Cookie Stuffing

If you’ve heard the term “cookie stuffing” recently and are wondering what it means, we’re sorry to say that it is neither an ill-advised culinary trend nor a viral food challenge. It is, in fact, an insidious and lucrative form of affiliate marketing fraud.

Affiliate programs provide passive income streams for many web publishers, but fraudsters have already found ways to exploit them, claiming unearned payouts and undermining the system for everyone participating in good faith. What is cookie stuffing, and what can merchants do to keep their affiliate marketing programs from being targeted?

You can’t have a chargeback without a credit card transaction, but merchants whose fraud management strategies start and end with credit card fraud may find themselves vulnerable to fraudsters with more unconventional schemes. Some of these fraudsters target affiliate marketing programs, especially now that affiliate marketing has grown to become a $12 billion global industry.

Affiliate fraud can come in many forms, but one of the simplest is taking unearned credit and commissions for sales that the fraudster was not involved in.

Affiliate marketing should be a mutually beneficial deal. The merchant only has to pay a commission when a promotion results in an actual sale, and the publisher earns a commission every time their promotional efforts influence a purchase.

Unfortunately, the technology that makes it easy for affiliates to get credit for the sales they’re driving also makes it easy for fraudsters to hijack this process. Cookie stuffing attacks can be hard to detect, but merchants who engage in affiliate marketing need to know what they might end up dealing with.

What Is Cookie Stuffing?

The “cookie” in cookie stuffing refers to website cookies, the little files that websites are always asking you to accept. Cookies save user data so the website can know who is visiting and adjust the browsing experience accordingly. For example, cookies might store login information or display preferences.

Affiliate programs use cookies as a way to assign proper credit to promoters even if a user doesn’t immediately click through their affiliate link to make a purchase. When a publisher delivers promotional content, they can give the user a cookie that basically says, “I saw promotional content for Merchant X on Website Y.”

If the user visits Merchant X and makes a purchase hours or even days later, the cookie will let the merchant know that the sale was driven by their affiliate Website Y, who will receive the credit and compensation they rightly earned.

Cookie stuffers simply load up the users who visit their sites with fake affiliate cookies. They will deliver absolutely zero promotional content, but their cookies will say that they did. They may even overwrite cookies from legitimate affiliates. Then, whenever the user makes a purchase in the future, the merchant may see a fake affiliate cookie and pay out a commission even though the fraudster did nothing to earn it. 

Why Is Cookie Stuffing Dangerous?

For merchants accustomed to the sting of credit card fraud, affiliate fraud attacks like cookie stuffing may seem relatively innocuous. After all, they can’t result in chargebacks, and the fraudster can never steal more than the merchant would have paid out on a legitimate commission anyway.

The real danger of cookie stuffing is how much it undermines affiliate programs, which are an important source of revenue for many publishers and a significant lead generator for merchants.

When fraudsters abuse the trust that affiliate programs depend on, it disincentivizes participation from merchants and publishers alike. Publishers perceive that they aren’t getting credit or income from their promotional efforts, and merchants find themselves paying out many more commissions without seeing a matching increase in sales.

How Can Merchants Identify Cookie Stuffing Attacks?

Detecting cookie stuffing isn’t always easy. Merchants usually see the first signs of it when they analyze the ROI of their affiliate program and discover that sales are not increasing relative to payouts.

Fraudsters have many different ways of getting cookies onto users’ devices, few of which require much engagement. Cookies can be slipped in through image tags, banner ads, pop-ups, redirects, iframes, browser extensions, and style sheets.
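One way a merchant could look for these low-engagement vectors in its own affiliate-tracking logs is shown below. This is an added example, not code from the original article; it assumes the tracking endpoint records the browser's Fetch Metadata request headers (Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-User), and the affiliate names, sample hits, and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of hits on a merchant's affiliate-tracking URL:
# (affiliate id, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-User); None = header absent.
SAMPLE_HITS = [
    ("site-y", "document", "navigate", "?1"),
    ("site-y", "document", "navigate", "?1"),
    ("site-y", "document", "navigate", "?1"),
    ("site-y", "document", "navigate", "?1"),
    ("stuffer-z", "image", "no-cors", None),       # link loaded as an image
    ("stuffer-z", "iframe", "navigate", None),     # link loaded in an iframe
    ("stuffer-z", "style", "no-cors", None),       # link loaded as a style sheet
    ("stuffer-z", "document", "navigate", None),   # redirect with no user gesture
    ("stuffer-z", "document", "navigate", "?1"),
    ("legacy-w", None, None, None),                # client sends no Fetch Metadata
    ("legacy-w", None, None, None),
    ("legacy-w", None, None, None),
]

def classify(dest, mode, user):
    """Return 'click', 'unknown', or the name of the passive load vector."""
    if dest is None:
        return "unknown"            # cannot judge; do not count against the affiliate
    if dest == "document" and mode == "navigate":
        return "click" if user == "?1" else "navigation-without-gesture"
    return dest                     # image, iframe, style, script, ...

def score_affiliates(hits, min_hits=3, max_passive_ratio=0.5):
    """Per affiliate: share of classifiable hits that were not user clicks."""
    stats = defaultdict(lambda: {"judged": 0, "passive": 0, "vectors": set()})
    for aff, dest, mode, user in hits:
        kind = classify(dest, mode, user)
        s = stats[aff]
        if kind == "unknown":
            continue
        s["judged"] += 1
        if kind != "click":
            s["passive"] += 1
            s["vectors"].add(kind)
    report = {}
    for aff, s in stats.items():
        ratio = s["passive"] / s["judged"] if s["judged"] else 0.0
        report[aff] = {"judged": s["judged"], "passive_ratio": round(ratio, 2),
                       "vectors": sorted(s["vectors"]),
                       "flag": s["judged"] >= min_hits and ratio > max_passive_ratio}
    return report

if __name__ == "__main__":
    for aff, row in score_affiliates(SAMPLE_HITS).items():
        print(aff, row)
```

A flag here is a reason to review the affiliate, not proof of fraud: clients that send no Fetch Metadata headers are left unjudged rather than counted as passive.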

Of course, per the GDPR, websites in many regions of the world are required by law to ask permission before giving you cookies—hence all the pop-ups asking users to accept them. How does this affect cookie stuffing? It doesn’t. Consenting to accept cookies is not a technological requirement; fraudsters do not ask permission before stuffing devices full of cookies.

The strongest defense against cookie stuffing and other forms of affiliate fraud is to vet your affiliates carefully. Visit their sites, contact their customer service departments, and listen to your gut when a site seems sketchy.

As bad as cookie stuffing is, there are worse forms of affiliate fraud that can indeed involve credit card fraud and identity theft. As you would with any partnership, go into affiliate programs with research, data, and firsthand knowledge about the people you’re doing business with.

Conclusion

Cookie stuffing is a good reminder that fraud doesn’t always emerge from the ranks of your customers. Merchant fraud is a real thing, and honest merchants are harmed by it as much as anyone.

When dealing with customer disputes, it’s good to keep in mind that some customers’ attitudes will have been shaped by prior interactions with unethical merchants. This perspective can be helpful in finding ways to work constructively with them to resolve issues and avoid chargebacks.

Adding cookie stuffing and other forms of affiliate fraud to your list of concerns may feel like the last thing you want to do, but don’t give up on an affiliate program that’s working out for you.

Like credit card fraud, friendly fraud chargebacks, and all of the other attacks that retailers have to be prepared for, cookie stuffing may be a headache but it can’t keep a dedicated merchant down. Affiliate fraud can be mitigated and reduced to manageable levels if you analyze the problem, track down its sources, and come up with a data-driven strategy for preventing it.


