SMS fraud is a form of telecommunications fraud that exploits the mobile messaging system for financial gain. It can take many forms – SMS toll fraud, smishing, malware spreading, and more – but what they have in common is bad actors using SMS workflows to perpetrate crimes. As one of the most commonly used messaging channels among businesses and consumers, with an estimated 23-27 billion text messages sent every day,1 SMS traffic is a high-volume and therefore lucrative target for misuse.
The Versatile SMS
Individuals, businesses, governments, and other organizations use SMS extensively in many different ways. Not only is SMS a widely accessible communication channel, it is also fast and cost-efficient, making it a popular choice for varied communication needs. Some of its versatile uses include:
- One-on-one or group text messaging among individuals
- Business communication with customers, clients, and employees
- An extra layer of security for online accounts through two-factor authentication (2FA) or multi-factor authentication (MFA)
- Customer notifications of new products, promotional offers, and discounts
- Customer service support
- Mobile banking and payment notifications
- Appointment reminders
- Updates, reservations, and itineraries for the travel and hospitality industry
- Delivery status, tracking information, and estimated delivery times for e-commerce companies
- Charitable donations and fundraising campaigns
- Emergency alerts in cases of natural disasters
Its ubiquity and simplicity make SMS an integral part of business communication strategies, and opting out of SMS would be impractical because of the risk that doing so would pose to revenue streams and new business opportunities. Organizations must, however, keep abreast of the novel attacks that cybercriminals are creating to exploit SMS traffic.
Types of SMS Fraud
In addition to the traditional abuse of SMS channels for smishing, identity fraud, deceptive offers, and malware distribution, attackers are increasingly colluding with complicit mobile network operators (MNOs) and aggregators for automated SMS toll fraud, also known as SMS pumping or artificially inflated traffic fraud.
Here’s a quick look at the numerous ways attackers exploit SMS:
- SMS Toll Fraud: Also called artificially inflated traffic (AIT) or SMS pumping, and closely related to International Revenue Share Fraud (IRSF), this is when bad actors trick businesses into sending text messages to premium-rate numbers under their control, inflating the business's telecom bill. Attackers collude with complicit MNOs or aggregators, abuse business SMS workflows such as one-time passcode (OTP) and phone-verification forms to trigger massive volumes of messages to premium-rate number ranges, and share the illegitimate revenue so generated.
- Fake Notifications: Through fake alerts and warnings, notifications about promotions or discounts, and fraudulent offers from what appear to be popular apps or services, attackers instruct recipients to act immediately, such as sharing bank account information to receive prize money.
- Malware Distribution: Attackers lace SMS text messages with links or attachments that, when clicked, install malware on the recipient's mobile device and facilitate data stealing or spying on the user.
- Smishing (SMS Phishing): Fraudsters send text messages purportedly from a legitimate organization that contain malicious links and play on the psychology of the recipient. For instance, smishing messages urge consumers to act immediately lest they lose access to an online account. Once clicked, these links redirect the user to fake or clone websites and lure them into sharing sensitive personal and financial information, such as login credentials, credit card details, or social security numbers.
- Identity Theft: Fraudsters use SMS fraud for identity theft schemes by impersonating a consumer using stolen personal information or login credentials. They may send phishing messages to steal login credentials, or use SMS to bypass two-factor authentication by convincing victims to hand over the codes sent to their phones. They may then use the compromised account to message the victim's contacts and trick them into sharing personal details as well.
- SMS Spoofing: Attackers alter the sender information in a text message so that it appears to come from a trusted alphanumeric sender ID (a bank or brand name, for example) rather than an unknown mobile number. Because the spoofed message lands in the same conversation thread as the genuine bulk service messages or alerts sent under that ID, recipients have little reason to question it.
- SIM Boxes: Known as "gray route" devices, SIM boxes hold large numbers of prepaid person-to-person (P2P) SIM cards and route application-to-person (A2P) business traffic through them. Because an SMS sent from a consumer SIM costs far less than a legitimate A2P termination, the operator of the box pockets the difference, while the traffic bypasses the operator's A2P filtering and reaches recipients from unrecognizable numbers.
