penetration into the security system of a computer network in order to remove protection tools or change the configuration of the system for unauthorized use.
  5. Technical fraud. It involves the illegal production of payment telephone cards with fake subscriber identifiers, payment marks and numbers. This type of fraud is also referred to as intracorporate fraud. In this case, the attacker has the opportunity to use communication services at a low price by gaining illegal access to the corporate network. This fraud is considered the most dangerous act, since it is quite difficult to detect.
  6. Procedural fraud. Its essence lies in illegal interference in business processes, for example in billing, in order to reduce the amount of payment for services.

Later, this classification was greatly simplified; all methods were combined into 4 groups: procedural, hacker, contract, technical fraud.

Main types

It is necessary to understand that fraud is a crime whose source can be anywhere. In this regard, the issue is of particular relevance. Accordingly, the following three types of fraud are distinguished:

  • internal;
  • operator;
  • subscriber.

Consider their main features.

Subscriber fraud

The most common actions are:

  • Imitation of signaling using special devices that allow you to make long-distance / international calls, including from payphones.
  • Physical connection to the line.
  • Creation of an illegal point of contact through a hacked PBX.
  • Carding - emulation of phone cards or illegal actions with prepaid cards (for example, fraudulent replenishment).
  • Deliberate refusal to pay for telephone conversations. This option is possible if the services are provided on credit. As a rule, the victims are mobile operators providing roaming services, where information between operators is transmitted with a delay.
  • Cloning handsets, SIM cards. Cell scammers get the opportunity to make calls in any direction for free, and the account will be sent to the owner of the cloned SIM card.
  • Using the phone as a call center. Such actions are carried out in those places where there is a connection: at airports, train stations, etc. The essence of fraud is as follows: SIM cards are purchased for a found / stolen passport, the tariffs for which provide for the possibility of forming a debt. For a small fee, those who wish are invited to call. This continues until the number is blocked for the resulting debt. Of course, no one is going to repay it.

Operator fraud

Often it is expressed in the organization of very intricate schemes associated with the exchange of traffic on networks. Some of the most common misconduct include:

  • Intentional misrepresentation of information. In such cases, the unscrupulous operator configures the switch so that calls can be spoofed through another unsuspecting operator.
  • Multiple return calls. As a rule, such a "loop" occurs when there are differences in the tariffication of operators when transferring calls between them. An unscrupulous operator returns the call to the outgoing network, but through a third party. As a result, the call returns again to the unscrupulous operator, who can send it again along the same chain.
  • "Landing" of traffic. This type of fraud is also referred to as "tunneling". It occurs when an unscrupulous operator sends its traffic to the network via VoIP. For this, an IP telephony gateway is used.
  • Traffic withdrawal. In this case, several schemes are created that provide for the illegal provision of services at reduced prices. For example, 2 unscrupulous operators enter into an agreement to receive additional income. At the same time, one of them does not have a license to provide communication services. In the terms of the agreement, the parties stipulate that an entity that does not have permission will use the partner's network as a transit network to pass and inject its traffic into the network of a third party - the victim operator.

Internal fraud

It involves the actions of employees of a communication company related to the theft of traffic. An employee, for example, can use his official position to extract illegal profits. In this case, the motive of his actions is self-interest. It also happens that an employee deliberately causes damage to the company, for example, due to a conflict with management.

Internal fraud can be committed by:

  • Hiding part of the information on switching devices. The equipment can be configured so that for some routes, information about the services provided will not be recorded or will be entered into an unused port. Actions of this kind are extremely problematic to detect, even when analyzing billing network data, since it does not receive primary information about connections.
  • Hiding part of the data on the equipment of billing networks.

This is a pretty specific scam. It has to do with online shopping.

Customers place an order and pay for it, as a rule, by bank transfer from a card or account. They then initiate a chargeback claiming that the payment instrument or account information was stolen. As a result, the funds are returned, and the purchased goods remain with the attacker.

Practical difficulties

As practice shows, attackers use several methods of fraud at once. After all, these are people who are well versed in information technology.

In order not to be caught, they develop various schemes, which are often almost impossible to unravel. This is achieved precisely by applying several illegal models at the same time. At the same time, some method can be used to send law enforcement agencies on the wrong track. Fraud monitoring often does not help either.

Today, most experts come to the unanimous conclusion that it is impossible to compile an exhaustive list of all types of telecommunications fraud. This is quite understandable. First of all, technologies do not stand still: they are constantly developing. Secondly, it is necessary to take into account the specifics of this area of criminal activity. Telecommunications fraud is closely related to the implementation of specific services of certain telecom operators. Accordingly, in addition to general difficulties, each company will have its own specific problems inherent only to it.

General principles of combating fraud

Any operator should be aware of the existing types of telecommunications fraud. Classification helps to streamline activities aimed at combating crime.

The most common is the division of fraud into functional areas:

  • roaming;
  • transit;
  • SMS fraud;
  • VoIP fraud;
  • PRS fraud.

However, the classification does not make it easier for the operator to solve the problem of providing protection against fraud. For example, transit fraud involves the implementation of a huge number of fraudulent schemes. Despite the fact that all of them are to some extent related to the provision of one service - traffic transit, they are detected using completely different tools and methods.

Alternative classification

Given the complexity of the problem, when planning fraud monitoring activities, operators should use a typology of fraudulent schemes based on the methods used to detect them. This classification is presented as a limited list of fraud classes. The operator can assign any emerging fraud scheme, including one not previously accounted for, to a class depending on the method used to uncover it.

The starting point for such a division is the idea of any model as a combination of 2 components.

The first element is the "pre-fraud state". It involves a certain situation, a combination of conditions that have arisen in the system settings, in business processes, favorable for the implementation of a fraudulent scheme.

For example, there is a model known as "phantom subscribers". These entities have gained access to services but are not registered in the billing system. The "pre-fraud state" here is the desynchronization of data between network elements and accounting systems. This, of course, is not yet fraud. But while the desynchronization exists, fraud may well be carried out.

The second element is the "fraud event", i.e. the action for which the scheme is organized.

Continuing with "phantom subscribers", the fraud event is an SMS, call, traffic transit or data transfer made by one of these subscribers. Because the subscriber is absent from the billing system, the services will not be paid for.
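The two components can be checked separately, as in this added example (not taken from any operator's tooling): it reconciles a network provisioning export against a billing export to find the pre-fraud state, then matches usage records against the result to find fraud events. The export formats, field names and subscriber numbers are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample exports; formats and numbers are made up for illustration.
NETWORK_EXPORT = """msisdn;state
+7 000 000-00-01;active
+7 000 000-00-02;active
+7 000 000-00-03;active
+7 000 000-00-04;suspended
+7 000 000-00-05;active
"""

BILLING_EXPORT = """account,msisdn
A-1,70000000001
A-2,70000000002
A-4,70000000004
"""

USAGE_RECORDS = """timestamp,msisdn,type,units
2024-01-01T10:00:00,70000000001,call,120
2024-01-01T10:05:00,70000000003,sms,1
2024-01-01T10:06:00,70000000003,sms,1
2024-01-01T10:07:00,70000000003,call,600
2024-01-01T11:00:00,70000000002,data,2048
"""

def normalise(msisdn):
    """Keep digits only, so formatting differences do not look like desynchronization."""
    return "".join(ch for ch in msisdn if ch.isdigit())

def load(text, delimiter=","):
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))

def reconcile(network_text, billing_text, usage_text):
    """Return the pre-fraud state (phantoms) and the fraud events they generated."""
    provisioned = {
        normalise(row["msisdn"])
        for row in load(network_text, delimiter=";")
        if row["state"] == "active"
    }
    billed = {normalise(row["msisdn"]) for row in load(billing_text)}

    # Pre-fraud state: active on the network, unknown to billing.
    phantoms = provisioned - billed

    # Fraud event: any chargeable usage by a phantom subscriber.
    usage = defaultdict(Counter)
    for row in load(usage_text):
        msisdn = normalise(row["msisdn"])
        if msisdn in phantoms:
            usage[msisdn][row["type"]] += int(row["units"])

    return {
        "pre_fraud_state": sorted(phantoms),
        "fraud_events": {m: dict(c) for m, c in sorted(usage.items())},
    }

if __name__ == "__main__":
    report = reconcile(NETWORK_EXPORT, BILLING_EXPORT, USAGE_RECORDS)
    print("phantom subscribers:", report["pre_fraud_state"])
    print("unbilled usage:", report["fraud_events"])
```

A phantom with no usage yet is a configuration defect to fix; one with usage is lost revenue already.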

Fraud and GSM

Technical telecommunications fraud creates many problems.

First of all, instead of a controlled and legitimate connection, mailings are carried out from an incomprehensible device. The situation is complicated by the fact that the content of messages cannot be moderated (checked).

Secondly, in addition to losses from unpaid mailings, the operator has increased direct costs for network expansion due to increased load on devices due to illegal signaling traffic.

Another problem is the complexity of settlements between operators. Of course, no one wants to pay for pirated traffic.

This problem has become rampant. To get out of this situation, the GSM Association has developed several documents. They reveal the concept of SMS fraud, give recommendations on the main methods of its detection.

Experts name late updating of the phone's OS as one of the reasons for the spread of SMS fraud. Statistics show that a large number of users do not want to buy a new phone until the one in use fails. Because of this, more than half of the devices are running old software, which, in turn, has gaps. Scammers use them to implement their schemes. Meanwhile, modern versions have their own vulnerabilities.

You can fix the problem by updating the system to the latest version and running an application that detects vulnerabilities.

It must be remembered that attackers do not separate mobile and fixed communications. Fraud schemes can be implemented in any vulnerable network. Fraudsters study the features of both connections, identify similar gaps and penetrate them. Of course, the threat cannot be completely ruled out. However, it is quite possible to eliminate the most obvious vulnerabilities.

1) Unrealistically short time between clicks and targeted actions

Standard Internet connection speed allows you to download the application in 30 seconds. At the same time, installations from one channel can take place in 2-10 seconds. Such traffic can be considered fraudulent.

2) Obviously patterned user behavior after clicking on an ad

Real users spend different amounts of time deciding whether to download an app and browsing internal pages. They will have different internet connection speeds and different purposes for accessing the app/website.

A channel that consistently shows the same sequence of user actions or equal intervals between clicks is most likely to bring fraud.

3) Different geo clicks and installs for the same user

Any device connected to the Internet has an IP address. It contains information about the region you are in. If the user is on mobile Internet, the IP address comes from the mobile provider. If the user connects to the Internet via Wi-Fi, the IP comes from the point of connection to the Internet.

Clicking in one region and downloading an application in another is almost impossible.

4) Abnormally many clicks from one IP/ID

This is the first sign that you are receiving traffic from a bot farm. Although such indicators may indicate the work of real people. For example, if scammers reset the advertising identifiers of the devices from which they scam and re-perform installations and targeted actions.

5) Too little or too much conversion from click to install

If the conversion from clicks to installs is below 0.3% with a large traffic flow, most likely fraudsters are clicking on ads.

A conversion above 30% is also a sign of fraud. Such values are realistic for search campaigns. In other cases, there is a high probability that the installations are fake. The same goes for unrealistically high or negligible CTRs and eCPM. If their values for a particular channel differ too much from the average, you can add the source to the fraud list.

6) Suspicious activity at night

Usually users within the same geo are more active in the morning, afternoon or evening. And programs that generate fraud can work 24 hours a day. Many clicks and installs at night, close in number to organic indicators at other times of the day, are suspicious. A source with such traffic needs additional checks.

Typically, most real installs happen within the first hour after a click. By the second hour, the number of installs drops sharply. In fraudulent campaigns, due to the specifics of how programs work, the install curve is much more even.

8) No base events

If you track a hello screen or app open and see that these actions do not occur after installation, most likely you have encountered a fraud.

Fraudsters can imitate a report on the completion of a targeted action in the analytics system. Then you will see a report about the installation and the necessary in-app activity, while the steps required for real users will be skipped.

The extremely low Retention Rate and deletion of the app immediately after installation indicate motivated traffic: scammers download the app and immediately delete it. A rare but possible case: a real user downloaded the app, but didn't want to/forgot to use it.
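Several of the signs listed above can be checked mechanically per traffic channel. The following added example (not from the original article) covers signs 1, 3, 4 and 8: click-to-install time under 10 seconds, click and install geo mismatch, concentration of clicks on one IP, and installs with no base event. The record fields, the share thresholds and the sample rows are assumptions; the IP addresses are from documentation ranges.

```python
from collections import Counter, defaultdict

MIN_CTIT_SECONDS = 10  # the text treats installs 2-10 s after the click as fraudulent

def channel_signs(installs, max_share=0.2, max_ip_share=0.3):
    """Return {channel: [signs]}; a sign fires when its share exceeds the threshold.

    max_share and max_ip_share are assumed thresholds to be tuned on real traffic.
    """
    by_channel = defaultdict(list)
    for row in installs:
        by_channel[row["channel"]].append(row)

    report = {}
    for channel, rows in by_channel.items():
        n = len(rows)
        fast = sum(r["install_ts"] - r["click_ts"] < MIN_CTIT_SECONDS for r in rows) / n
        geo = sum(r["click_geo"] != r["install_geo"] for r in rows) / n
        top_ip = Counter(r["click_ip"] for r in rows).most_common(1)[0][1] / n
        silent = sum(not r["app_opened"] for r in rows) / n

        signs = []
        if fast > max_share:
            signs.append(f"1: {fast:.0%} of installs under {MIN_CTIT_SECONDS}s after click")
        if geo > max_share:
            signs.append(f"3: {geo:.0%} of installs from a different geo than the click")
        if top_ip > max_ip_share:
            signs.append(f"4: {top_ip:.0%} of clicks from a single IP")
        if silent > max_share:
            signs.append(f"8: {silent:.0%} of installs without an app-open event")
        report[channel] = signs
    return report

def build_sample():
    """Constructed install records for two channels."""
    rows = []
    ctits = [31, 45, 60, 90, 120, 400, 900, 1500, 2500, 3000]
    for i, ctit in enumerate(ctits):                 # net-a: varied, human-looking
        rows.append({
            "channel": "net-a", "click_ts": 1000 * i, "install_ts": 1000 * i + ctit,
            "click_ip": f"192.0.2.{i + 1}", "click_geo": "DE", "install_geo": "DE",
            "app_opened": i != 9,
        })
    for i in range(10):                              # net-b: patterned, bot-like
        rows.append({
            "channel": "net-b", "click_ts": 1000 * i,
            "install_ts": 1000 * i + (3 if i < 8 else 50),
            "click_ip": "203.0.113.7" if i < 7 else f"198.51.100.{i}",
            "click_geo": "DE", "install_geo": "BR" if i < 6 else "DE",
            "app_opened": i == 0,
        })
    return rows

if __name__ == "__main__":
    for channel, signs in channel_signs(build_sample()).items():
        print(channel, "->", signs or "no signs")
```
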

Fraud types

SDK spoofing

SDK spoofing is a type of fraud in which fraudsters control the transmission of messages between the application's SDK and the server receiving the information.

The original messages are changed to more profitable ones for the advertiser. For example, a report on a banner impression is replaced with a signal about an application download. So you see new installs that never actually happened.

Click spam

A type of spam in which scammers insert banners so that users do not see them and click on them without knowing it. For example, you click on the play button on a free online movie theater site and you are taken to a third-party site. Or you play a game inside the app and each tap on the screen counts as a click on banners that you don't even see. These clicks count as ad clicks.

Signs that you have been the victim of this type of fraud include:

  • organic installs plummeted;
  • paid users behave the same way as those who came after organic installs.

Click Injection

In some classifications, it is treated as a subtype of click spam. The user installs an application with malicious code. Usually these are fake copies of popular applications or applications in the “tools” category. A fraud source label is assigned to the infected device.

When the user downloads the desired application (even long after the malicious code was installed), the install will be counted as coming from a click on an ad, because it will be labeled accordingly in analytics.

Only smartphones with the Android operating system can suffer from this type of fraud.

Typically, this type of attack is indicated by a very short (>2 seconds) time between click and install.

Bot traffic

Fraudsters create farms where they collect a large number of smartphones. The devices are connected to a program that imitates the actions of real users on them: clicking on ads, installing an application, watching videos, etc. There is another option for organizing a farm: instead of a lot of devices, a program is used that creates virtual copies of devices with constantly updated IDs. The program still simulates the actions of real users, but on the server.

In order not to be detected, scammers change IP addresses, drive traffic through TOR or VPN.

Most likely your installations are fake:

  • if they are immediately followed by the removal of the application;
  • if there are many clicks/installs from the same IP address in the analytics.

Motivated traffic

There are special sites where users are paid for performing certain actions: clicks, installs, in-app actions, etc. Such traffic is called motivated because users perform targeted actions for a certain reward. This is usually real small money or in-game currency. On average, up to 200 rubles per target action.

Sometimes users are prompted to take actions offline. For example, a motivated user can leave a request to view an apartment in a new building and even go for a viewing.

Traffic is most likely motivated if:

  • the retention rate from one channel is consistently low;
  • users delete the application immediately after downloading or download and do not log in;
  • users who download applications for a reward are often sent scripts for activity in the application. Download, click on certain buttons, delete after three days. Therefore, in analytics, there can be many, many installations with the same behavior model.

How to protect yourself from fraud

1) Update your SDKs

In new versions, protection systems against fraudulent traffic are also updated.

2) Discuss risks with contractors

At the beginning of work, discuss with your contractors how payment will be made and further work if you detect fraud. Write in the contract what you will do in such cases. For example, you can specify which traffic, based on indicators in analytics, will be considered fraud and will not be paid.

3) Remove contractors with fraudulent traffic

If you or your anti-fraud system has detected fraudulent traffic that comes from one of the contractors in a large volume, apply penalties to this company. If this happens repeatedly, then it is easier to disable the channel that supplies low-quality traffic.

4) Don't target suspicious OS versions

Do not target ads to devices with outdated or unreleased operating systems. As a rule, bot farms buy old smartphones that only support older OS versions. This way you cut off a small percentage of real users, but avoid fraudster attacks.

5) Follow the analytics

Analysis of conversions by IP, device-info, time between click and conversion, user life after installing the application, conversions through VPN or proxy can let you know about fraud.

6) Use services with built-in antifraud

Mobile trackers and analytics systems have their own anti-fraud solutions: Adjust, AppsFlyer, Fraudlogix.

All these programs cost money. To evaluate the feasibility of investing in an anti-fraud solution, you can test the trial version. If during the trial period the system detects fraudulent traffic for an amount covering its cost, then it is worth renewing the subscription.

CPI networks are associated with a large number of small traffic providers, which makes them a favorable area for scammers. And it is also an important and large channel. The budgets allocated for it are decent, which means that the losses from fraud can be sensitive.

When a fraud is detected from the CPI network, you need to look at the sub-sources and disable those from which the fraud comes. If the total amount of fraud from the grid does not fall below 10%, despite the constant work on disabling suspicious sub-sources, you can try to figure out the reason. Perhaps transfer the budget to a more trustworthy source.

The anti-fraud tool saves a lot of time, replacing the need for manual processing of large amounts of data. It serves as a mediator, giving its guarantees in disputable situations with partners. And, of course, it saves the budget by helping to weed out fraud.

I tested several large services and did not find any noticeable advantages over others in any of them. A more effective way out, in my opinion, can only be the development of an internal solution.

Stanislav Izmailov, BlaBlaCar Marketing Manager


Fraud is a type of fraud in the field of information technology, any leakage of personal data that leads to the enrichment of attackers.



How fraud works in real life

Let's consider in practice what is considered fraud.

Larisa wants to buy a beautiful and high-quality handbag, but at a low price. She browses online stores with offers and finds the perfect model. On the site, she puts it in the basket, places an order and pays for the goods. She does not take into account that the site where she ordered the desired handbag and made the payment is unsafe, and scammers found out all the details of her bank card.

After receiving Larisa's card details, the scammer quickly looks for a method to get her money. The violator finds the seller and purchases goods from him for 10,000 rubles. The seller purchases a product from his supplier for 7,000 rubles, and immediately sells it to a fraudster for 10,000 rubles.

Larisa looks at her card statement and understands that her money is disappearing somewhere. She goes to the bank and asks it to sort things out and return her earned money. The bank will satisfy Larisa's application, request a forced refund of 10,000 rubles from the seller, and charge a commission of 2,000 rubles.

History summary:

  1. Larisa returned all the money and is looking for a new place to buy a handbag.
  2. The bank fulfilled the client's request and increased its reputation.
  3. The payment processor took note of this seller. If fraud occurs repeatedly, the payment processor will refuse to cooperate with an unsafe online store and to provide services to this seller.
  4. The supplier earned money, which he will not return. Competent protection against fraud is the responsibility of the seller.
  5. The scammer was satisfied with a free product bought with someone else's money debited from a bank card.

The seller (online store) suffered losses:

  • 7,000 rubles to the supplier;
  • 10,000 rubles for Larisa;
  • 2,000 rubles fine to the bank.

This is how fraud can harm an inexperienced seller.

Why is it dangerous to miss a fraud

The most significant losses occur in low-margin businesses. For example, with a sales margin of 2-3%, the merchant will need to sell a couple of dozen products to cover the losses from a single fraudulent operation. Keep in mind that a high average check worsens the situation and creates new criteria for scammers. The most popular categories and industries for fraud operations are travel and retail sales of goods.

Fraud in the field of information technology is a large-scale organized business. Internet criminals unite in groups that carry out their fraudulent activities in every area.

Violators of the law form communities on social networks and various forums with one goal: to improve their skills, pool knowledge, share experience and distribute the most effective attack schemes. All this helps criminals on the network to get maximum performance and bring unauthorized operations to perfection.

What types of fraud are there

In 1999, F. Gosset and M. Hyland identified 6 types of this fraud:

  1. Subscription fraud is the contract type: incorrect data is given when concluding contracts for subscription payments.
  2. Stolen fraud is the use of a stolen phone.
  3. Access fraud is the reprogramming of phone identification numbers.
  4. Hacking fraud is the most common type: illegal penetration into the security system of a computer network.
  5. Technical fraud involves the production of illegal payment cards.
  6. Procedural fraud is a procedural type that interferes with business processes.

How to recognize fraud: suspicion of fraud

Suspicion of fraud is a way to prevent any unauthorized actions of fraudsters.

You can recognize it by a variety of actions:

  1. Too high download speed.
  2. Template user behavior (equal time intervals between transitions on the site).
  3. A minimal time interval between clicking the ad and the purchase.
  4. Different location for the same client.
  5. Many clicks from one IP/ID.
  6. The lifetime of the consumer is a maximum of 3 days.
  7. High activity at night.
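
The signs in this list and in the install-fraud checklist earlier on the page (conversion above 30%, click-to-install time, the first-hour install curve, night activity, one IP, missing base events, short lifetime) can be checked per traffic source. This is an added Python example, not code from the article or from any tracker; the record layout, the source names, the sample data and all thresholds other than the 30% and 2-second figures are assumptions, and timestamps are assumed to be in the user's local time.

```python
from collections import Counter
from datetime import datetime, timedelta

# 30% conversion and the ~2 s click-to-install figure come from the article;
# every other threshold is an assumed value to tune on your own organic baseline.
MAX_CONVERSION, SHORT_CTIT_S = 0.30, 2
MAX_NIGHT_SHARE, MIN_FIRST_HOUR_SHARE = 0.40, 0.50
MAX_PER_IP, MAX_NO_OPEN_SHARE, MAX_SHORT_LIFE_SHARE = 3, 0.50, 0.50

def flag_source(clicks, installs):
    """Return the fraud signals raised by one source (installs: list of dicts)."""
    n = len(installs)
    if n == 0:
        return []
    def share(pred):
        return sum(1 for i in installs if pred(i)) / n
    def ctit(i):  # click-to-install time in seconds
        return (i["install"] - i["click"]).total_seconds()
    checks = [
        ("conversion_above_30pct", clicks > 0 and n / clicks > MAX_CONVERSION),
        ("click_to_install_too_short", share(lambda i: ctit(i) <= SHORT_CTIT_S) > 0.5),
        ("flat_install_curve", share(lambda i: ctit(i) <= 3600) < MIN_FIRST_HOUR_SHARE),
        ("night_activity", share(lambda i: i["install"].hour < 6) > MAX_NIGHT_SHARE),
        ("many_installs_one_ip", max(Counter(i["ip"] for i in installs).values()) > MAX_PER_IP),
        ("no_base_events", share(lambda i: not i["opened"]) > MAX_NO_OPEN_SHARE),
        ("lifetime_3_days_or_less", share(lambda i: i["days_active"] <= 3) > MAX_SHORT_LIFE_SHARE),
    ]
    return [name for name, hit in checks if hit]

def _rec(ip, click, ctit_s, opened=True, days=30):
    return {"ip": ip, "click": click, "install": click + timedelta(seconds=ctit_s),
            "opened": opened, "days_active": days}

# Constructed sample traffic (documentation IPs): source -> (clicks, installs).
DAY, NIGHT = datetime(2024, 5, 1, 14, 0), datetime(2024, 5, 1, 2, 0)
SAMPLE = {
    "organic_like": (200, [_rec(f"192.0.2.{k}", DAY + timedelta(minutes=7 * k),
                                300 + 40 * k) for k in range(10)]),
    "device_farm": (20, [_rec("198.51.100.7", NIGHT + timedelta(minutes=k), 1,
                              opened=False, days=0) for k in range(10)]),
    "late_installs": (1000, [_rec(f"203.0.113.{k}", DAY, 7200 * (k + 1))
                             for k in range(10)]),
}

def report(sample=SAMPLE):
    return {src: flag_source(clicks, inst) for src, (clicks, inst) in sample.items()}

if __name__ == "__main__":
    print(report())
```

A raised flag marks a source for the additional checks the article describes; it is not proof of fraud on its own.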

How a scammer can get card details

Common methods for intercepting personal data:

  1. The buyer pays for a product or service on an unsecured and unverified site (an online store with a low level of protection), and violators intercept personal data.
  2. The client uses an ATM that has a skimming device. In doing so, the person gives unlimited access to their funds.
  3. The consumer makes a purchase in an online store and pays for the goods with an electronic wallet using public Wi-Fi. After that, the fraudster gets access to all cards linked to the electronic wallet.

How to deal with fraud

High-quality antifraud is a specialized service that is guaranteed to cope with all the manipulations of scammers and does not allow them to cash out money or purchase products with other people's bank cards through an online store.