Antifraud

About Antifraud

Anti-Fraud is a system designed to detect and prevent fraud in affiliate and partner marketing. Scammers are always finding new ways to trick advertisers and affiliate networks. They use methods like creating fake traffic from bot farms, fake registrations, and even viruses that infect users’ networks. These activities hurt businesses by reducing profits and damaging trust between partners. How Anti-fraud works in UCLIQ To stop fraud, you need more than just a simple plugin that checks IP addresses. Modern fraud systems need to analyze traffic in real time using advanced tools. UCLIQ’s system does just that. It uses machine learning to analyze traffic, detect suspicious activity, and protect against fraud. Analysis, detection, and prevention UCLIQ analyzes incoming traffic with multiple checks. It doesn’t just rely on basic methods like checking IP addresses. Instead, it looks at detailed factors such as the device’s parameters, matching them with patterns of previous fraud attempts. Key steps: - Checking IP addresses for repeat visits and known click farms. - Analyzing device details to make sure they match real systems. - Comparing traffic patterns with historical data to detect suspicious activity. UCLIQ is fully integrated with the platform, so it can analyze traffic in real-time and use historical data to identify potential fraud. How fraud detection works: For each suspicious click, UCLIQ checks various features such as: - Using VPNs or bots (common in corporate networks). - Mismatch of connection type (e.g., VPN or emulator). - Repeated attempts from the same device. - Language mismatch (browser and IP). - Time zone mismatch (device and IP). - Touch support issues (emulator detection). - Repeated use of IP addresses. - Suspicious traffic sources (e.g., from social media or instant messengers). Each feature match adds risk points to the click. These risk points help UCLIQ identify high-risk traffic. Levels of fraud detection 1. At the click level: Traffic that matches suspicious patterns is sent to a fallback address, so it doesn't affect your campaigns. 2. At the advertiser's conversion level: If a conversion comes from a click with high risk points, the system will stop generating payouts for it and send it for manual review by the manager. 3. After generating payments to publishers: If the payment has already been processed, the system can cancel it if it detects fraud, ensuring that publishers are not paid for fraudulent conversions.

Configuring Antifraud: Auto-Hold and Auto-Decline

Antifraud engine assigns a Risk Score to every incoming click based on a wide range of traffic signals. This enables you to automate the handling of potentially fraudulent conversions either by holding them for review or declining them outright. Risk Score Overview Each click receives a numerical Risk Score. The system uses real-time traffic analysis to detect anomalies, including: - Use of emulators or data centers - IP or fingerprint repetition - Language/time zone mismatches - Suspicious connection types - Motivated traffic patterns These patterns are matched against known fraud templates. Each match increases the Risk Score. Global Configuration: 1. Go to System > Settings > Processing Rules 2. Set a value for Risk score limit under “Auto-Hold” and “Auto-Decline” settings 3. Any conversion from a click with a score equal to or above these values will be held or declined 4. Held conversions require manual confirmation in the Antifraud > Scoring section Confirmed conversions will be processed as usual; declined ones will not trigger publisher payouts. Offer Level Configuration: 1. Open the specific Offer 2. In the General widget set the Risk Score Decline and Hold threshold 3. Any conversion exceeding this threshold will be automatically held and declined. 4. Declined conversions will not be included in payouts This setup helps reduce exposure to low-quality traffic without manual intervention. You would want to start with a conservative threshold (e.g., 60–70) and adjust based on observed traffic quality Use the Antifraud > Risk Scoring dashboard to analyze publisher behavior over time

Average risk score

Average Risk Score The Average Risk Score feature helps you evaluate whether traffic from a given publisher looks suspicious or clean. The system shows how often risky patterns were detected, how serious they are, and gives you a clear overview of each publisher's traffic quality. Why it matters: A high average risk score on a publisher's traffic means that click and conversion data from that source contain multiple fraud indicators. Low scores indicate clean, reliable traffic. This tool is used to: - Decide how many risk points are enough to flag or stop conversions - Turn on conversion hold if needed - Block specific publishers or sub-sources if their traffic doesn't perform well on certain offers Column Definitions The Average Risk Score report displays the following columns: - Publisher  - The name of the partner sending traffic - Count - Total number of conversions - Triggered - How often risk patterns were triggered, shown as a percentage - Avg - Average risk score for their conversions - Risk Signals - Each incoming click is analyzed against known fraud templates. When certain characteristics match fraud indicators, the click is assigned a risk score. The more matches a click has, the higher the risk score. Risk Signals Risk signals you'll see in the report: - OS mismatch — device OS doesn't match expected (likely emulator) - Connection type mismatch — traffic comes from unexpected network types (can be a fraud sign) - Language mismatch — device language doesn't fit the geo (risk of fake users) - Autonomous system mismatch — likely traffic from data centers or bots - Same IP — too many conversions from the same IP - Duplicate fingerprint — same device fingerprint reused - Touch support — if there's no touch support, could mean emulator - Motivated — traffic looks like it came from users who were incentivized - Time zone mismatch — time zone doesn't match geo (common for spoofing) - Windows conversions — using tech like WinSock, which can be a red flag Every incoming click is analyzed using the regularly revised templates from the. When certain characteristics match known fraud indicators, the click is assigned a risk score. These characteristics can include things like IP address matches, device fingerprinting, and behavior that suggests fraudulent activity (e.g., VPN usage or emulation). The system assigns risk points based on how many of these indicators match. The more matches a click has with fraud patterns, the higher the risk score assigned to it. Publishers also accumulate risk points, which help determine the overall risk level of their traffic. Each risk signal corresponds to a specific template in the risk scoring engine: - Same IP - Too many conversions from the same IP address, +1 per existing click over 30 days - Duplicate fingerprint - Same device fingerprint reused, +1 per matching fingerprint over 30 days - Autonomous system mismatch - Traffic likely from data centers or bots +2 - Connection type mismatch - Unexpected network types (possible fraud) +1 - Timezone mismatch - Timezone doesn't match geo (common for spoofing) +1 - OS mismatch - Device OS doesn't match expected (likely emulator) +2 - Touch support - No touch support could mean emulator +2 - Language mismatch - Device language doesn't fit the geo (fake users) +0.5 - Motivated - Traffic looks incentivized +0.5 - Windows conversions - Using tech like WinSock (red flag) +1 Taking Action Based on Risk Scoring Data Once you've analyzed the publisher risk profile, you can take appropriate action based on the risk level. Blocking Publishers If a publisher consistently triggers fraud patterns and has a high average risk score, you may decide to block them from working with certain offers or from the platform entirely. How to block a publisher: 1. Open the Average Risk Score report. 2. Identify publishers with high average risk scores and high triggered percentages. 3. Review the specific risk signals to confirm the nature of the fraud. 4. Block the publisher through the Publishers section of the admin panel. Blocking Sub-Sources For affiliate publishers, you may choose to block specific sub-sources that are generating poor-quality traffic or triggering frequent fraud patterns. This helps maintain the integrity of your campaigns without needing to block the entire publisher. How to block a sub-source: 1. Navigate to the publisher's page. 2. Locate the under-performing sub-source in the report. 3. Block that specific sub-source to preserve the rest of the publisher's traffic. Conversion Retention Mode If a publisher's traffic shows signs of potential fraud, you can enable Conversion Retention Mode, which temporarily holds conversions for review before they are processed. This helps prevent fraudulent conversions from being paid out. How to enable Conversion Retention Mode: 1. Go to Analytics > Conversions in the admin panel. 2. Filter by the publisher in question. 3. Use the retention status filter to view conversions under review. 4. Manually Confirm legitimate conversions or Cancel suspicious ones.