Cookie Stuffing

May 28, 2021 | 10 min read

Cookie stuffing. The term may sound like it describes chocolate chips or marshmallows. In the world of affiliate advertising, though, it’s a devious way for fraudsters to siphon away unearned money behind an advertiser’s back.

Affiliate marketing is a marketing channel where publishers earn a commission by promoting another brand’s product or service. Affiliate marketing fraud, or affiliate fraud, is a process where criminals circumvent the system in order to claim unearned sales commissions.

Done correctly, affiliate marketing can be a robust tool for driving traffic to your website. However, fraud from illegitimate schemes means you could be paying commissions on bogus sales. If you work with affiliates, you need to get the scoop on cookie stuffing…before you get burned.

Affiliate Marketing & Cookies

Cookies are small data files that connect a user to a particular site via their traffic pattern. Websites can read from and write data to these cookies for a variety of purposes, like saving a user’s login information. They can also use cookies to track a user’s browser history if they visit your site more than once. You can even have cookies that tell the website not to save cookies!

In affiliate marketing, a third-party website promotes your products, earning a commission if users actually end up buying. As an example, let’s take a major appliance seller (the advertiser), who may place ads connecting their store to the website of an appliance repair outlet (the affiliate, or publisher). If a user clicks through the ad on the affiliate’s site, and then later makes a purchase from the advertiser, the affiliate will get a commission.

It’s a good deal for both parties; the advertiser only pays out when they make a sale, while the affiliate can earn passive income through their online presence. But what does all this have to do with cookies?

Any time a customer clicks on an ad and visits the advertiser’s site, the advertiser attaches a small file, or cookie, to the customer’s browser. The cookie “remembers” that the shopper came to the website at least once via the ad. If that customer leaves, but then comes back and completes a purchase within a predetermined period of time, the advertiser will attribute the sale to the affiliate and pay out a commission.

It’s an effective technique that benefits everyone involved. It’s not surprising, then, that fraudsters found ways to subvert the system.

Ensure your next campaign is a success. Click to get started.


Cookie Stuffing

[noun]kʊ ● kɪ ● stʌ ● fɪŋ

Cookie stuffing is a practice by which a fraudster uses web cookies to collect affiliate commissions on goods they did not sell.

In contrast to the legitimate use of cookies by affiliate marketers, cookie stuffing—or cookie dropping, as it is sometimes known—is considered a blackhat online marketing technique. It’s a practice by which fraudsters use cookies of their own to collect commissions on goods they did not sell.

The fraudster begins by joining an online affiliate community or developing independent relationships with advertisers. Then, every time someone lands on the fraudster’s site, they attach a number of third-party cookies to the user’s web browser; mostly tied to major retailers like eBay, Amazon, Walmart, etc. Later, if that user happens to visit one of these sites and make a purchase, the cookie would make it appear to the advertiser that the lead was driven by the affiliate.

Consumers have to click through from the affiliate’s site to the advertiser’s site and make a purchase to legitimize a commission. With cookie stuffing, though, the advertiser pays out a commission, even though the fraudster didn’t actually earn it. The fraudulent cookie might even override another cookie placed by a legitimate affiliate, meaning they don’t get the commission they earned.

For effective prevention, both advertisers and affiliates need to know how cookie stuffing happens. Here are five common methods fraudsters use to sneak cookies onto a site:



Pop-up dialog boxes can sometimes be annoying, but they’re generally a harmless way for websites to make offers or announcements. A pop-up can also be programmed to attach cookies to browsers if the user interacts with it, though.


JavaScript can be used to force redirect visitors to a different page. Fraudsters can take advantage of that to slip in an additional redirect, where deceptive affiliate cookies can be dropped quickly enough that the user doesn’t notice.



Iframes are commonly used to embed a separate HTML item inside an existing HTML, such as placing an ad within a page. The fraudster can embed an iframe onto a page that loads their fraudulent affiliate URL while loading the page.



The “<img>” HTML tag tells a browser to retrieve an image, but the URL doesn't have to have an image extension (.jpg, .png, .gif, etc.). Affiliate links can be put indirectly or by creating a redirect through this practice.

Style Sheets

Style Sheets

Cascading Style Sheets (CSS) make it easier to code pages so they display consistently site-wide. The fraudster could slip the direct affiliate URL into the style sheet as an image, making it load on every page. This technique is one of the hardest to detect.

