Raiffeisen Bank’s Russian division recently completed a comprehensive investigation into its digital acquisition channels, uncovering a sophisticated affiliate marketing fraud scheme that had been artificially inflating the bank’s marketing expenses. By leveraging advanced data streaming and big data analytics, the bank identified that certain affiliates were using browser extensions to hijack traffic sources, effectively claiming commissions for organic and paid search traffic that the bank had already secured. The investigation, conducted in partnership with the analytics firm OWOX BI, has highlighted a growing vulnerability in the Cost Per Action (CPA) marketing model, where technical loopholes allow dishonest actors to rewrite attribution cookies in real-time.
The financial sector has long been a primary target for affiliate fraud due to the high commission rates associated with banking products, such as credit cards and loan applications. For Raiffeisen Bank, the red flags appeared when the marketing department noticed a significant divergence between acquisition costs and actual revenue growth. Despite a surge in traffic attributed to CPA (Cost Per Action) networks, the bank’s bottom line remained stagnant. Furthermore, internal monitoring systems detected an unusual pattern of session breaks occurring while customers were in the middle of filling out digital application forms. These technical glitches, combined with the rising costs, prompted a deep-dive analysis into the integrity of the bank’s traffic attribution.
The core of the suspected fraud involved "attribution theft" facilitated by malicious or grey-area browser extensions. According to the investigation, users who had installed certain "discount" or "coupon" extensions were being targeted during the checkout or application process on the Raiffeisen website. When a user reached a critical stage in the application, the extension would trigger a pop-up window offering a discount or a promotional code. If the user interacted with this pop-up, the extension would execute a background script to refresh the session and rewrite the traffic source data in the user’s browser cookies. This maneuver ensured that the affiliate associated with the extension was credited with the "Last Click," thereby redirecting the commission from the original source—such as organic search or a paid Google search campaign—to the fraudulent affiliate.
To combat this, Raiffeisen Bank moved beyond the standard limitations of traditional web analytics. While the bank utilized Google Analytics, the standard version of the platform often relies on sampled data and lacks the granular, hit-level detail required to detect millisecond-level changes in traffic sources. To bridge this gap, the bank integrated the OWOX BI Pipeline to stream raw, unsampled data directly from their website into Google BigQuery. This cloud-based data warehouse allowed the bank’s analysts to process vast datasets in near real-time, providing a transparent view of every user action, including the exact timestamp of every page view and session change.

The chronology of the investigation followed a rigorous three-step technical process. The first stage involved the collection of raw hit-level data. By bypassing the standard processing delays of Google Analytics, the bank was able to capture the actual timestamp of each "hit" or interaction. This was crucial because it allowed analysts to track the sequence of user actions across multiple sessions with absolute precision. In a typical scenario, a user might visit the bank’s promotional page via a paid search ad (CPC). If a fraudulent extension intervened, the data would show the initial CPC session ending abruptly and a new session starting almost instantaneously from a CPA source, even though the user never left the page.
In the second stage, the team focused on data processing and filtering. The analysts established a specific set of criteria to identify "robbed" transactions. They looked for instances where a user had two distinct sessions recorded on the same URL within a window of less than 60 seconds. Under normal browsing conditions, it is highly improbable for a user to manually close a session and restart a new one from a different source while staying on the exact same application page. By filtering for these specific parameters—same Client ID, same page path, and a change in traffic source within one minute—the team was able to isolate the fraudulent hits.
The third stage involved the generation of comprehensive reports that mapped these anomalies back to specific affiliate partners. By importing the processed data from Google BigQuery into visualization tools and pivot tables, the marketing team could see exactly which affiliates were responsible for the source substitution. The data revealed a stark reality: certain partners were systematically "robbing" traffic from organic search and the bank’s own paid search (CPC) campaigns. The reports provided the IDs of each customer whose session had been hijacked, giving the bank the empirical evidence needed to confront the CPA networks.
The results of the analysis were immediate and financially significant. Raiffeisen Bank identified two major affiliate partners who were consistently acting in bad faith. By terminating its relationship with these dishonest webmasters and adjusting its contracts with CPA networks, the bank was able to significantly optimize its marketing budget. The funds that were previously being siphoned off by fraudulent commissions were reallocated to high-performing, legitimate channels. Furthermore, the bank’s technical team was able to address the session breaks that were frustrating users, leading to a smoother application process and a higher conversion rate for legitimate customers.
From a broader industry perspective, the Raiffeisen case serves as a warning for the digital marketing landscape. Affiliate fraud is becoming increasingly sophisticated, moving away from simple "bot" traffic toward "cookie stuffing" and source rewriting that mimics human behavior. As browser privacy settings evolve and third-party cookies are phased out, the battleground for attribution is shifting toward the client-side environment, where browser extensions and local scripts operate with significant autonomy.

The implications for the banking and insurance sectors are particularly acute. Because the customer journey for financial products is often longer and involves more sensitive data, the cost of a single acquisition can range from dozens to hundreds of dollars. This high "bounty" creates a powerful incentive for bad actors to develop scripts that can intercept a lead at the final moment of conversion. For large institutions, the loss to such fraud can amount to millions of dollars annually if left unchecked.
Industry analysts suggest that the solution lies in "First-Party Data" and server-side tracking. By moving the attribution logic away from the user’s browser and onto the company’s own servers, firms can make it much harder for extensions to manipulate source data. Additionally, the use of big data tools like Google BigQuery allows for "forensic marketing"—the ability to look back at the granular history of a transaction to ensure its legitimacy before a commission is paid.
Dmitriy Berezin, Head of Online Sales at Raiffeisen Bank, noted that the project was not just about cost-cutting, but about gaining a deeper understanding of the customer journey. He emphasized that in a competitive digital environment, the ability to distinguish between genuine engagement and automated manipulation is a core competency for any modern marketing team. Victoriia Pashchenko, a Web Analyst at OWOX BI who assisted in the project, highlighted that the transparency provided by raw data is the best defense against the "black box" nature of many affiliate networks.
In conclusion, the collaboration between Raiffeisen Bank and OWOX BI demonstrates that while AdTech fraud is evolving, so too are the tools available to combat it. By adopting a data-first approach and demanding hit-level transparency, the bank successfully protected its marketing investments and ensured that its acquisition strategy remained based on true performance rather than technical deception. The case underscores a shift in the role of the web analyst from a mere reporter of traffic to a digital auditor responsible for the financial integrity of the company’s growth engines. As the digital economy grows, the implementation of such rigorous data validation processes will likely become a standard requirement for any organization operating at scale in the CPA space.







