Affiliate marketing pays for a result. A partner sends a buyer, the buyer converts, the partner gets a cut. That is the appeal: a merchant does not pay until something good happens. It is also an open invitation. If the only thing between a stranger and your money is a tracking signal, the fastest way to get paid is not to send buyers. It is to forge the signal.
Almost every affiliate scam is the same trick in different clothes. The fraudster studies how a payout is triggered, then manufactures that trigger without doing the work it was meant to reward. A cookie is supposed to mean a referral happened, a click is supposed to mean interest, a lead form is supposed to mean a real person raised a hand. Fraud is the gap between what the signal says and what actually occurred. The reassuring part is that forgery leaves marks: a faked referral does not behave like a real one, and the difference shows up in the data if you know where to look. This is a field guide to the five fraud types that drain affiliate budgets: what each does, why the payout model invites it, and the anomaly that gives it away.
Origin: a channel born with a fraud problem
Affiliate marketing did not develop fraud later. It shipped with it. The model went public in 1996 when Amazon opened its Associates program, and within a few years the channel had a reputation problem built on cookie stuffing, spam pages, adware that overwrote tracking, and email spam. The infrastructure networks like Commission Junction and LinkShare built in the 2000s was as much about policing partners as recruiting them.
The reason is structural. A merchant running an affiliate program pays people it has never met, often cannot identify, for actions it cannot directly observe. Pay-per-sale, the model behind roughly four in five programs, is the hardest to fake because a real purchase has to occur. Pay-per-click and pay-per-lead are softer, because a click or a form submission is cheap to manufacture.
One industry estimate put affiliate fraud losses at roughly 3.4 billion dollars in 2022, more than double the figure two years earlier, with fraudulent traffic estimated at around 17 percent of all affiliate traffic, up from about 10 percent in 2020. Treat those as directional, because fraud is hard to count. The shape is what matters: a meaningful slice of every affiliate dollar goes to people who did nothing.
Cookie stuffing: the referral that never happened
Start with the oldest scam, because it explains the others. Affiliate tracking drops a cookie in your browser when you click a partner's link, stamped with the partner's ID. If you buy from that merchant before the cookie expires, the merchant reads the ID and pays a commission. The cookie is a stand-in for an event: you clicked, therefore a referral happened. Cookie stuffing severs that link. The fraudster drops the affiliate cookie in your browser without you clicking anything, through a one-by-one-pixel invisible image, a hidden iframe that loads a merchant page in the background, or JavaScript that fires on page load. You visit an unrelated site, a cookie for a major retailer is quietly planted, and if you happen to shop at that retailer in the next week the stuffer collects a commission. Stuff enough cookies across enough browsers and a small fraction will convert by chance. That fraction is free money. The scam invites itself because last-click attribution pays whoever owns the most recent cookie: the fraudster does not need to influence anyone, only to have volume and patience.
It also leaves an unmistakable fingerprint. A legitimate affiliate has a sane ratio between clicks and conversions, because every conversion followed a real click. A cookie stuffer has almost no clicks and a stream of conversions, because the conversions come from cookies nobody clicked. An affiliate posting conversions with little or no traceable click traffic is the single clearest signal in affiliate fraud detection. A second tell is referrer obfuscation: a 2015 study of cookie-stuffing sites found more than 91 percent used HTTP or script redirects and over 84 percent hid the referring page. An honest referral has nothing to hide.
Cookie stuffing is also the scam with a criminal record. eBay's two largest affiliates, Shawn Hogan and Brian Dunning, ran cookie-stuffing operations through widgets that planted eBay cookies on visitors. Hogan collected over 28 million dollars in commissions, Dunning over 5 million during 2006 and 2007. An FBI sting that began in 2006 led to wire fraud indictments in June 2010. Hogan was sentenced to five months in federal prison and a 25,000 dollar fine, Dunning to 15 months. The wire fraud charged was the interstate transmission of the cookies themselves.
