The risk is real. The scriptng language does not provide a way to confirm money has been paid. It only asks for the money and assume it was paid. So affiliate vendors have this "loop hole". But the risk is only of someone getting a product and the creator not getting paid. So if you make items that sell for low or moderate amounts, it may not be the grave a risk. You can probably spot the fraudulent activity after the fact and take action (disable/ban/AR). But if you sell big ticket items or have large number of affiliates and/or affiliate sales, then you may want to consider having an additional safeguard.
You can also avoid this kind of problem by screening your affiliates. That's why some people charge a fee to affiliates to join their program. It helps minimize the scammers who are looking for easy pickings.