How Cookie Stuffing is Used for Affiliate Fraud
CHEQ
|Cyber Risks & Threats | June 08, 2022
Affiliate marketing is a performance-based approach to online marketing. Nowadays, it is broadly used to help drive demand, because it helps marketers to boost growth by using the affiliate’s website to display advertisement links for commission payment in return.
This type of tactic strives to be a win-win situation for both parties. On one side, affiliates are generating a passive income by displaying an ad on their website, and on the other, marketers can collect site visits and sales for their business. Not by chance, 81% of brands around the world today are using affiliate programs to increase their exposure. While affiliate marketing can be effective, since it involves businesses enlisting external parties to drive site traffic, things can get messy quickly.
Cookies are important for affiliate marketing.
For a true win-win trade to occur, marketers need to be sure that the sales are properly attributed to an individual who clicked on the ad displayed on that affiliate’s website or online profile. One of the most common ways to do this is by using cookies. By now, you’ve definitely heard about them.
Cookies are pieces of information about users that are saved when these users visit a certain website. The information is saved on the user’s browser or device and it’s used to track them as they go from one website to another.
There are cookies that can be placed by websites to store the information you shared, so next time you won’t need to share it again, like your name, address, or credit card number. And there are other cookies that are placed by advertisers to understand what you’re interested in and in turn, serve you the right content – called third-party cookies. Because of this ability to keep track of users as they browse online, cookies have become a crucial feature for affiliate marketing.
This example helps to illustrate why.
Now that you understand what are cookies, the logic becomes simple. Imagine the following scenario: you go to a website and see an ad for a bag from a certain company called BAGS ONLINE. You click on that ad – get the cookie – and you are redirected to the website of BAGS ONLINE.
Finally, you make the purchase. The affiliate who displayed that ad on their website will get a commission for the purchase you did. This commission will be granted because the cookie will allow BAGS ONLINE to know that you got to their website through that specific affiliate.
But cookies can also be used to create false attribution, AKA cookie stuffing.
Unfortunately, as with many types of digital tools, cookies can also be used to commit fraud by creating false attribution and tricking marketers into paying fraudsters. This type of affiliate fraud, one of many, is done through a practice called cookie stuffing.
Cookie stuffing is a form of invalid malicious activity in which an affiliate marketer plants a batch of cookies on a visitor’s browser via a third-party site without their knowledge and consent. That’s why it is called “stuffing”. With it, all that logic of a win-win situation disappears. With cookie stuffing, you will pay an affiliate, even though he utilized an illegitimate practice, and he wasn’t the one who actually generated the traffic for your website.
For further comprehension, these are some of the methods of “cookie stuffing.”
1- Pop Up
A very common way of doing cookie stuff is using pop-ups. By installing pop-ups in the user’s browser, the fraudster is able to insert the affiliate link with his cookie and, with that, take advantage of the traffic that was not obtained by him, but rather by the website where his pop-up appeared.
The use of pop-ups is one of the simplest techniques and also the easiest to avoid, as you can even do it by adjusting your browser configurations.
2- Iframes
Affiliate sites without adequate security can also suffer from Iframes as a Cookie Stuffing technique. Iframes work as follows: As the user browses your site, he will see another page in the background. That means an HTML item will be inside another. The affiliates will have a line of code installed on that second page and take the visitor to the sales page, but with the fraudster’s cookie instead.
3- Images
Although easy to identify, many fraudsters also commit Cookie Stuffing through images on websites. That is, they replace the original link in the illustration shown in the <img> code with the affiliate link itself.
4- Javascript and Flash
On the internet, Javascript and Flash can be used, for example, to create animated content within a website. On the other hand, they can also redirect the visitor to secondary pages. In this way, both of them can assist in the practice of Cookie Stuffing, sometimes even making the fraud harder to be identified, because the code in question allows masking the origin link.
This can be a serious problem for marketing budgets and business performance.
This practice, like every affiliate fraud, compromises the integrity of your affiliate marketing program, as you will waste the budget on fraudulent partners and take away the opportunity to invest in legitimate affiliates driving clean traffic.
Moreover, because of the fraudulent nature of cookie stuffing and the huge amount of non-human traffic on the web, this type of practice can drive bots, fake users, and other types of invalid traffic to your website as well. These have the potential to enter your affiliate channels and skew your data, analytics, as well as the measurement of KPIs, presenting you with a false picture of your marketing and business performance.
The entire organization can become impacted as well.
As mentioned, cookie stuffing is only one type of affiliate fraud. Various notorious cases of it appeared during the last years and they are indeed scary. But the bigger picture is even scarier.
In 2020, our study showed that close to 10% of traffic coming from affiliate programs was fake, costing the industry $1.4 in losses. Today that number has almost doubled, as it has risen to 17%. And there is more: considering that the affiliate marketing industry has grown since 2020 from $15 Billion to over $20 Billion, the industry is expected to lose over $3.4 Billion to fraud just in 2022.
Thankfully, there are ways to identify cookie stuffing.
Analyze the number of conversions
If the number of conversions is far above or far below the average, this can be the first indicator of fraud. If an affiliate who has a site with some authority and good traffic does not have any conversions, it is recommended that he be analyzed.
The same thing happens when an affiliate has a lot of traffic and sales. You can analyze his website traffic as high numbers in conversions can be acquired through “renting” illegal spaces on other sites.
Watch out for low-quality websites
Affiliates selling through low-quality websites can be suspect. Sites with little traffic, irrelevant content, and, consequently, low authority do not usually convert in the affiliate market.
Look at click latency
When a user is willing to buy the product or service, latency times are typically shorter. So conversions with longer intervals between the click and the purchase should be analyzed carefully, as they can identify fraud.
Install Go-to-Market Security
All of these tactics can help identify cookie stuffing, but they are very hard to be done on a larger scale. If you really want to stop fraudulent affiliates to claim commissions and send fake traffic to your site, you should consider using a Go-To-Market security (GTMsec) solution. These solutions are built with advanced cybersecurity that can help identify affiliate fraud in real-time, and help businesses identify which affiliates are sending them fake traffic.