Yes. Cookie stuffing undermines merchants’ affiliate marketing strategies and siphons unearned commissions from their revenue pool. Plus, top-producing affiliates will see fewer profits, giving them less reason to continue participating.

Cookie stuffing also violates broad data security regulations like the General Data Protection Regulation (GDPR). This European regulation strictly bans data collection without express permission. It also mandates that websites inform users any time they collect data. Cookie stuffing violates both these precepts.

Cookie stuffing is considered a form of wire fraud. Thus, an affiliate engaged in cookie stuffing could be open to criminal charges. In one well-publicized case, a top eBay marketer was sentenced to federal prison for defrauding the auction site of $28 million over the course of several years.

All that said, eliminating cookie stuffing is easier said than done. There are several reasons for this:

  • Code Can Go in Anywhere: Any request—even just calling an image—can be used to drop cookies.
  • Most Cases Are Smaller-Scale: Fraudulent affiliates using this technique want to avoid getting caught. They typically use it on a smaller scale to avoid attracting attention.
  • Advertisers Don’t Have Sufficient Resources: A company like eBay has the resources to pursue some high-profile fraudsters, but most merchants don’t.
  • Many Advertisers Lack the Expertise: Cookie stuffers fly under the radar, making it difficult for merchants to identify dangerous behavior.

Cookie stuffing may seem like a minor problem compared to other affiliates' fraud tactics like click fraud or identity theft. These steal millions from advertisers each year. Cookies are sneakier, though, and can be dropped without the user’s knowledge or consent. Those unearned commissions add up and can be much very damaging over time.

Concerned that some of your affiliates may be engaged in cookie stuffing? Here are a few signs to look for that might suggest your partners are up to no good:

Unusually High/Low Conversion Rates

Ensuring that your numbers are realistic is an important part of eCommerce conversion optimization. If conversion rates are high, it may suggest the use of adware to drop cookies in shoppers’ browsers. Low conversion with high traffic, on the other hand, could mean the affiliate is placing cookies everywhere in hopes a customer will randomly end up on an advertiser’s page.

Poor-Quality Site

Be wary of any affiliate whose site seems unimpressive, but who still manages to generate a lot of traffic. Without any reason for customers to visit the affiliate’s website, the most likely explanation for conversion is cookie stuffing.

Reliance on Redirect Pages

HTML redirects are an easy way to hide cookie stuffing activity. Users are sent to a secondary page for a split second before being referred to the advertiser’s page. Fortunately, you can see which referring pages are redirects simply by examining the site analytics.

Suspicious Click Latency

The time between a customer clicking a link and ultimately buying a product is referred to as click latency. Naturally, conversions should decrease as time following a click increases. The lack of an obvious relationship between click latency and conversions should be considered a red flag.

Know Your Affiliates

Implementing manual approval is one of the best—and easiest—methods to ensure that your affiliates are honest. Each applicant to your affiliate program should be screened and reviewed to ensure that it is a reputable and trusted lead source. You can also look into each applicant’s customer service skills to know that they will represent your brand well.

Of course, affiliate cookie stuffing is only one of many potential threats to your next ad campaign. Other malicious forms of affiliate fraud are out there waiting to drain your campaign and flood your business with costly chargebacks.

Chargebacks911® offers products specifically designed to detect, identify, and prevent the most common forms of affiliate fraud. Regardless of the size of your affiliate marketing campaign, we can help optimize your advertising, reduce risk, and turn potential liabilities into profit opportunities. Contact us today to learn more.


Cookie stuffing is a practice by which a fraudster uses web cookies to collect affiliate commissions on goods they did not sell.

Yes. Affiliate cooking stuffing both unethical and also illegal. It uses interstate or international electronic communications to commit fraud, making it a form of wire fraud.

Cookie stuffing undermines merchants’ affiliate marketing strategies and siphons unearned commissions from their revenue pool. Plus, top-producing affiliates will see fewer profits, giving them less reason to continue participating.

There are several tactics that can help you identify cookie stuffing, including unusually high or low conversion rates, a poor-quality site, reliance on redirects, or suspicious click latency.

Probably not entirely. However, vigilance and careful screening can dramatically decrease instances. Third-party products can also be extremely effective.

We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form
Embed code has been copied to clipboard