Staying Ahead of AIT: How to Protect Your Account From Artificially Inflated Traffic
In this blog post, you can learn more about Artificially Inflated Traffic (AIT) and what you can do to protect yourself against it.
The use of application-to-person (A2P) SMS messaging by businesses is more widespread than ever, with SMS used for a wide range of beneficial purposes including mass communication, notifications, reminders, marketing, alerts and security.
Unfortunately, the threat landscape has evolved too. The latest threat is Artificially Inflated Traffic (AIT), also known as Traffic Pumping, where fraudsters generate artificial traffic by triggering one-time password (OTP) SMS messages. This is neither spam nor phishing, which is what usually comes to mind when talking about fraudulent SMS traffic.
A few years ago, Artificially Inflated Traffic was a small threat, but today AIT is the hot topic in the telecom industry, with a focus on what can be done to curb it. Talks of AIT even reached the mass media when Elon Musk announced that Twitter (now X) was losing as much as $60 million a year due to bot-generated SMS traffic.
That being said, the risk of being hit by AIT is fortunately still low. However, due to the scale of the scam, which can run into tens of thousands of euros, it’s important to be aware of the threat and take precautions.
How does Artificially Inflated Traffic (AIT) work?
In short, the artificial traffic is created by bots that hit a sign-up or login flow on a website and request OTP codes for mobile numbers that the scammers have a financial incentive to drive traffic to. The messages are not the result of leaked API keys or a security flaw in GatewayAPI; the fraudsters exploit a weakness in the website's own OTP flow, typically one that lets anyone trigger an SMS without limits or bot protection, to generate the large volume of messages.
AIT scams typically unfold in the following way:
- A fraudster constructs or acquires a bot that can generate fake accounts.
- The fraudster finds a vulnerable flow and unleashes the bot, which triggers OTP messages to a series of mobile numbers, e.g. 10,000 numbers, that the fraudster has a financial incentive to drive traffic to.
- The fraudster claims the revenue, typically a share of the termination fee that the receiving operator is paid for every delivered message.
- This scam can then be repeated over and over again.
As the owner of the account from which the OTP messages are sent, you will most likely bear the financial responsibility: the messages are registered as delivered and billed like any other traffic. The SMS messages are often sent to mobile networks in remote countries where the cost per SMS is high, so the cost quickly adds up.
Examples of flows where OTP messages are included
Below you can see examples of common uses of OTP SMS messages, giving you an insight into the contexts where OTP messages are used on a daily basis to create value for businesses and end-users. Unfortunately, it is in these flows that fraudsters often strike if security is inadequate.
- Verifying new user registrations: When a new user attempts to create an account, they may be asked to enter their phone number. An OTP is then sent to this number. The user must enter this code on the website to complete the registration process. This helps to combat fake accounts and fraud.
- Access to accounts: OTP messages via SMS can help users restore access to their account if they have forgotten their password. When the user chooses to reset their password, the system can send an OTP to their registered phone number. The user must then enter this code to verify their identity and continue with the reset process. This helps to ensure that only the correct user can reset the password.
- Voting systems: For online polls, which can include anything from popular TV shows to voting in a housing association, organizers can send an OTP via SMS to each participant to ensure that each person only votes once.
- Patient identity: A medical practice can use OTPs to verify patient identity when booking online appointments or accessing health information. This ensures that only the legitimate patient has access to their own information, providing an extra layer of security.
- Validating user reviews: If a business has an online platform where customers can leave feedback or review products, they can use OTP via SMS to verify the identity of the reviewer. When a customer submits a review, a one-time code can be sent to their phone number. The customer must then enter this code to confirm their review. This can help the business ensure authentic and trustworthy reviews.
- Payment gateways: When a user makes an online transaction, payment gateways can use OTPs sent via SMS to confirm the transaction, increasing security.
How can you protect yourself from AIT?
Scams are becoming more and more sophisticated in all industries as the years go by. Just take a recent example with Spotify, where scammers defraud Spotify and artists by uploading AI-generated songs and then using bots to stream them. This type of fraud didn't exist just a few years ago.
While there is no specific strategy to combat all forms of AIT, companies and organizations can take certain preventative measures that can significantly reduce the risk of an attack. We’ll go through them below.
Geo Permissions tool
To effectively protect your GatewayAPI account from abuse, we strongly recommend that you use the Geo Permissions tool available in your GatewayAPI dashboard. This ensures that your account can only send SMS messages to approved countries.
You can choose to block SMS traffic to all countries except those to which you actually send messages. This approach is especially relevant if you control the SMS broadcasts yourself and have full control over where they are sent to.
If, on the other hand, you have a SaaS service or an IT platform where SMS communication is integrated and you have customers all over the world, it can be difficult to predict which countries SMS messages are sent to. In this case, you may instead consider allowing all countries except for certain high-risk countries.
Read more about how to set up Geo Permissions in our FAQ section. Please note that this feature is only available for the REST API.
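As an added example (not GatewayAPI's own code or API), the same deny-by-default principle can be enforced in your own application before a request ever reaches the gateway, which also covers integrations that don't go through the REST API. The calling-code table, the `GeoPolicy` class and the `gateway_send` callback are assumptions made for this illustration; the two modes mirror the two approaches above (only approved countries, or everything except a block list):

```python
import re

# Constructed subset of country calling codes -> ISO 3166-1 alpha-2 (illustration only;
# a real deployment needs a complete table, e.g. from the `phonenumbers` library).
# "1" is the whole North American Numbering Plan: it covers the US and Canada but
# also Caribbean networks, so a plain "+1" allow rule is broader than it looks.
CALLING_CODES = {
    "1": "NANP", "7": "RU", "33": "FR", "44": "GB", "45": "DK", "46": "SE",
    "47": "NO", "49": "DE", "62": "ID", "91": "IN", "225": "CI", "234": "NG",
    "880": "BD",
}

E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def destination_country(number: str):
    """Return the country label for an E.164 number, or None if the number is
    malformed or its calling code is not in the table."""
    if not E164.fullmatch(number):
        return None
    digits = number[1:]
    # Calling codes are 1 to 3 digits and prefix-free, so try the longest first.
    for length in (3, 2, 1):
        country = CALLING_CODES.get(digits[:length])
        if country:
            return country
    return None


class GeoPolicy:
    """Deny-by-default destination filter applied before an SMS is handed to the gateway.

    mode="allow": send only to the listed countries (you control all broadcasts).
    mode="deny":  send to every known country except the listed ones (global SaaS).
    Unknown or malformed destinations are blocked in both modes."""

    def __init__(self, mode: str, countries):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.countries = frozenset(countries)

    def permits(self, number: str) -> bool:
        country = destination_country(number)
        if country is None:
            return False  # fail closed: never pay for a destination you cannot classify
        if self.mode == "allow":
            return country in self.countries
        return country not in self.countries


def send_otp(number: str, policy: GeoPolicy, gateway_send) -> bool:
    """Gate a hypothetical gateway_send(number) call behind the policy.
    Returns True if the message was handed to the gateway."""
    if not policy.permits(number):
        return False
    gateway_send(number)
    return True
```

The important design choice is that an unrecognised calling code is blocked rather than allowed through: the whole point of the control is to stop paying for destinations you never expected to serve.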
Adding reCAPTCHA, hCAPTCHA or KeyCAPTCHA
You can also insert reCAPTCHA (I’m not a robot), hCAPTCHA (select all images with traffic lights) or KeyCAPTCHA (assemble the puzzle) on the flow from which the OTP message is generated to prevent bot activity and automated abuse.
This will of course add a bit of friction, which doesn’t always sit well with the marketing or sales department when it comes to sign up flows. However, it can be done in a way that doesn’t significantly impact the user experience.
Set up restrictions and time delays
You can set up restrictions in your own system to guard against repeated requests from the same IP address, device or phone number by setting a maximum number of requests per second, minute or hour.
The use of time delays, where the time interval between allowed entries increases exponentially, is also something that can effectively put an end to bot activity.
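Worked example of both measures in one request gate, added here and not taken from the original post: sliding-window caps per IP address, device and phone number, plus an exponentially growing wait between repeat sends to the same number. The `OtpRequestGate` class, its limits and the in-memory storage are assumptions; a real deployment would keep the counters in a shared store such as Redis so that every application instance sees the same numbers.

```python
import time
from collections import defaultdict, deque


class OtpRequestGate:
    """Decide whether an OTP SMS may be sent for one request.

    limits maps a key kind ("ip", "device", "number") to (max_sends, window_seconds):
    a sliding-window cap on SMS actually sent for that key. On top of that, repeat
    sends to the same number must wait base_delay * 2**(n-1) seconds after the n-th
    send (capped at max_delay) until reset() is called, e.g. when the code is verified.
    """

    def __init__(self, limits, base_delay=30.0, max_delay=3600.0, clock=time.monotonic):
        self.limits = dict(limits)
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self.sends = defaultdict(deque)  # (kind, key) -> timestamps of sends in window
        self.backoff = {}  # number -> (last_send_time, consecutive_sends)

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] >= window:
            q.popleft()

    def check(self, ip: str, device: str, number: str):
        """Return (allowed, reason). Only allowed requests are recorded, so the
        counters track SMS spend rather than attempts."""
        now = self.clock()
        keys = (("ip", ip), ("device", device), ("number", number))
        for kind, key in keys:
            if kind not in self.limits:
                continue
            max_sends, window = self.limits[kind]
            q = self.sends[(kind, key)]
            self._prune(q, now, window)
            if len(q) >= max_sends:
                return False, f"rate limit exceeded for {kind}"
        last, count = self.backoff.get(number, (None, 0))
        if last is not None:
            required = min(self.base_delay * 2 ** (count - 1), self.max_delay)
            remaining = required - (now - last)
            if remaining > 0:
                return False, f"retry after {remaining:.0f}s"
        for kind, key in keys:
            if kind in self.limits:
                self.sends[(kind, key)].append(now)
        self.backoff[number] = (now, count + 1)
        return True, "ok"

    def reset(self, number: str):
        """Clear the backoff once the user proves control of the number (code verified)."""
        self.backoff.pop(number, None)


if __name__ == "__main__":
    gate = OtpRequestGate({"ip": (3, 60), "number": (5, 3600)})
    print(gate.check("203.0.113.5", "dev-a", "+4542688353"))  # first send is allowed
    print(gate.check("203.0.113.5", "dev-a", "+4542688353"))  # immediate repeat is held back
```

Usage note: call `check()` before handing the message to the gateway and `reset()` after a successful verification, so a genuine user who mistyped the code once is not punished for long, while a bot hammering the same number sees the wait double on every send.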
How do you detect AIT?
It is possible in some cases to nip AIT in the bud. It’s common for fraudsters to carry out small broadcasts to begin with, and then hit the accelerator – often on weekends or after work hours when you’re not as vigilant.
Scammers can also keep it going for longer periods of time, gradually sending out messages at a level that stays under the radar, like the Twitter example.
We recommend keeping an eye out for the following:
- Track the conversion rate on the OTP messages: Keep an eye on how many recipients actually enter the code that was sent. Bots request codes but never enter them, so a drop in the conversion rate may indicate that you need to be extra careful.
- Check if consecutive number series are used: Fraudsters have often acquired number series, which means that the entered numbers will typically be identical except for the last digits, e.g. +4542688353, +4542688354, +4542688355, +4542688356.
- Look for suspicious patterns: Are many messages being sent to countries where your company has no users? Are messages being sent at times when no messages are normally sent? Or have you seen an increase in traffic without being able to explain why? Again, this could be a sign that you need to be extra careful.
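The three checks above, run over a constructed OTP log as an added example (not the page's own tooling). The log format, the `ait_alerts` function and its thresholds are assumptions for the illustration; the burst at the end of the sample is shaped like the attack described in the post: consecutive numbers, a country with no users, a weekend night, and no code ever entered.

```python
from datetime import datetime

# Constructed OTP send log for illustration: (UTC timestamp, destination, code verified?).
# The first six lines are normal weekday traffic to your own users; the last eight are
# a burst to consecutive numbers in a country with no users, at 02:00 on a Saturday,
# none of which is ever verified.
OTP_LOG = [
    ("2024-05-13T09:12:00Z", "+4521000101", True),
    ("2024-05-13T10:40:00Z", "+4521000577", True),
    ("2024-05-13T11:05:00Z", "+4522334455", False),
    ("2024-05-13T14:20:00Z", "+4521007788", True),
    ("2024-05-13T15:55:00Z", "+4523456789", True),
    ("2024-05-14T09:02:00Z", "+4521000101", True),
] + [(f"2024-05-18T02:{i:02d}:00Z", f"+22507000041{i:02d}", False) for i in range(8)]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def conversion_rate(log):
    """Share of sent codes that were entered. Bots request codes but never verify them,
    so a falling rate is an early warning. Returns None for an empty log."""
    if not log:
        return None
    return sum(1 for _, _, verified in log if verified) / len(log)


def consecutive_runs(numbers, min_run=5):
    """Runs of numerically consecutive destinations, e.g. +4542688353, ...54, ...55.
    Returns (first, last, length) for every run of at least min_run numbers."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    runs, i = [], 0
    while i < len(values):
        j = i
        while j + 1 < len(values) and values[j + 1] == values[j] + 1:
            j += 1
        if j - i + 1 >= min_run:
            runs.append((f"+{values[i]}", f"+{values[j]}", j - i + 1))
        i = j + 1
    return runs


def unexpected_destinations(log, expected_prefixes):
    """Destinations whose calling code is not one you actually serve
    (calling codes are prefix-free, so a plain prefix test is enough)."""
    return [n for _, n, _ in log if not n.startswith(tuple(expected_prefixes))]


def off_hours(log, start_hour=8, end_hour=18):
    """Messages sent on weekends or outside start_hour..end_hour UTC, when nobody is watching."""
    flagged = []
    for ts, number, _ in log:
        dt = parse_ts(ts)
        if dt.weekday() >= 5 or not (start_hour <= dt.hour < end_hour):
            flagged.append(number)
    return flagged


def ait_alerts(log, expected_prefixes=("+45",), min_conversion=0.5, min_run=5):
    """Run all checks and return human-readable alerts (empty list = nothing found)."""
    alerts = []
    rate = conversion_rate(log)
    if rate is not None and rate < min_conversion:
        alerts.append(f"conversion rate {rate:.0%} below {min_conversion:.0%}")
    for first, last, length in consecutive_runs([n for _, n, _ in log], min_run):
        alerts.append(f"{length} consecutive numbers {first}..{last}")
    unexpected = unexpected_destinations(log, expected_prefixes)
    if unexpected:
        alerts.append(f"{len(unexpected)} messages to unexpected destinations, e.g. {unexpected[0]}")
    late = off_hours(log)
    if late:
        alerts.append(f"{len(late)} messages outside business hours")
    return alerts


if __name__ == "__main__":
    for alert in ait_alerts(OTP_LOG):
        print(alert)
```

Run the checks on a schedule (hourly is enough to catch the small test broadcasts that precede a large one) and compare against your own baseline rather than fixed numbers: a conversion rate of 60% may be normal for one sign-up flow and alarming for another.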
Focus on potential threats
We constantly monitor the threat landscape and make sure to inform you of new potential risks. We have zero tolerance for SMS fraud of any kind and are continuously working on developing new tools.
In addition, we continuously do our best to set up credit limits that match the usage on the specific GatewayAPI account, which can help reduce the damage significantly. It’s a delicate balancing act, as with all new initiatives we must ensure that we do not disrupt legitimate SMS traffic.
If you suspect that your account has been exposed to AIT fraud, please contact us immediately. We do our best to respond quickly to fraud, both for your safety and to maintain trust in the A2P SMS industry as a whole.
About the author
Mathias is a specialist in SMS routing and has his finger on the pulse of everything happening in the SMS industry. He is also Regional Sales Director in Germany and is on a first-name basis with all our major business customers and partners globally.