SMS fraud: protecting your business against Artificial Inflation of Traffic


By Sebai Mansour


Business communication takes place through various channels, including emails, phone calls, and SMS texts. Such forms of communication may occasionally contain sensitive information that, in the wrong hands, may be financially rewarding. That’s why fraudsters of all kinds are always monitoring traffic to and from successful businesses – to seize the chance and blackmail businesses into paying large amounts of money. In this article, we will dig into a new and alarming fraud tactic for SMS: Artificial Inflation of Traffic (AIT).

The threat of AIT 

To better understand the dangers of AIT, we should understand first the two main types of SMS traffic: 

Application-to-person (A2P) – which is used to deliver automated texts to intended audiences, such as marketing promotions, notifications, alerts, etc., and 

Person-to-person (P2P) – which is when two or more people engage in text-based conversations, for example: customer support agents and customers, or team members within a company. 

Artificial Inflation of Traffic (AIT) is the generation of fake traffic from legitimate websites and apps to drive revenue for SMS service providers or mobile network operators. This fraudulent model exploits A2P SMS to carry out its attacks. AIT attacks take place when fraudsters use real online services like yours to generate fake traffic using bots. An SMS service provider or mobile network operator conspires with a fraudster to pump high volumes of traffic through your service with the intention of increasing revenue. The fraudster then takes a share of the profits while you bear the cost at 0% ROI.

The fraudster does this by designing a bot that accesses your website, creates an account, and initiates a one-time password (OTP) SMS to a mobile number. The bot then repeats this process, creating thousands of accounts and generating SMS messages to thousands of numbers. This is fake traffic that your business is compelled to pay for, and none of it converts into real business.

How to protect your business 

For stronger protection, you can start by identifying your level of risk. The businesses exposed to the highest risk are those with weak security measures during signup and other OTP-generating activities, which makes those measures easier for bots to bypass. For example: if your website uses mobile numbers as the only signup method, you’re at high risk.

Below are some tips on how you can safeguard your signup process as well as some monitoring parameters you can look out for to avoid being a victim of AIT. 

Protection methods 

  • Include a CAPTCHA: This is the most reliable way to protect your business against bots. CAPTCHA is designed to tell humans and bots apart. While this may lengthen your signup process, you can make CAPTCHA easy and fun by using a gamified CAPTCHA.
  • Set a timer for OTP requests: By setting a timer between the last generated OTP and the next, you can delay or prevent bots from continuously generating OTPs, thus eliminating unnecessary traffic. However, a smart bot can bypass this method by waiting the required number of seconds/minutes between requests. It’s best to rely on multiple protection methods for optimum results.
  • Make the signup process more advanced: The most targeted apps/websites are those that use mobile numbers exclusively for signup. The more fields you add (email, username, 2FA, etc.), the harder it is for a bot to use you for AIT, and this may even push fraudsters away.
  • Limit mobile number field to countries you operate in only: In the mobile number field, limit the country codes that can be used to only the countries you operate in. Make sure the implementation is done at the backend level as well, as fraudsters have a way to change the country code on the user interface level. 
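
A backend gate that combines the OTP timer and the country-code restriction from the list above, shown as an added example (not code from this article or from CEQUENS). The allowed calling codes, the 60-second cooldown, the per-IP hourly cap and the `OtpGate` name are assumptions chosen for illustration; the cap is included because a timer alone can be waited out.

```python
import re
import time

ALLOWED_CALLING_CODES = ("+20", "+971")  # assumption: countries the service operates in
COOLDOWN_SECONDS = 60                     # assumption: minimum gap between OTPs per number
MAX_PER_IP_PER_HOUR = 5                   # assumption: cap that patient timing cannot evade

E164 = re.compile(r"^\+[1-9]\d{7,14}$")   # international format: '+' then 8 to 15 digits


class OtpGate:
    """Server-side decision on whether an OTP SMS may be sent (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._last_sent = {}   # number -> time of the last OTP sent to it
        self._ip_history = {}  # ip -> times of OTPs sent in the last hour

    def check(self, number, ip):
        """Return (allowed, reason); the request is recorded only when allowed."""
        now = self._clock()
        if not E164.match(number):
            return False, "invalid_number"
        # Checked on the server because the country code shown in the form can be changed.
        if not number.startswith(ALLOWED_CALLING_CODES):
            return False, "country_not_served"
        last = self._last_sent.get(number)
        if last is not None and now - last < COOLDOWN_SECONDS:
            return False, "cooldown"
        recent = [t for t in self._ip_history.get(ip, []) if now - t < 3600]
        if len(recent) >= MAX_PER_IP_PER_HOUR:
            self._ip_history[ip] = recent
            return False, "ip_cap"
        recent.append(now)
        self._ip_history[ip] = recent
        self._last_sent[number] = now
        return True, "ok"
```

Call `check()` in the request handler before handing the message to the SMS provider, and log the returned reason so rejected requests feed your monitoring.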

Monitoring parameters 

After implementing the above tips, you should still watch your signups and user activity. Fraud is constantly evolving and finding ways to bypass security protocols, so some may bypass even the strongest CAPTCHA. You can set up monitors to alert you of the following: 

  • Sudden increase in signups, especially from countries where you don’t usually see signups
  • Sudden decrease in conversion rate (most fraudsters will not use the OTP, only generate them) 
  • High number of signups/OTP requests from the same IP address 
  • High number of signups within a limited range of mobile numbers (AIT numbers are usually fixed within a specific range of mobile numbers, for example: 01900000000, 01900000001, 01900000002, etc. or 0197604XXX1, 0197604XXX2, 0197604XXX3, etc.) 
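
A sketch of how three of these monitors (conversion rate, per-IP volume, number ranges) can be run over a batch of signup records, as an added example that is not part of the original article. The record fields, thresholds and sample rows are constructed for illustration, and the range check covers the fixed-prefix pattern (01900000000, 01900000001, ...) only.

```python
from collections import Counter, defaultdict


def ait_alerts(events, ip_limit=3, block_digits=3, block_limit=3, min_conversion=0.5):
    """events: dicts with 'ip', 'number' and 'verified' (the OTP was actually entered)."""
    alerts = []
    if not events:
        return alerts
    # 1. Conversion rate: pumped traffic requests OTPs but rarely submits them.
    rate = sum(e["verified"] for e in events) / len(events)
    if rate < min_conversion:
        alerts.append(("low_conversion", round(rate, 2)))
    # 2. Many signups/OTP requests from the same IP address.
    for ip, n in sorted(Counter(e["ip"] for e in events).items()):
        if n >= ip_limit:
            alerts.append(("ip_volume", ip, n))
    # 3. Many distinct numbers in one block (identical except the last few digits).
    blocks = defaultdict(set)
    for e in events:
        blocks[e["number"][:-block_digits]].add(e["number"])
    for prefix, numbers in sorted(blocks.items()):
        if len(numbers) >= block_limit:
            alerts.append(("number_block", prefix + "X" * block_digits, len(numbers)))
    return alerts


# Constructed sample: four unverified requests in one number block, two normal signups.
SAMPLE = [
    {"ip": "198.51.100.7", "number": "01900000000", "verified": False},
    {"ip": "198.51.100.7", "number": "01900000001", "verified": False},
    {"ip": "198.51.100.7", "number": "01900000002", "verified": False},
    {"ip": "198.51.100.8", "number": "01900000003", "verified": False},
    {"ip": "203.0.113.20", "number": "01012345678", "verified": True},
    {"ip": "203.0.113.21", "number": "01155501234", "verified": True},
]

if __name__ == "__main__":
    for alert in ait_alerts(SAMPLE):
        print(alert)
```

Run it per time window (for example hourly) and tune the thresholds against your own normal traffic before alerting on them.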

CEQUENS is here for you 

Telecommunications fraud affects even the biggest businesses, but the high-cost nature of AIT puts SMEs at even higher risk. Please remember that it is your responsibility to manage and detect fraud before it turns into extreme financial losses. We are currently working round the clock to find a permanent solution to this issue; however, the best way to protect your service is to implement higher security measures on the application itself.

We would also like to assure you that we work hard to detect any fraudulent or suspicious activity. That’s what makes us a leader. 

If you want to know more about AIT and how we keep our customers secure, talk to one of our specialists. 
