Cookie stuffing, also called cookie dropping, is an affiliate marketing fraud in which a fraudster wrongfully earns commissions from visitors' purchases by forcing altered cookies onto the browsers of unaware users. These stuffed cookies allow the fraudster to claim sales from transactions they influence in no way whatsoever.
There are multiple well-known examples of cookie stuffing, from Shawn Hogan scamming eBay out of a staggering $28 million as far back as 2008 to more recent incidents in 2019 involving two ad blockers stuffing over 1 million Google Chrome users. Losses in affiliate marketing due to fraud are increasing yearly, with cookie stuffing still playing a central role in the issue.
In this article, we'll look at how cookies are stuffed. We'll also explore practical ways merchants and businesses can identify the threat in their operations, as well as ways to protect the health of your revenue streams.
How Are Cookies Dropped?
When a website requests a user's permission to access cookies, it is asking the user for consent to place a small piece of code on the user's browser. Cookies are used to hold data specific to a user as they browse the internet. Generally, cookies can be:
- Session: used to store your browsing history, remember the items in your carts while you shop online, etc.
- First-party: used to save your preferences whenever you return to websites you've visited in the past — helpful for saving your login details, language selections, etc.
- Third-party: used to track a user's activities on the web, gathering details that would help in delivering highly targeted advertisements at a later time.
Cookies, third-party for our purposes here, can contain sensitive information and are generally closely scrutinized by advertising tracking companies, web hosts, and developers. They have parameters that can be passed in and out of them, making them vulnerable to extortion if they fall into the wrong hands.
Among those parameters is the domain, which indicates the issuer of the cookie or where a user is accessing a certain site from. It is the primary way merchants know the source domains users are reaching their website from, but also an excellent backdoor for fraudsters to rig the cookies to their advantage.
Fraudsters drop cookies through several methods that traverse the layers of users' web browsing experience. Pop-ups, inline framing, images, and animations on web pages, browser plugins, etc., are all commonly used.
Once cookies are dropped, the fraudster can claim that a user is reaching a certain merchant's site through their own site, claiming a commission that should otherwise be paid to a legitimate affiliate — or nobody, really, as the user might have simply heard about the merchant from the merchant themselves.
In essence, cookie stuffing fraud goes like this:
- A user interacts with one of the numerous methods cookies can be dropped on the web.
- Altered cookies get dropped onto the user's browser.
- At another time, the user makes a purchase on one of the merchant sites targeted by one of the stuffed cookies.
- The merchant checks for affiliate links when the user checks out. Upon finding one, they pay out a commission to the source traffic indicated by the user's accompanying cookie.
- The fraudster ends up getting paid a hefty commission for nothing.
Ways to Identify Cookie Stuffing
Unusually high/low conversions
Whenever you record a high conversion rate from one of your publishers — especially if the traffic they send your way is sparse — it is possible that they're stuffing cookies. In the same light, high traffic and low conversion from a reputable publisher might mean someone else is taking advantage of that publisher.
Traffic from strange domains
Shady TLDs like .xyz or .stream are popular with fraudsters. Any affiliate sales from a similar domain name should raise suspicion. Such sites can be used to redirect users, burying where the cookies may have been originally stuffed.
Increased affiliate payouts
It might be nothing, but when one of your affiliates suddenly begins to make huge gains while everyone else stays roughly the same — a clear indication that external factors like trends, seasons, etc., have nothing to do with it — it might be time to take a closer look.
Increased withdrawals from your affiliate program
Publishers invest years to become thought leaders in their fields. When they see lots of their audience clicking through a site, yet no increase in commissions, they'd be right to assume that either their audience doesn't like the product or there is a fault with how the affiliate merchant handles payments. In any case, they would likely give up, withdraw from the program, and move on to somewhere else.
How to Prevent Cookie Stuffing
Merchants can take several measures to ensure cookie stuffing doesn't cripple their marketing operations, ensuring a flourishing platform where all affected parties benefit from the process.
One way to achieve this is to keep a keen eye on the analytics for any increase in affiliate payouts, unusually high or low conversions, or increased withdrawals by publishers from the affiliate program. In each case, acting accordingly — blocking the offending publishers and reporting them to the appropriate authorities, for instance — would help mitigate the issue.
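The analytics checks described above can be run as a periodic report. The following is an added example, not code from the original article: the publisher names, sample figures, and thresholds (`factor`, `sparse_clicks`, `busy_clicks`) are constructed assumptions to tune against your own program's baseline.

```python
from statistics import median
from urllib.parse import urlsplit

SUSPECT_TLDS = {"xyz", "stream"}  # TLDs named in the article; extend from your own data

# Constructed sample: per-publisher totals for one reporting period.
PUBLISHERS = {
    "pub-a": dict(clicks=12000, sales=240, payout=2400.0, prev_payout=2300.0,
                  referrers=["https://reviews.example.com/top10"]),
    "pub-b": dict(clicks=9000, sales=170, payout=1700.0, prev_payout=1750.0,
                  referrers=["https://deals.example.org/"]),
    "pub-c": dict(clicks=40, sales=30, payout=3000.0, prev_payout=150.0,
                  referrers=["http://redirect.example.xyz/go"]),
    "pub-d": dict(clicks=15000, sales=12, payout=120.0, prev_payout=1400.0,
                  referrers=["https://blog.example.net/guide"]),
    "pub-e": dict(clicks=8000, sales=150, payout=1500.0, prev_payout=1450.0,
                  referrers=["https://news.example.com/"]),
}

def rate(p):
    # Sales credited with no recorded clicks is itself a red flag, so treat as infinite.
    return p["sales"] / p["clicks"] if p["clicks"] else float("inf")

def growth(p):
    return p["payout"] / p["prev_payout"] if p["prev_payout"] else float("inf")

def flag_publishers(pubs, factor=5.0, sparse_clicks=500, busy_clicks=5000):
    """Return {publisher: [reasons]}, comparing each publisher to the peer median."""
    med_rate = median(rate(p) for p in pubs.values())
    med_growth = median(growth(p) for p in pubs.values())
    flags = {}
    for name, p in pubs.items():
        reasons = []
        if p["clicks"] < sparse_clicks and rate(p) > factor * med_rate:
            reasons.append("high conversion on sparse traffic")
        if p["clicks"] >= busy_clicks and rate(p) < med_rate / factor:
            reasons.append("low conversion on high traffic (possible victim)")
        if growth(p) > factor * med_growth:
            reasons.append("payout spike while peers stayed flat")
        for url in p["referrers"]:
            host = urlsplit(url).hostname or ""
            if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
                reasons.append(f"sale referred from suspect TLD: {host}")
        if reasons:
            flags[name] = reasons
    return flags

if __name__ == "__main__":
    for name, reasons in flag_publishers(PUBLISHERS).items():
        print(name, "->", "; ".join(reasons))
```

A flag is a prompt for manual review rather than proof of fraud; the low-conversion flag in particular points at a publisher who may be losing commissions to someone else.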
Another way businesses can prevent cookie stuffing is to manually inspect and approve publishers looking to join their affiliate programs. They can reject those publishers that appear dubious, and conduct better due diligence on those they welcome to join their program.
The aforementioned manual methods of dealing with cookie stuffing aren't effective, especially for large businesses dealing with thousands of publishers. Inspections and approvals take time and resources. Even when banned, fraudsters can easily reappear under varying guises. Also, human error is bound to lead to more than a few slip-ups.
Instead, a better way to combat cookie stuffing is to automate detecting and blocking it using ad fraud detection and prevention tools. Through techniques such as device fingerprinting, today's advanced anti-ad fraud tools can monitor traffic, detect anomalies, block abnormal redirects, and much more.
Cookie stuffing works because most fraudsters run small-scale operations with different publisher accounts, which keeps them under the radar. But even those who run large operations often get away with it. Unlike eBay, not all merchants have the resources to pursue the perpetrators with the ferocity necessary to secure a lasting legal victory. We, the good guys, can only win collectively, by instituting proactive ad fraud protection measures.