Affiliate Fraud: 6 Common Techniques & Best Practices in 2024

Affiliate marketing has become a go-to customer acquisition strategy, projected to grow to $8.2 billion by 2022 according to Forrester. However, the meteoric rise of affiliate marketing has been accompanied by an explosion of fraud that is bleeding advertisers dry. Marketers lost over $1.4 billion to affiliate fraud in 2020 alone, a 20% increase from the previous year according to a report from CHEQ and the Performance Marketing Association.[1]

As a web analytics expert with over a decade of experience in the affiliate marketing space, I've seen firsthand how pervasive and detrimental affiliate fraud has become. In this comprehensive guide, I'll explain what affiliate fraud is, break down the most common techniques fraudsters use, and share best practices to help companies detect and prevent affiliate scams.

What is Affiliate Fraud?

Affiliate fraud refers to any illegitimate methods used by affiliates to generate fraudulent commissions from an advertiser's affiliate program.

The core motivation behind these scams is financial gain. Fraudsters want to earn easy money, and many affiliate programs provide the perfect environment for it:

  • Commission structures that reward actions like clicks or leads
  • Attribution models that focus on last-click
  • Difficulty tracking across channels
  • Lack of transparency into affiliate practices

By using techniques to artificially inflate conversion metrics associated with commissions (e.g. clicks, impressions, registrations), affiliates can drastically boost their payouts.

For example, a fraudster using bots to generate 10,000 fake clicks per day on a 10 cent CPC affiliate campaign could make $1,000 per day, or $365,000 per year. Even on a small scale, affiliate fraud adds up over time.

Ultimately, affiliate fraud erodes trust in affiliate partnerships, decreases ROI on advertising budgets, and violates regulatory compliance for industries like finance and healthcare. Advertisers lose billions each year to these schemes, which is why prevention is critical.

The 6 Most Common Techniques of Affiliate Fraud

Affiliate fraudsters are creative when it comes to gaming the system. Here are six of the most prevalent techniques I see businesses struggle with:

1. Click Fraud

Click fraud is one of the most common types of affiliate fraud targeting pay-per-click (PPC) campaigns.

In PPC programs, affiliates earn commission for each click their link or ad generates. The more clicks, the more they make, which directly incentivizes click fraud schemes.

Fraudsters use bots, automation software, or outsourced low-wage labor to systematically click on their own PPC ads and affiliate links. These fake clicks don't result in real customers, but they artificially inflate the affiliate's click volume. That lets them earn more commissions while wasting the advertiser's PPC budget.

In a recent client engagement, our analytics uncovered sudden surges in clicks from specific IP ranges in South Asia. On review, we identified clear patterns of automated clicking behavior. The clicks spiked during Sunday daylight hours in the region – an odd pattern for normal traffic. This pointed to outsourced click fraud farms generating traffic on the weekends.

Identifying click fraud requires in-depth analytics of traffic patterns over time. Warning signs include:

  • Spikes in clicks without corresponding bumps in conversions
  • Clicks driven by suspicious IPs or geography
  • Repeated clicks from the same IP addresses
  • Abnormal click-to-install time (CTIT)

Sophisticated bot networks and IP randomization make click fraud hard to detect. But robust analytics can pinpoint patterns suggestive of fraud.
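The sketch below is an added example, not code from the original article. It scores each affiliate on three of the warning signs listed above (clicks without conversions, repeated clicks from the same IP, and dense bursts); the log layout, affiliate names and thresholds are assumptions, and the sample rows are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed click log rows: (timestamp, affiliate, client_ip, converted)."""
    t0 = datetime(2024, 3, 3, 9, 0)  # a Sunday morning
    rows = []
    for i in range(40):   # aff_ok: 40 IPs, one click every 20 minutes, 10% convert
        rows.append((t0 + timedelta(minutes=20 * i), "aff_ok",
                     f"198.51.100.{i}", i % 10 == 0))
    for i in range(300):  # aff_bad: 3 IPs, one click every 10 seconds, no conversions
        rows.append((t0 + timedelta(seconds=10 * i), "aff_bad",
                     f"203.0.113.{i % 3}", False))
    return rows

def score_affiliates(rows, min_clicks=30, min_cvr=0.005,
                     max_ip_share=0.2, max_per_minute=3):
    """Return {affiliate: [reasons]}; thresholds are illustrative, tune per program."""
    per_aff = defaultdict(list)
    for ts, aff, ip, converted in rows:
        per_aff[aff].append((ts, ip, converted))
    report = {}
    for aff, clicks in per_aff.items():
        n = len(clicks)
        if n < min_clicks:
            continue  # too little traffic to judge either way
        cvr = sum(conv for _, _, conv in clicks) / n
        top_ip_share = Counter(ip for _, ip, _ in clicks).most_common(1)[0][1] / n
        per_minute = Counter(ts.replace(second=0, microsecond=0) for ts, _, _ in clicks)
        reasons = []
        if cvr < min_cvr:
            reasons.append("clicks_without_conversions")
        if top_ip_share > max_ip_share:
            reasons.append("repeated_ip")
        if max(per_minute.values()) > max_per_minute:
            reasons.append("burst")
        report[aff] = reasons
    return report

if __name__ == "__main__":
    for aff, reasons in score_affiliates(build_sample()).items():
        print(aff, reasons or "no flags")
```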

2. Cookie Stuffing

Cookie stuffing is another common affiliate scam that manipulates attribution.

The tactic involves injecting tracking cookies associated with an affiliate's ID onto visitor browsers without consent. This tricks the advertiser into crediting the affiliate with conversions it had no hand in driving.

Cookie stuffing can be implemented using a range of methods:

  • Hidden iframes that ping the affiliate link
  • Rogue browser extensions
  • Redirects through the affiliate link
  • JavaScript or plugins that drop cookies

For example, we helped an online retailer uncover a cookie stuffing operation targeting their customers. Affiliate X would purchase ads on Facebook that appeared harmless, but landed on a gateway page injected with a hidden iframe.

The iframe silently pinged Affiliate X's tracking link in the background before redirecting to the retailer's site. Even though Affiliate X played no real part in driving the sale, this let them take credit via the cookie.

Unauthorized cookies and excessive last-click attribution are signals of cookie stuffing. Strict cookie consent practices and direct attribution models limit its impact.
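One server-side control against the hidden-iframe method described above is to look at how the browser loaded the tracking link before setting an attribution cookie. The following is an added example, not code from the original article: it uses the standard Fetch Metadata request headers (Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-User), while the credit/review/deny policy, the function names and the sample headers are assumptions constructed for illustration.

```python
# Constructed request headers for five hits on an affiliate tracking link.
SAMPLE_HITS = {
    "user_click": {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
                   "Sec-Fetch-Site": "cross-site", "Sec-Fetch-User": "?1"},
    "hidden_iframe": {"Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate",
                      "Sec-Fetch-Site": "cross-site"},
    "image_pixel": {"Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors",
                    "Sec-Fetch-Site": "cross-site"},
    "scripted_redirect": {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
                          "Sec-Fetch-Site": "cross-site"},
    "legacy_client": {"User-Agent": "constructed-old-browser"},
}

def classify_tracking_hit(headers):
    """Return (decision, reason) for one request to the tracking link.

    credit: set the attribution cookie
    review: set nothing automatically, log the hit for analysis
    deny:   never set the cookie
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    dest, mode = h.get("sec-fetch-dest"), h.get("sec-fetch-mode")
    if dest is None or mode is None:
        # Older browsers and non-browser clients send no fetch metadata.
        return ("review", "no fetch metadata")
    if dest != "document" or mode != "navigate":
        # Link was loaded as a subresource (iframe, image, script), not a page.
        return ("deny", f"loaded as {dest}, not a top-level navigation")
    if h.get("sec-fetch-user") != "?1":
        # Top-level navigation the user did not trigger with a click or key press.
        return ("review", "navigation without user activation")
    return ("credit", "user-initiated top-level navigation")

def classify_all(hits):
    """Map each named sample hit to its decision."""
    return {name: classify_tracking_hit(h)[0] for name, h in hits.items()}

if __name__ == "__main__":
    for name, headers in SAMPLE_HITS.items():
        print(name, classify_tracking_hit(headers))
```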

3. Typosquatting

Typosquatting is a devious tactic affiliates use to reap commissions from genuine web traffic that isn't theirs.

The fraudster registers domains containing likely misspellings and typos of popular websites or brands. For example, amzon.com, facebok.com, or acqorn.com.

When users accidentally navigate to one of these domains, they get redirected through the typosquatter's affiliate link before ending up at the actual intended website. If the user makes a purchase, the typosquatter earns a commission for "referring" what was actually a typing error.

We helped Acme Co. analyze traffic sources and found spikes in referral traffic from random domains like amzon.co, amazn.co, acrne.com, etc. Checking WHOIS data confirmed they were recently registered typosquat domains.

Proactively registering common typo variants of your domains prevents this manipulative tactic. Monitoring traffic sources and analyzing referrers also helps identify typosquatting patterns.
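Referrer analysis of this kind can be automated by comparing each referring hostname with the brand names you protect. The following is an added example, not code from the original article: it flags referrers within a small edit distance of a brand label, using the look-alike domains quoted above plus constructed benign hosts. The function names, the threshold and the simple `name.tld` parsing (no public-suffix handling) are assumptions.

```python
def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]

def find_typosquats(referrer_hosts, brand_labels, max_distance=2):
    """Return {host: brand} for referrers that look like a misspelled brand.

    Assumption: the registrable name is the label before the final TLD.
    Short brand labels produce more false positives and need a tighter threshold.
    """
    hits = {}
    for host in referrer_hosts:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        name = labels[-2]
        for brand in brand_labels:
            # Distance 0 is the brand itself; 1..max_distance is a likely typo.
            if 0 < osa_distance(name, brand) <= max_distance:
                hits[host] = brand
                break
    return hits

# Referrers: three domains quoted in the article plus constructed benign hosts.
SAMPLE_REFERRERS = ["amzon.co", "amazn.co", "acrne.com",
                    "www.amazon.com", "acme.com", "deals.example.net"]

if __name__ == "__main__":
    print(find_typosquats(SAMPLE_REFERRERS, ["amazon", "acme"]))
```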

4. Chargeback Fraud

Chargeback fraud exploits the ability to reverse transactions and claw back funds.

An affiliate makes purchases from the advertiser using stolen credit card details. After the commission is paid out, the actual cardholder initiates a chargeback with their bank, leaving the merchant with the loss.

Affiliates may also use their own cards and intentionally trigger chargebacks after reaping the commission. In friendly fraud scenarios, the card owner issues a chargeback due to confusion without malicious intent.

We saw an athletic apparel merchant experience a spike in chargebacks traced back to a single affiliate's transactions. On investigation, the affiliate had been promoting the merchant through gift card giveaways aimed at collecting credit card details. By analyzing order and chargeback patterns, we uncovered this scheme early before it did further damage.

Monitoring changes in chargeback rates helps detect surges tied to potential fraud. Having clearly defined return and refund policies also limits excessive chargebacks.

5. Malicious Adware

Malicious adware allows shady affiliates to earn commissions even when users aren't actively clicking on links.

The affiliate spreads malware that infects devices with adware containing their hidden referral links. As the user browses the web, the adware silently pings these links to rack up commissions from the affiliate program.

Ads for free software, extensions, and file-sharing sites commonly distribute adware Trojans. The downloader looks legitimate, but carries the hidden adware payload. One of our clients saw conversions spike from India despite minimal paid advertising in the region. Diving into the data revealed adware referrals from pirated software sites as the cause.

Scrutinizing traffic sources and monitoring affiliate link click patterns helps uncover adware schemes. Because it operates behind the scenes, adware activity can be harder to detect.

6. SDK Spoofing

SDK spoofing is an advanced method of generating fake affiliate conversions. It is most common in mobile app affiliate programs.

Sophisticated fraudsters reverse engineer the advertiser's app tracking SDK code. They then simulate app installs by mimicking SDK calls from phantom devices.

For example, an affiliate will spoof 10,000 unique device IDs and programmatically fire the conversion pixel as if those devices installed the app. This generates 10,000 fake but seemingly valid conversions to earn commissions.

Preventing SDK spoofing requires thorough device fingerprinting and analysis to detect patterns of simulation. For user acquisition programs, look for signals like dense traffic over short time spans, abnormal ID sequencing, and mismatching IP geography.
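Two of the signals named above, abnormal ID sequencing and mismatching IP geography, can be checked directly on install events. The following is an added example, not code from the original article: the event fields (`device_id`, `claimed_country`, `ip_country`), the affiliate names and the thresholds are assumptions, and the install events are constructed.

```python
import random
import uuid
from collections import defaultdict

def build_sample():
    """Constructed install events; field names are assumptions for this example."""
    rng = random.Random(7)
    rows = []
    for i in range(30):  # aff_real: random device IDs, 2 of 30 users abroad
        rows.append({"affiliate": "aff_real",
                     "device_id": str(uuid.UUID(int=rng.getrandbits(128))),
                     "claimed_country": "DE",
                     "ip_country": "FR" if i < 2 else "DE"})
    for i in range(50):  # aff_spoof: counter-style IDs, IP country never matches
        rows.append({"affiliate": "aff_spoof",
                     "device_id": str(uuid.UUID(int=0xA000 + i)),
                     "claimed_country": "US",
                     "ip_country": "NL"})
    return rows

def sequential_share(device_ids):
    """Share of IDs whose numeric value is exactly one above another ID in the batch."""
    values = {uuid.UUID(d).int for d in device_ids}
    return sum((v - 1) in values for v in values) / len(values)

def flag_installs(rows, max_sequential=0.1, max_geo_mismatch=0.3):
    """Return {affiliate: [reasons]}; thresholds are illustrative, tune per program."""
    by_aff = defaultdict(list)
    for row in rows:
        by_aff[row["affiliate"]].append(row)
    report = {}
    for aff, installs in by_aff.items():
        reasons = []
        if sequential_share([r["device_id"] for r in installs]) > max_sequential:
            reasons.append("sequential_device_ids")
        mismatches = sum(r["ip_country"] != r["claimed_country"] for r in installs)
        if mismatches / len(installs) > max_geo_mismatch:
            reasons.append("ip_geo_mismatch")
        report[aff] = reasons
    return report

if __name__ == "__main__":
    print(flag_installs(build_sample()))
```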

4 Best Practices to Prevent Affiliate Fraud

Beating affiliate fraud requires going beyond basic compliance screening and monitoring. Advertisers need proactive solutions to detect, prevent, and respond to scam attempts.

Here are 4 key strategies I recommend for robust affiliate fraud prevention:

1. Vet Affiliates Thoroughly

The first line of defense is rigorous affiliate screening during onboarding. Actively look for red flags including:

  • Fake or inconsistent contact details
  • Poor web reputation and reviews
  • Spammy promotional methods
  • Too-good-to-be-true claims

Conduct background checks using tools like DomainBigData and monitor chatter on affiliate discussion forums. High-risk verticals like payday lending or nutraceuticals require extra diligence in evaluating affiliates.

Ongoing monitoring is also critical to spot issues early before major damage is done. Regularly review affiliate activities and watch for sudden changes in typical patterns.

2. Implement Fraud Detection Technology

Specialised antifraud software provides vital automation to identify threats. Integrate solutions that offer:

  • Browser fingerprinting to detect bots and click farms
  • Proxy and VPN detection to uncover tricky traffic sources
  • Activity analysis for unusual spikes or account behavior
  • Link redirection tracing to map conversion paths
  • Device intelligence to spot emulators and spoofers

You can't rely on manual monitoring alone given the sophistication of fraudsters. Technology assistance is needed to flag schemes at scale.

3. Establish Strict Attribution Models

Program terms should clearly define commission requirements and prohibited practices based on the risk profile:

  • Direct attribution – Ensure affiliates only get credited for users that arrive directly from their site or ad. This prevents cookie stuffing and attribution manipulation.

  • Short cookie windows – Lengthy cookies invite cookie fraud. Consider 24-48 hour windows.

  • Block incentivized traffic – Prohibit commission-inflating tactics like cashbacks, gateway signatures, etc.

  • Limit redirects – Multiple pre-landing page redirects are a red flag and enable click inflation.

Such guidelines limit loopholes fraudsters try to exploit. Any violations should lead to swift suspensions per program policies.

4. Incorporate Fraud Prevention Early

Don't wait until you already have a problem – build in fraud prevention from the start when creating or assessing an affiliate program:

  • Perform competitor analysis to see where they've faced fraud issues
  • Research vertical-specific risks like regulated sectors
  • Consult experts to stress test your program terms, technologies, and processes
  • Conduct thorough technical integrations to limit tracking gaps or attribution errors

Rolling out a program with protection in place saves the hassle of trying to fix a broken system later. Prevention is far more effective than reaction.

Case Study: Uncovering Cookie Stuffing at BrandX

Seeing real examples brings these threats to life. Let me walk through how my team helped major retailer BrandX intercept a cookie stuffing scam attempting to infiltrate their new affiliate program.

BrandX wanted additional sales channels and decided to explore affiliate marketing. Starting from scratch, they needed an audit before opening the program to confirm everything was fraud-proof.

We thoroughly inspected BrandX's website, affiliate portal, tracking methods, and attribution model. This turned up a concerning technical gap – their site allowed arbitrary cookie writes in user browsers without validation.

This meant that any external party could stuff their affiliate cookies and hijack credit for sending customers. Just a few days after soft-launching their program, we noticed affiliate PartnerA had already referred an unusually high number of transactions.

Checking the cookies on these users revealed suspicious PartnerA tracking cookies. Further analysis uncovered the technique – PartnerA had purchased Facebook ads pointing to an intermediate landing page on their own domain.

This page dynamically inserted an iframe that pinged PartnerA's affiliate link in the background before redirecting to BrandX's site. The hidden iframe stuffing enabled PartnerA to grab credit for any subsequent customer conversions, even though the Facebook ads brought them in.

By catching this early, BrandX was able to shut down PartnerA's account, tighten their cookie permissions, and implement our recommended fraud detection stack. This saved them from rampant cookie stuffing as the program scaled up. The experience made BrandX realize affiliate fraud protection must be baked into program design from day one.

Conclusion

Affiliate marketing presents an attractive incremental sales channel, but also carries risks of large-scale fraud eating into ROI. Advertisers lose billions each year to the common manipulative tactics threat actors use to game commission systems for financial gain.

The combination of thorough affiliate screening, fraud detection technology, strict program policies, and expert guidance provides the best protection. With the right strategies, businesses can unlock the benefits of performance marketing while avoiding pitfalls.

As affiliate marketing expands across digital commerce and lead gen, expect fraudsters to grow ever more sophisticated. However, staying vigilant and quickly adapting prevention measures will keep them at bay. Brands that learn from others’ mistakes in this space, seek help early, and plan ahead will maintain affiliate marketing as a key growth lever without hemorrhaging profits.

Footnotes:

  1. Coppinger, Kerry. "Affiliate marketing fraud now a $3.4 Billion problem, New Study Finds." PRNewswire, 31 May 2022, https://www.prnewswire.com