Three Affiliate Fraud Metrics Every Program Should Watch

Most affiliate programs find out they were defrauded the same way: a finance review flags a payout spike, someone pulls the numbers, and a quarter of last month's commissions turn out to have gone to traffic that never had any intent to buy. By then the money is gone and the fraudster has rotated to a fresh account. The problem is not that the signals were missing. The problem is that nobody was watching the right three numbers.

Conversion rate and revenue per click tell you whether a program is growing. They tell you almost nothing about whether it is being gamed. The metrics that expose abuse sit one layer down, in the gap between raw clicks and approved payouts. Here are the three to put on a dashboard and review weekly.

Shadow-ban rate

A shadow-ban silently stops counting an affiliate's traffic without telling them. The affiliate keeps sending clicks, the system keeps serving redirects, but conversions stop accruing. Done right, it denies the fraudster the feedback loop they need to adapt. Track the share of active affiliates currently under a silent ban and watch how it trends. A healthy program sits in the low single digits. A sudden climb usually means a coordinated wave of fake accounts just signed up, or your risk-scoring thresholds drifted and started catching legitimate partners. The number you never want to see is zero on a program of any real size, because zero means nothing is being caught at all.

Fingerprint concentration

Every click that hits the edge carries a device and network fingerprint: IP, user agent, accept headers, TLS characteristics, and a cookieless click identifier. Fraud rings reuse infrastructure. A botnet running through a handful of proxy pools produces far less fingerprint diversity than a real audience does, no matter how many affiliate accounts it hides behind. Compute concentration per affiliate and across the whole program. The signals that should trigger investigation:

• A single fingerprint or narrow IP range accounting for an outsized fraction of one affiliate's clicks
• High overlap of fingerprints across accounts that are supposedly unrelated, which often means one operator running many
• A spike in conversions tied to fingerprints that produced zero clicks the prior week, suggesting injected or stuffed traffic
• Conversion fingerprints that never appear in the click stream at all, a classic sign of cookie stuffing or attribution theft

Concentration also climbs along the referral tree. When multi-level commissions are in play, a parent account can farm sign-ups whose traffic all traces back to the same origin. Aggregating fingerprint concentration up the tree, not just per leaf account, catches the operator instead of the disposable accounts beneath them.

Conversion rejection rate

Every conversion arrives as a signed webhook and is validated before it counts: signature integrity, idempotency, timing against the originating click, and a risk score on the underlying signup. The rejection rate is the share of submitted conversions your pipeline declines, and it is the single clearest measure of how much pressure your program is under. Segment rejections by reason and by affiliate. Broad, evenly distributed rejections are normal background noise, but a single affiliate whose rejections cluster on one reason, such as replayed webhook signatures or conversions firing milliseconds after the click, is showing you their method.

A rejection rate near zero is not a clean program. It usually means the validation is too loose to reject anything, and the fraud is being approved and paid.

Wire them together

These three metrics are strongest read as a set. Rising fingerprint concentration on an account, followed by a jump in its rejection rate, followed by a shadow-ban is the full lifecycle of a fraud attempt caught and contained. Seeing only one of the three move is a prompt to look at the other two. Put all three on one view, alert on week-over-week deltas rather than absolute values, and review them on a fixed cadence so the slow attacks surface alongside the obvious ones. The instrumentation to compute and export them lives in the API.