A Comprehensive Guide to Affiliate Compliance

In the dynamic landscape of digital marketing, affiliate programs have emerged as a potent strategy for companies to expand their reach, drive sales, and increase revenue. 

Affiliate marketing avoids some of the biggest problems of other kinds of advertising.  An advertiser buying pay-per-click traffic must worry about click fraud and other low-intent traffic.  An advertiser buying cost-per-impression display ads must worry about invisible ad loads, uninterested users, and untargeted traffic.  Affiliate marketing avoids these problems.

While avoiding the biggest risks of other forms of advertising, affiliate marketing nonetheless comes with its own pitfalls. Seeking to get paid for work they haven’t done, adept scammers can erode the profitability of an affiliate campaign. Marketers hope for good intentions by all involved, but scammers can have the worst of intentions.  And malicious affiliates can bring remarkable technical sophistication, including novel means to conceal their misdeeds, often surpassing the understanding of the companies they target. 

This guide presents the world of affiliate compliance, with a focus on the deceptive tactics of attackers. By diving into affiliate abuse, its effect on businesses, and strategies for detection and prevention, this guide aims to empower advertisers to supervise their affiliates.

Affiliate Marketing Compliance

The essence of affiliate compliance is knowing what you’re looking for – what kinds of misconduct must be caught.  We therefore begin with a library of abuses.

Cookie Stuffing

Cookie-stuffing lets an affiliate get paid even if users never actually click the affiliate’s link to the advertiser.  Traditionally, advertisers pay affiliates when a user navigates to the affiliate’s site, clicks a specially-coded link to the advertiser’s site, and subsequently completes a purchase at the advertiser’s site. With each click of an affiliate link, a cookie is deposited on the user’s system, enabling the advertiser to track the user’s origin and allocate the commission to the respective affiliate. In many programs, a 30-day return window allows affiliates to receive credit if the user returns to make a purchase within the specified timeframe. 

In cookie-stuffing, affiliates manipulate an advertiser’s tracking systems to get paid without a user clicking from the affiliate’s site to the advertiser’s site. Through this method, these affiliates implant cookies onto the users’ systems without the user clicking (and also without the users’ consent or acknowledgment). As a result, cookie-stuffing affiliates reap commissions from unsuspecting users’ purchases without genuinely promoting the merchant.  And the traffic is entirely nonincremental – sales that would have occurred even without the affiliate’s (supposed) effort.  This is low ROI for the merchant.

Affiliates can stuff cookies in several different ways.  Some use JavaScript to instruct the user’s browser to load an affiliate link.  Others use IFRAMEs, an HTML element that causes one page to load another page within it – useful for a complex site, but also an easy way to load an affiliate link.

For affiliates creating content in WordPress, plugins such as CPA Redirector, CookieFire, and Chocolate Chip Cookie Stuffer help affiliates stuff cookies directly within a WordPress site. These plugins also include features designed to conceal misconduct so advertisers are less likely to notice.

Particularly aggressive cookie-stuffers invoke affiliate links not when users browse a cookie-stuffer’s web site, but merely when users browse other web pages that include banner ads.  First, a cookie-stuffer buys banner ads through an ad network or ad exchange.  Where a normal banner ad merely shows an image, a cookie-stuffer’s banner ad also invokes an affiliate link and sets affiliate cookies – though does this silently, as a user merely browses an unrelated web site.  To the user, the ad looks unremarkable.  But if the user happens to buy from that advertiser within the designated return-days period, the advertiser pays the cookie-stuffer a referral fee as if it had caused or referred the purchase.

Other aggressive cookie-stuffers use (supposed) image files to invoke affiliate links.  On online discussion forums, a user posting a comment can often include an image – nominally a picture to be embedded within the post, such as a product or an emoticon.  As the URL of the supposed image, cookie-stuffers instead supply an affiliate link (or a URL that redirects to an affiliate link).  When a browser encounters this image tag, it diligently follows the URL and reads and processes cookies even if the image itself fails to load. Receiving a web page rather than an image, the browser shows a broken image icon or a canvas-like blank space.  But users have no reason to notice that, not to mention understand its significance.  As usual this is totally nonincremental traffic for the advertiser – the advertiser gets no genuine advertising benefit, nor any additional sales.  But the affiliate can claim commissions.  By targeting the right users in the right forum, cookie-stuffers can use this traffic to increase their earnings significantly.  Imagine stuffing an Expedia cookie at a travel forum (where many readers are likely to shop at Expedia), or a Gap cookie at a clothing forum (where many readers are likely to buy clothes).
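For compliance staff auditing a page or forum post, the distinction above can be checked mechanically: an affiliate link in an ordinary anchor needs a click, while the same link in an image, IFRAME or script source loads on its own. The following is an added example, not code from this guide or from any vendor; the tracking host `track.affnet.example` and the `aid` parameter are hypothetical stand-ins for your own network's link format.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TRACKING_HOSTS = {"track.affnet.example"}  # assumption: your network's tracking hosts
AFFILIATE_PARAM = "aid"                    # assumption: query parameter carrying the affiliate ID
# Elements whose URL the browser fetches while rendering, with no user click.
AUTOLOAD = {"img": "src", "iframe": "src", "script": "src", "embed": "src"}


def affiliate_id(url):
    """Return the affiliate ID if url is a tracking link on a known host, else None."""
    parts = urlparse(url or "")
    if (parts.hostname or "").lower() not in TRACKING_HOSTS:
        return None
    return parse_qs(parts.query).get(AFFILIATE_PARAM, ["unknown"])[0]


def looks_hidden(attrs):
    """True when the element is sized or styled so that the user cannot see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


class AutoloadAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, affiliate ID, hidden?) for links loaded without a click
        self.clicks = []    # affiliate IDs of ordinary click-through links

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            aid = affiliate_id(attrs.get("href"))
            if aid is not None:
                self.clicks.append(aid)
        elif tag in AUTOLOAD:
            aid = affiliate_id(attrs.get(AUTOLOAD[tag]))
            if aid is not None:
                self.findings.append((tag, aid, looks_hidden(attrs)))


def audit_page(html):
    """Return (auto-loaded affiliate links, click-through affiliate IDs) for one page."""
    parser = AutoloadAudit()
    parser.feed(html)
    parser.close()
    return parser.findings, parser.clicks


# Constructed sample: a forum post with one honest link and two stuffed loads.
SAMPLE = """
<p>Great trip report!</p>
<a href="https://track.affnet.example/click?aid=1001">Book at Acme</a>
<img src="https://track.affnet.example/click?aid=2002">
<iframe src="//track.affnet.example/click?aid=2002" width="0" height="0"></iframe>
<img src="https://cdn.forum.example/smile.png">
"""

if __name__ == "__main__":
    stuffed, clicked = audit_page(SAMPLE)
    print("loaded without a click:", stuffed)
    print("click-through links:", clicked)
```

A static scan like this sees only links written directly into the markup; loads triggered by script at run time, or reached through a redirecting URL, show up only when a crawler records the browser's actual requests.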

The biggest cookie-stuffers have collected revenues well into the double-digit millions of US dollars per year.  It’s an alarming practice for its simplicity, its scale, and frankly its success.

Malware and Adware

The terms malware and adware encompass a range of nefarious programs, including spyware, pop-ups, and pop-unders. What sets these programs apart is their functionality; they often infiltrate users’ computers without explicit knowledge or permission. Once installed, they track users without consent.  And they often funnel traffic toward affiliates, often at the expense of honest affiliates who adhere to ethical practices. 

While malware and adware programs vary, overall their tactics are focused on economic gains.  Tracking users’ activity is usually a big part of their plan: Knowing what a user is doing provides key insight on what ads the user would respond to.  Put generously, malware and adware use tracking to target users more precisely.  Of course if their practices are nonincremental for advertisers, are contrary to advertiser or network rules, or are otherwise improper, the targeting is nothing to celebrate.  Too often, the targeting entails ads or browser windows that invoke affiliate links without a user click, that cover an advertiser’s site with its own affiliate links, or that otherwise take payment that is not properly earned.

Malware and adware disrupt the trust that is necessary for efficient commerce. They’re also terrible for honest affiliates: Those who diligently adhere to ethical practices find themselves at a disadvantage as their efforts are overshadowed by the manipulative tactics of malware and adware publishers that claim commission they haven’t fairly earned.

Domain parking and typosquatting

Domain parking is the practice of buying domains not for immediate use, but for advertising or potential future sale.  Most advertising experts view this as an acceptable practice.  That said, not every advertiser wants to pay for its offer to appear on a parking site; advertisers reasonably say they pay a premium for legitimate, high-content sites.  So ads on a parking site can be seen as unwanted.  And if a contract disallows such placements, affiliates and other partners must not do so.

Typosquatting is a subset of domain parking, focused on acquiring domain names that are confusingly similar to major businesses’ trademarks. For instance, in the case of legitimate domain www.example.com, typosquatting variations could be wwwexample.com, exampl.com, or xample.com. 

Typosquatting is profitable because users make typographical errors – “typos” – as they type domain names.  Ordinarily, if a user requests a nonexistent domain, the user will be brought to an error message generated by the user’s browser or network.  But if a typosquatter has registered such a domain in advance, the user then sees the typosquatting site. For users originally seeking the merchant’s website, the inadvertent landing at a typosquatting site provides fertile leads – users who may well convert if sent onwards to the merchant they were trying to reach all along.

To monetize their typosquatting domains, most typosquatters use pay-per-click advertising. They partner with major ad platforms such as Google Adsense for Domains.  Often, the top ad on a typosquatting site promotes the company the user was trying to reach – giving the user a one-click path to that destination, and perhaps giving the illusion of legitimacy. Below this ad, a typosquatting site typically shows ads for competitors.

For an advertiser, PPC ads on typosquatting sites are a mixed bag.  On one hand the advertiser does reach a user who is genuinely interested.  And if the cost is sufficiently low, the advertiser may view this as a good deal even if it knows exactly what is occurring.  On the other hand, the advertiser may be alarmed by the underlying illegality – the misuse of the advertiser’s trademark.  If the advertiser thinks that domain should have been its domain, rather than being registered by a typosquatter, the advertiser may realize it could have gotten that site’s traffic for free – without paying for every click, without having to outbid others, without being beholden to the typosquatter or ad network. 

Other typosquatting sites use affiliate programs to directly monetize typo domains.  Typically, when a user reaches a typosquatting site, an affiliate will immediately redirect the user through to the site the user was plainly trying to reach.  For the user, this is a good experience – ending up where he wanted, without an extra click or even a delay.  But for the advertiser, this can be a bad deal.  A smart advertiser thinks about the alternative – the prospect of taking the domain from the typosquatter, who had no proper right to it under law.  If the domain were held by the advertiser itself, and not by the typosquatter, there would be no need to pay an affiliate fee for every sale routed through the typo domain.

A final twist of typo domains is the prospect that if an advertiser objects, the typosquatter will send the traffic elsewhere.  Suppose Expedia objects to its affiliate link appearing on expendia.com, a typo of expedia.com.  What ad will Google show instead?  Perhaps an ad for Priceline, a major competitor.  So too in the world of affiliate traffic: If Expedia complains about a typosquatter sending traffic to Expedia’s affiliate program, the typosquatter may send the traffic to some other travel tool.  Ultimately, an aggrieved advertiser needs to do more than complain; it should insist on the transfer of the domain from the typosquatter to the advertiser, to serve as a defensive registration that avoids further advertising expenses.

In both PPC monetization and affiliate monetization, advertisers are challenged by the information presented in standard dashboards.  Common tools report how many clicks came from what source, at what price, yielding what sales.  But the tools rarely indicate what the plausible alternative might be – what the advertiser could reasonably expect if it didn’t pay.  The tools certainly don’t flag that the traffic came from a typo domain illegal under US law and prohibited by domain registration rules.  As a result, many advertisers don’t think carefully about even the existence of typo domains, not to mention their harms.
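An advertiser can add the missing flag itself by checking each referring domain in its sales report against its own domain. The following is an added example, not part of this guide or of any dashboard product; it covers the typo patterns shown earlier (a missing dot after "www", a dropped letter) and generalizes to any single-character insertion, deletion, substitution or swap. The report rows are constructed, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
from urllib.parse import urlparse


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def typo_reason(host, brand):
    """Explain why host looks like a typo of brand (e.g. 'example.com'), or return None."""
    host = host.lower().rstrip(".")
    if host == brand or host.endswith("." + brand):
        return None  # the advertiser's own site or one of its subdomains
    # Assumption: registrable domain = last two labels (no public-suffix list).
    label, _, tld = ".".join(host.split(".")[-2:]).partition(".")
    brand_label, _, brand_tld = brand.partition(".")
    if tld != brand_tld:
        return None
    if label == "www" + brand_label:
        return "missing dot after www"
    # Short brand names sit within one edit of many unrelated words, so review hits by hand.
    if osa_distance(label, brand_label) == 1:
        return "one-character typo"
    return None


def typo_referrer_report(rows, brand):
    """Total the sales and commission that arrived via typo domains of brand."""
    report = {}
    for referer, commission in rows:
        host = urlparse(referer).hostname or ""
        reason = typo_reason(host, brand)
        if reason:
            entry = report.setdefault(host, {"reason": reason, "sales": 0, "commission": 0.0})
            entry["sales"] += 1
            entry["commission"] += commission
    return report


# Constructed sample rows: (Referer of the affiliate click, commission paid on the sale).
SAMPLE_ROWS = [
    ("http://exampl.com/", 12.50),
    ("http://exampl.com/", 8.00),
    ("http://wwwexample.com/", 5.00),
    ("http://xample.com/", 4.00),
    ("https://www.example.com/cart", 0.00),
    ("https://reviews.bikeblog.example/schwinn", 20.00),
]

if __name__ == "__main__":
    for host, entry in typo_referrer_report(SAMPLE_ROWS, "example.com").items():
        print(host, entry)
```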

Misleading Shopping Apps

Misleading shopping apps lure users with the prospect of financial benefits. Often positioned as helping users save money, shopping apps claim to provide discounts, cash back, and/or charitable contributions across a range of online shopping platforms. Shopping apps hold themselves out as win-win in nature, where users benefit from monetary benefits, while affiliates profit from referring purchases.  Whether or not users and affiliates benefit, advertisers should be thinking about whether these practices benefit them – and if not, why spend marketing budgets in this way?

Upon downloading shopping apps, users typically receive a browser extension that remains present throughout their online browsing. The extension springs to life when a user accesses a site where the shopping app perceives some opportunity to quote-unquote “help” the user, or in any event to get paid.  

In one common scenario, a shopping app checks the price of the product the user is buying, then searches for better deals at other retailers.  For users this could be a great deal, though we’ve often seen it malfunction.  A user considering a Schwinn 26” men’s bicycle (at, say, US$400) probably won’t be impressed to see that a Schwinn 26” wheel is available for $60 – yes, that’s much cheaper, but then again it’s just a wheel rather than an entire bicycle.  Meanwhile, for advertisers, this kind of competitive offer raises questions of fairness and just deserts.  If company A just bought an expensive paid search ad from Google, should B cover A’s site with an offer for its own deal, even if B does in fact sell the same thing for a couple dollars less?  This might sound like a good business to B, but if B does this to A, then A will do it back to B – and next thing they know, they’ll both be paying fees to whatever shopping plugin delivers the popup.  Adware popups first prompted these considerations two decades ago, and trusted merchants largely decided they didn’t want to advertise through adware and popups – in our view, a wise decision.

Other shopping plugins encourage users to click a button to “activate savings” – which, as a practical matter, means invoking an affiliate link and setting affiliate cookies.  If the shopping plugin shares some of the affiliate commission with the user, the affiliate and user are both better off.  But the merchant is plainly worse off.  The user was already at the merchant’s site.  The shopping plugin’s “referral” was a user already there – hardly a genuine source of value.  No wonder many merchants object. 

Shopping plug-ins have a particularly negative consequence for other affiliates.  Consider a standard affiliate promoting an advertiser via a web site, blog, YouTube, or social media.  Once a user clicks that affiliate’s link to the advertiser’s site, the affiliate counts on its referral being tracked properly.  If a shopping plugin intercedes with an offer—“click here to save”, or similar—the first affiliate won’t get paid despite undeniably referring the sale.  Concerned affiliates often call this “stealware,” and their anger has grown so acute that it has led to more than a dozen lawsuits.

Trademark bidding and Violations of Paid Search Policy

A final set of rogue affiliates violates an advertiser’s paid search policy by bidding on the advertiser’s trademarks.  Often, affiliate program rules prohibit affiliates from bidding on terms trademarked by the company, and often also on the names of key suppliers and distributors. Nevertheless, attackers flout this rule, tempted by the lucrative profits they could get by combining low-cost PPC traffic with high revenues from affiliate payments.  

The starting point is that a rogue affiliate opens an account with a search engine – usually Google Ads, but also other search engines – and creates a campaign targeting an advertiser’s name and other trademarks.  The affiliate’s landing page is usually an immediate redirect through to the advertiser’s site.  Thus, if a user searches for the advertiser’s trademark, the user might receive a search ad from this affiliate.  And since the ad sends the user to the advertiser’s normal landing page, users might click, end up in the right place, and never realize that an entirely unrelated company had gotten between them, the search engine, and the advertiser.

For the advertiser, trademark bidding is a bad deal on multiple levels.  One, trademark bidding asks an advertiser to bid against itself.  Every additional advertiser in the ad auction drives up the price, taking funds directly from the advertiser’s bottom line.  Two, many advertisers carefully control the text in their ads – targeting based on season, product inventory, geography, and more.  A rogue affiliate wouldn’t know these campaign parameters, and would present an ad contrary to the advertiser’s intentions.  Three, when a rogue affiliate bids on other terms, such as the trademarks of suppliers, distributors, and competitors, the rogue affiliate can prompt complaints to the advertiser.  Even if the advertiser explains that an affiliate was responsible, partners may not accept that – especially in light of FTC caselaw finding a company responsible for the actions of its marketing affiliates.

Against this backdrop, rogue affiliates employ increasingly sophisticated methods to conceal their violations from advertisers.  First, rogue affiliates widely use negative geo-targeting.  Affiliates often anticipate that an advertiser will search for violations from its corporate headquarters.  Public sources make it easy to find out where a company is based, and modern ad platforms make it easy to negative target a particular region (meaning not serve ads to users there).  By avoiding showing ads in places where merchants are more likely to monitor, rogue affiliates can avoid detection.

Second, rogue affiliates use dayparting.  A rogue affiliate might reasonably expect an advertiser’s marketing staff to work during the business day, not weekends, evenings, or nights.  By setting ads to appear at the times when marketing staff aren’t checking, a rogue affiliate can similarly evade detection.

Third, rogue affiliates disguise their display URLs.  Both to avoid detection and to increase conversion rates, most rogue affiliates want their ads to appear with a domain name matching the ultimate advertiser – companyname.com, not myaffiliate.com.  Other rogue affiliates embrace disposable domain names – changing their redirect servers often, as frequently as daily, so an advertiser struggles to keep up.

Finally, rogue affiliates employ increasingly tricky redirects.  Investigators can’t just right-click a search engine ad to find out where it leads.  But the trickiest affiliates do even more to conceal their link destinations.  In this way, rogue affiliates prevent marketing staff from easily figuring out what a given link does, not to mention which affiliate is responsible.

Affiliate Marketing Fraud Detection and Prevention

Crafting a Comprehensive Contract

A well-drafted contract – be it Terms of Service, Affiliate Terms, a policy addendum, or similar – is the cornerstone of a secure and trusted affiliate program. Such a contract should set clear rules for affiliates – stating what is permitted in affirmative terms, as well as ruling out specific tactics that are not allowed.

For an affirmative statement of what is allowed, we suggest language like “Acme accepts affiliates who send legitimate, user-initiated, visible traffic indicating genuine intent to visit Acme’s site.”  

Specific practices may call for other affirmative requirements.  For example, some advertisers require affiliates to indicate that their affiliate links are, indeed, advertisements.  When affiliates post reviews, advertisers often require affiliates to indicate that they are paid affiliates and are paid for traffic referred through their links.

As to specific tactics not allowed, there’s usually a list:

  • Invalid traffic, forced clicks, cookie-stuffing, IFRAMEs, popups, popunders, spam, junk mail, bulk mail, and the like.  An affirmative statement of acceptable traffic probably already rules these out, but diligent advertisers add a negative approach too, listing the names of specific tactics and technologies that must not be used.  If an affiliate is found to use a method listed by name, a finding of violation is particularly straightforward.
  • Trademark bidding – not allowed.  Furthermore, leading advertisers often specify negative keywords that must be added to PPC Campaigns – such that if a user mentions those terms, even in combination with other terms, no ad may appear.  Alternatively, some advertisers simply ban all paid search – concluding that their in-house teams can run paid search campaigns more effectively than affiliates.  A hybrid approach allows only the most trusted affiliates – such as those with years of good behavior, a known location, and a strong reputation – to engage in search advertising.
  • Restrictions on use of incentives.  May an affiliate give its users cash, points, sweepstakes entries, or anything else in exchange for clicking a link or making a purchase?  Many advertisers say no.  The concise instruction “No incentivized traffic” nicely rules out all of those and more.
  • Objectionable content.  Few advertisers want to be associated with content that many readers find objectionable, such as adult material and hate speech.
  • Catch-alls. Many advertisers include an additional prohibition on other marketing tactics that harm a brand or are otherwise outside the norm. 

With these rules in place, it’s time to think about payment terms.  Realistically, once funds are paid out to an affiliate, it’s usually hard to get them back.  (Litigation might be economically rational for the largest disputes, if the perpetrator can be found and is in a country with a well-functioning legal system.  None of this should be presumed.)  We often encourage advertisers to consider paying more slowly.  Of course affiliates do want to be paid promptly; no one can sustain an indefinite “float” awaiting payment.  But for a rogue affiliate, any payment delay has the additional problem of increasing a merchant’s opportunity to uncover a violation – which, the rogue affiliate knows, is a genuine risk.  Conversely, a legitimate affiliate should usually be willing to accept a slight delay, or even a substantial delay, in exchange for slightly greater payment in due course.  With legitimate affiliates more patient than rogue affiliates, delay differentially discourages the rogue affiliates – and this change, alone, can help clean up an affiliate program.

Reviewing Affiliate Applications

Some advertisers “auto-approve” affiliates – literally without a human laying eyes on an application.  We don’t recommend this approach.  Human review, at the outset, can identify many affiliates whose tactics are slippery or worse.  

If for some reason human review at the outset truly isn’t possible, an advertiser could consider reviewing each affiliate when it first achieves (say) $100 of sales or first earns $10 of commission.

Whenever review occurs, it should cross-check multiple sources of evidence.  For example, what web site did the affiliate list on its application to the advertiser’s program?  Then compare that with the web sites seen in the Referer headers of the traffic the affiliate is actually sending.  We like similar comparisons of street address, phone number, bank details, and IP geolocation.  Multiple discrepancies suggest something amiss.
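The cross-check described above can be run as a routine report over application records and click logs. The following is an added example, not code from this guide; the field names (`website`, `bank_country`, `signup_ip_country` and so on), the 50% threshold and all sample records are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlparse

COUNTRY_FIELDS = ("phone_country", "bank_country", "signup_ip_country")  # hypothetical names


def site_of(url):
    """Lower-cased host of a URL with a leading 'www.' removed ('' if there is none)."""
    host = (urlparse(url or "").hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def review_affiliate(app, clicks, min_match=0.5):
    """List the discrepancies between one application and the traffic actually sent."""
    declared = site_of(app["website"])
    hosts = Counter(site_of(c["referer"]) for c in clicks
                    if c["affiliate_id"] == app["affiliate_id"])
    total = sum(hosts.values())

    def on_declared_site(host):
        return host == declared or host.endswith("." + declared)

    issues = []
    matched = sum(n for h, n in hosts.items() if h and on_declared_site(h))
    if total and matched / total < min_match:
        others = [h for h, _ in hosts.most_common() if h and not on_declared_site(h)]
        issues.append(f"only {matched}/{total} clicks came from {declared}; "
                      f"other referers: {', '.join(others[:3]) or 'none sent'}")
    for field in COUNTRY_FIELDS:
        if app[field] != app["address_country"]:
            issues.append(f"{field} is {app[field]} but street address is in "
                          f"{app['address_country']}")
    return issues


def needs_escalation(app, clicks):
    """Multiple discrepancies suggest something amiss: escalate at two or more."""
    return len(review_affiliate(app, clicks)) >= 2


# Constructed sample data.
APP_OK = {"affiliate_id": "1001", "website": "https://www.dealsblog.example",
          "address_country": "US", "phone_country": "US",
          "bank_country": "US", "signup_ip_country": "US"}
APP_ODD = {"affiliate_id": "2002", "website": "https://couponreviews.example",
           "address_country": "US", "phone_country": "US",
           "bank_country": "GB", "signup_ip_country": "NL"}
CLICKS = [
    {"affiliate_id": "1001", "referer": "https://www.dealsblog.example/bikes"},
    {"affiliate_id": "1001", "referer": "https://dealsblog.example/"},
    {"affiliate_id": "2002", "referer": "https://couponreviews.example/"},
    {"affiliate_id": "2002", "referer": "https://forum.travelchat.example/thread/9"},
    {"affiliate_id": "2002", "referer": "https://forum.travelchat.example/thread/12"},
    {"affiliate_id": "2002", "referer": ""},
]

if __name__ == "__main__":
    for app in (APP_OK, APP_ODD):
        print(app["affiliate_id"], needs_escalation(app, CLICKS), review_affiliate(app, CLICKS))
```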

Abuse Monitoring

Ultimately the best way to keep a program clean is to look for, catch, and eject violators.  VPT is proud to offer automation that helps advertisers do exactly this.  VPT’s lab tests adware and malware to see what offers those programs show.  We test shopping apps to check both how they get installed and what they do.  Our crawlers scour the web – from a range of devices, in a range of geographic locations – to see which sites stuff which cookies, and to see what trademark ads are served where.

Affiliate violations can be complicated.  But we present our findings in self-serve dashboards, making it easy for advertiser staff to see what we’ve found.  And for those who want to dig into the details, we bring the heat: We provide screen-capture video, screenshots, and packet logs proving the problems we uncover.  

At VPT, we’re big believers in accountable online marketing.  We want to see the web thrive, and we want to see advertisers enjoy unmatched ROI on their ad campaigns.  Paying big money to legitimate affiliates requires cutting off cheaters, and it is our pleasure to help sophisticated merchants do so.  Get in touch to see how we can help.