Cookie stuffing fraud sounds like stuffing cookie dough with harmful sugar substitutes. Nothing could be further from the truth. Also called cookie dropping, this is an illicit process in which affiliate fraudsters use third-party cookies on users' browsers to manipulate the origin of web traffic.

‍

Media Rating Council, a nonprofit organization that manages accreditation for media research and rating purposes, classifies cookie-stuffed traffic as Sophisticated Invalid Traffic (SIVT). It is more difficult to detect SIVT, and therefore requires "advanced analytics, multi-point corroboration/coordination, significant human intervention, etc., to analyze and identify." 

‍

Cookie stuffing is also commonly found in affiliate marketing. It hinders merchants and publishers from effectively making and collecting payments intended toward encouraging shoppers to make informed purchases. In this article, we will go through the common methods used by fraudsters to drop said cookies, along with the implications of affiliate fraud on businesses, end-users, and the entire advertising industry. 

‍

Methods of Cookie Stuffing

iFrames

Also called inline framing, this is when an HTML page is embedded within another HTML page. It is meant to embed ad placements within a page. However, when the code is implemented without careful inspection of parameters, library files, etc., it could be made to automatically drop cookies on the user's system once the affected page is loaded.

‍

Image or Pixel Stuffing

This method of stuffing can either take the form of either several tiny images blending with the background of a portion of a webpage or a seemingly regular-sized image. Also known as pixel stuffing, the ad or an entire website is placed inside a tiny 1x1 or 0x0 pixel using an iframe that makes them invisible to the human eye.

‍

JavaScript animations 

JavaScript can be used to create animations on a webpage by calling gradual changes through a timer. These animations can be used to redirect a user to different sites. The code could also be written to stuff cookies in-between multiple redirects without the user knowing, which is what fraudsters do. 

‍

Browser plugins

It is paramount that sites should only read their own cookies — ones they created — because cookie contents are such sensitive information. Nefarious browser plugins, however, make cookie stuffing possible by enabling the extraction and modification of targeted websites' cookies. This would allow fraudsters to force clicks from WordPress sites, disrupting chaos, and causing payment hurdles. 

‍

Effects of Cookie Stuffing

Merchants or Affiliate Businesses

When a fraudster manages to get ahold of a site's cookies, and unless the merchant manages to somehow become aware of it, the game is about over. The merchant loses money to unearned commissions, faces chargebacks, and risks losing its reputation with each passing day. 

‍

In the same light, when merchants are paying publishers for website clicks and end up reaching irrelevant people due to cookie stuffing, they aren't getting what they paid for. There are numerous ways that those clicks mess up analytics — most notably website hits, but also bounce rate. 

‍

Merchants might even grow wary of partnering with publishers altogether. But then they would be missing out on an excellent opportunity to get the much-needed exposure their business deserves, all because of cookie stuffing.

‍

Publishers 

Legitimate publishers work hard to provide informative and engaging content for their audience, and it takes years of dedicated work for one to become an authority in their respective fields. It is ill-fitting for fraudsters to shamelessly take credit for a traffic source that should belong to a particular publisher. Then again, ethics is the last thing on the minds of these bad actors. 

‍

Additionally, publishers have a lot to lose in terms of their reputation and the trust between them and merchants. Even if a publisher isn't actively involved in unethical behavior, stuffed cookies associated with their sites can still have severe direct and indirect consequences.

‍

End users

Cookie placement without valid and compliant GDPR cookie consent violates GDPR laws. Globally, similar privacy laws protect customers' data. Unfortunately, affiliate fraudsters don't care about such violations, and cookie stuffing serves as a convenient way to get away with their misdoings. As long as there is inadequate awareness about the effects of data breaches in the populace, cookie stuffing could be even more drastic.

‍

Advertising industry

Digital ad fraud erodes the efficacy of all advertising operations everywhere. With cookie stuffing, fraudsters simply barge into ad networks and pillage the funds of legitimate companies. 

‍

Advertising agencies and businesses that depend on running web ads to promote their products and services have not been properly tackling ad fraud, even as it keeps getting more sophisticated every year. Many are aware of cookie stuffing, for instance, but think it's not a big deal or simply tag it as a cost of doing business.

‍

Digital advertising, however, does not work unless products are safely marketed to real people. Cookie stuffing, done at the behest of fraudsters, is but one type of fraud that continues to reduce the effectiveness of ads across the web.‍

‍

Conclusion

There is a growing number of ad fraud prevention tools, each more refined to tackle a distinct category of fraud. Most of these frauds that were barely detectable a few years ago can now be identified and eliminated by many of today's advanced ad fraud prevention tools. While cookie stuffing is an old and pernicious form of affiliate fraud, businesses, agencies, and advertising networks can now confidently combat it and safeguard their brands.

‍