Affiliate models, fraud, and why CPL needs a tougher spine
By Simon Delaney • 20 August 2025
TL;DR
- CPL (cost per lead) is where fraud concentrates because it's the first point at which you touch people's data, and most programmes aren't built to verify and control that data properly.
- CPM/CPC are cheap to fake at scale; CPA/CPS can look clean yet still hide attribution theft without click binding and short windows.
- You need verification and fraud detection working together on a purpose-built affiliate flow, with S2S (server to server) signed click IDs and sensible attribution windows.
- Sub-networks are where fraud clusters; without placement transparency and sub-publisher disclosure you're buying blind.
Who this is for
You buy affiliate traffic and care about what becomes a sale, not just what becomes a form submit. You want fewer junk leads and more revenue without rebuilding your stack.
Payment models set the incentives
Payment triggers shape behaviour. CPM (cost per thousand impressions) pays when a pixel loads, which encourages printing impressions. CPC (cost per click) pays on the click, so automation leans into that event. CPL (cost per lead) pays when a form is accepted, which invites stolen or synthetic details if you don't verify. CPA/CPS (cost per acquisition or sale) pays when a transaction clears, pushing abuse into last-click hijacks and transactions that unwind later. The earlier the payment sits in the journey, the cheaper it is to fake. The thread that ties this together is people's data and how you verify it. The closer the payable event is to a person with real intent, the less likely it is to be fraudulent.
What we actually saw, at scale
We ran affiliate traffic for Clear Energy Switching (a brand we built to generate leads for energy brands in the UK) to two destinations built and hosted in Databowl:
https://clearenergyswitching.com/
https://clearenergyswitching.com/amazon-voucher/
Supply came from more than thirty publishers and affiliates, with a deliberate bias towards direct publishers. Leads flowed straight into call centres, competing with Meta, Google and the client's own site. We kept fraud detection on at impression and click, bound every payable event to a signed S2S click ID, used reCAPTCHA and tamper traps, and ran real-time email domain and MX checks, deduplication, velocity rules and address hygiene, with weekly placement and sub-publisher reviews. The pages remain hosted in Databowl; fraud detection and verification are currently turned off because the campaigns are no longer active.
Evidence block (counts only):
- Accepted: 102,088
- Rejected: 19,104
How rejects clustered:
- Duplicates across partners or time
- Phone not contactable or invalid (network responses such as absent or unknown subscriber, dead number, call barred)
- Email not deliverable (domain or MX failures)
- Policy or gating (for example, geo constraints that didn't match the offer)
- Bot or tamper signals (reCAPTCHA failures, hidden-field triggers)
- Syntax anomalies associated with automation, plus occasional provider or system faults
Direct publishers produced the best quality and the lowest fraud, and we shifted all budgets towards them; sub-networks carried the highest risk and needed tight caps or exclusion. Protections were strong enough that we effectively ran on CPA with the client while paying CPL for traffic.
Verification is not fraud detection
They solve different problems and you need both. Verification proves contactability and ownership at the point of capture: email domain and MX checks, deduplication, velocity and address hygiene, plus phone verification where the journey can tolerate it. Fraud detection stops non-human or manipulated activity before it reaches your form: always-on IVT at impression and click, anomaly detection, tamper traps and honeypots. Without verification you pay for plausible junk; without fraud detection you drown the form and force verification to carry everything.
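A sketch of the capture-time verification described above, as an added example rather than Databowl's or the author's code: honeypot trap, email syntax and MX check, per-source velocity and cross-partner deduplication, run over constructed leads. The field names, the `website` honeypot, the thresholds and the injected `has_mx` lookup (a DNS MX query in production) are assumptions; phone contactability needs a network lookup and is left out.

```python
import re
from collections import defaultdict, deque

EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z]{2,}$")
VELOCITY_MAX, VELOCITY_WINDOW = 3, 60  # assumption: 3 leads per source per 60 s

class LeadVerifier:
    def __init__(self, has_mx):
        self.has_mx = has_mx              # domain -> bool; a DNS MX query in production
        self.seen = set()                 # normalised emails and phones, all partners
        self.recent = defaultdict(deque)  # source -> recent submission timestamps

    def check(self, lead):
        """Return None when the lead is accepted, otherwise the reject reason."""
        if lead.get("website"):           # hypothetical honeypot field, hidden from people
            return "tamper"
        email = lead["email"].strip().lower()
        if not EMAIL_RE.match(email):
            return "email_syntax"
        if not self.has_mx(email.rsplit("@", 1)[1]):
            return "email_undeliverable"
        window = self.recent[lead["source"]]
        while window and lead["ts"] - window[0] > VELOCITY_WINDOW:
            window.popleft()
        window.append(lead["ts"])
        if len(window) > VELOCITY_MAX:
            return "velocity"
        phone = re.sub(r"\D", "", lead["phone"])  # digits only; no country-code folding
        if email in self.seen or phone in self.seen:
            return "duplicate"
        self.seen.update((email, phone))
        return None

def lead(source, email, phone, ts, website=""):
    return {"source": source, "email": email, "phone": phone, "ts": ts, "website": website}

# Constructed sample leads (reserved example domains and UK drama-range numbers).
SAMPLE = [
    lead("pub-a/sub-1", "ann@example.com", "07700 900001", 0),
    lead("pub-b/sub-9", " Ann@Example.com", "07700 900002", 5),  # same person, other partner
    lead("pub-a/sub-1", "bob@no-mx.invalid", "07700 900003", 10),
    lead("pub-a/sub-1", "cat@example.org", "07700 900004", 12, website="http://x"),
    *[lead("pub-c/sub-3", f"u{i}@example.org", f"07700 90010{i}", 20 + i) for i in range(4)],
]

def run_sample():
    verifier = LeadVerifier({"example.com", "example.org"}.__contains__)
    return [verifier.check(item) for item in SAMPLE]
```

The reject reasons map onto the clusters in the evidence block, so the same labels can feed the weekly placement and sub-publisher reviews.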
Why CPL needs a tougher spine
CPL feels close to a person, which makes teams hesitate to reject it. A list of leads looks valuable because it looks human, but a lead is only an opportunity until it's contactable and tied to a valid click within a sensible window. Treat identity and provenance as non-negotiable: no valid signed click ID, no payable lead. Keep attribution windows short to limit last-second hijacks, and reconcile returns and complaints before releasing payment.
Sub-networks and the transparency penalty
Fraud clusters where opacity and arbitrage enter the chain. If a partner can't provide placement disclosure and stable sub-publisher IDs, you're buying blind. In practice that shows up as missing or spoofed referrers, sub-publisher IDs that appear and disappear, mechanical timing patterns, geo drift against UK and EU targeting, and creatives you never approved. Make pass-through IDs and proof of placement a condition of payment, reserve the right to audit log-level data where money changes hands, and walk away if disclosure isn't possible.
How to run CPL without funding fraud
The programmes that work share the same spine. Know your sources and refuse undisclosed placements. Keep IVT on so impressions and clicks are filtered before they touch your form. Bind every lead to a signed S2S click ID and reject anything that can't be matched within a reasonable window. Verify people's data in real time with email domain and MX checks, deduplication, velocity and address hygiene, adding phone verification where the journey allows. Keep attribution windows short and block toolbars and coupon injections from last-second hijacks. Pay on terms that reflect reality, with hold periods long enough for cancellations and complaints to surface and clawbacks written into contract. Onboard by graduation: cap new sources, then grow on quality rather than volume, with weekly placement and sub-publisher reviews.
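One way to enforce "no valid signed click ID, no payable lead" together with a short attribution window, as an added example that is not the author's or Databowl's implementation. It uses HMAC-SHA256 over the publisher, sub-publisher, a nonce and the issue time; the key, field layout, 24-hour window and function names are assumptions.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-key"  # assumption: known only to your click and postback servers
WINDOW_SECONDS = 24 * 3600        # assumption: 24 h attribution window

def _sign(payload: str) -> bytes:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")

def issue_click_id(publisher, sub_id, nonce, now):
    """Minted server-side at click time; publisher and sub-publisher sit inside the MAC."""
    fields = [publisher, sub_id, nonce, str(int(now))]
    if any("|" in f for f in fields):
        raise ValueError("fields must not contain the delimiter")
    payload = "|".join(fields)
    return f"{payload}|{_sign(payload).decode()}"

def check_lead(click_id, claimed_publisher, used_nonces, now):
    """Return (payable, reason) for a lead postback that carries click_id."""
    parts = click_id.split("|")
    if len(parts) != 5:
        return False, "malformed"
    publisher, sub_id, nonce, issued, sig = parts
    expected = _sign("|".join(parts[:4]))
    if not hmac.compare_digest(sig.encode(), expected):  # constant-time comparison
        return False, "bad_signature"
    if publisher != claimed_publisher:   # a valid click from one partner cannot pay another
        return False, "publisher_mismatch"
    if not 0 <= now - int(issued) <= WINDOW_SECONDS:
        return False, "outside_window"
    if nonce in used_nonces:             # one click pays for at most one lead
        return False, "replayed"
    used_nonces.add(nonce)
    return True, "ok"
```

In production the nonce would be random (for example from `secrets.token_urlsafe`) and the used-nonce set would live in shared storage with an expiry equal to the window.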
Choose your operating point on purpose
There's a real trade-off between blocking fraud and keeping false positives low. Stricter rules stop more abuse but can turn away some legitimate leads; softer rules approve more volume but pay for more bad traffic. Pick the operating point deliberately, track appeals and outcomes, and publish thresholds so partners understand what "good" looks like.
Contracts, consent and proof
Write transparency into your contracts: placement disclosure, sub-publisher IDs, proof of placement on request, and audit rights. Keep evidence of consent with each lead. Double opt-in reduces complaints and helps you defend the programme. Fraud thrives in grey zones; clear permission and clean data flows make abuse harder to commit and easier to confront.
A checklist worth keeping
- Do we know where ads ran and which sub-publishers were involved?
- Are impressions and clicks screened for IVT in real time?
- Is every lead verified and deduped before it hits the CRM?
- Do conversions only pay if they match a secure click identifier?
- Are attribution windows short and are returns reconciled before payment?
- Are new sources capped and reviewed until they prove quality?
Acronyms and shorthand used
- CPM: cost per thousand impressions
- CPC: cost per click
- CPL: cost per lead
- CPA/CPS: cost per acquisition / cost per sale
- IVT: invalid traffic
- GIVT / SIVT: general / sophisticated invalid traffic
- S2S: server to server
- ASA / CAP: UK Advertising Standards Authority and Committee of Advertising Practice
- GDPR: General Data Protection Regulation