The Scale of the Problem
Affiliate fraud is not a minor nuisance. Industry estimates suggest that approximately 10-15% of affiliate-driven transactions involve some form of fraud or policy violation. For a SaaS company doing $50,000/month in affiliate-attributed revenue, that could mean $5,000-$7,500 in fraudulent commissions paid out annually if left unchecked.
The damage goes beyond direct financial loss. Fraudulent affiliates inflate your acquisition metrics, distort your understanding of which channels actually work, and consume support resources when their low-quality referrals churn or dispute charges. Worse, if legitimate affiliates discover that fraud is tolerated, they lose trust in your program and leave.
The good news is that affiliate fraud follows predictable patterns. Once you understand the common attack vectors, you can build (or use) systematic defenses that catch the vast majority of fraudulent activity before commissions are paid. Prevention is dramatically cheaper than detection after the fact.
Common Fraud Types
Understanding each fraud type is the first step to building effective defenses. Here are the most common schemes that target SaaS affiliate programs, roughly ordered by prevalence.
Self-referrals
The simplest and most common form of affiliate fraud. An affiliate creates an account, generates their own referral link, then signs up for your product using a different email through that link. They earn a commission on their own purchase. More sophisticated versions use multiple accounts, VPNs, and different payment methods to avoid detection.
Why it matters for SaaS: With recurring commissions, a self-referral generates ongoing fraudulent payouts every billing cycle. An affiliate paying $49/month and earning 25% commission is effectively getting a permanent $12.25/month discount, funded by your affiliate budget.
Cookie stuffing
Cookie stuffing is a technique where an affiliate places tracking cookies on a user's browser without the user actually clicking a referral link. This is done through hidden iframes, invisible images (1x1 pixels), JavaScript redirects, or browser extensions. When the user later makes a purchase, the affiliate gets credit despite contributing nothing to the sale.
Cookie stuffing is particularly insidious because it steals attribution from legitimate affiliates or organic traffic. You end up paying commissions for customers you would have acquired anyway. The technique was famously used at scale by eBay affiliate Shawn Hogan, who was convicted of wire fraud for a cookie-stuffing scheme that generated over $28 million in fraudulent commissions.
Click fraud and click injection
Click fraud involves generating artificial clicks on affiliate links to inflate click counts and, in some cases, steal attribution from other affiliates. Click injection (common in mobile) involves monitoring device activity and injecting a click just before a conversion event, taking credit for organic installs or purchases.
For SaaS companies, click fraud typically manifests as unusually high click volumes with extremely low conversion rates from specific affiliates. The affiliate is not generating real interest but rather trying to claim credit for a small percentage of organic conversions that happen to follow one of their many fake clicks.
Fake leads and disposable emails
Affiliates generate fake signups using disposable email addresses (services like Guerrilla Mail, Temp Mail, or 10-minute email) to inflate referral counts. In programs that pay per signup (rather than per payment), this directly generates fraudulent commissions. Even in programs that only pay on purchases, fake leads waste your marketing resources and distort your funnel metrics.
Churn-and-resubscribe schemes
In recurring commission programs, a fraudulent affiliate refers someone (or themselves) who subscribes, earns the commission, then the customer cancels. After the refund window passes, the same person resubscribes through a new referral link, generating another commission. This cycle can repeat indefinitely with different email aliases.
Trademark bidding and brand sniping
Affiliates bid on your brand name in Google Ads, capturing search traffic that was already looking for your product. They route these visitors through their affiliate link and claim commission on conversions that would have happened organically. This is not technically fraud in all programs (some allow brand bidding), but it is a pure value extraction that costs you money without generating incremental customers.
Forced clicks and redirect chains
Some affiliates embed referral links in URL shorteners, redirect chains, or even browser extensions that force-redirect users through affiliate links before reaching the target website. The user never intentionally clicks the affiliate link. Some browser toolbars automatically inject affiliate codes into URLs when users visit specific websites.
Detection Methods
Effective fraud detection combines automated monitoring with manual review. No single metric catches all fraud types, but a dashboard tracking the right signals will surface most suspicious activity.
Conversion rate anomalies
Legitimate affiliates typically have conversion rates between 1% and 10%, depending on the channel and audience quality. An affiliate with a 0.01% conversion rate (many clicks, few sales) is likely generating fake clicks. An affiliate with a 90% conversion rate (almost every click converts) is likely engaged in self-referral or referring only pre-committed buyers.
Track conversion rates per affiliate and flag outliers in both directions. Set automated alerts when an affiliate's conversion rate falls outside two standard deviations from your program average.
Time-to-conversion patterns
Legitimate referrals typically show a distribution of time between click and conversion: some buy immediately, most take hours or days, some take weeks. Fraudulent patterns often show suspicious clustering: all conversions happen within seconds of the click (automated self-referral) or all happen exactly at the end of the cookie window (attribution theft).
Refund rate by affiliate
If customers referred by a specific affiliate have a significantly higher refund rate or churn rate than your average, that affiliate is either sending low-quality traffic or running a churn-and-resubscribe scheme. Track 30-day, 60-day, and 90-day retention rates segmented by referring affiliate. Any affiliate whose referrals churn at 2x or more the average rate warrants investigation.
Email domain analysis
If a high percentage of signups from a particular affiliate use disposable email domains, free email services, or follow suspicious patterns (sequential characters, similar formats), this suggests fake leads. Maintain a blocklist of known disposable email providers and flag signups from these domains.
Geographic clustering
Legitimate affiliates typically refer customers from diverse geographic locations consistent with their audience. If all conversions from an affiliate come from the same IP range, the same city, or the same region, it suggests self-referral or a coordinated fraud ring. Cross-reference the affiliate's stated location with the geographic distribution of their referrals.
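The conversion-rate outlier check and the time-to-conversion clustering check above, as an added Python example (not Refgrow's code). It assumes the baseline mean and standard deviation are computed from established affiliates only, so that one extreme outlier cannot inflate the standard deviation and hide the others; all data is constructed.

```python
from statistics import mean, pstdev

# Constructed sample data, not real affiliates. Baseline: established affiliates
# with a clean track record, as (clicks, conversions) for the period.
BASELINE = {
    "a01": (5000, 100), "a02": (3000, 90), "a03": (2500, 100), "a04": (4000, 100),
    "a05": (2000, 70), "a06": (1000, 50), "a07": (6000, 90), "a08": (2000, 90),
    "a09": (3000, 90), "a10": (5000, 100),
}
# Affiliates under review: totals plus the click-to-conversion delay (seconds) of each sale.
CANDIDATES = {
    "blogger":  {"clicks": 4000, "conversions": 120, "delays": [3600, 86400, 7200, 172800, 900]},
    "clickbot": {"clicks": 900000, "conversions": 9, "delays": [5, 40000, 7, 90000, 6]},
    "selfref":  {"clicks": 10, "conversions": 9, "delays": [4, 3, 5, 4, 6, 3, 4, 5, 4]},
}

def rate_of(clicks, conversions):
    return conversions / clicks if clicks else 0.0

def program_baseline(baseline):
    """Mean and standard deviation of per-affiliate conversion rates in the trusted set."""
    rates = [rate_of(c, v) for c, v in baseline.values()]
    return mean(rates), pstdev(rates)

def rate_outlier(clicks, conversions, mu, sd, sigmas=2.0):
    """'high' or 'low' when the rate is more than `sigmas` std devs from the baseline, else None."""
    rate = rate_of(clicks, conversions)
    if rate > mu + sigmas * sd:
        return "high"       # nearly every click converts: self-referral or pre-committed buyers
    if rate < mu - sigmas * sd:
        return "low"        # huge click volume, almost no sales: click fraud
    return None

def instant_share(delays, window_seconds=60):
    """Fraction of conversions that happened within `window_seconds` of the click."""
    return sum(1 for d in delays if d <= window_seconds) / len(delays) if delays else 0.0

def review_queue(baseline, candidates, instant_threshold=0.8):
    """Return {affiliate: [reasons]} for every candidate that trips at least one signal."""
    mu, sd = program_baseline(baseline)
    flagged = {}
    for name, s in candidates.items():
        reasons = []
        outlier = rate_outlier(s["clicks"], s["conversions"], mu, sd)
        if outlier:
            reasons.append(f"conversion rate {outlier} vs baseline {mu:.1%} +/- 2 sd")
        share = instant_share(s["delays"])
        if share >= instant_threshold:
            reasons.append(f"{share:.0%} of conversions within 60 s of the click")
        if reasons:
            flagged[name] = reasons
    return flagged
```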
IP Monitoring and Geolocation
IP-based fraud detection is one of the most effective tools in your arsenal. It catches the majority of self-referral attempts and provides valuable signals for detecting coordinated fraud.
Same-IP detection
The simplest IP check compares the affiliate's IP address with the IP addresses of their referred customers. If an affiliate and their referral share the same IP address, it is almost certainly a self-referral. This single check catches the majority of unsophisticated self-referral attempts.
IP proximity clustering
More sophisticated fraudsters use different devices on the same network, VPNs, or proxy services. Check for IP addresses in the same /24 subnet (the last octet differs but the first three match). Check for multiple referrals from the same IP range within a short time window. Flag clusters of conversions from known VPN or data center IP ranges.
Geolocation mismatches
Compare the stated location of the affiliate with the geolocation of their referrals. An affiliate claiming to be a US-based blogger whose referrals all come from IP addresses in a different country warrants investigation. This does not automatically indicate fraud (the affiliate might have an international audience), but combined with other signals it strengthens the case.
Device fingerprinting
Beyond IP addresses, device fingerprinting uses browser characteristics (user agent, screen resolution, installed fonts, timezone, language settings) to identify unique devices. If the affiliate's device fingerprint matches the device fingerprint of their referrals, it strongly suggests self-referral, even if the IP addresses differ (e.g., using a VPN for the referral while using direct connection for the affiliate account).
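The same-IP, /24 proximity, geolocation-mismatch and device-fingerprint checks from this section combined into one scoring routine, as an added Python example (not Refgrow's implementation). The fingerprint is assumed to be a precomputed hash of the browser characteristics, the referral's country is assumed to come from an IP geolocation lookup, and all addresses are RFC 5737 documentation ranges used as constructed data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Party:
    ip: str
    fingerprint: str   # hash of UA, screen size, fonts, timezone, language (assumed precomputed)
    country: str       # affiliate: declared location; referral: geolocated from the IP

# Constructed hosting/VPN ranges for the example: RFC 5737 documentation space, not a real provider.
DATACENTER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

def same_ip(a, b):
    return ipaddress.ip_address(a.ip) == ipaddress.ip_address(b.ip)

def same_subnet(a, b):
    """True when both addresses fall in the same /24 (IPv4) or /64 (IPv6) block."""
    x, y = ipaddress.ip_address(a.ip), ipaddress.ip_address(b.ip)
    if x.version != y.version:
        return False
    prefix = 24 if x.version == 4 else 64
    return y in ipaddress.ip_network(f"{x}/{prefix}", strict=False)

def self_referral_signals(affiliate, referral, datacenter_ranges=DATACENTER_RANGES):
    """Collect every self-referral indicator between an affiliate and one of their referrals."""
    signals = []
    if same_ip(affiliate, referral):
        signals.append("same_ip")
    elif same_subnet(affiliate, referral):
        signals.append("same_subnet")
    if affiliate.fingerprint == referral.fingerprint:
        signals.append("same_device_fingerprint")
    if affiliate.country != referral.country:
        signals.append("geo_mismatch")
    ref_ip = ipaddress.ip_address(referral.ip)
    if any(ref_ip in net for net in datacenter_ranges):
        signals.append("datacenter_ip")
    return signals

def verdict(signals):
    """Hard matches void the commission; weaker signals only accumulate into a manual review."""
    if "same_ip" in signals or "same_device_fingerprint" in signals:
        return "reject"
    return "review" if len(signals) >= 2 else "ok"

# Constructed example: one affiliate and four referrals (RFC 5737 addresses).
AFFILIATE = Party("203.0.113.10", "fp-a1", "US")
REFERRALS = {
    "same_machine":       Party("203.0.113.10", "fp-b2", "US"),
    "same_device_new_ip": Party("203.0.113.77", "fp-a1", "US"),
    "real_customer":      Party("198.51.100.5", "fp-c3", "DE"),
    "hosted_proxy":       Party("192.0.2.9", "fp-d4", "DE"),
}

def verdicts():
    return {name: verdict(self_referral_signals(AFFILIATE, r)) for name, r in REFERRALS.items()}
```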
Velocity Checks
Velocity checks monitor the rate at which events occur and flag patterns that exceed expected limits. They are particularly effective at catching automated fraud and burst-pattern attacks.
Click velocity
Set thresholds for maximum clicks per hour and per day from a single affiliate link. A legitimate blog post might generate 50-200 clicks per day during peak traffic. An affiliate generating 10,000 clicks per hour is almost certainly using automated tools or bots. Set automated alerts at 3-5x the typical daily click volume for your program.
Conversion velocity
Similarly, monitor the rate of conversions per affiliate. If an affiliate who normally generates 2-3 conversions per month suddenly generates 20 in a single day, flag it for review. Legitimate spikes do happen (a viral post, a popular YouTube video), but they should be verified before commissions are paid.
Signup-to-payment velocity
Track how quickly referred users move from signup to payment. In most SaaS products, the typical time is hours to days, with some taking weeks. If all of an affiliate's referrals convert from signup to payment within minutes, it is a strong signal of automated self-referral. The fraudster is automating the entire signup and purchase flow.
Multi-account creation velocity
Monitor the rate of new affiliate account creation from similar IP ranges, email patterns, or device fingerprints. Fraud rings often create multiple affiliate accounts simultaneously to distribute their activity and avoid per-affiliate detection thresholds. If five new affiliates sign up from the same IP range within an hour, they are likely the same person.
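A sliding-window velocity monitor covering click velocity and multi-account creation from one /24, as an added Python example (not Refgrow's code). The thresholds (1000 clicks per hour per link, 4 affiliate signups per hour per subnet) and all events are constructed for the example.

```python
import ipaddress
from collections import deque

class VelocityMonitor:
    """Sliding-window counter: record() returns True when more than `limit`
    events for a key have occurred within the last `window_seconds`."""
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = {}

    def record(self, key, ts):
        q = self._events.setdefault(key, deque())
        q.append(ts)
        while q and ts - q[0] >= self.window:   # drop events that fell out of the window
            q.popleft()
        return len(q) > self.limit

def first_alert(monitor, key, count, start_ts, spacing_s):
    """Feed `count` evenly spaced events; return the timestamp of the first alert, or None."""
    for i in range(count):
        ts = start_ts + i * spacing_s
        if monitor.record(key, ts):
            return ts
    return None

def subnet_key(ip):
    """Group signups by /24 so a ring rotating the last octet still counts as one source."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def signup_alerts(signups, limit=4, window_seconds=3600):
    """signups: [(ts, ip)]; return the timestamps at which the per-subnet limit was exceeded."""
    monitor = VelocityMonitor(limit, window_seconds)
    return [ts for ts, ip in signups if monitor.record(subnet_key(ip), ts)]

def demo():
    """Constructed events (assumed thresholds: 1000 clicks/hour per link, 4 signups/hour per /24)."""
    clicks = VelocityMonitor(limit=1000, window_seconds=3600)
    blog_spike = first_alert(clicks, "link-blog", 150, 0, 24)   # 150 clicks over an hour: None
    bot_burst = first_alert(clicks, "link-bot", 1500, 0, 1)     # 1500 clicks in 25 min: alert at t=1000
    ring = signup_alerts([(0, "203.0.113.5"), (600, "203.0.113.9"), (1200, "203.0.113.17"),
                          (1800, "203.0.113.88"), (2400, "203.0.113.120"), (3000, "198.51.100.7")])
    return blog_spike, bot_burst, ring   # (None, 1000, [2400])
```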
Hold Periods and Approval Workflows
Hold periods are the single most effective structural defense against affiliate fraud. By delaying commission payouts, you create a window in which fraudulent activity can be detected and reversed before any money leaves your account.
How hold periods work
A hold period (also called a lock period or maturation period) is the delay between when a commission is earned and when it becomes eligible for payout. During this period, the commission is visible to the affiliate but marked as "pending." If the referred customer refunds, churns, or is flagged as fraudulent during the hold period, the commission is reversed.
Recommended hold period length
For SaaS products, a 30-60 day hold period is standard and effective. This covers your refund window (typically 30 days) and gives you time to analyze conversion quality. Shorter hold periods (14 days) work for products with short refund windows and low fraud risk. Longer hold periods (90 days) are used by programs with higher fraud exposure or enterprise-level contracts.
| Hold Period | Best For | Trade-off |
|---|---|---|
| 14 days | Low-risk programs, trusted affiliates | Fast payouts attract affiliates, higher fraud risk |
| 30 days | Standard SaaS programs | Balanced protection and affiliate satisfaction |
| 60 days | Higher-value products, open programs | Strong protection, some affiliate pushback |
| 90 days | Enterprise, high fraud risk | Maximum protection, may deter casual affiliates |
Manual approval for high-value conversions
For conversions above a certain dollar amount (e.g., annual plans or enterprise deals), require manual approval before commissions lock. This adds a human review step for the transactions where fraud would be most costly. Your team reviews the customer account, verifies the purchase is legitimate, and approves or rejects the commission.
Graduated trust levels
New affiliates start with longer hold periods and manual review. As they build a track record of legitimate referrals, reduce their hold period and move to automatic approval. This creates a merit-based system where trusted affiliates enjoy faster payouts while new and unproven affiliates face higher scrutiny.
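The hold-period lifecycle, manual approval for high-value conversions and graduated trust tiers from this section as one small state machine, written here as an added Python example (not Refgrow's implementation). The tier lengths, the $500 manual-review threshold and the three commissions are assumptions for the walk-through.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed graduated-trust tiers, not Refgrow's settings: (hold days, review every commission?)
TRUST_TIERS = {"new": (60, True), "established": (30, False), "trusted": (14, False)}
MANUAL_REVIEW_ABOVE = 500.0   # assumed threshold for annual plans / enterprise deals

@dataclass
class Commission:
    affiliate: str
    amount: float
    earned_on: date
    tier: str
    status: str = "pending"         # pending -> paid, or pending -> reversed
    needs_approval: bool = False
    @property
    def lock_date(self) -> date:
        return self.earned_on + timedelta(days=TRUST_TIERS[self.tier][0])

def create_commission(affiliate, amount, earned_on_iso, tier):
    c = Commission(affiliate, amount, date.fromisoformat(earned_on_iso), tier)
    c.needs_approval = TRUST_TIERS[tier][1] or amount >= MANUAL_REVIEW_ABOVE
    return c

def reverse(c, reason):
    """Refund, churn or fraud flag inside the hold window: the pending commission is voided."""
    if c.status == "paid":
        raise ValueError(f"{c.affiliate}: already paid, needs a clawback adjustment ({reason})")
    c.status = "reversed"

def approve(c):
    c.needs_approval = False

def settle(commissions, today_iso):
    """Pay every approved commission whose hold has elapsed; return the amount paid this run."""
    today = date.fromisoformat(today_iso)
    paid = 0.0
    for c in commissions:
        if c.status == "pending" and not c.needs_approval and today >= c.lock_date:
            c.status = "paid"
            paid += c.amount
    return paid

def scenario():
    """Constructed walk-through: three commissions earned on 2024-01-01."""
    c1 = create_commission("aff_established", 12.25, "2024-01-01", "established")
    c2 = create_commission("aff_new", 12.25, "2024-01-01", "new")
    c3 = create_commission("aff_trusted", 1200.0, "2024-01-01", "trusted")  # annual plan
    book = [c1, c2, c3]
    reverse(c1, "customer refunded on day 19")
    first = settle(book, "2024-02-01")    # 0.0: c1 reversed, c2 still held, c3 awaiting review
    approve(c3)
    second = settle(book, "2024-02-01")   # 1200.0: hold ended 2024-01-15 and now approved
    approve(c2)
    third = settle(book, "2024-03-01")    # 12.25: the new affiliate's 60-day hold ends today
    return first, second, third, [c.status for c in book]
```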
Hold periods built in
Refgrow includes configurable hold periods, automated refund handling, and manual approval workflows out of the box. Set your hold period and let the system handle the rest.
Technical Countermeasures
Beyond monitoring and policies, several technical measures can prevent fraud at the system level.
Server-side click validation
Instead of relying solely on client-side JavaScript for click tracking, validate clicks server-side. Check the referrer header, validate that the request comes from a real browser (not a bot), and verify that the affiliate link is being loaded in a visible context (not a hidden iframe or 1x1 pixel).
Duplicate conversion prevention
Implement database-level unique constraints that prevent the same customer email from being attributed to multiple affiliates or the same transaction from generating duplicate commissions. This is a common source of accidental overpayment in custom-built systems that lack proper idempotency handling.
Disposable email blocking
Maintain a list of known disposable email providers and block or flag signups from those domains. This prevents fake lead generation and eliminates the most common tool used in self-referral schemes. Several open-source lists are available with 5,000+ disposable email domains.
CAPTCHA and bot protection
Add CAPTCHA (like Cloudflare Turnstile or Google reCAPTCHA) to your signup flow. This prevents automated account creation, which is a prerequisite for large-scale self-referral schemes. Invisible CAPTCHA solutions provide protection without degrading the legitimate user experience.
Referral link expiration
Set expiration windows on referral tracking cookies. A 90-day cookie window is standard, but for high-fraud-risk programs, shorter windows reduce the opportunity for cookie stuffing. Any attribution cookie older than your window should be ignored.
Cross-referencing payment data
When a payment arrives via webhook, cross-reference the payment method (last four digits of card, billing address, payment email) against known affiliate payment details. Matching payment information between the affiliate account and the referred customer is a strong indicator of self-referral. This check should flag for review, not automatically block, since shared addresses or family members are legitimate scenarios.
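Duplicate conversion prevention at the database level, as described under "Duplicate conversion prevention" above: an added Python/SQLite example (not Refgrow's schema) in which a primary key on the transaction id makes webhook retries idempotent and a primary key on the normalised customer email keeps the first attribution. The schema, table names and webhook events are constructed for the example.

```python
import sqlite3

SCHEMA = """
CREATE TABLE attributions (
    customer_email TEXT PRIMARY KEY,   -- one referring affiliate per customer, ever
    affiliate_id   TEXT NOT NULL
);
CREATE TABLE commissions (
    transaction_id TEXT PRIMARY KEY,   -- one commission per charge: webhook retries become no-ops
    customer_email TEXT NOT NULL,
    affiliate_id   TEXT NOT NULL,
    amount_cents   INTEGER NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_conversion(db, transaction_id, customer_email, claimed_affiliate, amount_cents):
    """Idempotent webhook handler. Returns (status, affiliate credited)."""
    email = customer_email.strip().lower()   # normalise so Alice@Example.com is the same customer
    with db:  # one transaction: either the rows exist afterwards or nothing changed
        # first touch wins; a later click on another affiliate's link cannot move the customer
        db.execute("INSERT OR IGNORE INTO attributions (customer_email, affiliate_id) VALUES (?, ?)",
                   (email, claimed_affiliate))
        owner = db.execute("SELECT affiliate_id FROM attributions WHERE customer_email = ?",
                           (email,)).fetchone()[0]
        try:
            db.execute("INSERT INTO commissions VALUES (?, ?, ?, ?)",
                       (transaction_id, email, owner, amount_cents))
        except sqlite3.IntegrityError:   # PRIMARY KEY on transaction_id: this charge was already credited
            return "duplicate_transaction", owner
    return ("recorded" if owner == claimed_affiliate else "kept_first_attribution"), owner

def commission_totals(db):
    rows = db.execute("SELECT affiliate_id, SUM(amount_cents) FROM commissions GROUP BY affiliate_id")
    return dict(rows.fetchall())

def replay_webhooks():
    """Constructed delivery sequence: a retried charge and a renewal through another affiliate's link."""
    db = open_db()
    events = [
        ("txn_001", "alice@example.com", "aff_1", 4900),
        ("txn_001", "alice@example.com", "aff_1", 4900),    # provider retried the webhook
        ("txn_002", " Alice@Example.com", "aff_2", 4900),   # renewal, cookie now points at aff_2
        ("txn_003", "bob@example.com", "aff_2", 4900),
    ]
    outcomes = [record_conversion(db, *e) for e in events]
    return outcomes, commission_totals(db)
```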
Building vs. Buying Fraud Protection
Every SaaS company faces a build-vs-buy decision for fraud protection. Custom-built solutions offer maximum control but require significant ongoing investment. Purpose-built affiliate platforms include fraud detection as a core feature.
The cost of building in-house
A comprehensive fraud detection system requires: IP logging and analysis infrastructure, device fingerprinting, velocity monitoring with configurable thresholds, hold period management, manual review workflows, disposable email detection, automated alerting, and ongoing maintenance as fraud techniques evolve. Realistically, this is 2-4 months of engineering time to build and requires continuous updates.
Most SaaS companies significantly underestimate this investment. The initial implementation might take a few weeks, but fraud techniques constantly evolve, and your detection system needs to evolve with them. Without dedicated attention, fraudsters will find and exploit gaps.
What purpose-built platforms provide
Affiliate tracking platforms that include fraud detection have a significant advantage: they learn from fraud patterns across all their customers. When a new fraud technique appears in one program, the detection is updated for all programs. This collective intelligence is impossible to replicate in a single-company solution.
Refgrow includes comprehensive fraud protection as a core feature across all plans. The system implements IP monitoring for self-referral detection, velocity checks on clicks and conversions, configurable hold periods with automated refund handling, duplicate conversion prevention at the database level, and manual approval workflows for flagged transactions. These protections are active by default, requiring no additional configuration.
A pragmatic middle ground
If you are building your own affiliate system for technical reasons, prioritize these fraud protections in order of impact:
- Hold periods (blocks the majority of fraud by delaying payouts)
- Same-IP detection (catches unsophisticated self-referrals)
- Duplicate prevention (prevents accidental overpayment)
- Disposable email blocking (prevents fake lead generation)
- Velocity monitoring (catches automated and burst-pattern fraud)
- Device fingerprinting (catches sophisticated self-referrals)
Implement them in this order: each step provides incrementally less protection but more implementation complexity. Most small-to-medium programs can operate effectively with just the first three.
Fraud protection included, not extra
Refgrow includes IP monitoring, velocity checks, hold periods, duplicate prevention, and manual approval workflows on every plan. Protect your affiliate program without building anything custom.