Collaborative approaches to international SMS security
In the golden age of international SMS, this is what used to be the typical scenario:
Brands leveraged one-time password (OTP) verification to provide a user-friendly and secure way of authenticating their customers. Meanwhile, operators were able to reap the benefits of this increased activity. A win-win scenario.
Unfortunately, in parallel to this growth, a new threat has quickly gained velocity: Artificially Inflated Traffic (AIT).
AIT, also known as SMS pumping, has overtaken other threats in the international messaging ecosystem in just two years, surpassing even grey routes in 2023.
The relative recency of AIT means that it is not as well understood as more established threats, adding to its severity. Our recent research on the state of transactional fraud found that only 36% of CPaaS and CCaaS enterprises had even heard of AIT and less than a third considered it a threat to their business.
But the threat is very real and affects everyone from enterprises to operators to consumers.
Simply put, AIT is a type of SMS fraud generated by bots. There are two main types of AIT as identified by the Mobile Ecosystem Forum (MEF):
AIT that defrauds businesses by generating large numbers of fake users all requiring OTP SMS verification. The fraudster makes directly or indirectly a profit, and the business bears the cost for all the OTP SMS requests.
AIT that defrauds MNOs by generating fake messages and repeatedly sending them to virtual numbers controlled by the fraudster, leading to an outpayment. The fraudster profits from this as the cost of the outpayment is higher than the cost of sending the message.
While AIT has been building since 2019, 2023 marked a significant turning point for AIT fraud’s impact.
Firstly, in March, Elon Musk announced that X, formerly known as Twitter, would start charging users for SMS two-factor authentication (2FA) to combat the staggering $60 million lost annually due to AIT.
Mobile network operators (MNOs) haven’t been spared either. They’ve estimated that their losses in international SMS traffic linked to AIT fraud reached $4.7 billion in 2023 alone (Source: Mobilesquared).
This represents a 16% drop in revenue, without taking into account revenue loss from other fraud types, such as grey routes (Source: Mobilesquared).
These financial losses are accompanied by serious reputational damage. Without effective solutions to curb the growth of AIT, brands will seek alternative channels to SMS, leading to a decline in A2P SMS revenue for operators.
We’re already seeing this decline with 2024 showing a sharp drop in brand spend on international SMS authentication traffic.
Chapter 2 | Understanding the market conditions that benefit AIT
Chapter 3 | The economic, operational, and reputational impact of AIT on brands and operators
Chapter 4 | What brands and operators can do to combat AIT, together