
Combat the Risks of SMS Pumping (Artificially Inflated Traffic)

by | Jun 26, 2023


A2P messaging has been growing in popularity amongst businesses looking to improve customer engagement through personalized communication. As A2P adoption has evolved, so has the threat landscape to the messaging ecosystem. The surge of SMS Pumping in recent times is an alarming trend and is a significant threat to the reliability of A2P messaging for business communication. Although it is a troubling phenomenon, the good news is that there are strategies to mitigate its effects. Read on to learn how to protect your business and customers from SMS traffic pumping fraud.

What is SMS Pumping (Artificially Inflated Traffic)?

SMS Pumping, also known as Artificially Inflated Traffic (AIT), is a fraudulent practice that threat actors use to generate high volumes of messages using bots or online software. Fraudsters create fake accounts to send a large number of requests for one-time passwords (OTP) via SMS. 

Attackers use automated software to enter phone numbers (fake virtual numbers or, less often, real ones) into online forms on websites and mobile applications connected to SMS systems. They can often input premium-rate numbers and choose A2P markets with high termination rates for traffic fraud to gain more profits. 

Many players may be involved in SMS traffic fraud, making it a complex problem to solve. 

Smaller Mobile Network Operators (MNOs) can sometimes inflate SMS traffic to show high usage statistics, thus making a profit out of it. Sometimes, lower-tier communication providers can inflate traffic for more revenue. They can repeatedly make OTP requests and then input the OTP codes into the client’s app or website, making the transaction appear legitimate. However, since the message does not reach the MNO, they can charge their client without having to pay the MNO. In some cases, businesses can take advantage of AIT to exaggerate their customer base to show misleading growth metrics.

What Are the Adverse Effects of Artificially Inflated Traffic?

AIT has far-reaching implications across the messaging ecosystem, negatively impacting MNOs, communication providers, and businesses. 

Financial Loss

AIT can cause staggering financial losses for businesses. Inflated traffic can exaggerate conversion statistics, resulting in businesses spending on messaging that did not serve them any purpose. Businesses can incur high costs for SMS services due to inflated traffic, which comes to light only after comparing message volumes against estimated returns. Moreover, traffic fraud drives up the cost of SMS messaging, affecting businesses that rely on SMS for customer communications. The increased cost can, in turn, drive businesses to seek more cost-effective solutions and explore alternative communication channels, resulting in a decline in demand for A2P SMS services.

Brand Reputation

Organizations whose messaging is compromised by AIT can suffer a loss of reputation since they can be considered non-compliant and illegitimate. Moreover, unsolicited messages can ruin user experience and erode customer trust. Since AIT has the potential to manipulate conversion statistics, it can end up diminishing the reliability of SMS, ultimately leading to businesses opting for alternative channels. The credibility of SMS as a secure messaging channel is at stake, and hence all parties should cooperate to mitigate the negative impact of SMS pumping fraud. 

How to Detect SMS Traffic Pumping Fraud?

It’s important to put measures in place to ensure that SMS pumping attacks do not go undetected. An unusual spike in SMS requests can be an indicator of inflated traffic. Similarly, a sudden increase in premium-rate numbers making OTP requests can also mean your SMS system has been compromised. Here are a few steps you can take to detect SMS traffic fraud as early as possible:

Monitor Conversion Rates

Keep an eye on the conversion rate, which is the ratio of the number of OTPs validated by users to the number of OTPs sent. If there’s an abnormal decline or increase in conversion rate, pay close attention to the numbers you are receiving requests from. 

Check for Abnormal Patterns

Monitor the frequency and distribution of SMS requests and look for deviations. For example, if messages are sent to a country where the business does not have any users, that is likely due to AIT. 

Incomplete Web Forms

Since bots or automated software fill the forms to input the phone number, the forms may be only partially completed or may contain irrelevant information. Check for invalid signups with details that look out of place. 

Identify Consecutive Number Ranges

Frequently, the inserted numbers form consecutive, unrealistic number ranges, e.g., +xxxxxxxxx001, +xxxxxxxxx002, +xxxxxxxxx003, etc. Checking for this type of pattern helps detect SMS pumping.
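The conversion-rate and consecutive-range checks described above can be run over an OTP request log. The following is an added example, not code from the original article or from Kaleyra; the event format, the prefix length, the thresholds and the sample numbers are all assumptions, and it flags only the low-conversion case.

```python
from collections import defaultdict

# Constructed sample OTP events: (destination number, OTP later validated?)
EVENTS = [
    ("+15550100017", True), ("+15550100342", True),
    ("+15550100981", False), ("+15550100455", True),
    ("+99900000001", False), ("+99900000002", False),
    ("+99900000003", False), ("+99900000004", False),
    ("+99900000005", False),
]

def conversion_by_prefix(events, prefix_len=4):
    """Return {prefix: (sent, validated, rate)}; rate = validated / sent."""
    sent, ok = defaultdict(int), defaultdict(int)
    for number, validated in events:
        prefix = number[:prefix_len]          # includes the leading "+"
        sent[prefix] += 1
        ok[prefix] += validated
    return {p: (sent[p], ok[p], ok[p] / sent[p]) for p in sent}

def suspicious_prefixes(events, min_sent=5, max_rate=0.1, prefix_len=4):
    """Prefixes with enough volume and an abnormally low conversion rate."""
    stats = conversion_by_prefix(events, prefix_len)
    return sorted(p for p, (s, _, rate) in stats.items()
                  if s >= min_sent and rate <= max_rate)

def consecutive_runs(numbers, min_run=3):
    """Return (first, last, length) for runs of numbers that differ by 1."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    runs, current = [], []
    for v in values:
        if current and v == current[-1] + 1:
            current.append(v)
            continue
        if len(current) >= min_run:
            runs.append(current)
        current = [v]
    if len(current) >= min_run:
        runs.append(current)
    return [(f"+{r[0]}", f"+{r[-1]}", len(r)) for r in runs]
```

In practice the thresholds would be tuned against each destination's normal conversion baseline rather than fixed.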

Measures to Prevent and Mitigate the Risks of Artificially Inflated Traffic

1. Choose Trustworthy Vendors

Evaluate your communication providers and only pick reputable vendors. Public companies typically undergo stricter controls on their practices and sources of revenue and hence may be more trustworthy.

Pick vendors that have signed the code of conduct by MEF. Check if the vendors are transparent and have processes to address AIT. Pick vendors that offer not only termination of SMS OTP but also complete verification systems (such as Kaleyra Verify) that create the OTP, send it, and verify that it is used appropriately to log in or confirm a transaction.

Prefer direct routes because the longer the chain to terminate an SMS OTP is, the more opportunities bad actors have to take advantage. You can work with your vendors to maintain a list of blacklisted and suspicious IPs. Go for vendors that offer a fallback for SMS OTP through alternative channels such as email or voice, which streamlines the authentication process and ensures your customers have a seamless experience.  

2. Implement Bot-Preventing Measures Like Captchas 

You can discourage threat actors by using libraries such as BOTd or CAPTCHAs in the online forms. By making it mandatory for users to validate themselves, you can prevent bot attacks while introducing minor changes to the user experience.

3. Set Rate Limits and Delays 

Prevent users from making repeated SMS requests from the same IP address or device. Set a maximum number of requests in a specific timeframe. By limiting the number of messages sent to certain number ranges or prefixes, you can safeguard your business against threat actors.

Implement delays between attempts to ensure the same number is not inundated with messages in a short duration. Exponential delays, which involve rising time gaps between retries, can also reduce bot attacks.

4. Disable Messaging Based on Geographical Location 

If your business does not operate in certain regions, you can disable sending messages to unused countries. Although you may have a global customer base, you can identify countries where you have no users and set geo permissions to disable messages to those destinations. 
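The rate limit, exponential delay and geo permission from measures 3 and 4 can be combined into one check that runs before any OTP is sent. This is an added example, not code from the original article or from Kaleyra; the class name, limits, delays and in-memory storage are assumptions (a real deployment would keep this state in a shared store), and the IP address and numbers are constructed.

```python
from collections import defaultdict, deque

class OtpSendGate:
    """Decides whether an SMS OTP request may be sent (illustrative policy)."""

    def __init__(self, allowed_prefixes, ip_limit=3, window=600, base_delay=30):
        self.allowed = tuple(allowed_prefixes)   # geo permission list
        self.ip_limit = ip_limit                 # max sends per IP per window
        self.window = window                     # window length in seconds
        self.base_delay = base_delay             # first retry delay in seconds
        self.by_ip = defaultdict(deque)          # ip -> timestamps of sends
        self.by_number = {}                      # number -> (attempts, last send)

    def check(self, ip, number, now):
        """Return (allowed, reason); `now` is seconds, passed in by the caller."""
        if not number.startswith(self.allowed):
            return False, "destination country disabled"
        recent = self.by_ip[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                     # drop sends outside the window
        if len(recent) >= self.ip_limit:
            return False, "ip rate limit"
        attempts, last = self.by_number.get(number, (0, None))
        if attempts:
            # Exponential delay: 30s, 60s, 120s, ... between sends to one number
            wait = self.base_delay * 2 ** (attempts - 1)
            if now - last < wait:
                return False, f"retry in {int(wait - (now - last))}s"
        recent.append(now)
        self.by_number[number] = (attempts + 1, now)
        return True, "ok"
```

Rejected requests are not counted against the limits here, and the per-number attempt counter never resets; both are simplifications of the sketch.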

How Does Kaleyra Help Address Artificially Inflated Traffic?

Customer trust is a top priority for Kaleyra. We are committed to protecting businesses and customers from fraud and providing secure and reliable communication. We work closely with businesses to help them monitor conversion rate trends to identify irregularities. Businesses can also use Kaleyra’s volumetric analytics to quickly find any abuses related to end subscriber numbering plans (sending to number ranges). If you suspect inflated SMS pumping fraud, reach out to us, and we’ll help you immediately. Kaleyra, being a global leader in A2P messaging, is dedicated to addressing fraudulent activities promptly and maintaining a trustworthy environment for business messaging.  

Kalaivani Narayanan


Content Specialist
