Cookie stuffing in affiliate marketing: what you need to know

Cookie stuffing in affiliate marketing: what you need to know
Cookie stuffing in affiliate marketing

Affiliate Marketing

Written by



December 8, 2021


Affiliate Marketing

It’s no secret: online fraud is everywhere these days, and with the rise in popularity of affiliate networks and affiliate marketing, it’s no surprise fraudsters would do anything they can to try to get a piece of that pie. 

For the past few years, one of the techniques used by fraudsters to get their hands on a percentage of affiliate transactions is cookie stuffing (also known as cookie dropping). Here’s what you need to know about this type of affiliate fraud and how you can protect yourself from it.

What is a cookie, anyway?

Let’s start with the basics. The concept of a “cookie” is pretty simple: it’s a text file, or a small piece of code, that websites will drop in their users’ browsers in order to store data. That data can include login details, shopping cart selections, and user preferences that advertisers can then use to better tailor their services to their users.

It’s also a great way to develop effective retargeting strategies. 

If you’ve visited any website recently, you’ve probably seen one of those famous cookie pop-ups asking you to allow the website to store that data. 

Cookies are essential to affiliate programs because they allow affiliate networks to associate a certain customer or lead activity to the right affiliate. That might be you! This is what ensures that you get paid accurately and end up with the right compensation in your pocket. 

You certainly wouldn’t want that information to be tempered with, would you?

This is where cookie stuffing comes into play.

What is cookie stuffing?

Cookies can fall within 2 categories: first or third-party. 

First-party cookies are created by the website the user visits and are used to identify them and to provide them with a customized experience. 

Third-party cookies are created by an outside vendor with the main purpose of creating targeted ads and tracking users. They’re also what allows a publisher to know when users click on one of their affiliate links. 

Cookie stuffing (or cookie dropping) falls within the second category.

Is cookie stuffing illegal?

In short: yes. It’s a form of affiliate fraud where a third party will drop one or multiple cookies on a user’s browser in the hopes of claiming commission from the sales completed on that browser.

Basically, the fraudster takes credit from someone else’s sale. 

They will simply wait for a user to visit an affiliate site (like yours), collect information on which e-commerce platforms you, the publisher, send your traffic to, and subsequently drop a bunch of cookies on those shopping websites, waiting for the user to make a purchase. 

As soon as a sale is completed, the CPA network (that’s us) is contacted with the order information. Commission is then paid to the publisher - except in this case, part of it goes to the fraudster, instead of your pockets.

Why is it happening?

The tricky thing about cookie stuffing is that because advertisers are still making money (just not as much as they should have), fraudsters are harder to catch.

Why affiliate marketing?

In the past few years, affiliate marketing has considerably risen in popularity and continues to do so today. When done properly, it’s a very lucrative business with high rewards. As things go with online markets, it can also be vulnerable to fraud as it involves information passing between different hands. 

Being vigilant is more important than ever. Being successful in affiliate marketing takes a lot of effort, and you wouldn’t want your efforts to be in vain. Here are some signs to look out for and different ways you can ensure your own protection against this kind of fraud.

How to detect cookie stuffing

One way advertisers will notice it is when conversation rates are too high or too low, an abnormality that could clue them in depending on the techniques used by the fraudsters. 

Cookie stuffing unfortunately won’t disappear tomorrow morning. So in the meantime, here are the different ways fraudsters may be dropping cookies so you can better watch out and protect your commission.

Where does cookie stuffing come from?

Iframe cookie stuffing

You might be familiar with iframes, which are commonly used to embed HTML code into an existing HTML, such as embedded an ad, a video, or interactive elements within a web page. 

Vendors may ask an affiliate to embed an iframe to their website in order to load affiliate URLs. Watch out: third-party code can include those infamous cookie stuffers that will load your iframe with affiliate cookies. 

Thankfully, iframes are pretty easy to read - pay close attention to the code before embedding it within your pages, and you should be safe.


You’re familiar with pop-ups by now. They are commonly used to entice subscribers or promote offers and grab your user’s attention. 

Pop-up extension tools are something to look out for in order to protect yourself from affiliate fraud - they can be loaded with cookie stuffing code, published by cookie stuffers to scam unsuspecting publishers. 

Simply keep a close eye on the pop-up extensions you plan on installing to your CMS to make sure they’re not stuffed with cookies (and not the good kind).

Image and stylesheets stuffing

CSS can be used to render an affiliate URL as an image on a website. Your user’s browser won’t be able to display the image, seeing as the source link won’t redirect to an image stored on your website database, but the browser will attempt to follow the link anyway, which in turn will load the cookies onto your user’s browser. 

Watch out for blank spaces or broken images, which can be a sign that image stuffing techniques have made their way onto your webpage. Avoiding unknown CSS library files while rendering your pages can also help in protecting yourself against fraudulent files. 

In short, keep a close eye on your files, make sure you get your hands on legitimate code and extensions, and monitor your pages. 

Implementing basic security measures like https / SSL, an iron clad password manager and a no-logging VPN can help protect your site against intrusion. 

If you host a forum, keep in mind that the most interactive parts of your website might be the most vulnerable. Only allowing plain text to be publishing on your forum in order to avoid <img> variables is another technique you can put in place to avoid having your cookies stolen. 

In the end, the best way to protect yourself against cookie stuffing in affiliate marketing is by building habits you should already consider anyway: checking your content often and implementing proper security measures.


From the blog

Discover more blog post about media buy, adult traffic and more.