Growing fraud could kill SMS as a business platform

Nearly 5% of global SMS traffic is fraudulent, putting strain on the widely used application-to-person (A2P) messaging ecosystem, a new report has found.

Enea and messaging intelligence specialist Mobilesquared have found that artificial inflation of traffic (AIT) is now so pervasive in the SMS world that between 19.8 billion and 35.7 billion fraudulent messages were sent in 2023.

The study also underscored the substantial financial toll of AIT, with brands incurring costs of US$1.16-billion.

AIT involves the generation of fraudulent A2P (application-to-person) SMS traffic through various deceptive methods, such as bots and counterfeit messaging. The practice not only leads to financial losses for many of those in the message ecosystem. but also undermines the integrity of genuine mobile messaging for brands’ communication with their customers.

AIT fraudulent messages now account for a notable portion of total international SMS traffic (4.8%), eroding trust and reliability in these mobile messaging services.

This family of fraud types is prompting major brands to shift away from SMS to alternative communication channels, thereby threatening the viability and profitability of the ecosystem.

Despite the significant impact that AIT is having on the A2P SMS industry, there is still no consistent or comprehensive definition for AIT or detailed descriptions of the various methods that threat actors deploy. This is a major obstacle to understanding and combating it.

Attack types

Based on its own threat intelligence in combination with industry sources, Enea has identified a taxonomy of six different AIT abuses, covering AIT injected into the message path at brands, communications platform-as-a-service (CPaaS) providers, and aggregators.

To quantify the problem, Enea has worked with Mobilesquared to highlight the full impact AIT is having across the industry. According to the report, the three AIT attack types having the greatest impact on the market are:

• Counterfeit fabrication AIT: Traffic injected in transit by an aggregator.
• Amplification bot generation of AIT: Traffic created by triggering one-time passwords and other message-generating triggers at brand websites and services.
• Masquerade parasite generation of AIT: Traffic injected through accounts created at a CPaaS provider.

“Understanding the profound impact of AIT on A2P messaging is essential for safeguarding the integrity of our A2P communication ecosystems,” said Simeon Coney, Enea vice president of business development, in a statement.

“AIT not only inflicts significant financial damage but also erodes trust in A2P messaging platforms, a cornerstone for brand-consumer interactions. [There is an] urgent need for a unified industry response to accurately define and tackle these deceptive practices.”

Mobilesquared chief messaging officer Nick Lane said: “The [Covid-19] pandemic accelerated brand adoption of SMS, but the rise of AIT, and the abuse of brand-spend relating to authentication and one-time passwords in particular, will set the A2P SMS industry back years, if indeed it will ever recover from the turbulence it has experienced over the last 12 months.

“This should not be the case, as brands continually tell us that SMS remains the best channel. As an industry, we just need to find improved and enhanced methods of protecting it,” he said.  – © 2024 NewsCentral Media

Get breaking news alerts from TechCentral on WhatsApp