Minimising the risk of AIT fraud
Topic: SMS
26 July 2023
Business messaging involves various partners, networks, gateways, and protocols to ensure messages reach their intended destination. Given the complexity of this chain – and the ongoing threat from fraudsters – maintaining safety and trust calls for vigilance and collaboration at every stage.
One fraudulent scheme, called Artificially Inflated Traffic (AIT), is of growing concern and something we all need to take steps to minimise and prevent.
What is Artificial Inflation of Traffic (AIT)?
AIT (or SMS traffic pumping) is a type of fraud that generates high volumes of fake traffic via mobile applications or websites. Fraudsters can take advantage of a phone number input field to receive a one-time passcode (OTP), an app download link, or anything else via SMS. Without adequate safeguards and controls in place, attackers can inflate traffic by sending SMS to a range of numbers controlled by a specific mobile network operator (MNO) and receiving a share of the revenue generated. AIT, along with grey routes and SMS phishing, is one of the key risks within the business messaging ecosystem. And while operators and users bear the brunt of financial losses incurred by AIT, the relationship you’ve built with your customers – and the credibility of your organisation – can also suffer.
We often input our mobile number when we need to set up an online account. We might then receive a one-time password (OTP) to verify that number and complete our onboarding. While fast and easy sign-ups are great for businesses and for consumers, fraudsters can attempt fake sign-ups and scam businesses for the cost of SMS.
This is just one example of Artificially Inflated Traffic, or AIT.
How can you tell if AIT fraud is happening across your accounts?
You will notice a spike in messages sent to a block of adjacent numbers and often to remote destination countries. If you’re sending SMS for a one-time passcode (OTP) use case, you will notice that verification cycles are incomplete. However, in both cases, you may not become aware of this activity until some time after the event.
What we’re doing to protect you
With the right tools and technologies in place, there are ways to detect, reduce and mitigate AIT fraud. At Esendex, we’re committed to delivering the highest standards of accountability and are proud to be ISO27001 certified. We work continuously with customers to reduce the risk of fraud through:
Pattern detection / real-time monitoring:
· using various metrics and data analytic tools, we work to detect any anomalies including identifying possible AIT fraud
· multi-factor authentication
· when we, or a partner, detect possible AIT fraud, we work quickly to confirm it, block it and report back to customers
· reduce players to maintain a shorter trust chain
· continuously analyse send and destination country activity by account
· maintain a register of known high-risk SMS send destinations
· we support our customers and share in-country information about the threats associated with fraudulent practices, current legislation and best practice, and the dangers of poor procurement processes.
What can you do to minimise risk?
Consumers are understandably anxious about data privacy and security, but also want faster and easier access and connectivity to brands and businesses. So how can you as a business manage these conflicting expectations without taking undue risk?
Use tools/technologies at your disposal
· Multi-factor authentication: making small changes to your user experience such as ensuring that users confirm email addresses before enrolling in 2FA can deter automated scripts and bots
· Use CAPTCHA and similar tools to block fraudulent bots on mobile number collection forms
· Limit your account to send to countries you operate within
· Speak to your Esendex account manager about setting up payment thresholds to limit any potential liability
· Consider using sub-accounts to split SMS OTP sends away from other messaging. This reduces the likelihood of AIT traffic remaining undetected within high-volume marketing accounts
· Set rate limits, for example 1 message per x seconds per number range/prefix
· Monitor your conversion rates. If you notice conversion rates starting to drop, especially in an unexpected country, it could be worth reviewing as it can be an indicator of AIT fraud.
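Three of the controls above (country restriction, a rate limit per number range, and conversion monitoring) can be combined into one pre-send check. The following is an added example, not Esendex code: the class name, thresholds and the two-digit grouping of adjacent numbers are assumptions, and the phone numbers are constructed test values.

```python
from collections import defaultdict, deque

class OtpSendGuard:
    """Pre-send checks for SMS OTP requests. All thresholds are assumed values."""

    def __init__(self, allowed_prefixes, block_digits=2, min_interval=30.0,
                 window=20, min_conversion=0.2):
        self.allowed = tuple(allowed_prefixes)  # country codes you operate in
        self.block_digits = block_digits        # trailing digits dropped to group adjacent numbers
        self.min_interval = min_interval        # seconds between sends to one number block
        self.window = window                    # recent sends per block used for conversion
        self.min_conversion = min_conversion    # below this the block is treated as suspect
        self.last_send = {}                     # block -> time of last accepted send
        self.outcomes = defaultdict(lambda: deque(maxlen=window))  # block -> [number, verified]

    def block_of(self, msisdn):
        return msisdn[:-self.block_digits]

    def conversion(self, msisdn):
        """Share of recent sends to this number block that ended in a verified OTP."""
        sends = self.outcomes[self.block_of(msisdn)]
        return sum(v for _, v in sends) / len(sends) if sends else None

    def check(self, msisdn, now):
        """Return 'send', or the reason the OTP SMS is refused."""
        if not msisdn.startswith(self.allowed):
            return "blocked: destination country not enabled"
        block = self.block_of(msisdn)
        sends = self.outcomes[block]
        if len(sends) == self.window and self.conversion(msisdn) < self.min_conversion:
            return "blocked: low conversion for number block"
        last = self.last_send.get(block)
        if last is not None and now - last < self.min_interval:
            return "blocked: rate limit for number block"
        self.last_send[block] = now
        sends.append([msisdn, False])
        return "send"

    def mark_verified(self, msisdn):
        """Call when the user submits the correct code, completing the cycle."""
        for entry in reversed(self.outcomes[self.block_of(msisdn)]):
            if entry[0] == msisdn and not entry[1]:
                entry[1] = True
                return

if __name__ == "__main__":
    guard = OtpSendGuard(["+44"], window=5)
    # Constructed traffic: adjacent numbers, 31 s apart, no code ever verified.
    for i in range(7):
        print(guard.check(f"+4477009001{i:02d}", now=31.0 * i))
```

A number block refused for low conversion stays refused until outstanding codes are verified, so pair the refusal with an alert and a manual review.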
You’re not alone
Spotting fraud and mitigating against it is a collaborative effort between networks, your team and ours. We are proactively and continuously looking at ways to keep our systems and solutions safe, so messages are sent and received as intended.
With dedicated teams of product, traffic and compliance specialists in every country we operate in, help is always close at hand, so please reach out to us if you have any immediate concerns.