How to prevent last-click hijacking in affiliate marketing

Protect your attribution

Prevent malicious scripts and extensions from rewriting conversion ownership at the last second.

Try SEATEXT AI for free

In affiliate marketing, **last-click attribution** is the default rule. Whichever partner owns the last click before a purchase gets credited with the sale. While simple to implement, this model opens a massive loophole: **last-click hijacking**.

Last-click hijacking occurs when a rogue affiliate forces a redirect or drops a cookie in the final moments of a user's purchase flow. This steals credit from organic traffic, search ads, or other affiliate creators who actually brought the customer to your store. Let's look at how to protect your conversion attribution.

How last-click hijacking works

This type of fraud targets customers who are already at the bottom of the purchasing funnel:

  • A user has loaded their cart and is entering credit card details.
  • A browser extension, third-party script, or malware on the user's device triggers a background request to the merchant's store via an affiliate redirect link.
  • This background request completes within milliseconds, dropping a new tracking cookie.
  • The checkout is completed. Because the hijacked cookie is the newest one, the affiliate system awards the commission to the rogue affiliate.

This often happens so fast that the customer sees no visual interruption, while the merchant pays out a commission on a sale that was already all but complete.

Why traditional firewalls can't block hijacking

Because the redirect happens entirely inside the customer's browser, network-level protection (WAFs) cannot identify it. To the server, it looks like a legitimate customer navigated to the checkout page using a new referral link.

Blocking hijacking requires real-time, client-side monitoring to track **attested clicks**: a cookie is credited only if a user physically clicked a link on the publisher's site with genuine intent.

How BotRefund blocks last-click hijacking

BotRefund monitors checkout behavior for timing anomalies and automatic script execution.

If the platform detects that a referral link was loaded after a customer had already added items to their cart or entered checkout—without any active window switching or normal user navigation—it flags the transaction for review or holds the commission. This ensures that only partners who drive real acquisition get paid.
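The timing rule described above can be sketched as attribution logic over a session's event timeline. This is an added example, not BotRefund's code; the event schema (`type`, `t`, `affiliate`, `userGesture`, `topLevelNav`) and the sample sessions are hypothetical and stand for whatever a client-side monitor reports.

```javascript
// Added example. The event schema (type, t, affiliate, userGesture, topLevelNav)
// is hypothetical: it stands for whatever a client-side monitor reports.
const FUNNEL_EVENTS = new Set(['add_to_cart', 'checkout_start']);

function attributeSale(events) {
  const timeline = [...events].sort((a, b) => a.t - b.t);
  const purchase = timeline.find((e) => e.type === 'purchase');
  if (!purchase) return { credited: null, held: [] };

  let funnelStart = null; // time the shopper first entered cart or checkout
  let credited = null;    // affiliate currently owning the sale
  const held = [];        // referrals withheld for manual review

  for (const e of timeline) {
    if (e.t > purchase.t) break;
    if (funnelStart === null && FUNNEL_EVENTS.has(e.type)) funnelStart = e.t;
    if (e.type !== 'affiliate_click') continue;

    const inFunnel = funnelStart !== null && e.t >= funnelStart;
    // Attested: a real user gesture led to a top-level navigation,
    // not a hidden iframe or background request.
    const attested = e.userGesture === true && e.topLevelNav === true;
    if (inFunnel && !attested) {
      held.push({ affiliate: e.affiliate, msBeforePurchase: purchase.t - e.t });
      continue; // the late cookie must not overwrite the earlier referral
    }
    credited = e.affiliate; // last click wins among clicks that pass the check
  }
  return { credited, held };
}

// Constructed sessions (timestamps in ms since session start).
const hijacked = [
  { t: 0, type: 'affiliate_click', affiliate: 'creator-a', userGesture: true, topLevelNav: true },
  { t: 60000, type: 'add_to_cart' },
  { t: 90000, type: 'checkout_start' },
  { t: 119600, type: 'affiliate_click', affiliate: 'ext-b', userGesture: false, topLevelNav: false },
  { t: 120000, type: 'purchase' },
];
const legitSwitch = hijacked.map((e) =>
  e.affiliate === 'ext-b' ? { ...e, userGesture: true, topLevelNav: true } : e);

console.log(attributeSale(hijacked));    // creator-a keeps credit, ext-b held
console.log(attributeSale(legitSwitch)); // ext-b credited, nothing held
```

A shopper who deliberately clicks a second affiliate link during checkout still passes the check, so the rule holds only referrals that arrive inside the funnel without a user gesture.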

Frequently Asked Questions

What is last-click hijacking?

It is a fraud method where an affiliate drops a new cookie in the last seconds of the purchasing process, overriding the original referral source to steal commission.

How do affiliates force background redirects?

They use browser extensions, adware, or hidden tracking scripts loaded on third-party sites that trigger invisible iframe calls to the merchant's affiliate link.

What is an attested click?

An attested click is a verified physical interaction by a human user (such as mouse release or tap) that proves a referral link was loaded with human intent rather than being automated by a script.

Ensure fair attribution for your creators

Stop paying for hijacked referrals. Install SEATEXT AI today to ensure your ad networks and creators get correct attribution credit, keeping your B2B and e-commerce campaigns profitable.