Click flooding and click injection: faking the click
If cookie stuffing fakes the referral, click flooding and click injection fake the click that starts it. Both live in mobile app marketing, where merchants pay a bounty for app installs, and both exploit the same rule: the last click before an install gets the credit.
Click flooding, also called click spam, is the blunt version. The fraudster fires an enormous volume of fake clicks for many users, none tied to real interest, betting some will install the app anyway for unrelated reasons. When one does, the fraudster owns the last click and claims the bounty. It is cookie stuffing reborn for mobile.
Click injection is the surgical version, and nastier. On Android, the operating system broadcasts a system event when an app finishes installing. A malicious app already on the phone listens for that broadcast and fires a click a fraction of a second before the install completes. That click is now the last click. The fraudster steals credit for an install that was already happening. The attack is specific to Android because iOS does not let third-party apps monitor those install broadcasts. Both scams work because attribution rewards timing, not contribution: last-click logic never asks whether the click meant anything, only which click came last.
Detection turns on one elegant signal: click-to-install time, the gap between click and install. Real users take time. They see an ad, go to the app store, download, wait. Most legitimate installs land at least several minutes after the click, spread across a natural curve. Click injection collapses that curve, with installs arriving seconds after the click, because the click fired during the download. Click flooding produces the opposite shape: a flat distribution with no relationship between click time and install time. One is too fast and too tight, the other has no pattern at all, and neither looks like genuine intent. A flooding source also betrays itself with a conversion rate far below anything plausible.
Brand bidding and typosquatting: stealing demand that already exists
The next family does not fake a signal so much as intercept a buyer already on the way. The fraud is taking credit for demand the brand created.
Brand bidding abuse is the paid-search version. An affiliate buys ads on the merchant's own brand name and close variants. A shopper who already knows the brand searches for it, sees an ad that looks like the brand's own, clicks, and converts. The affiliate collects a commission on a customer who was going to buy regardless. The merchant pays out, often at a higher cost-per-click on its own name, for a sale it would have closed for free. Some brand bidding is allowed; the abuse is the affiliate quietly bidding on terms the program forbids, sometimes pausing its ads whenever the brand's compliance team is likely to be watching.
Typosquatting, also called URL hijacking, runs the same play through the address bar. The fraudster registers domains a keystroke from the real one, the brand name with a doubled or missing letter. A shopper fumbles the URL, lands on the lookalike, and gets bounced through an affiliate redirect to the real site, where any purchase now carries the squatter's tracking. The squatter taxes a typo. Both scams work because last-click attribution cannot tell demand created from demand captured: the affiliate did not generate the customer, it stood in the customer's path.
The fingerprint is found by reading traffic sources, not totals. An affiliate driving conversions from search ads on the brand's own trademarked terms shows up the moment anyone runs paid-search monitoring across engines, the job tools like BrandVerity exist to do. Typosquatting shows up in referral domains: conversions arriving through a domain that is the brand name misspelled, or through a chain of redirects from an expired site. Honest affiliate traffic comes from the affiliate's own content. Hijacked traffic comes from a doorway built out of the brand's name.
Lead fraud: the form filled by nobody
Pay-per-lead programs pay for a submitted form: an email, a phone number, a quote request. The signal is a real person with real interest. Lead fraud manufactures it at scale.
There are two production methods. The automated one uses bots to fill forms with fabricated or synthetic identities, sometimes a real stolen name stitched to a fake email and phone. The human one uses fraud farms, real people paid a few cents per submission to fill forms by hand. The farm version beats bot detection, because the submissions genuinely come from a human on a real device. What they do not come from is anyone who wants the product.
Pay-per-lead invites this more than any other model because the payout fires before the truth is known. A sale either happens or it does not. A lead is only a promise, and the commission is paid on the promise, weeks before anyone discovers the phone number is dead.
