The basic concept of smishing is the same as phishing calls: fraudsters use deception to trick recipients into providing personal information or clicking on malicious links. The only difference is the use of SMS as a medium.

Though smishing has been around for many years, fraudsters are constantly refining their techniques and using enterprise technology to increase their reach. Recently, they have begun using call centers as a hub for triggering smishing attacks and therefore successfully reaching a much wider range of victims than ever before. This means that it is no longer just end-users that are at risk, but enterprises and operators themselves, too.

The increase in volume is reflected in the numbers: BICS counted 345 million smishing messages in Europe between January 2023 and May 2024.

The Mobile Ecosystem Forum (MEF) defines two main types of Artificially Inflated Traffic (AIT). First, AIT can be used to defraud a business by creating bots which pretend to be users and send out one-time password verification (OTP) via the business’ messaging account to certain numbers controlled by the fraudster, who can block the artificial traffic when it hits the network node. The fraudster then makes a profit directly or indirectly from the messages while the business loses revenues.

The second AIT fraud type targets mobile network operators (MNOs) directly by sending repeated messages to virtual numbers controlled by cybercriminals to generate an outpayment. The fraudster makes a profit as the cost of sending the messages is lower than the outpayment.

The impact of AIT is now so severe that it is often cited as the biggest threat to A2P SMS monetization, surpassing grey routes or even smishing.