A common method to steal a conversion is to inject an “affiliate click” right after the initial click. The injected click will declare that the user came from the fraudulent publisher looking to steal the conversion.

In terms of specific data points, we look for a click that happened right after an initial one where the affiliate publisher is different.

Often because the 2nd clicks comes in between the initial click and the conversion, the time to conversion will show trends that it is shorter than usual.

Examples of how this is possible is e.g. through the use of malware that detects a click on a known affiliate campaign link. It will quickly send a 2nd click in the background to steal the potential conversion.

The user is often a valid one and therefore there will be little the advertiser can do to identify fraud from post-conversion metrics.

Where click injection often focused on a user that already clicked on an affiliate link, click flooding focuses on injecting clicks on as many users as possible.

The reasoning behind this approach is that some users will eventually convert (organically). Upon conversion, due to the user having a cookie from the initial (fraudulent) click it will be attributed to the fraudulent affiliate rather than convert organically.

The ration of click to conversion (CVR) on a per affiliate basis is much lower than usual. Also the tendency is to have no relation between the click and the conversion (i.e. the time to conversion is kind of uniformely distributed across time).

Another method is that often users are shuffled across affiliate campaigns through malicious redirectors.

Examples of how this is possible is e.g. through the use of malware that detects a click on a known affiliate campaign link. It will quickly send a 2nd click in the background to steal the potential conversion.

The user is often a valid one and therefore there will be little the advertiser can do to identify fraud from post-conversion metrics.

This method isn’t based on gaming the attribution system but instead relies on sourcing fake conversions from a pool of incentivized users. This can be automated or not (often not).

The pool of devices per affiliate is much more limited than normally (e.g. only a few devices are used). Often the OS / Browser version is older than usual too.

Finally the relationship between the click and the conversion is quite predictable (e.g. consistently 2-3 minutes elapsed in between the click and the conversion).

This is often done through an organized group of individual that own/rent a fixed pool of devices. They will operate the device manually or automatically, often rotating IPs to avoid easy fraud detection filters.

Maintaining this pool of device is costly and therefore the device are often cheap and not maintained up to date (os/browser version).

The user is often labeled as invalid as there is very little (if any) engagement associated with the user.