Enterprises No Longer Need to Wait for Telecom to Solve SMS AIT

What is AIT (Artificial Inflation of Traffic)?

Application-to-person (A2P) SMS messaging remains one of the most common methods of business-to-customer communication, especially for security codes, marketing, and notifications. However, this channel is increasingly abused by fraudsters who create bot accounts on various platforms. These bots trigger massive volumes of fake SMS traffic by sending requests for OTPs or security codes that are never used. 

This artificial inflation of traffic (AIT), also known as SMS traffic pumping or artificially generated traffic (AGT), leads to substantial financial losses. In some domains, SMS traffic pumping fraud has become a systematic business model, openly promoted and supported by fraud networks. Any business that sends significant amounts of international SMS is almost certainly being targeted.

How Does AIT Affect Enterprises?

In 2023, Mobilesquared estimated that between 19.8 billion and 35.7 billion fraudulent AIT messages were sent globally. These fraudulent messages resulted in up to $1.15 billion in OTP delivery costs alone.

AB Handshake’s research supports these figures, indicating that approximately 33-38% of all business messaging SMS traffic is flagged as AIT, with top brands experiencing between 30% and 60% of generated traffic In 2023, Mobilesquared estimated that 80% of all OTP requests were fraudulent.

Do you know how many of your users are fake? Contact us for a free evaluation and take control of your SMS traffic.

Banking websites, e-commerce platforms, social media sites, and travel and delivery apps are among the most targeted businesses. However, the impact of AIT fraud on enterprises is far more profound than that. Here are some hidden challenges:

Rising Costs Per User

• OTP Delivery Costs: AIT fraud inflates the cost of delivering one-time passwords (OTPs), which is typically around 20 cents per SMS. If the passwords are sent to fake users – often attracted via ads – the costs surge. This may result in companies paying thousands or even millions of dollars in delivery fees for services that should cost a fraction of the price, significantly increasing the financial burden.

Extra Time Spent Analyzing Misleading Metrics

• Distorted Analytics:  Since bots must create accounts to trigger OTP requests, the number of registered users appears to increase, misleading businesses into thinking they’re acquiring new customers. However, these fake registrations don't translate into real revenue, leading to a drop in average revenue per user (ARPU). Teams waste time and resources interpreting this data, making adjustments to marketing strategies or product features based on false trends. This leads to inefficiencies and stalls growth as decisions are made on unreliable metrics.

Investigations into OTP Delivery Failures

• Unnecessary Testing: When a number of SMS are sent, and no new users register, or when there are suddenly a lot of new users (from bots that can register in the app), but those new users don't convert to paying clients, various teams might assume that there is an issue with the application itself. They often conduct unnecessary product tests and reviews of delivery mechanisms or user journeys to figure out fail points, thinking the issue is technical. However, this is ultimately a waste of time and resources because the real problem lies in fraud, not system failure. 

Lost Resources Spent on Customer Acquisition for Bots

• Ineffective Customer Acquisition: AIT fraud leads companies to invest in customer acquisition strategies, only to attract bots instead of real users. This results in wasted marketing budgets and resources aimed at engaging users who don't exist, driving up acquisition costs without delivering real value.

How Does AIT Work?

Fraudsters manipulate SMS traffic using various techniques to artificially trigger messages such as sign-ups, OTPs, and 2FA codes, leading to inflated costs for businesses. Here are a few methods used to generate artificially inflated traffic (AIT), falling into two broad categories: bot-driven and non-bot methods.

Tactics Used to Inflate SMS Traffic: 

Bot-Based Attacks:

Automated systems and scripts generate high volumes of SMS traffic with little to no human involvement:

Amplification Bot Generation: Bots exploit fake accounts and service vulnerabilities to trigger mass SMS messages from within a brand’s system, ensuring that every step in the messaging chain profits from the inflated traffic. 

Puppet Consumer Exploitation: Malware, hacked apps, and social engineering techniques are used to make real end-user devices unknowingly generate SMS traffic, disguising fraudulent activity as legitimate engagement. 

Fake vs. Real Numbers in AIT Fraud 

Fake Numbers: Fraudsters generate OTP requests using nonexistent or recycled numbers, leading to message delivery failures. However, businesses are still charged for these undelivered messages.

Real Numbers (SMS Trashing): Attackers use real phone numbers to request OTPs and other SMS messages, only to discard them immediately. Since the messages are technically reported as delivered, this method is harder to detect, making businesses believe the traffic is legitimate while incurring unnecessary costs.

In many cases, these fraudulent activities go unnoticed for long periods, leading to escalating costs for businesses that pay per SMS sent. This results in financial losses, reputational damage, and a drain on both technical and human resources.

Current Solutions to Prevent AIT

Preventing SMS pumping fraud requires advanced detection, prevention, and protection strategies, yet current methods come with notable limitations.

• CAPTCHA: This approach, when combined with multi-factor authentication, helps distinguish real users from bots. However, it can be easily bypassed by sophisticated bots and adds friction to the user experience.
• Email 2FA: Email-based two-factor authentication adds a layer of security, but it is often perceived as spammy and tends to complicate the user experience.
• Firewalls: Firewalls can block malicious traffic and protect against attacks, but they have high false positive rates, frequently blocking legitimate users and affecting usability.
• Number Validation: Verifying numbers can catch some fraudulent activity, but only 25% of fraudulent SMS use invalid numbers, while 75% involve valid numbers that are “trashed” in the SMS delivery chain. Number intelligence services will not detect the majority of artificial traffic. 

The root problem remains unaddressed by these solutions—fraud is driven by incentives in the SMS traffic itself. Effective detection requires telecom expertise and a solution that works on a global scale.

How Does AB Handshake Combat AIT? 

At AB Handshake, we utilize award-winning, advanced AI-powered detection to safeguard enterprises from AIT (SMS pumping fraud). Our system analyzes over 200 behavioral parameters in SMS traffic, sending real-time API requests to allow legitimate messages and block fraudulent ones. AI Shield uses a combination of self-learning and supervised learning, becoming increasingly effective as it adapts to evolving fraud tactics.

Seamless Integration

AI Shield integrates on-premises or in the Cloud, connecting via AB Handshake's API. This ensures quick, secure, and flexible deployment within existing systems.

AB Handshake’s AI Shield detects all fraudulent SMS attempts and blocks them based on the business's predefined policies. This gives enterprises full control over their security, eliminating reliance on telecom operators and avoiding vendor lock-in.

Proactive Fraud Prevention

Enterprises do not need to wait for carriers to protect them from AIT. AI Shield evolves with real-world fraud patterns, providing enterprises with a scalable and reliable defense against AIT fraud. By implementing their own detection and prevention strategies, businesses can eliminate fraudulent traffic, regain control over their operations, and protect their revenue and user experience.

Take control of your security—schedule a demo to see how AI Shield protects businesses from artificial SMS traffic.