
Exploring AIT and SMS Fraud with Tim Ward of XConnect


6.7 billion dollars. 

This sum represents the annual toll exacted by Artificially Inflated Traffic (AIT) fraud.  

To uncover the dark secrets behind this staggering figure and delve deep into the issue of AIT fraud, we sat down with Tim Ward, the Vice President of Number Information Services at XConnect.

With over three decades of experience in the telecoms industry, Tim Ward brings a wealth of knowledge and insights to the table. At XConnect, he has taken the helm of the Number Information Services division, leading initiatives in sales, marketing, and product management. Under his guidance, XConnect has launched innovative services that set new standards for access to network, service, and user information.

Tim is a passionate advocate for establishing a level playing field across the telecoms sector. He envisions a future with common standards that ensure the highest quality of service. Tim believes XConnect has a pivotal role to play in achieving this vision. To drive this agenda forward, he collaborates with key industry stakeholders and organizations like MEF and GSMA.

Join us for this insightful conversation with Tim Ward as we navigate the complex terrain of AIT and SMS fraud, exploring strategies to protect users and telecoms in an ever-changing landscape.

Could you provide an overview of what Artificially Inflated Traffic (AIT) is and how it differs from traditional SMS fraud methods?

AIT is a term that encompasses a wide range of fraud types – artificially generated traffic, artificially inflated traffic, and traffic trashing – and is a growing trend in the telecoms industry. The most prominent involves threat actors creating bot accounts which then trigger a flood of fake requests for one-time-passwords (OTPs) or two factor authentication (2FA) requests from organizations. Fraudsters use premium rate and ghost numbers to incur inflated charges by triggering an A2P request, which is then sent via a high-cost route to rack up increased fees. This allows rogue mobile network operators (MNOs) or another rogue party, who receives revenue share, to profit from the increased charges.

The most obvious implication of AIT to service providers is financial loss. According to the Communications Fraud Control Association (CFCA), fraud costs global telecom companies $39.89 billion in revenue losses a year. Despite the traffic being fake, the organization using the service still receives a charge for the termination. A large flood of AIT can quickly drain revenues. 

What sets AIT fraud apart from other traditional methods is how closely it can mimic regular user behavior. AIT is much harder to detect and protect against because of this, as service providers can’t distinguish fake traffic from legitimate requests. OTP and 2FA requests aren’t typically flagged as spam, allowing fraudsters to bypass organizations’ firewalls.

AIT involves the generation of large volumes of fake traffic through apps and websites. How do fraudsters typically exploit weakly protected web services to carry out AIT attacks?

Typically, threat actors will target poorly protected web services, such as web forms and apps that can generate A2P SMS. The traffic that they generate is sent from a user’s normal system and the messages don’t contain any abnormal content.

Attacks can be carried out via various fronts, such as a sign up requiring 2FA via an SMS or requesting a change to an existing account triggering an SMS 2FA transaction. Smartphone emulators using bots are frequently used to carry out attacks on apps, and bots are used to trigger attacks on websites.

Another example would be initiating an attack during off-peak hours as systems aren’t usually as strictly monitored. They can then begin gradually sending requests to stay under the radar.

OTP SMS (One-time password SMS) is a common target for AIT attacks. How do fraudsters trigger OTP SMS to multiple mobile numbers, and what are the implications for end users and service providers?

Fraudsters are able to trigger OTPs to multiple numbers by leveraging AI. They can generate AIT by running automated scripts or creating bots that make fake accounts or requests that trigger messages.

This has the potential to lead to the erosion of trust for SMS channels. If A2P SMS is associated as a channel synonymous with excess charges and fraud, those who use it will look for alternative channels to reach their customers, redirecting revenues to ones they deem to be more reliable.

The lack of trust in SMS as a communication channel could cause organizations to move away from using it which would have far-reaching consequences on revenues across the entire telco ecosystem.  It would also cause users to move away from what is a universally used tool and either move away from 2FA entirely or move to more complicated or expensive solutions. 

Given that AIT-generated traffic can closely resemble legitimate traffic patterns, how challenging is it for organizations to differentiate between AIT attacks and legitimate SMS campaigns?

It is incredibly challenging for organizations to differentiate between legitimate campaigns and an AIT attack. Threat actors are constantly evolving their methods, and only a few companies have the right protection in place.

AI systems for the most part will consider AIT normal user behavior. Without comprehensive data sets in place organizations struggle to pre-validate numbers and ensure they’re legitimate.

Are there specific industries or sectors that are more vulnerable to these types of attacks?

Big Tech companies are incredibly vulnerable to AIT attacks. Their products and services are relied upon globally by millions, which makes them prime targets for bad actors. Big Tech companies have large profit streams that fraudsters can tap into, and the size of these streams makes it less likely for fraudulent activity to be noticed. This means companies take longer to realize their profits are being drained, leading to them losing millions to fraud every year.

A recent example of how Big Tech is at risk can be seen within the hit on X (formerly known as Twitter), in which its CEO, Elon Musk, reported that the platform lost $60 million a year due to AIT fraud. According to Musk, 390 telcos used bot accounts to pump 2FA SMS texts repeatedly, causing massive losses for the social media giant.

The largest tech companies are constantly under attack from bad actors as they’re such lucrative targets, and AIT is a challenge that will continue to impact more businesses if it isn’t addressed.

As AIT continues to evolve, what are the key technological and security challenges that telecommunications providers and organizations face in detecting and preventing this type of fraud?

AIT is difficult to identify as it’s not regulated under common SMS agreements and regulations. This means it can bypass MNO firewalls, because OTPs aren’t considered spam. The development of sophisticated bots and software is making it much easier for bad actors to mimic user behavior and remain undetected. These systems are being made widely available to cybercriminals as software-as-a-service (SaaS) solutions for purchase.

Without a solution to analyze the traffic requesting these passcodes, it’s impossible to determine its origin, and therefore whether it is legitimate or not. This means AIT will continue to go undetected and uninhibited.

Could you elaborate on the concept of “gray routes” and their connection to AIT? How do these routes contribute to the growth of AIT attacks?

A gray route is a route by which traffic enters a network that is not sanctioned by the MNO. It is less expensive, or in some cases free, because it does not fairly compensate the telecom providers that facilitate it.

These routes are illegal in some regions because even though they are not properly monetised, the telecom providers are still paying for signaling and network maintenance for this traffic. 

These routes carry untrusted, potentially fraudulent traffic, including artificially inflated traffic. The presence of gray routes therefore provides a channel for fraudsters to inflict harm to organizations’ revenue streams.

It’s crucial that companies close down these gray routes, or they won’t be able to achieve their full revenue potential. The right data sets allow organizations to implement direct routing of their A2P messaging traffic, giving them new competitive advantages. Direct routing gives them control of gray route traffic while reducing transit fees.

XConnect specializes in phone number data intelligence services. How does XConnect contribute to combating AIT and other forms of SMS fraud? What solutions or technologies do you offer to address these challenges?

In today’s challenging telecoms environment, tackling AIT and other forms of SMS fraud is high on the agenda for businesses looking to optimize their business messaging operations.

To ensure organizations can remain competitive and deliver messages with confidence, they need proper systems in place for traffic validation. 

Our Global Number Range (GNR) and Mobile Number Portability (MNP) data solutions verify whether a number belongs to a valid number range and is in the correct format (correct length, country code, etc.), and check whether a number has been recently ported. This allows organizations to determine the validity and routing of a number before OTP or 2FA responses are sent out. Our customers are typically seeing that 10% of requests can be eliminated as fraudulent or incorrect numbers.

Having dependable data solutions in place enables companies to save costs, drive trust, and ensure they are maximizing efficiency within their messaging operations. Organizations gain the ability to execute their outbound message services with accuracy – the first time, every time.

In your experience, what are some of the most surprising or innovative tactics you’ve seen fraudsters use to artificially inflate SMS traffic, and how do these tactics challenge traditional detection methods?

Threat actors are constantly evolving their attack methods for bigger pay-outs. In line with modern trends, the latest tactics that we are now witnessing involve leveraging AI to carry out more rapid attacks.

By implementing AI, cybercriminals are able to artificially inflate traffic on a much larger scale. Creating bots allows them to make requests using thousands of numbers in a short period of time while masquerading as a normal user to avoid detection.

According to recent findings, AIT is projected to be a leading threat in the messaging landscape. Looking ahead, what strategies and innovations do you believe will be essential to stay ahead of AIT attackers and protect users from these fraudulent activities?

Fraud in messaging is a challenge that is here to stay, and companies cannot afford to remain passive. Deploying trusted numbering data to detect and assist in the mitigation of AIT is essential in the growing threat landscape.

Using GNR and MNP data enables companies to focus on the interactions that matter by rapidly pre-validating numbers before systems respond to OTP, 2FA, and other A2P requests. 

Pre-validating the traffic in their systems enables them to minimize damaging losses. Implementing solutions like these, along with analytics-based solutions, will ultimately restore trust within the industry and reduce the costs associated with fraud.

Lastly, looking beyond AIT, what other trends or shifts do you foresee in the landscape of SMS fraud? How might organizations prepare for these changes and proactively adapt their strategies?

Bad actors are continually developing their methods of attack and this extends beyond AIT. Robotexts are a growing challenge for telcos. Just like with robocalls, it’s possible for fraudsters to mask their number and imitate a familiar company or government agency.

They will leverage these messages to prompt a response from their victims, such as clicking on a link they have sent, which they can then use to steal valuable and personal information. Also known as “smishing”, hackers have turned to this method as spam filters have made it harder to send false emails, and victims are much more likely to click on a text message. 

This issue needs to be addressed. If companies are not aware of these tactics and don’t have the proper validation solutions in place, fraudsters can exploit and deplete their revenue streams. In order to restore trust in telecoms, companies must take a proactive stance and prepare themselves for the inevitable risk of future fraud attacks.
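
The pre-validation described in the interview (format, length, country code and number range checked before an OTP is sent), shown as an added example; it is not XConnect's code or data. The range table, the `prevalidate` name, the mobile-only rule and the per-range send limit are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample range table, NOT real numbering data.
# prefix (country code + leading digits) -> expected total digits, range type
RANGES = {
    "4477009": {"digits": 12, "kind": "mobile"},
    "4487": {"digits": 12, "kind": "premium"},
    "1555": {"digits": 11, "kind": "mobile"},
}
ALLOWED_KINDS = {"mobile"}  # assumption: OTPs are only sent to mobile ranges
MAX_PER_RANGE = 3           # assumption: accepted sends per range per window
E164 = re.compile(r"^\+[1-9]\d{6,14}$")  # '+' then 7 to 15 digits

def normalize(raw):
    """Strip common separators; return the digits without '+', or None."""
    cleaned = re.sub(r"[\s\-().]", "", raw)
    return cleaned[1:] if E164.match(cleaned) else None

def match_range(digits):
    """Longest-prefix match of the number against the range table."""
    for end in range(len(digits), 0, -1):
        if digits[:end] in RANGES:
            return digits[:end]
    return None

def prevalidate(raw, window_counts):
    """Decide whether to send an OTP. window_counts is a Counter of sends
    already accepted per range prefix in the current time window."""
    digits = normalize(raw)
    if digits is None:
        return False, "bad_format"
    prefix = match_range(digits)
    if prefix is None:
        return False, "unknown_range"
    entry = RANGES[prefix]
    if len(digits) != entry["digits"]:
        return False, "bad_length"
    if entry["kind"] not in ALLOWED_KINDS:
        return False, "range_type_blocked"
    if window_counts[prefix] >= MAX_PER_RANGE:
        return False, "range_velocity"  # many numbers from one range at once
    window_counts[prefix] += 1
    return True, "ok"

if __name__ == "__main__":
    counts = Counter()
    # Constructed OTP requests, one per reject reason plus an accepted one
    for n in ["+44 7700 900123", "07700900123", "+33612345678", "+448712345678"]:
        print(n, prevalidate(n, counts))
```

Rejected requests never reach the SMS gateway, so no termination charge is incurred for them; the reason codes can be logged to show which ranges are being targeted.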
