What Is Cookie Stuffing? The Affiliate Fraud Every Business Owner Should Know About

Laura Sprinkle
Founder & CEO

Affiliate programs are one of the best ways to grow a business on referrals. When they work the way they're supposed to, you pay for results: real customers, real sales, real relationships.

But there's a type of fraud most business owners have never heard of until it happens to them. It's called cookie stuffing, and it's designed to look like your affiliate program is working when it isn't.

Here's what it is, how to spot it, and what to do if you find it.

What Is Cookie Stuffing?

Cookie stuffing is a form of affiliate fraud where a bad actor forces a tracking cookie onto a visitor's browser without the visitor ever intentionally clicking an affiliate link.

In a legitimate affiliate program, here's how tracking works: a potential customer clicks a real link shared by an affiliate (in an email, on a blog, in a social post), and a tracking cookie is stored in their browser. If they later make a purchase, that affiliate gets credit and commission for the referral.

Cookie stuffing hijacks that process. Instead of earning the click, a fraudulent affiliate loads their tracking cookie onto a visitor's browser automatically, often by getting them to land on a fake website, without any real referral taking place. If that visitor later purchases from you through any channel, the fraudulent affiliate collects the commission.

They didn't send you a customer. They just stole the credit.

How Cookie Stuffing Actually Works

Here's the typical playbook:

A fraudulent affiliate creates a website that mimics your brand or your program. Close enough that someone scrolling quickly might not notice. When a visitor lands on that site, a script automatically loads the affiliate's tracking cookie into their browser. No click required.

From that point on, if the visitor finds your site organically, responds to your own marketing, or hears about you from a friend and buys, the fraudulent affiliate is credited for the sale.

In some cases, these affiliates also run paid ads bidding on your branded search terms, directing traffic to their fake pages and loading cookies at scale. The more visitors they can cookie stuff, the more commissions they can claim, without ever delivering a single real referral.

This type of activity violates Rootabl's Terms of Service, which every affiliate agrees to when they join your program. It's not a gray area.

Why This Matters for Your Affiliate Program

The obvious harm is financial: you're paying commissions for sales your affiliates didn't generate. We recently helped a business identify and remove affiliates who had cumulatively racked up five figures in fraudulent commissions. But the damage runs deeper than that.

Cookie stuffing also corrupts your data. When fraudulent affiliates are credited for organic sales or sales driven by your own marketing, you lose visibility into what's actually working in your program. Legitimate affiliates who are doing real work may appear to be underperforming by comparison. And if you're making decisions about who to reward or recruit based on that data, you're working with a skewed picture.

There's another layer of damage that's easy to miss: your brand. Real people are landing on fake pages you didn't create, with messaging you didn't approve, representing a business you've built with care. You have no control over what those pages say, how they look, or what experience someone has on them. And if a potential customer has a bad experience on a knockoff of your site, they're not going to go looking for the real one (they may not even realize it’s fake). They'll just move on, with a bad impression of your brand attached.

How to Spot Cookie Stuffing in Your Affiliate Program

The warning signs exist. You just have to know what to look for:

Clicks coming from domains you don't recognize. Legitimate affiliates send traffic from their own platforms: their website, their email list, their social profiles. If you pull referrer data and see clicks coming from a URL that looks like a knockoff of your brand or program name, that's worth investigating.

Sudden spikes in affiliate activity that don't match their profile. A big jump in clicks or conversions that doesn't align with what that affiliate normally produces, or what they've told you they're doing, is a flag. Legitimate volume growth is usually gradual and traceable.

Affiliates bidding on your branded search terms. If someone is running paid ads using your business name or program name to drive traffic to a site you didn't create, you might catch it in your Google Ads data before it shows up in your affiliate dashboard.

Unusually high conversion rates. If an affiliate has an exceptionally high conversion rate compared to others, it can sometimes mean they're not generating new interest. They're taking credit for buyers who were already going to convert on their own.
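
As an added example (not Rootabl's code and not part of the original article), here is how the referrer-domain and conversion-rate checks above could be run over an exported click report. The brand domain, affiliate IDs, declared domains, export layout, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from statistics import median
from urllib.parse import urlparse

BRAND_DOMAIN = "acmewidgets.example"  # assumption: the merchant's real domain
# Constructed sample data: domains each affiliate declared when applying.
DECLARED = {"aff_a": {"alice-reviews.example"}, "aff_b": {"bobmail.example"},
            "aff_c": {"carol-coupons.example"}}
# Constructed click export rows: (affiliate_id, referrer_url, converted)
CLICKS = (
    [("aff_a", "https://blog.alice-reviews.example/post", i < 2) for i in range(40)]
    + [("aff_b", "https://newsletter.bobmail.example/", i < 1) for i in range(30)]
    + [("aff_c", "https://acmewidgets-deals.example/landing", i < 12) for i in range(20)]
)

def host(url):
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def looks_like_brand(domain):
    """True for third-party domains that contain or closely resemble the brand name."""
    if under(domain, BRAND_DOMAIN):
        return False
    brand = BRAND_DOMAIN.split(".")[0]
    return any(brand in p or SequenceMatcher(None, brand, p).ratio() >= 0.85 for p in domain.split("."))

def review(clicks, declared, min_clicks=10, rate_factor=3.0):
    """Return {affiliate_id: [reasons]} for manual review; thresholds are illustrative."""
    total, sales, refs = defaultdict(int), defaultdict(int), defaultdict(set)
    for aff, url, converted in clicks:
        total[aff] += 1
        sales[aff] += bool(converted)
        refs[aff].add(host(url))
    rates = {a: sales[a] / total[a] for a in total}
    baseline = median(rates.values())
    flags = defaultdict(list)
    for aff in total:
        for d in sorted(refs[aff]):
            if looks_like_brand(d):
                flags[aff].append(f"brand look-alike referrer: {d}")
            elif not any(under(d, ok) for ok in declared.get(aff, ())):
                flags[aff].append(f"undeclared referrer: {d}")
        if total[aff] >= min_clicks and rates[aff] > rate_factor * baseline:
            flags[aff].append(f"conversion rate {rates[aff]:.0%} vs program median {baseline:.0%}")
    return dict(flags)
```

Calling `review(CLICKS, DECLARED)` returns only the affiliates with at least one flag. A flag is a prompt to look closer at that affiliate's traffic, not proof of fraud.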

What to Do If You Suspect Affiliate Fraud

If something looks off, start by pulling referrer domain data for that affiliate. Which websites are actually generating their clicks? That information is usually the clearest signal.

If you're on Rootabl, reach out to us. We can help you dig into the data and figure out what's actually going on.

If you confirm fraud, here's what to do next:

  1. Remove the affiliate from your program. In Rootabl, this takes about 30 seconds from your dashboard.
  2. Forfeit any pending commissions tied to the fraudulent activity.
  3. Let Rootabl know. We want to flag bad actors across the platform and act on our end as well.
  4. Report fake domains or impersonation ads to Google if you see them running paid ads on your brand terms.

Document everything as you go. You may need it.

How to Build a Fraud-Resistant Affiliate Program

Catching fraud early is good. Not letting it in is better.

A few things worth setting up from the start:

Require an affiliate application. An open program where anyone with the link can join immediately is convenient, but it gives you no filter on who's in. An affiliate application process lets you approve affiliates before they ever start promoting. Ask where they plan to promote, what their audience looks like, and what their strategy is. The answers tell you a lot. Rootabl's application feature lets you approve or reject applicants directly in your dashboard, and keeps rejected applications on file.

Make your terms explicit. Every affiliate who joins through Rootabl agrees to standard terms of service that explicitly forbid the kinds of activities involved in cookie stuffing. You can also add custom terms specific to your program: which promotion methods are allowed, which platforms they can promote on, and what constitutes a violation. The more specific you are upfront, the less gray area exists if you ever need to act.

Use a payout schedule with a holding window. Rootabl's payout cycle creates time between when a sale is recorded and when commission is paid, and it’s an important feature. It gives you a window to review affiliate activity before money goes out the door. In the fraud cases we've seen, that holding period is exactly what allowed program owners to catch issues before significant commissions were disbursed.

None of this is about being suspicious of your affiliates. Most of them don't need this kind of oversight. It's just good program hygiene.

Protecting Your Program Going Forward

The best defense is visibility and knowing what normal looks like for each of your affiliates: their typical traffic sources, their conversion patterns, the channels they use. That makes anomalies much easier to spot.

The good news: the vast majority of affiliates are doing the real work. They're genuinely excited about your product and promoting it the right way. Cookie stuffing is a rare tactic, but it's worth knowing about so you can catch it early if it ever touches your program.

Your affiliate program is an asset. Protect it like one.