Your guide to fighting SMS fraud: artificially inflated traffic and beyond


For companies that use SMS messaging as part of their overall brand, marketing, and customer engagement strategies, maintaining the integrity of the SMS ecosystem is vital. Most brands and platforms work hard to ensure their own compliance with best practices and regulations.

Unfortunately, fraudsters have discovered a wide range of ways to steal from both sides of the ledger—the companies and their customers. Artificial Inflation of Traffic (AIT) fraud cost brands $1.16 billion in 2023, according to an Enea white paper; Elon Musk revealed in a 2022 interview that Twitter had lost $60 million per year due to AIT.

For consumers, the picture isn’t any better; in 2022 alone, SMS scams cost consumers $330 million in the US—more than double the amount lost in 2021.

Fighting SMS fraud is in everyone’s best interests. The Mobile Ecosystem Forum (MEF) has identified fourteen SMS fraud types, classified into four main categories: 

  • Identity theft: SMS Phishing (Smishing), SMS Originator Spoofing, and Access Hacking
  • Data theft: SIM Swap Fraud, SMS Roaming Intercept Fraud, SMS Malware (SMS Hacking)
  • Network Manipulation: MAP Global Title Faking, SCCP Global Title Faking, SMSC Compromise Fraud
  • Commercial Exploitation: Artificial Inflation of Traffic (AIT), Message Trashing, Spam, and other network or system manipulation

This guide will look at some of the most common types of SMS fraud and provide some tips to keep brands, platforms, and consumers secure within the SMS messaging ecosystem.

What is Artificial Inflation of Traffic (AIT) fraud?

Artificial Inflation of Traffic (AIT) is a form of SMS fraud in which bots cause a brand to send automated texts, often by triggering 2-factor authentication texts or one-time passcodes from the brand’s website, for the purpose of misappropriating the message fees and sharing the money with colluders.

AIT fraud is typically less visible to consumers and end users than other forms of fraud because the messages exist within the broader SMS ecosystem and don’t end up as “spam” messages on consumer devices. However, this form of fraud is rapidly increasing, especially outside of the US and Canada; according to Enea and Mobilesquared, nearly 5% of international SMS traffic in 2023 was artificially inflated traffic.

AIT fraud can cost organizations millions of dollars in direct costs, as Elon Musk revealed in the above interview. In a recent episode of The State of Messaging Podcast, Simeon Coney, VP of Business Development at Enea, clarified the damage that bots can do on a platform such as Twitter.

“Our first thoughts are that those bots are creating tweets,” he said. “But those bots can also be used for other things. And in this case, they can be used to generate new password reset requests or new login requests with those OTP messages, all of which ends up generating a message. Now the question, of course, is why are they doing that?”

Coney points out that “there’s actually a lot of money and cost associated with delivering messages.”

“If I’ve got an army of bots under control, I can use them to generate messages to anywhere in the world, and I can actually gain money as a result of every single message being generated and delivered there.”

Sometimes also called SMS pumping fraud, AIT fraud requires the help of a mobile network operator (MNO), which collects the message fees from brands that are unwittingly paying for this inflated traffic.

The MNO is either operated directly by the fraudsters, allowing them to collect the fees directly, or the MNO sends a portion of the SMS fee to a smaller subscriber generating this inflated traffic. In the second scenario, the larger MNO may only be aware that this subscriber generates a lot of SMS traffic, and may not be aware that it’s caused by fraudulent behavior.

Telecom and cybersecurity firm Enea has identified six different forms of artificially inflated traffic that impact different places along the SMS ecosystem chain. All these forms of AIT involve fraudsters who have control over at least one point in the SMS journey where the fraudster can divert the costs associated with SMS generation and delivery into their own pockets.

Because this form of fraud is well hidden under the guise of legitimate SMS traffic and does not pose the same risks to end consumers, it doesn’t get the same media attention as, for example, smishing. For brands, platforms, and carriers, however, it’s vital to pay attention to anomalies in the journey or delivery chain and make sure that the costs of texting line up with expectations and outcomes.

What is smishing?

As the “younger sibling” of phishing, smishing (a combination of “SMS” and “phishing”) works in broadly the same way as this older form of fraud—just on a newer platform.

In the past, fraudsters used deceptive emails and fake phone calls to trick recipients into revealing sensitive information or performing malicious actions. These bad actors have now expanded their tactics to include text messages.

End users and consumers might receive a text that looks legitimate—something that says it’s from a brand or organization they recognize. It might include an urgent notice or request, or it may promise something exciting or include an enticing offer. Often these SMS messages include a link or attachment that may contain malicious software or direct the recipient to a fraudulent site.

“There are certainly the types of attack that are designed about immediacy and urgency,” says Coney. “Your package is held up, you have to click here to release it; your account’s been locked, click here to make an action. Those are things designed to get people to do something without too much thinking.”

Smishing can be a short-term or one-time fraud, or it can be an opening or opportunity for a more in-depth scheme. A short-term fraud might ask the consumer to click on a link or image to “verify” information, allowing access to the consumer’s private information or data.

In long-term scams, a consumer might receive an innocent text that appears to be a wrong number or seems like a friendly request. When the consumer replies, the fraudster uses the opening to manipulate the consumer into giving away data or money.

“This can span things like social engineering—you know, trying to encourage people to respond to initial contact,” says Coney. “Following a trend of creating a conversation that leads to either information theft or getting them to buy goods and services or provide financial payment for something.”

A 2022 piece from The Wall Street Journal recounts how one woman lost more than $1.6 million to a scam artist who played on her “basic decency” and “loneliness.” Sometimes called “pig butchering,” this kind of fraud relies on “fattening” a victim’s cryptocurrency account before clearing it of legitimate funds that were deposited.

What can brands and platforms do to combat SMS fraud?

For brands and CPaaS providers, AIT and other SMS fraud can result in huge costs—some directly to the bottom line, but others in the loss of trust and confidence in the brand itself. When consumers and end users can’t trust the texts they receive from brands, they will opt out of text—and perhaps opt out of business with the brand entirely.

Every legitimate actor along the SMS journey can contribute to keeping the ecosystem clean and stopping fraud and abuse wherever possible. Here are a few steps brands and platforms can take to help prevent SMS fraud from their positions:

Keep it real

Brands should ensure that all SMS messages are clearly labeled and consistently branded. If links are included, try to make sure they have some identifiers that clearly mark them as part of the brand. In addition, brands can periodically remind end users and consumers that they will not ask over text for identifying information, OTPs, login information, or passwords, and educate these end users on how to identify the brand’s texts to help build trust.

Likewise, platforms need to make sure they can validate the organizational identity of the brands they provide messaging to. You may hear this validation referred to as KYC (know your customer) best practices. It provides the foundation for registration and compliance across messaging channels. 

Conduct audits

If there is a sudden rush of OTP (one-time passcode) requests from sequential phone numbers, it’s possible those numbers are all controlled by a fraudster. Brands should be aware that a sudden increase in this kind of volume is a potential red flag that indicates fraud.

CPaaS providers can also watch for these rapid increases in volume and work with their customers to audit OTP requests.

Audits for AIT and other fraudulent activity can uncover significant abuse. Under Musk’s leadership, Twitter (now X) conducted audits and uncovered nearly 400 telcos that were involved in the AIT scheme. Musk directed Twitter staff to “cut off any telco that’s got fraud above 10 percent.”
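The audit signal described above (a sudden rush of OTP requests to sequential phone numbers) can be checked mechanically. The following is an added example, not code from Bandwidth or Enea; the log layout, the ten-minute window, the minimum run length of five and the `sequential_runs` name are assumptions, and the phone numbers are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample OTP request log: (timestamp, destination number).
# The numbers are fictional and the two-field layout is an assumption.
SAMPLE_LOG = [
    ("2024-03-01T09:00:02", "+15550104410"),
    ("2024-03-01T09:00:03", "+15550104411"),
    ("2024-03-01T09:00:03", "+15550104412"),
    ("2024-03-01T09:00:05", "+15550104413"),
    ("2024-03-01T09:00:06", "+15550104414"),
    ("2024-03-01T09:00:06", "+15550104415"),
    ("2024-03-01T09:14:40", "+15550107731"),   # isolated, ordinary user
    ("2024-03-01T11:30:00", "+15550102200"),
    ("2024-03-01T16:45:00", "+15550102201"),   # adjacent number, hours apart
    ("2024-03-01T09:00:04", "+15550104412"),   # retry of a number in the burst
]


def sequential_runs(events, window=timedelta(minutes=10), min_run=5):
    """Return (first_number, last_number, count) for each run of numerically
    consecutive destinations whose OTP requests arrived close together."""
    # Keep the latest request time per number so retries do not inflate a run.
    last_seen = {}
    for ts, number in events:
        when = datetime.fromisoformat(ts)
        key = int(number.lstrip("+"))
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when

    runs, current = [], []
    for key in sorted(last_seen):
        # Extend the run only if this is the next integer AND its request
        # is within `window` of the previous number's request.
        if (current and key == current[-1] + 1
                and abs(last_seen[key] - last_seen[current[-1]]) <= window):
            current.append(key)
        else:
            if len(current) >= min_run:
                runs.append((f"+{current[0]}", f"+{current[-1]}", len(current)))
            current = [key]
    if len(current) >= min_run:
        runs.append((f"+{current[0]}", f"+{current[-1]}", len(current)))
    return runs


if __name__ == "__main__":
    for first, last, count in sequential_runs(SAMPLE_LOG):
        print(f"possible AIT: {count} sequential numbers {first}..{last}")
```

The two adjacent numbers requested hours apart are not flagged, which is why the time condition matters: neighbouring numbers alone are common in any large customer base.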

Take the (temporary) hits

For some brands or platforms, cracking down on AIT fraud or other forms of fraud that artificially inflate the user base or volume can mean a temporary hit to the brand. Increased rigor on this topic may discourage certain businesses from using the platform. 

But while it may look like the company has lost business or users for a short time, the net effect will be more accurate SMS conversion rates, a more engaged user base, and ultimately, a stronger and more trustworthy brand. And of course, potential savings for the bottom line!

Account Security

Perform regular reviews of your CPaaS account: the users provisioned, their assigned access, and their rights to change settings. Verify that users’ permissions are set correctly and that accounts follow strong password standards.

Enable SSO (single sign-on) on your CPaaS account, which will allow you to Bring Your Own Identity Provider (BYOIP). Enabling this feature allows for centralization of account management, monitoring, and multi-factor authentication.

With attacks on APIs increasing, validate that your API credentials are properly secured and follow best practices. The use of bearer authentication is recommended over basic auth if supported by the client.

Make fraud more difficult to commit

Much of the fraud in the SMS messaging ecosystem is conducted, at least in part, by bots. A simple way for brands to combat a bot army is to implement a CAPTCHA form, a Bot Management Solution or other verification that an OTP request is coming from a legitimate end user, not a bot.

Coney also recommends that brands work closely with their CPaaS providers and platforms to carefully consider other options for keeping fraud out of the ecosystem—for example, limiting SMS messages from certain locations in the world.

“Are you looking at source IP addresses for folks using your services?” he says. “You know, is that typically your customer base?”

He suggests that CPaaS partners can help brands reduce risk and exposure. “Your CPaaS partner can help provide levels of protection … by helping control spend to known high-risk destinations or looking for anomalous levels of traffic to unusual destinations for your account.”
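A brand can also apply the destination limits discussed above on its own OTP endpoint before a message ever reaches the CPaaS. The following is an added example, not code from Bandwidth or Enea; the `OtpDestinationGuard` class, the prefixes and the hourly caps are hypothetical, and `+999` is used as a constructed, unassigned prefix.

```python
from collections import defaultdict, deque

# Assumed policy for a hypothetical brand: dialling prefixes where its
# customers actually are, with an hourly OTP cap for each. Constructed values.
HOURLY_CAP = {"+1": 1000, "+44": 200}
DEFAULT_CAP = 3            # hourly cap for any destination not listed above
WINDOW_SECONDS = 3600


class OtpDestinationGuard:
    """Sliding-window cap on OTP sends per destination prefix."""

    def __init__(self, caps=HOURLY_CAP, default_cap=DEFAULT_CAP):
        self.caps = caps
        self.default_cap = default_cap
        self.sent = defaultdict(deque)   # prefix -> timestamps of recent sends

    def _prefix(self, number):
        # Longest configured prefix wins. Unlisted destinations are bucketed
        # by "+" and their first three digits (a heuristic, not a country map).
        matches = [p for p in self.caps if number.startswith(p)]
        return max(matches, key=len) if matches else number[:4]

    def allow(self, number, now):
        """Return True and record the send if the prefix is under its cap."""
        prefix = self._prefix(number)
        cap = self.caps.get(prefix, self.default_cap)
        recent = self.sent[prefix]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()             # drop sends older than the window
        if len(recent) >= cap:
            return False                 # hold or challenge instead of sending
        recent.append(now)
        return True


if __name__ == "__main__":
    guard = OtpDestinationGuard()
    for i in range(5):
        number = f"+9995550100{i:02d}"   # constructed numbers
        print(number, "send" if guard.allow(number, now=i) else "blocked")
```

A blocked request is a natural point to require the CAPTCHA or other verification mentioned earlier in this section rather than to drop the user outright.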

SMS marketing remains one of the most powerful engagement tools brands have for connecting with consumers and growing their business—but only if it remains trustworthy. Coney’s ultimate advice to brands is to choose partners who will keep the SMS messaging ecosystem safe, protect their customers and partners, and ultimately give a better experience for everyone.

“We’re creating so many great relationships here now between brands and customers,” he says. “Let’s build on that.”

To learn more about SMS messaging and how Bandwidth can help you grow your brand and your business—while minimizing fraud!—contact us.