The fingerprint sits in two places: the leads themselves and the cohort they form. Individually, fraudulent leads fail verification, with undeliverable emails, disposable email domains, dead phone numbers, and form-fill speeds too fast for a human reading the fields. In aggregate, a fraudulent affiliate's leads cluster, with submissions from a narrow band of IP addresses or device fingerprints, an even pace, and templated data. The deepest tell is downstream: an honest lead source converts to sales at some normal rate, a fraudulent one converts at close to zero. If you only track leads delivered and never trace them to revenue, the fraud is invisible by design.
Adware and extension hijacking: the modern cookie stuffer
The newest entry is the oldest scam moved into the browser itself. A browser extension sits on every page the user visits, including checkout, which makes it a perfect tool for writing a last cookie. Hijacked extensions are cookie stuffing with a permanent seat in the browser.
The PayPal-owned coupon extension Honey became the public face of this after a December 2024 investigation alleged it overwrote affiliate cookies at checkout, claiming commissions creators had earned. Honey lost roughly 8 of its 20 million users through 2025, and Rakuten Advertising removed it from its network in January 2026. It was not alone. A Chrome extension called Save Image as Type, with more than a million users, was quietly taken over in late 2025. The new owner pushed an update that injected a hidden, full-screen iframe into nearly every page visited, held it for about 8.5 seconds, and used it to stuff affiliate cookies through close to 600 affiliate redirect URLs. Google did not remove it until March 2026, and it carried the store's Featured badge until the day it was pulled.
The payout model invites this because an extension does not have to win the last click. It is already present at the last moment, on every page, and last-click attribution hands the commission to the freshest cookie.
The fingerprint is the cookie-stuffing fingerprint at scale: a partner posting conversions across an enormous spread of unrelated merchants with no real click traffic and no content that could have driven any of it. The structural defense is to stop reading cookies from the browser. Server-side tracking, where the merchant's own server records the referral through a conversion API, gives an extension nothing to overwrite. Platforms are moving too. Google's Chrome Web Store published a tougher affiliate-ads policy on March 11, 2025, enforced from June 10, barring extensions from applying an affiliate link without a clear user action and a real, immediate benefit such as a genuine discount. An extension that silently stuffs cookies in a background iframe now breaks the store's rules.
Future and impact: detection becomes a data discipline
Two forces are reshaping affiliate fraud at once. AI makes it cheaper to manufacture every fake signal in this guide: synthetic leads, plausible content to wrap a stuffing operation, automated traffic that mimics human rhythm. At the same time, AI-mediated shopping is dissolving the clean click that last-click attribution depends on, so the signals fraud forges get blurrier even as the forgeries get better.
The defense does not change in principle. Every scam here is detected the same way: you know what a real referral looks like in your data, and you flag what does not match. A broken click-to-conversion ratio, a collapsed or flat click-to-install curve, traffic that traces back to the brand's own name, leads that fail verification and never reach revenue, conversions spread thin across unrelated merchants. None of this requires a fraud vendor to begin. It requires looking.
The structural fixes point where the rest of the channel is heading. Server-side tracking removes the browser as a place to forge cookies. Shorter cookie windows shrink the time a stuffed cookie has to get lucky. Most of all, judging affiliates on incrementality, on whether they produced customers who would not have converted otherwise, quietly defeats the entire captured-demand family, because a brand bidder or a checkout extension contributes no incremental customer to credit. The reader who finishes this guide does not need to memorize five scams. They need one habit: treat every affiliate payout as a claim, and ask what real event it stands in for.
Council summary
This post argues that affiliate fraud is one trick repeated five ways: forge the signal a payout rewards, and the forgery leaves a measurable mark in your data. The council verified the eBay prosecution, the Honey case, the Chrome Web Store affiliate-ads policy dates, and the 2015 Chachra et al. cookie-stuffing study. We corrected the study figures to the precise 91 percent and 84 percent, aligned the Dunning commission figure with the cited source, and replaced an overstated merchant count for the Save Image as Type extension with the verified figure of close to 600 affiliate redirect URLs. The reader leaves able to recognize each fraud type by the anomaly it produces.
Comments