- SIM Swapping: By social engineering mobile carriers or customer service representatives, attackers transfer a victim's mobile phone number to a new SIM card, under their control. This allows them to intercept SMS-based 2FA codes and gain access to victims’ accounts.
- SMS Spam: With SMS spam, attackers distribute their malicious text messages en masse.
The Far-Reaching Consequences of SMS Fraud
SMS fraud can have a significant negative impact on consumers and organizations. In 2022, consumers in the US lost more than $8.8 billion to fraud, with SMS smishing registering a 30% increase over the previous year.2
In addition to direct monetary losses, SMS fraud adversely affects operational efficiency, increases the burden on customer support, and erodes consumer trust. Organizations may need to invest in additional security measures, which not only add a financial toll but can degrade user experience. Inability to protect consumers may result in negative publicity, further impacting new customer acquisition as well as exposing the business to regulatory and other legal ramifications.
Bot-driven SMS toll fraud, in particular, can hugely swell the phone bills of an organization by scaling up fraudulent sending of SMS messages to premium-rate numbers. And with little recourse available to mitigate the loss after SMS initiation, businesses are left with no option but to absorb the financial blow.
How to Protect Against SMS Fraud
SMS firewalls, deployed by operators and aggregators, are widely used to protect mobile networks from spam, fraud, and phishing messages. Firewalls that add machine-learning classification to static rules can improve detection and help reduce false positives, but they sit in the carrier network and do not stop a business's own application from being tricked into sending messages in the first place.
One of the most important protections businesses should consider is implementing a smart bot management solution, such as Arkose Bot Manager. By placing this early in the funnel, on the login or account creation flow, companies prevent bot traffic from reaching the SMS initiation stage, thereby preventing fraud and saving on telecom bills.
Other protection methods include:
- CAPTCHAs: CAPTCHA challenges have traditionally been used to determine whether a user is human. However, with bots acquiring human-like capabilities, and legacy CAPTCHAs still stuck in outdated technology, they provide sub-par protection. Instead, businesses must look to implement smart CAPTCHAs like Arkose MatchKey for superior protection against the most advanced bots.
- Web Application Firewalls (WAFs): Use WAFs to filter and monitor HTTP traffic between a web application and the internet according to defined rules, blocking known-bad and obviously automated requests before they reach the endpoint that triggers an SMS, while letting genuine users through with minimal friction.
- Rate Limiting: Limit the number of SMS messages any single user, destination phone number, or client IP address can request within a specified duration, such as per minute or per hour. Per-IP limits stop automated scripts launched from a single source; per-number and per-number-range limits catch the repeated requests to the same premium-rate ranges that characterize SMS pumping.
- Geo Restrictions: Set up geographical restrictions to block SMS traffic to country codes and regions where the business has no customers.
- Bot Detection: Deploy efficient bot detection solutions that leverage the latest technologies to accurately identify and stop bots, thereby preventing SMS fraud from achieving scale.
Arkose Labs’ Approach to Fighting Automated SMS Toll Fraud
To prevent automated bot attacks, including SMS toll fraud, leading businesses across the globe trust Arkose Labs’ innovative approach to fraud prevention. Businesses use Arkose Bot Manager to intercept bots before they can reach SMS workflows, preventing them from triggering mass dissemination of SMS texts.
Arkose Labs triages incoming traffic and uses hundreds of digital parameters to assess the real-time risk associated with each user. This assessment informs the proprietary challenge-response authentication mechanism, which presents appropriate Arkose MatchKey challenges when suspicious sessions are detected.
While genuine users may not even encounter a challenge and cruise along their digital journeys, the same is not true for automated traffic bots, scripts, and malicious human users or click farms. Bots of varying advancement levels cannot clear these challenges and fail instantly. This is because Arkose MatchKey challenges are built to outsmart even the most intelligent bots, making them the toughest CAPTCHAs on the market. Persistent malicious users encounter challenges of increasing complexity, until cybercriminals give up because the attack has become financially non-viable.
Arkose Labs’ unique layered approach ensures long-term protection. To further augment its partners’ fraud detection capabilities, Arkose Labs shares data-backed insights, the latest threat intelligence from its global client network, and a responsive 24x7 SOC support. It’s all backed by a $1M warranty against automated SMS toll fraud.
Learn more about how Arkose Labs can help your business combat SMS toll fraud.