One thing I always tell people is that iGaming operators don’t have it as easy as you might think. Not only are they in a highly competitive market, but they’re also under constant pressure from national regulators. Responsible gambling, AML, strong KYC and other territory-specific requirements make it challenging to operate compliantly.
To make matters worse, they’re a common target of fraudsters. Constant attacks such as account takeover (a.k.a. credential stuffing), chargeback fraud and bonus abuse mean that the risk teams have to remain alert, prepared, and well-equipped at all times.
But one form of fraud is particularly damaging, and that’s affiliate fraud. Let’s see why it happens, why it hurts so much, and how to prevent it at your iGaming company.
How Affiliate Marketing Works in iGaming
While there are different ways to promote an online casino, affiliate marketing has earned its status as one of the most effective. SEO, PPC, media advertising, exhibitions and other offline activities should also be part of the bigger strategy, but in terms of ROI, affiliate marketing tends to give the best results.
Unfortunately, iGaming companies cannot legally advertise on Google or Facebook. This is why they rely on 3rd party affiliates to bring traffic to their site. These affiliates are then paid using a variety of models, depending on which actions their referred users perform on the site.
The Inherent Risks of Working with Affiliates
Your goal as an iGaming operator is to bring traffic to your page, and the risks of using a third party affiliate vary depending on the kind of payment model you offer them.
Without a doubt, the riskiest is the pay per lead or cost per acquisition model. Unscrupulous affiliates will exploit it to generate fraudulent traffic with bots, which can be sophisticated enough to onboard automatically, going through all the right steps to trigger a reward.
The PPC (pay per click) model is just as unreliable, as malicious affiliates will send traffic towards your site without the users’ consent. There’s no shortage of options here, from malicious browser extensions to links hidden under your browser text and images (pop-under).
Of course, it’s easy to catch bad traffic when your bounce rates go up and KPIs remain too low. But more sophisticated bots could also register accounts, deposit and even go for free spins or matched bonuses, thereby crossing over into bonus abuse territory.
Revenue share models are just as susceptible to abuse. If you give the players a share of your revenue, it opens the door to player collusion. High-value players can band together and take huge risky bets against the casino. Their individual losses will be limited and under control, but potential profit will be huge – and certainly damaging for your business.
The key point to remember is that your affiliates will know exactly how to trigger the rewards. You’re essentially giving them a guidebook on how to perform affiliate marketing scams, which is why trust and vigilance are of the essence.
The First Solution: Proper Traffic Monitoring
The good news is that isolating bad affiliates shouldn’t be too hard. New customers coming from a referral will have an ID, and you should deploy systems to slice and dice that data.
Within the SEON Sense platform, for instance, the Affiliate tab lets you clearly identify the quality of your affiliates. You can sort them based on the number of conversions they brought to your business, or the percentage of approved vs. declined onboarded users.
Which is useful in and of itself, but still begs the question: How do you acquire and filter user data to automatically decide what makes them good or bad for your iGaming platform? The answer: data enrichment, specifically thanks to device fingerprinting.
Enabling Device Fingerprinting
In fraud prevention, the more data you have about your users, the better. And the key for iGaming operators, who tend to automatically onboard users, is to enrich data as soon as people land on your website.
Which is why one of the most important sources of intelligence you can tap is probably device fingerprinting. Put simply, it is designed to scan the user’s software and hardware configuration and identify their connection with what we call hashes.
These hashes are effectively user IDs, and they offer a surprisingly clear picture of who the users are. This is true whether they clear their cache, switch browsers, use incognito mode, or rely on emulators and spoofing tools – a practice that often points to bot usage.
SEON’s solution, whose progress I’ve been monitoring for some time, was developed with Gabor Gulyas (from Panopticlick). And as far as I can tell, it is one of the most complete device fingerprinting solutions on the market, working with real-time data to help you answer questions such as:
- Have they appeared on the site before?
- Do they switch devices too often?
- Is the software they use suspicious?
- Do they use emulators like FraudFox, AntiDetect, Kameleo, Linken Sphere or MultiLogin?
- And more importantly: are they likely human or bots?
For a list of all the parameters SEON’s Device Fingerprinting tool can aggregate, you can read our dedicated post here.
And don’t forget that device data enrichment is only one of the tools in your arsenal. By combining it with social media lookup, IP, email and phone analysis, you can build the most complete profile of your players, before they even reach the withdrawal stage.
Analyzing User Behaviour
Thanks to device fingerprinting and other data enrichment tools, you can get a good idea of who users are. But the other key element is to confirm suspicions about users by looking at their behaviour.
In the world of fraud detection, this is done by feeding data through risk rules, which output risk scores. For instance, you could have a rule that increases risk if the user connects with an email address from a free domain. Another one could increase risk if they use a VPN.
You also need to look at their actions on your site, specifically using velocity rules. These work with more complex parameters, for instance, the number of connection attempts per minute, or how fast the fields are filled.
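The risk rules and velocity rules described above, combined with the per-affiliate approved vs. declined breakdown from the traffic monitoring section, can be sketched as follows. This is an added example, not SEON's code: the field names, rule weights, thresholds, free-domain list and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

FREE_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed sample list
DECLINE_AT = 50                     # assumed score at which a signup is declined
WINDOW_S, MAX_PER_WINDOW = 60, 3    # velocity: signups per device hash per minute
MIN_FILL_S = 5                      # forms filled faster than this look automated

STATIC_RULES = [  # (name, score added, predicate); weights are assumed values
    ("free_email", 10, lambda e: e["email"].rsplit("@", 1)[-1].lower() in FREE_DOMAINS),
    ("vpn", 20, lambda e: e["vpn"]),
    ("fast_fill", 30, lambda e: e["fill_s"] < MIN_FILL_S),
]

def score_signups(events):
    """Score each signup; events must be sorted by 'ts' (epoch seconds)."""
    recent = defaultdict(deque)  # device hash -> timestamps inside the window
    results = []
    for e in events:
        hits = [(name, w) for name, w, pred in STATIC_RULES if pred(e)]
        q = recent[e["device"]]
        while q and e["ts"] - q[0] >= WINDOW_S:
            q.popleft()          # drop signups that fell out of the window
        q.append(e["ts"])
        if len(q) > MAX_PER_WINDOW:
            hits.append(("velocity", 40))
        score = sum(w for _, w in hits)
        results.append({**e, "score": score, "rules": [n for n, _ in hits],
                        "declined": score >= DECLINE_AT})
    return results

def affiliate_report(results):
    """(affiliate, signups, decline rate) rows, worst affiliate first."""
    stats = defaultdict(lambda: [0, 0])  # affiliate -> [signups, declined]
    for r in results:
        stats[r["affiliate"]][0] += 1
        stats[r["affiliate"]][1] += r["declined"]
    return sorted(((a, n, d / n) for a, (n, d) in stats.items()),
                  key=lambda row: -row[2])

def _ev(ts, aff, dev, email, vpn, fill_s):
    return {"ts": ts, "affiliate": aff, "device": dev, "email": email,
            "vpn": vpn, "fill_s": fill_s}

# Constructed sample: aff-B sends a burst from one device hash plus a 2-second form fill.
SAMPLE = [_ev(0, "aff-A", "d1", "ann@example.org", False, 41),
          _ev(30, "aff-A", "d2", "bob@gmail.com", False, 35),
          _ev(100, "aff-B", "d9", "u1@gmail.com", True, 8),
          _ev(110, "aff-B", "d9", "u2@gmail.com", True, 9),
          _ev(120, "aff-B", "d9", "u3@gmail.com", True, 8),
          _ev(130, "aff-B", "d9", "u4@gmail.com", True, 7),
          _ev(140, "aff-B", "d8", "u5@gmail.com", True, 2),
          _ev(400, "aff-A", "d3", "cy@example.org", True, 50)]
```

In the sample, the first three signups from device `d9` stay under the threshold on static rules alone; only the velocity rule pushes the fourth over it, which is why the two rule types are used together.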
Here again, I was pretty impressed by how SEON leverages the power of Machine Learning. It’s entirely possible that some fraudulent patterns may be invisible to even the most astute risk managers. But by feeding your user data (both historical and current) to their engine, the algorithm can help suggest rules that highlight suspicious behaviour.
What you get is an invisible security layer that understands how CPA fraudsters behave, before they get to deposit and abandon their account. You can then automatically reject their sign up attempts, even if you’re working with very few user fields, and the bare minimum to meet KYC requirements.
Controlling the Withdrawal Stage
One of the greatest challenges you might face is dealing with an affiliate who brings you a mix of good and bad traffic. Your incentive is of course to onboard as many players as possible, but how can you ensure the bad ones don’t slip through the net?
The answer is to take control of the withdrawal step. The same sophisticated risk rules that stopped bots in their tracks can also be applied to block players who are about to cash out their virtual chips.
And while you might already have a risk team on the case here, a tool like SEON’s gives you plenty of options to improve your detection accuracy, and to tailor the rules to how your specific casino does business.
Using custom attributes that were unique to their iGaming operations, for instance, SEON customers improved withdrawal automation from 60 to 90%.
This is a huge time saver for the risk team, who can refocus manual efforts on less clear-cut cases, and decrease fraud rates across the board.
SEON for Complete iGaming Fraud Protection
iGaming operators can have a complex relationship with their affiliates. They may need them to bring new players to the site, but they also know that affiliates have strong incentives to bring as much traffic as possible, without vetting its quality.
Which is why, unfortunately, the burden of monitoring and controlling the traffic is on the operators. The good news, however, is that thanks to fraud prevention platforms like SEON, you have all the tools at your disposal to mitigate risk based on your specific business model.
And best of all, the same tools used to block bots and colluding players before they onboard can also prevent bonus abuse, account takeover, and credit card fraud. Enriching data will let you know which leads are genuine or not in order to optimize bonus spend – and of course your revenue.