Fraud Prevention Engine

The core of the Singular Fraud Prevention Engine is built from two parts:

  1. Singular Protection Methods
    Singular Detection & Preventions methods can be activated by a press of a button (see Managing the Singular Protection Methods). These methods are built and refined by our fraud experts and protect against the most common types of fraud.

  2. User Defined Rules
    Singular supports the creation of user defined custom rules that can be leveraged by  users to address their specific needs.

Each touchpoint is checked against all of the configured User Defined Rules & Singular Protection Methods, and marked as:

  1. Whitelisted - any touchpoint that matches a whitelisting rule will be considered valid and no other rule will be evaluated on it.

  2. Rejected - any touchpoint matching this rule/method will be rejected.

  3. Suspicious - any touchpoint matching this rule/method will still be considered valid for attribution but will also be marked as suspicious.

Decision is based on the first matching rule and so the order of evaluation is important. Whitelist rules are evaluated first to make sure any whitelisted touchpoint is not rejected, then rejection rules are evaluated and finally suspicious rules are evaluated.


Singular Protection Methods

Singular has done extensive research into fraud to detect and implement the most useful and actionable fraud prevention methods in the market. One of the results of that research is the calculated effectiveness of each of the different methods in the market today:

Taken from Singular’s 2017 Fraud Index

Based on these results we have chosen and tuned the most effective methods and have made them easily accessible in the UI. We fine-tuned the methods based on the collective information from Singular’s clients to achieve the best results while minimizing the false-positive rate.

The pre-defined methods Singular employ are:

Blacklisted IPs

The method is triggered when a touchpoint’s IP address matches a blacklisted IP range.
Singular maintains a list of blacklisted IPs that updates continuously, the list contains IP addresses of:

  1. Cloud Service Providers and Data Centers
  2. Proxy and IP anonymization services
  3. TOR exit points
  4. High risk IPs - IPs thats have been spotted doing fraudulent or other abusive activity on the internet.


This method triggers in the case of impossible travel - i.e if an end-user moved at impossible speeds from the click location to the install location.
For example, if an end-user clicks an Ad and two hours afterwards Singular receives an install-event from 10K kilometers away.


In many cases click spamming and click injection creates an influx of clicks from the same source. The Hyper-Engagement method detects this influx and takes action to reject clicks coming from the same source.

TTI Outliers

Click Injection attacks are performed by detecting an installation and firing a fake-click. Since the click is fired as the app finished installing - it will often result in an abnormally short Time-to-Install (TTI).
This methods detects the cases of abnormally short TTIs.

iOS Install Receipt Validation

Apple provides a receipt for each app installed on an iOS device through iTunes.
The receipt can be used to verify that the app has been installed by a real user on a real device.
Receipt verification is a multi step process:

  1. Making sure that a receipt exists.
  2. Verifying the authenticity of the receipt by checking Apple’s digital signature.
  3. Validating the receipt by matching the receipt’s details to the current installation (for example comparing the app’s longname).
  4. Ensuring that the receipt hasn’t been used for another install (so that fraudsters wouldn’t re-use the same receipt on multiple installations / devices).

* Singular preforms receipt validation only on devices with iOS 7.0 or higher and only when the app includes a Singular SDK of version 8.2 or higher. 

Managing the Singular Protection Methods

The methods can be found under “Settings” in the “Fraud Prevention” menu:

Once entered, the following should appear:

Each of the methods has an action associated with it, and that action dictates what happens when the method is triggered. Changing the action and Saving would affect the Fraud Engine immediately. The actions are:

  1. Do Nothing - method is disabled and will not affect the attribution decision or reporting.

  2. Mark as Suspicious - method flags touchpoints as suspicious, but doesn’t affect attribution decision.

  3. Reject - methods actively rejects touchpoints and prevents CPI & CPA billing postbacks.


User Defined Rules

Advanced use-cases might require more granular control over the fraud decision making, for that purpose Singular has implement the User Defined Custom Rules. These rules can be leveraged by the user for user-specific fraud prevention purposes.

The User Defined Rules screen can be accessed by pressing Rules in the Fraud Prevention menu:

Creating Rules

Once the “Create New Rule”  button is pressed a new rule form is presented and the rule can be edited and saved.

Each one of the fields controls a different aspect of the rule and can be edited by the user. Additionally the name of the user who last updated the rule and the last update time are shown.

Rule name

The rule name is used to identify the rule and would also show in the “Reason” dimension in the fraud reporting if it was triggered.

Rule Conditions

Conditions define the cases in which a rule will be triggered. Multiple conditions can be set for each rule and all of them need to apply for the rule to trigger on a touchpoint.

Each condition is built from three parts:

  1. Field - the field that is being evaluated based on the touchpoint and install. For example if the field is Source - the condition will be based on the source (Ad Network) of the touchpoint.
  2. Operator - the operator defines the relation between the field and the values.
  3. Values - the values used on the right side of the operator for the condition.

The possible fields are:

  • Source - The touchpoint’s source name.
  • App - The installed app.
  • Publisher - The touchpoint’s publisher ID.
  • Time to Install - The time from click to install, can be set to get less than number of seconds or greater than number of days.
  • Duplicate Clicks - The number from clicks from the same Ad Network.
  • Click Country - Originating country of the touchpoint (based of IP address)
  • Install Country - Originating country of the install (based of IP address)
  • Campaign Name - The name of the touchpoint’s campaign.
  • Attribution Method - The method used for attribution: strong identifier or fingerprint.
  • Receipt Validation - Is the supplied install receipt for iOS valid (see iOS Install Receipt Validation).
  • Click to Install Distance - The distance (based on IP geolocation) in kilometers the device has moved from the click event to the install event.
  • Click to Install Speed - The speed (based on IP geolocation) in kilometer per hour in which the device has moved from the click event to the install event.
  • Install Source - Android apps can query the package name that initiated their installation, this package name would be different if the app was installed by different stores or sideloaded as an APK.
  • App version - The version of the App (see versions comparison for more details).
  • OS version - The version of the OS (see versions comparison for more details).
  • OS - The device's OS (Android/iOS).
  • Touchpoint type - The touchpoint's type (Click/Impression).

Rule Action & Status

Actions dictate what happens when the rule’s conditions match a touchpoint. The different possible actions are:

  1. Whitelist - any touchpoint that matches a whitelisting rule will be considered valid and no other rule will be evaluated on it.
  2. Reject - any touchpoint matching this rule will be rejected.
  3. Mark as Suspicious - any touchpoint matching this rule will still be considered valid for attribution but will also be marked as suspicious.

The rule status can be used to quickly turn rules on or off.

Versions Comparison

Generally, version names have a structure to them. We check to see that the versions that are entered adhere to that structure.

  • The structure is as follows:Positive numbers separated by dots.
  • After the digits, a “-” followed by one the 4 types of suffixes:
    • alpha
    • beta
    • rc-x
    • dev

Valid Examples:

  • 2.3.5
  • 3.4-alpha
  • 4.5-rc3

Invalid Examples:

  • 2.3-master
  • 3.4Alpha
  • Alpha
Have more questions? Submit a request


Please sign in to leave a comment.