New Fraud Threat in Rewarded UA: What You Need to Know

Dedicated fraud prevention teams and sophisticated tracking systems make rewarded advertising one of the safest UA channels. In 2024, rewarded networks claimed more top spots in major fraud indices than ever before. Yet, even the most secure channels need vigilance.

There’s a sneaky new fraud scheme that’s quietly draining the industry – fraudsters have found a new way to exploit IAP rewards. While this primarily affects CPA campaigns, it can also appear in multi-event CPI campaigns at a lower rate.

Since the savviest mobile game advertisers of today are allocating up to 30% of their UA budget to rewarded traffic, we want to ensure these funds stay protected.

We’ve got a simple solution that will both fix and prevent IAP fraud attempts. Let’s break it down.

How the Fraud Schemes Evolve

Rewarded advertising has transformed dramatically over the years. It started as a simple way to pay for installs: users would get something – coins, currency, or real-life rewards – after downloading a game. But those installs barely improved retention. Many users were collecting the rewards just to vanish into thin air right after.

Back then, fraudsters had a field day with basic schemes based on bots, device farms and VPN manipulation. While these traditional fraud methods are now well understood and effectively blocked, the nature of fraud evolved alongside the industry.

Today, rewarded ad networks have developed advanced ways to track user engagement and encourage deeper in-game actions. They focus on rewarding players in multiple ways over time to weed out anyone just looking for quick freebies. Take adjoe’s Playtime – it tracks each minute of interaction, giving users more rewards the longer they play, while also setting engaging goals that reward players for achieving specific milestones.

But just as the industry got smarter about rewards, fraudsters found new loopholes. Their latest approach specifically targets IAP-based reward campaigns, and it’s unlike anything we’ve seen before.

How Does the IAP Fraud Work?

This new fraud scheme exploits the app stores’ refund policies in a particularly clever way. 

Many advertisers assign high value rewards in such campaigns for in-app purchases – think up to $50 and even more – a legitimate practice that normally drives high-quality users with great retention rates.

However, fraudsters have found a way to take advantage of this: 

1. They make legitimate in-app purchases using real credit cards, instantly earning the network’s reward. 
2. They file refund claims with Apple or Google, often citing “unauthorized charges.” 
3. The app store processes the refund, but by then, your UA metrics have already registered this as a successful conversion. 

The damage is done: you’ve paid for what appeared to be a high-value user, while the scammer keeps the reward and gets their money back.

Because these refunds can happen hours or even days after the initial IAP, their impact on ROI or ROAS might slip under the radar. Advertisers often only see small dips in their aggregated revenue and might never trace that money back to a specific campaign or user. Over time, however, these small revenue leaks can make your whole UA ship sink.

This scheme is particularly challenging to detect through standard monitoring. Unlike traditional fraud that operates at scale, this approach can be profitable for fraudsters with relatively few transactions, making it harder to spot through usual pattern recognition and machine learning – especially since these users behave normally in all other aspects.

Why the Impact on Your Campaign Is So Hard to Catch

Let’s break down how this affects real network performance.

Imagine this scenario – you’re running two UA networks:

• Network A: 1,000 users at $1 CPI, 3 users make $50 IAPs = 15% ROAS
• Network B: 20,000 users at $1 CPI, 25 users make $50 IAPs = 6.25% ROAS
• Overall: 21,000 users at $1 CPI, 28 users make $50 IAPs = 6.67% ROAS

Your overall ROAS of 6.67% looks solid. However, if those three IAPs from network A get refunded days later (and drop to 0% ROAS), your actual ROAS drops to 5.95%, which at first seems like no big difference. But look closer – network A’s performance just plummeted from being your star performer to your worst channel. You’ve essentially wasted your entire budget on fraudulent conversions.

The challenge of spotting this scheme is a complex one because:

• Refunds typically occur days after the initial purchase
• Standard analytics don’t connect refunds back to specific UA sources
• Aggregate data can mask the impact on specific campaigns and UA sources
• Traditional fraud detection methods don’t catch this behavior as it looks legit.

Here’s a thought that keeps us up at night: why isn’t anyone connecting refund data to their UA sources across all dimensions? If you’re not doing that, you won’t see the drops in earnings – and will keep pouring money into a channel that might be leaking revenue.

Three Elements of The Solution

Major MMPs already offer built-in mechanisms to solve this problem. It’s all about purchase validation and its proper tracking that will allow you to identify fraud early and adjust your campaigns accordingly. 

When you integrate purchase validation, the MMP receives a security token for every IAP transaction. If that purchase is refunded later by Apple or Google, the MMP is notified and automatically adjusts your campaign performance data.  

These are the three main components of IAP protection:

1. Security Tokens – to save information about every purchase (and eventually connect it to a refund):

• Every IAP gets tracked with a unique security token
• Real-time validation with app stores
• Immediate flagging of suspicious patterns

2. Refund Tracking – to actually know about refunds on user level:

• Automatic syncing with app store refund data
• Connection of refunds to specific UA sources
• Historical data adjustment for accurate ROAS calculation

3. BI Integration – for game publishers to access the data on every level:

• Real-time data updates in your analytics
• Campaign-level refund monitoring
• Automated alerting for unusual patterns

With this system in place, refunds that come in get tracked back to the source allowing you to see the true ROAS of each source. You’ll be able to see which networks are providing genuinely valuable users – and share this data with your UA partners – and which ones might be hosting fraudsters who exploit refunds. The implementation requires just 1-2 days of development work but provides effective protection – saving millions of dollars.

For those ready to jump into the technical details, you’ll find plenty of resources in MMP documentation. AppsFlyer, for instance, explains how to validate and log iOS purchases. Adjust provides guidelines for purchase verification. And Singular’s In-App Purchase Validation FAQ is as helpful.

Four Steps to Protecting Your Campaigns

Here’s your step-by-step protection plan:

1. Contact your MMP about their purchase verification tools
2. Implement security token generation with your Dev Team
3. Configure real-time alerting with the help of your MMP or BI Team
4. Audit monthly and compare KPI results with corrected data weekly

Stay Protected

Fraudsters are always going to look for the next loophole.

The only foolproof way to protect yourself is to tie store-verified purchase data to your UA metrics. Without this, high-value users in your data might not be real spenders at all.

The cost-benefit ratio of implementing IAP validation is clearly in your favor. Need help getting started? The adjoe team is always happy to assist with the setup and share best practices from our experience. Get in touch!