Twitter announced plans to tackle SMS fraud by charging users for text message two-factor authentication (2FA) from March this year. The reason? Elon Musk said the platform had been “scammed” by phone companies and was paying more than $60 million (€56m) a year for “fake 2FA SMS messages”.
Artificially Inflated Traffic (AIT) or SMS pumping is the next big thing in SMS fraud. Fraudsters create bot accounts that trigger a wave of fake requests for one-time passwords (OTPs) from businesses, which they intercept and monetize through a revenue share scheme with malicious providers or operators.
The AIT threat continues to spread. Bad actors are becoming more sophisticated and adapting to the evolving digital and mobile ecosystem. They are also exploiting how easy it is to generate massive volumes of SMS transactions.
Businesses shouldn’t have to worry about OTPs. They need their customers to trust them, and the security measures and controls they’ve put in place. Authentication methods like 2FA with OTPs are here to stay, so enterprises need to know how they can protect their customers and their messaging environment.
AIT: why fraudsters do it and how it works
Because SMS has such wide coverage, is low-cost, and doesn’t require a connection to be established – unlike voice communication – fraudsters find it an attractive weapon.
They typically generate artificial traffic by running automated scripts or bots to create fake accounts or requests that trigger messages.
Bad actors then make money by partnering with a malicious operator or provider to divert the inflated traffic and collect either termination or transit fees – which enterprises typically then need to pay for. Traffic termination comes with a high price tag, but there are other hidden costs: addressing and resolving fraud, reputational damage, the operational risk of network overload, and using additional capacity.
What can enterprises do to protect themselves from AIT?
There is no quick fix. Enterprises, operators, and providers need to work together to prevent fraud and secure their messaging ecosystem. Enterprises can also take various steps to address the risk, including:
- investing in a fraud prevention solution equipped with real-time threat intelligence to prevent fraudulent traffic,
- implementing security measures and controls at the digital service provider level to reduce the risk of service abuse, and monitoring their conversion rates,
- reinforcing security checks in the onboarding process,
- implementing controls on subscriber behavior and communication types.
Enterprises that use SMS to authenticate their subscribers or interact with them – by sending notifications, alerts, reminders, and news – need protection that covers the spectrum, from monitoring traffic to blocking fraudulent messages.
To cover all bases, enterprises will need to focus on strengthening the onboarding process for subscribers, setting up basic limitations on SMS thresholds or destinations, and protecting their platform from fraudsters and bots. Top methods to protect their platform include number verification against a threat intelligence database and tracking traffic patterns. Implementing seamless controls can ensure a smooth user experience and support the business through flexible communications.
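The traffic-pattern checks described above (conversion-rate monitoring and spotting runs of sequential destination numbers) can be sketched as follows. This is an added example, not BICS or FraudGuard code; the thresholds, the prefix length and the sample numbers under the unassigned +999 code are assumptions chosen for illustration.

```python
from collections import defaultdict

PREFIX_LEN = 8         # assumed grouping key: leading characters of the number
MIN_REQUESTS = 5       # assumed minimum volume before a prefix is judged
MIN_CONVERSION = 0.2   # assumed floor for verified OTPs / sent OTPs
MAX_SEQ_RUN = 4        # assumed longest tolerated run of consecutive numbers

def longest_consecutive_run(numbers):
    """Length of the longest run of destination numbers that differ by exactly 1."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best

def flag_prefixes(events):
    """events: iterable of (destination, verified). Returns {prefix: [reasons]}."""
    by_prefix = defaultdict(list)
    for dest, verified in events:
        by_prefix[dest[:PREFIX_LEN]].append((dest, verified))
    flagged = {}
    for prefix, rows in by_prefix.items():
        if len(rows) < MIN_REQUESTS:
            continue  # too little traffic to judge this range
        reasons = []
        # Pumped traffic requests OTPs but almost never completes verification.
        conversion = sum(v for _, v in rows) / len(rows)
        if conversion < MIN_CONVERSION:
            reasons.append(f"conversion {conversion:.0%}")
        # Scripts often walk through a number block in order.
        run = longest_consecutive_run(d for d, _ in rows)
        if run > MAX_SEQ_RUN:
            reasons.append(f"sequential run of {run}")
        if reasons:
            flagged[prefix] = reasons
    return flagged

# Constructed sample OTP log: (destination, OTP later verified by the user).
SAMPLE = (
    [(f"+9990001{n:04d}", False) for n in range(100, 108)]  # 8 in sequence, none verified
    + [("+99955520417", True), ("+99955528830", True), ("+99955521975", False),
       ("+99955526602", True), ("+99955523358", True)]      # ordinary mixed traffic
)

if __name__ == "__main__":
    for prefix, reasons in flag_prefixes(SAMPLE).items():
        print(prefix, "->", ", ".join(reasons))
```

A flagged prefix is a candidate for the SMS thresholds or destination limits mentioned above, applied to that range only so that ordinary users are not affected.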
How the right fraud prevention solution can help enterprises
Our fraud solutions are uniquely positioned to help enterprises stay a step ahead of SMS fraud with advanced threat intelligence capabilities, comprehensive monitoring, and next-gen technology, all fine-tuned and optimised thanks to an in-depth understanding of the SMS ecosystem globally. FraudGuard is an international fraud prevention service that can automatically block calls and messages to known fraudulent numbers, as well as proactively identify, investigate, and block potential new incidents.
A team of fraud experts continuously monitors, investigates, and acts on fraud incidents. We enable detection of traffic pattern deviation, abnormal behavior, and use of numbers in sequence. These capabilities are backed up by our global fraud intelligence database, TrustHub. It leverages expertise and intelligence gathered about fraud attacks and uses machine learning models to detect and prevent fraud based on international traffic patterns across our entire carrier network.
We have more than 55 million numbers registered in our database, and it is updated daily. Our intelligence is further built on the SMS traffic we carry: 50 million SMS messages per day through our SMS hub and 250 million messages per day as an SS7 carrier. This is then combined with our intelligence on voice fraud, as 20% of SMS attacks are related to voice fraud.
This 360° approach to fraud prevention significantly reduces the risk of AIT having an impact on your business or on your customers’ experience.
Why enterprises can still rely on OTPs as a secure verification method
Businesses today need the right expertise and capabilities for SMS fraud protection – because OTPs are here to stay. And no enterprise can risk losing the trust of their customers, or suffering the damage and cost associated with fraud that is becoming ever more rife.
The most effective solution is integrated. FraudGuard doesn’t only offer detection – it’s a complex fraud prevention service that facilitates automated and proactive prevention, support, reporting, and tracking.
As a leading SMS hub, application-to-person (A2P) aggregator, and CPaaS provider, BICS can additionally help enterprises define the policies and controls that need to be applied to the messaging ecosystem to detect abnormal activity, and the process to follow if abnormal activity is detected.
Get in touch today to find out more about how BICS’ global fraud solutions can help you tackle AIT.