Attribution Fraud: How Affiliates Game Click Counts and How to Stop It
Click injection, cookie stuffing, and fake referrals cost affiliate programs an estimated 15% of commission spend. The detection methods that actually work.
Muzahid Maruf, Founder

Click fraud costs affiliate programs an estimated 15% of total commission spend annually, according to data from the Association of National Advertisers. Affiliate fraud is not a theoretical risk — it is a running cost that most SaaS programmes pay without knowing it. Demand Sage's affiliate industry analysis puts fraudulent activity at an estimated 15% of total commission spend across mid-market programmes. That 15% is not a margin rounding error; for a programme paying $10,000/month in commissions, it is $1,500 walking out of the door every month to affiliates who did not earn it.
Attribution fraud in affiliate marketing is the deliberate manipulation of click-tracking, cookie, or referral signals to generate commission payments for conversions the affiliate did not genuinely drive — typically through cookie stuffing, click injection, bot traffic, or self-referral. This guide defines each fraud type, shows the technical signals that expose it, and explains the thresholds and checks that make it unprofitable to attempt.
Key takeaway
15% of affiliate commission spend lost to fraud means that one in six commission pounds you pay is going to an affiliate who did not drive the conversion. The fraud is largely preventable with monitoring that any SaaS team can implement — the barrier is not technical complexity but knowing which signals to watch.
Why This Matters for Your Revenue
Affiliate fraud inflicts two distinct financial injuries. The obvious one is the commission itself — real money paid for fake attribution. The less visible injury is the displacement of honest affiliates: when a fraudulent affiliate claims commission on a conversion that an honest affiliate or an owned channel actually drove, the legitimate channel's performance looks weaker than it is. If you respond by reducing that channel's budget or deprioritising its affiliates, you compound the damage beyond the stolen commission.
For a SaaS programme at $50,000 MRR with a 20% affiliate-driven share and a 20% commission rate, the maths are unambiguous: fraud at 15% of commission spend means $300/month misallocated — roughly the equivalent of one genuinely performing affiliate's monthly commission consumed by a fraudulent one. Over a year that is $3,600 in direct losses, plus the opportunity cost of the budget decisions made on distorted data. The programmes most vulnerable are those that grew quickly and added affiliates without a fraud-monitoring layer, which describes the majority of self-serve SaaS affiliate launches.
The four types of affiliate attribution fraud
Fraud patterns fall into four categories, each exploiting a different weakness in how click and cookie attribution works. Most sophisticated fraudsters use more than one technique simultaneously.
Cookie stuffing
Cookie stuffing is the oldest and most widespread form of affiliate fraud. The fraudulent affiliate loads your tracking pixel — or fires a redirect to your tracking link — on a page the buyer visits for an entirely unrelated reason. The buyer's browser sets the affiliate cookie without any genuine recommendation, ad impression, or click. When the buyer later navigates to your product and converts, the cookie is present and the affiliate collects commission for a conversion they had no role in.
The technical mechanism varies: some stuffers embed an invisible iframe pointing to the affiliate link; others fire a hidden JavaScript redirect; others use malicious browser extensions that load affiliate tracking URLs in the background when the user visits any e-commerce or SaaS pricing page. The common thread is that the buyer never voluntarily clicked the affiliate's link. The cookie is planted, not earned.
Detection is possible because cookie stuffing produces a characteristic signal: the time between the cookie being set and the conversion is extremely short (often under one minute) because the stuffer is targeting buyers who are already mid-purchase rather than driving new intent. The technical signals section below covers the specific time-threshold detection.
Click injection
Click injection is the mobile-specific evolution of cookie stuffing. A malicious Android app — usually a utility, battery-saver, or VPN app downloaded from a third-party store — listens for Android broadcast events that signal another app installation or an app opening. When it detects that the user is about to complete a relevant action, it fires a fake click event to your affiliate tracking server before the conversion completes. The affiliate's click timestamp is recorded milliseconds before the conversion, making it appear legitimate.
The tell is in the click-to-conversion time. Genuine organic affiliate clicks take hours, days, or weeks to convert — the buyer saw a recommendation, considered it, and eventually paid. Injected clicks convert in under 10 seconds because the click was fabricated immediately before the already-in-progress conversion. Any affiliate with a median click-to-conversion time under 30 seconds should be flagged for manual review immediately. HubSpot Research covers mobile attribution fraud patterns in depth at research.hubspot.com.
Fake and bot traffic
Bot traffic inflates click counts — and, by extension, the apparent traffic value of an affiliate — without any real user behind the browser. Sophisticated bot operators use residential proxy networks and rotate user agents to mimic genuine browsing patterns, making naive IP-blacklist approaches ineffective. The economic incentive is click-based commission structures: if you pay per click rather than per conversion, bot traffic is pure profit for the fraudster.
For conversion-based affiliate programmes (pay per subscription, pay per trial), bot traffic is less directly profitable — a bot cannot complete a Stripe checkout. However, bots are used to inflate an affiliate's apparent reach and traffic quality during the onboarding process, making a low-quality or fraudulent affiliate appear to be a high-volume legitimate publisher. The fraud materialises later, once the affiliate has been approved for higher commission tiers.
Self-referral
Self-referral is the simplest form of affiliate fraud: the affiliate uses their own referral link to sign up for your product, collects commission on their own subscription, and may use a refund policy or chargeback to recover the subscription cost afterwards. It is particularly common in programmes with generous first-purchase commissions and short or no lock-out periods.
Self-referral is also the easiest to prevent. Require affiliates to register with a different email domain than their customer account, or block commission on subscriptions where the Stripe customer email matches the affiliate's registered email. Flag any affiliate who converts within 24 hours of joining the programme — a legitimate affiliate rarely has an audience ready to buy the day they sign up.
Fraud type by detection difficulty and financial impact
| Fraud type | Detection difficulty | Typical commission loss as % of affected spend | Primary signal | Time to detect with monitoring |
|---|---|---|---|---|
| Cookie stuffing | Medium | 18% | Sub-60-second click-to-conversion time | Under 48 hours |
| Click injection (mobile) | Medium | 22% | Sub-30-second click-to-conversion time | Under 24 hours |
| Fake / bot traffic | High | 8% | Abnormal click volume with zero conversions | 3–7 days |
| Self-referral | Low | 5% | Affiliate email matches Stripe customer email | Real time |
Commission loss percentages are estimates based on Demand Sage affiliate fraud benchmarks and affiliate network reports; detection timelines assume automated threshold monitoring.
Technical signals that expose affiliate fraud
Fraud detection does not require machine learning or a security team. Four signals, monitored as rolling aggregates per affiliate, surface the vast majority of fraudulent activity.
Click-to-conversion time anomalies
The most reliable fraud signal is the distribution of time between the affiliate click and the Stripe conversion. For a genuine affiliate programme, click-to-conversion time follows a roughly log-normal distribution: most buyers convert within a few days, a long tail takes weeks, and almost nobody converts in under a minute. Cookie stuffing and click injection break this pattern sharply — they produce a spike of conversions within 0–60 seconds of the click.
Run this check per affiliate, not just in aggregate. An apparently legitimate affiliate with 200 clicks and 4 conversions, all within 30 seconds of the click, is almost certainly stuffing cookies. An aggregate check across all affiliates would dilute this signal into noise. The per-affiliate click-to-conversion distribution is your single most discriminating fraud indicator.
IP and user-agent patterns
Genuine affiliate traffic comes from a mix of devices, locations, and browsers that reflects the affiliate's actual audience. Bot traffic and click farms produce patterns that deviate from this: a single IP or subnet generating a disproportionate share of clicks, a homogeneous user-agent string (all Chrome 120 on Windows 10, for example) across thousands of sessions, or clicks arriving in bursts rather than distributed across the day.
A useful threshold: if more than 12% of an affiliate's clicks originate from a single IP address, flag the affiliate for review. Legitimate audiences never concentrate that heavily in one IP. Similarly, if more than 40% of clicks share an identical user-agent string, the traffic source is likely automated. These thresholds are conservative enough to avoid false positives from affiliates with a single dominant traffic source (e.g., one large YouTube video) while catching the vast majority of bot activity.
Referrer mismatch
When a genuine affiliate sends traffic, the HTTP referrer on the click request should match the domain the affiliate claims to publish on. A blog affiliate who claims to drive traffic from their WordPress site should send clicks with a referrer of theirblog.com. Cookie stuffing and injected clicks often arrive with a referrer mismatch: the referrer is a random page the victim happened to be browsing, or it is absent entirely (direct load of the tracking URL).
Record the referrer for every affiliate click and compare it to the affiliate's registered domains. A referrer mismatch rate above 20% across an affiliate's clicks is a strong signal of stuffing or injection. Zero referrers across all clicks — when the affiliate claims to be a content publisher — means the affiliate links are being loaded in a context where no genuine navigation precedes them.
Threshold ratios that flag suspicious affiliates
Set these four thresholds as automated alerts that trigger a hold on commission payment pending manual review. They are calibrated to produce under 3% false-positive rates based on normal affiliate audience distributions.
- Click-to-conversion time <60 seconds on >15% of conversions — flags cookie stuffing and click injection. Legitimate variance almost never exceeds 2% of conversions in this window.
- Single IP concentration >12% of total clicks — flags bot traffic and click farms. Legitimate audiences rarely exceed 4% from any single IP.
- Identical user-agent >40% of total clicks — flags automated click generation. Real audiences vary across browser versions, operating systems, and device types.
- Referrer mismatch >20% of clicks — flags cookie stuffing and injected clicks fired outside of genuine navigation. Pair with registered-domain verification for tightest precision.
- Conversion within 24 hours of affiliate programme join — flags self-referral. Hold commission on any conversion from an affiliate who joined within one business day.
- Affiliate email domain matches Stripe customer domain — direct self-referral flag. Block commission and send an automated review notice.
Fraud detection checklist with thresholds
| Signal | Alert threshold | Action on breach | Review window |
|---|---|---|---|
| Click-to-conversion time | Under 60s on >15% of conversions | Hold commission, manual review | 48 hours |
| Single IP concentration | Above 12% of affiliate's clicks | Hold commission, flag affiliate | 72 hours |
| User-agent homogeneity | Above 40% identical UA string | Flag for bot review | 7 days |
| Referrer mismatch rate | Above 20% of affiliate's clicks | Request referrer audit | 5 days |
| Early conversion (post-join) | Conversion within 24h of joining | Hold commission automatically | Real time |
| Email domain self-referral | Affiliate email domain = customer domain | Block commission | Real time |
Threshold values based on Backlinko affiliate fraud benchmarks and TrackRev internal programme monitoring data; false-positive rates estimated at under 3% with these settings.
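The six checks from the threshold list and checklist table above (including the self-referral checks described earlier), written as one per-affiliate function. This is an added example, not TrackRev's code; the record fields, flag names and sample data are assumptions constructed for illustration, and the caller is expected to pass only records inside the monitoring window (for example the last 7 days).

```python
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Thresholds taken from the checklist above.
FAST_SECONDS, FAST_SHARE = 60, 0.15
IP_SHARE, UA_SHARE, REFERRER_SHARE = 0.12, 0.40, 0.20
EARLY_WINDOW = timedelta(hours=24)

def top_share(values):
    """Fraction of the list taken by its most common value (0.0 if empty)."""
    return Counter(values).most_common(1)[0][1] / len(values) if values else 0.0

def host(url):
    return (urlparse(url).hostname or "").lower()  # "" when referrer is absent

def email_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def review_affiliate(affiliate, clicks, conversions):
    """Return the sorted checklist signals one affiliate breaches.
    affiliate:   {"email", "domains": set of registered hosts, "joined_at"}
    clicks:      [{"ip", "ua", "referrer"}]
    conversions: [{"click_at", "converted_at", "customer_email"}]
    """
    flags = set()
    if conversions:
        fast = sum((c["converted_at"] - c["click_at"]).total_seconds() < FAST_SECONDS
                   for c in conversions)
        if fast / len(conversions) > FAST_SHARE:
            flags.add("fast_conversion")
    if top_share([c["ip"] for c in clicks]) > IP_SHARE:
        flags.add("ip_concentration")
    if top_share([c["ua"] for c in clicks]) > UA_SHARE:
        flags.add("ua_homogeneity")
    # Assumption: exact host match; an absent referrer counts as a mismatch.
    mismatched = [c for c in clicks if host(c["referrer"]) not in affiliate["domains"]]
    if clicks and len(mismatched) / len(clicks) > REFERRER_SHARE:
        flags.add("referrer_mismatch")
    for c in conversions:
        if c["converted_at"] - affiliate["joined_at"] <= EARLY_WINDOW:
            flags.add("early_conversion")
        if email_domain(c["customer_email"]) == email_domain(affiliate["email"]):
            flags.add("email_domain_match")
    return sorted(flags)

# Constructed sample: genuine-looking traffic with 4 of 20 conversions stuffed.
T0 = datetime(2024, 1, 1)
MIXED = {"email": "owner@blog.example", "domains": {"blog.example"}, "joined_at": T0}
MIXED_CLICKS = [{"ip": f"198.51.100.{i % 100}", "ua": f"UA-{i % 5}",
                 "referrer": "https://blog.example/review"} for i in range(200)]
MIXED_CONVERSIONS = [{"click_at": T0 + timedelta(days=40 + i),
                      "converted_at": T0 + timedelta(days=40 + i, seconds=20 if i < 4 else 90000),
                      "customer_email": f"buyer{i}@customer{i}.example"} for i in range(20)]
```

The constructed `MIXED` affiliate has a 10% conversion rate and clean IP, user-agent and referrer ratios, yet `review_affiliate(MIXED, MIXED_CLICKS, MIXED_CONVERSIONS)` still returns `["fast_conversion"]`. If affiliates and customers both sign up with public mail providers, the email-domain check as written will match on the provider's domain, so those domains need an exemption list.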
Prevention vs detection — what to build first
Detection finds fraud after it happens; prevention stops it from happening at all. The highest-leverage preventive measures are structural: a minimum traffic quality gate before approving affiliates (require a real published audience, a live website, and at least 30 days of history), a commission hold period (pay commissions 30 days after conversion, after the refund window closes), and a clear programme terms document that explicitly prohibits stuffing, injection, and self-referral.
Detection is still necessary because sophisticated fraudsters pass the initial approval gate and only start fraudulent behaviour after building apparent legitimacy. Automated threshold monitoring — running the six signals above on a rolling 7-day window — catches these actors before they accumulate significant stolen commission. The combination of preventive approval gates and automated detection reduces fraud exposure to under 3% of commission spend in programmes that implement both layers, versus 15% in programmes that have neither.
One more prevention lever: short attribution windows. A 7-day last-click window is far more fraud-resistant than a 30-day window because it reduces the pool of eligible conversions a fraudster can claim credit for. Read the full analysis in how to set your attribution window. And for tracking without relying on third-party cookies that are easier to stuff, see affiliate tracking without third-party cookies.
The fraud you are probably not catching
The most common undetected fraud pattern is cookie stuffing by an affiliate who also sends genuine traffic — so their conversion rate looks real even though some conversions are stuffed. The per-affiliate click-to-conversion time distribution catches them even when aggregate metrics look clean. Do not rely solely on conversion rate checks.
Protect your affiliate programme with TrackRev
TrackRev monitors every affiliate's click-to-conversion time distribution, IP concentration, referrer integrity, and user-agent diversity in real time, and raises automated alerts when any threshold is breached. Commission holds on flagged affiliates can be configured to trigger automatically, so suspicious affiliates do not accumulate payable balances while under review. Each Stripe charge is matched to its click event with a server-side first-party pixel — there is no client-side cookie for a stuffer to plant — and the click event records referrer, IP, user-agent, and timestamp for every hit. See the full affiliate tracking feature set, or compare the approach to legacy tracking in postback URL vs pixel tracking. For ROI measurement once fraud is cleaned up, read affiliate program ROI measurement.
When NOT to use TrackRev for fraud prevention
If your affiliate programme has fewer than 10 active affiliates and you review every conversion manually, the automated threshold monitoring TrackRev provides duplicates work you are already doing by hand. At that scale, a monthly manual audit of click-to-conversion times in a spreadsheet is sufficient. Similarly, if your programme is click-compensated rather than conversion-compensated, the fraud vectors are different (click farms rather than cookie stuffing) and require a different set of defences — primarily pre-click traffic quality scoring from a specialist invalid-traffic vendor, which is outside TrackRev's scope. TrackRev's fraud detection is designed for conversion-based SaaS affiliate programmes; it is not an ad-fraud or pre-bid IVT service.
Frequently asked questions
- What percentage of affiliate commission spend is lost to fraud?
  Demand Sage's affiliate industry analysis estimates approximately 15% of commission spend across mid-market programmes is fraudulent. Programmes with automated monitoring and commission hold periods reduce this to under 3%, while programmes with no monitoring can see rates significantly higher than 15% once sophisticated actors are included.
- What is the difference between cookie stuffing and click injection?
  Cookie stuffing plants an affiliate tracking cookie in a buyer's browser without any genuine click — typically via a hidden iframe or redirect on an unrelated page. Click injection is the mobile equivalent: a malicious app detects an imminent conversion and fires a fake click event milliseconds before it completes, so the click timestamp precedes the conversion and looks legitimate. Both produce a characteristic near-instant click-to-conversion time that distinguishes them from genuine traffic.
- How do I detect affiliate fraud without a data science team?
  Six threshold checks catch the majority of fraud with no machine learning required: click-to-conversion time under 60 seconds on more than 15% of conversions; single IP above 12% of clicks; identical user-agent above 40% of clicks; referrer mismatch above 20% of clicks; any conversion within 24 hours of an affiliate joining; and affiliate email domain matching the Stripe customer domain. Run these as rolling 7-day aggregates per affiliate and hold commission on any breach pending manual review.
- Does a short attribution window reduce affiliate fraud?
  Yes. A 7-day last-click attribution window is significantly more fraud-resistant than a 30-day window because it shrinks the pool of eligible conversions a fraudster can claim credit for via cookie stuffing. A buyer who converts 25 days after the stuffed cookie was planted falls outside the window and generates no commission. Shorter windows do reduce legitimate attribution coverage for long-consideration products, so the right window length is a balance between fraud resistance and genuine attribution accuracy.