The Honey Trap: Hidden Dangers of Cookie Stuffing
The online shopping revolution of recent years has resulted in rocketing growth in affiliate marketing; great news for marketers, and great news for fraudsters, who will jump on any opportunity to exploit a growth market for their own gain.
One of the most insidious methods of affiliate fraud is known as cookie stuffing: put simply, this is a fraudulent method of manipulating affiliate tracking systems to falsely attribute conversions.
Not only can cookie stuffing lead to financial losses, it undermines the trust and efficiency of affiliate marketing, and contributes to a general erosion of confidence in digital advertising and marketing ecosystems.
A recent, high-profile case involving PayPal-owned Honey.com has led to increased awareness among marketing departments and consumers of affiliate fraud, and of cookie stuffing in particular.
As the market-leading ad fraud prevention platform, TrafficGuard has long warned of the dangers to advertisers - you can watch our explainer video here for a deep-dive on how it works - so this felt like a timely opportunity to outline the problem in more detail and, more importantly, look at how you can prevent it from negatively impacting your digital campaigns.
What is Cookie Stuffing?
As we’ve established, cookie stuffing occurs when fraudsters manipulate affiliate tracking systems by secretly placing cookies on a user’s device without their knowledge. These cookies then create a false trail of attribution, making it appear as if a particular affiliate or extension drove the user to a purchase or conversion. The end result? Advertisers end up paying commissions to parties that contributed absolutely nothing to the sales process.
At its most sinister, cookie stuffing exploits the trust that businesses place in their affiliate networks; they believe they are compensating affiliates who genuinely help drive traffic and conversions. By inserting cookies behind the scenes, fraudsters can claim credit for conversions they did not facilitate. This creates a ripple effect: analytics are distorted, budgets are misallocated and, ultimately, the ecosystem’s integrity is compromised and undermined.
By understanding the mechanics of cookie stuffing, advertisers are well-placed to take proactive measures to address the issue and ensure they don’t become victims.
Honey and Cookie Stuffing: A Case Study
The recent case of cookie stuffing by Honey is a perfect example of these negative consequences: but first, some background.
Honey is a PayPal-owned browser extension marketed as a ‘coupon aggregator’ - basically, a simple way for users to find money-saving coupons while they shop. It claims to ‘find every working promo code on the internet’, though as the YouTube video that began this exposé explains, this may not be the full picture…
So how did they do it?
Honey uses two different methods to trigger ‘behind the scenes’ referral clicks, which enable it to place a cookie and claim attribution.
Method 1: The Discount Code Trick
The discount code method exploits users’ trust, and their willingness to find discounts for their online shopping. It begins innocuously enough: a user visits a website organically, intending to shop. Honey’s browser plugin then displays a notification suggesting there are discount codes available, prompting the user to click and copy the code to memory.
At this point, Honey triggers a hidden referral click in the background via an iframe. This click plants a cookie on the user’s browser without their awareness. If the user completes a purchase, the affiliate network attributes the sale to Honey, even though the user’s journey was independent of it.
The technical sleight-of-hand lies in the iframe, a hidden element that performs actions without user visibility. This mechanism ensures Honey is recognised as the referring source, redirecting legitimate attribution from the actual driver of the traffic. For instance, a shopper navigating an eCommerce site, and planning to make a purchase, might interact with Honey.
The extension initiates an iframe click, falsely claiming that Honey directed the user to the site, allowing it to earn a commission from the sale. The user, unaware of this background process, unknowingly legitimises the fraudulent attribution.
Method 2: The Promo Code Application
This method involves even more underhand and aggressive tactics. A user lands on a retailer’s website through organic or paid search and begins engaging with the site. So far, so innocent. Honey then prompts the user to “activate” a promo code, presented as a helpful feature to encourage interaction, and this is where the fraud begins.
Upon activation, Honey opens a hidden browser window and generates a referral click. This action, invisible to the user, functions solely to place a tracking cookie. After the cookie is placed, the window automatically closes without the user’s knowledge, leaving no trace of the fraudulent activity.
Consider a scenario where a user reaches a checkout page after navigating the site organically. Honey’s browser extension prompts the user to activate a discount code. When the user complies, a referral click attributes the purchase to Honey, depriving the original traffic source such as Google Ads or SEO of credit. This tactic not only steals attribution but also inflates Honey’s perceived contribution to the conversion.
By understanding these methods, it quickly becomes evident how cookie stuffing undermines the affiliate marketing ecosystem, shifting legitimate earnings from ethical participants to fraudulent actors.
The Broader Impact of Cookie Stuffing
Cookie stuffing is more than just a deceptive tactic; it has far-reaching consequences for businesses, affiliates, and consumers alike; aside from the immediate financial losses, it creates systemic issues across the marketing ecosystem.
Advertisers allocate substantial budgets to affiliate marketing, expecting genuine conversions. By redirecting these funds to fraudulent entities, cookie stuffing inflates costs and diminishes returns. Over time, this undermines confidence in affiliate marketing as an effective channel.
Furthermore, the practice pollutes analytics by misattributing conversions, making it difficult for businesses to understand user behaviour and optimise campaigns. Inflated metrics from fraudulent affiliates often lead to misguided investments in ineffective channels, compounding the financial losses.
Affiliate networks are built on trust and mutual benefit, so cookie stuffing naturally creates tension between advertisers and affiliates. Legitimate affiliates suffer collateral damage - losing revenue while advertisers question the reliability of their partnerships.
Over time, this degrades the quality and sustainability of affiliate programs. Additionally, consumers, though often unaware of cookie stuffing, may face indirect harm. Businesses attempting to offset fraudulent commissions might increase prices, inadvertently penalising their customers. Intrusive practices by browser extensions also erode trust in digital interactions, damaging brand loyalty.
From a legal and ethical perspective, cookie stuffing violates industry standards and can lead to significant repercussions. Businesses engaging in or failing to prevent such practices risk regulatory penalties and reputational harm.
Increased scrutiny from regulators and industry watchdogs adds further pressure, pushing businesses to adopt transparent and compliant practices. The Honey example neatly illustrates the kind of reputational harm that can befall a business that engages in these deceptive practices.
Addressing these broader implications is essential to restoring trust and integrity in digital marketing.
The Tip of a Large Iceberg
Perhaps the most concerning aspect of the Honey furore is that, while this high-profile example has brought the issue to many marketers’ attention, it’s clear that most don’t realise the sheer scale of the problem. Cookie stuffing is huge and widespread, and due to a combination of the lack of awareness and understanding - plus the fact that affiliate marketing is a growing sector in marketing - this fraud is happening on a large scale, and going mostly undetected.
Spending on affiliate marketing is expected to continue to grow at pace, and we can expect fraud to increase exponentially alongside it.
Source: Yahoo Finance
Another case in point: in January 2025, a proposed class action lawsuit in the US was filed by content creators against Capital One Financial Corporation and two of its subsidiaries. The claim alleges that sales commissions due to the content creators have been ‘systematically stolen’ by Capital One Shopping, a browser extension that operates in the same way as Honey.com in searching for coupons that can be applied to a shopper’s cart.
Capital One Shopping is accused of ‘silently and invisibly’ removing the affiliate marketers' cookies at the point of checkout and replacing them with its own tag to take credit for the sale.
This highlights another key benefit to fraudsters of cookie-stuffing: because affiliate marketers are usually paid at the point of conversion, it makes it far easier for fraudsters to operate under the radar.
A TrafficGuard analysis of the UK website of a major global food retailer, with more than 7m customers worldwide, revealed some stark findings:
Over the month-long period of our audit, which saw just under 8000 conversions in total, more than 30% were found to be impacted by some form of invalid traffic or malicious intent:
- Approximately 5% of conversions were found to be invalid and needed to be reversed
- Approximately 15% of conversions were flagged as anomalous or non-transparent and required further investigation
- More than 15% of conversions were found to have multiple paid interactions or partners throughout their journey
Of the invalid conversions, 25% were found to be impacted by cookie stuffing, diverting the retailer’s ad budget away from high-quality referring partners.
We also discovered that users were being incentivised to interact with the retailer’s advertising to generate conversions in exchange for financial rewards. These conversions - in this case purchases - were later cancelled or reversed, leaving the retailer to foot the cost.
Anomalous or non-transparent conversions are those that, while not definitively fraudulent, require further analysis. A good example of this is ‘anonymous engagement’ - when key referring details are masked or purposely distorted by the affiliate partner.
Multiple paid interactions mean that the advertiser could be paying for the PPC placement several times over for the same user before they finally convert, draining the ad budget and diverting spending away from genuine engagements.
How TrafficGuard Detects and Prevents Cookie Stuffing in Your Campaigns
As you might have inferred by now, cookie stuffing and affiliate fraud are sophisticated, complicated, and require advanced tools capable of identifying and neutralising fraudulent activities in order to mitigate them.
TrafficGuard provides equally sophisticated solutions designed to protect you from this form of digital fraud. Our technology combines real-time monitoring, detailed analytics, and proactive measures to safeguard attribution integrity - going beyond cookie stuffing, to protect against invalid traffic in all forms.
TrafficGuard continuously monitors click patterns across your campaigns, analysing every point of interaction across affiliate traffic - including click timestamps, IP addresses, and user behaviour - to identify anomalies suggesting fraudulent activity. For instance, if a referral click is generated moments before a purchase without preceding engagement, TrafficGuard flags it as suspicious. This level of granularity ensures fraudulent activities do not go unnoticed.
Beyond detection, TrafficGuard validates click paths to ensure every attributed conversion aligns with a legitimate customer journey. By examining the origin and sequence of clicks, it distinguishes genuine referrals from fraudulent ones, preventing attribution to unethical actors. When fraudulent patterns are detected, TrafficGuard blocks unauthorised clicks in real-time, safeguarding your campaigns from financial losses and preserving attribution accuracy.
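The late-click check and click-path validation described above can be sketched over a session event log. This is an added example, not TrafficGuard's code: the event schema, the source names and the 120-second window are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    session: str
    ts: datetime
    kind: str    # "landing", "pageview", "affiliate_click" or "purchase"
    source: str  # traffic source or affiliate ID (all names here are made up)

def flag_late_affiliate_clicks(events, window=timedelta(seconds=120)):
    """Return {session: reason} where the credited affiliate click looks stuffed."""
    sessions = {}
    for e in sorted(events, key=lambda e: e.ts):
        sessions.setdefault(e.session, []).append(e)
    flagged = {}
    for sid, evs in sessions.items():
        purchase = next((e for e in evs if e.kind == "purchase"), None)
        if purchase is None:
            continue
        clicks = [e for e in evs if e.kind == "affiliate_click" and e.ts <= purchase.ts]
        if not clicks:
            continue
        credited = clicks[-1]  # last-click attribution: the latest click wins
        entry = evs[0]
        entered_elsewhere = entry.kind == "landing" and entry.source != credited.source
        browsing_first = any(e.kind == "pageview" and e.ts < credited.ts for e in evs)
        gap = purchase.ts - credited.ts
        if entered_elsewhere and browsing_first and gap <= window:
            flagged[sid] = (f"{credited.source} click {int(gap.total_seconds())}s before "
                            f"purchase; session entered via {entry.source}")
    return flagged

# Constructed sample events (offsets in seconds from an arbitrary start time).
T0 = datetime(2025, 1, 15, 12, 0, 0)
def _ev(session, offset, kind, source):
    return Event(session, T0 + timedelta(seconds=offset), kind, source)

SAMPLE_EVENTS = [
    _ev("s1", 0, "landing", "google_ads"), _ev("s1", 40, "pageview", "site"),
    _ev("s1", 600, "affiliate_click", "aff-coupon-ext"), _ev("s1", 630, "purchase", "site"),
    _ev("s2", 0, "affiliate_click", "aff-blog"), _ev("s2", 5, "pageview", "site"),
    _ev("s2", 700, "purchase", "site"),
    _ev("s3", 0, "landing", "organic"), _ev("s3", 30, "pageview", "site"),
    _ev("s3", 300, "purchase", "site"),
]

if __name__ == "__main__":
    for sid, reason in flag_late_affiliate_clicks(SAMPLE_EVENTS).items():
        print(sid, "->", reason)
```

Only the session that entered through a paid search ad and picked up an affiliate click 30 seconds before checkout is flagged; the session that genuinely arrived through an affiliate link is left alone.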
TrafficGuard also offers transparent reporting, providing detailed insights into click paths, referral sources, and fraud detection statistics. These reports empower you to make informed decisions and strengthen your affiliate strategies. Additionally, the platform seamlessly integrates with existing affiliate networks and tracking systems, minimising operational disruptions while enhancing fraud protection.
Insights into incrementality and contribution analysis give you a full funnel and affiliate partner view, while cost-benefit analysis and CAC reporting ensure that you are optimising effectively.
TrafficGuard ensures that attribution remains with genuine traffic sources, such as Google Ads or organic search, preventing unnecessary expenditures and protecting your marketing budgets.
Why Addressing Cookie Stuffing Matters
Accurate analytics are the cornerstone of effective marketing strategies. By preventing cookie stuffing, you can ensure data reliability, enabling you to optimise campaigns, improve customer experiences, and drive sustainable growth. Supporting ethical affiliates by combating fraud levels the playing field, encouraging innovation and fair competition. Ethical affiliates are essential for sustaining a robust and dynamic marketing ecosystem.
Moreover, transparent and ethical marketing practices enhance brand reputation, fostering trust among customers and partners. Adhering to legal and ethical standards not only protects you from penalties and reputational damage but also signals a commitment to responsible marketing practices.
Addressing cookie stuffing is both a technical necessity and a strategic imperative for maintaining transparency and trust in digital advertising.
For more information about how TrafficGuard can safeguard your digital campaigns: request a demo or start a free trial today: https://www.trafficguard.ai/company/contact-us