Artificial inflation of traffic scams are on the rise, siphoning revenue away from companies almost imperceptibly. Knowing how they work and taking the proper precautions can help defend against them.
As if there weren’t enough issues for CISOs and other senior security leaders to contend with, from intrusions to vulnerabilities to ransomware, another threat is lurking that is virtually invisible, can damage a company’s reputation, break customer trust, and quietly siphon away revenue — the artificial inflation of traffic (AIT) scam.
Also known as SMS traffic-pumping scams, AITs are a form of cybercrime in which cybercriminals identify targets with a non- or low-protected phone number input field that distributes one-time passcodes (OTPs), app download links, or other content via text messages. They’re insidious and they’re on the rise.
Here’s how they work, according to Roger Albrecht, partner and co-leader of cybersecurity with global technology research and advisory firm ISG:
“What makes AIT scams challenging is that they can be hard to detect and prevent, as they often involve sophisticated techniques to mimic real user behavior,” says Nigel Gibbons, director and senior advisor at security consulting firm NCC Group. “They also pose a significant financial threat to advertisers, content providers, and telecoms that may end up paying significantly for worthless traffic or engagement.”
Many factors are contributing to an increase in AIT scams. The most basic driver is the potential for financial gain, Gibbons says. Whether it’s through inflated ad revenues, increased inter-carrier compensation, or higher fees for influencers, the potential rewards for successful AIT scams can be substantial.
And the escalating costs of application-to-person (A2P) SMS services have made the profit potential of AIT scams increasingly enticing to cybercriminals, Albrecht says. “Some cybercriminals even utilize the proceeds from AIT schemes to fund legitimate SMS traffic, leveraging the profitability of AIT to offset costs.”
The development of more sophisticated bots and software makes it easier for fraudsters to mimic real user behavior and avoid detection, Gibbons says. And these systems are being commercialized as software-as-a-service solutions and made available to non-technical users and traditional organized crime gangs.
Additionally, AIT fraud presents difficulties in identification due to its lack of regulation within common SMS agreements and regulatory frameworks, Albrecht says. “This allows AIT to circumvent MNO’s firewalls, as one-time passcodes used in AIT scams are not typically flagged as spam or prohibited content.”
AIT scams can lead to financial losses for app developers who unwittingly facilitate fraudulent activity. Increased traffic from the scam can result in inflated costs for SMS services or revenue-sharing agreements, impacting the app’s profitability, says Albrecht. In February, Elon Musk claimed Twitter lost $60 million a year due to AIT-based scams.
Consequently, Twitter removed two-factor authentication (2FA) via text because of these attacks, except for verified Twitter Blue users, to save money by limiting 2FA SMS use to subscription customers only.
AIT is a problem for businesses because it raises the A2P costs at the expense of the enterprise, says Lee Suker, head of authentication and number information at Stockholm-based Sinch. Not only that, but sending too many one-time passcodes to consumers drives mistrust and can ultimately reflect poorly on a company’s reputation. In addition, cybercriminals exploit the infrastructure provided by MNOs to carry out their fraudulent activities, resulting in revenue being shared with the cybercriminals, according to Albrecht. As SMS rates continue to rise, businesses may seek alternative authentication methods, reducing the demand for A2P SMS services and causing revenue loss for MNOs.
AIT scams can also have a detrimental effect on the reputation of businesses, Albrecht says. When users receive multiple OTPs that they didn’t request, it raises doubts about the legitimacy and compliance of the organizations involved.
“This can lead to a loss of trust from customers who may question the integrity of the affected apps and the MNOs associated with the fraudulent activities,” Albrecht says. “The negative perception and potential negative publicity resulting from such scams can cause a decline in user confidence and adversely impact the reputation of the businesses involved.”
While it may not represent a direct attack or intrusion into a system or network, AIT fraud impacts not just the marketing department or the bottom line but an entire organization. That means it’s important for CISOs and chief security officers (CSOs) to be vigilant for the signs of AIT fraud because they play vital roles in protecting their organizations’ information and assets, Gibbons says.
“AIT is a direct threat to these responsibilities and can have serious consequences,” Gibbons says. “As such, it’s something that should be on the radar of every CISO and CSO because [these attacks] can have a financial impact on your company, increase reputational and security risks, and affect data integrity, regulatory compliance and customer relationships and trust. Given these reasons, it’s clear that AIT fraud falls within the purview of CISOs and CSOs.”
Not only can AIT scams result in significant financial losses for an organization, but they can also interfere with compliance with data privacy and security laws, says Avani Desai, CEO of Schellman, a cybersecurity assessment firm. “As the CISO is responsible for managing and mitigating financial risks related to cybersecurity, this becomes a risk they need to mitigate,” she says.
And to ensure the integrity of SMS communications and protect against AIT scams, CISOs and CSOs should prioritize the security of their companies’ mobile channels by implementing strong controls, monitoring systems, and user verification processes, according to Albrecht. And they need to improve the collaboration with app developers and MNOs to share information, best practices, and countermeasures to combat AIT scams collectively.
“By staying informed about emerging threats, such as AIT scams, CISOs and CSOs can proactively assess risks, implement appropriate controls, and allocate resources to mitigate the financial and reputational impacts of these scams,” Albrecht says.
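As an added example (not from the article or from any firm quoted in it), monitoring of the kind Albrecht recommends can start with the OTP send log: the code below flags number ranges that receive a burst of passcodes that are almost never entered back. The log format, prefix length, thresholds and the +999 placeholder numbers are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, destination number, event).
# "sent" = OTP SMS dispatched, "verified" = the code was entered back.
# +999 is a placeholder prefix; every number here is made up.
SAMPLE_EVENTS = (
    [("2023-06-01T10:00:%02d" % (i * 7), "+9990001%04d" % i, "sent") for i in range(8)]
    + [
        ("2023-06-01T10:01:00", "+15555550101", "sent"),
        ("2023-06-01T10:01:20", "+15555550101", "verified"),
        ("2023-06-01T10:03:00", "+15555550102", "sent"),
        ("2023-06-01T10:03:30", "+15555550102", "verified"),
        ("2023-06-01T10:06:00", "+15555550103", "sent"),
    ]
)

def peak_burst(times, window):
    """Largest number of sends that fall inside any sliding time window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_pumped_prefixes(events, prefix_len=8, window=timedelta(minutes=10),
                         min_burst=5, max_verify_rate=0.2):
    """Return per-prefix stats for ranges with a send burst and few verifications."""
    sends = defaultdict(list)    # prefix -> send timestamps
    verified = defaultdict(int)  # prefix -> completed verifications
    for ts, number, event in events:
        prefix = number[:prefix_len]
        if event == "sent":
            sends[prefix].append(datetime.fromisoformat(ts))
        elif event == "verified":
            verified[prefix] += 1
    flagged = {}
    for prefix, times in sends.items():
        burst = peak_burst(times, window)
        rate = verified[prefix] / len(times)
        # Both conditions are required: a busy range whose users do verify
        # is normal sign-up traffic, not pumping.
        if burst >= min_burst and rate <= max_verify_rate:
            flagged[prefix] = {"sends": len(times), "peak_burst": burst, "verify_rate": rate}
    return flagged

if __name__ == "__main__":
    print(flag_pumped_prefixes(SAMPLE_EVENTS))
```

Flagged prefixes are candidates for rate limiting or an extra verification step on the phone-number field, not proof of fraud on their own.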
Mandy Andress, chief information security officer at Elastic NV, agrees that CISOs should be concerned about these types of scams. Traffic pumping isn’t taking advantage of a security flaw, per se, but it is concerned with taking advantage of how easy it is to create new accounts, she says. And attackers could leverage that process for different types of malicious activities, depending on the service availability.
“From a security perspective, the focus would be on the authentication and the new account creation process and not relying solely on SMS — which has been proven to be the most insecure — and instead use multifactor authentication or other approaches,” Andress says. “This would take away the ability for this type of scam to be successful and at the same time help to improve the security for your customers in their accounts.”
This is often a complex process that requires a multifaceted approach that involves detection, prevention, and response strategies, Gibbons says. No single strategy is completely foolproof — the key is to build a strong, multilayered defense that includes:
Yale Fox, a member of the Institute of Electrical and Electronics Engineers, offers these best practices to mitigate mobile SMS AIT fraud:
As technology continues to evolve and new forms of AIT fraud emerge, staying informed and up to date is fundamental, according to Gibbons. Continuous learning, adaptability, and vigilance are key to staying one step ahead of the fraudsters.
“AIT fraud is a complex, pervasive issue that poses significant challenges for businesses, consumers, and society as a whole,” Gibbons says. “However, by understanding the risks, taking proactive measures, and working together, these risks can be mitigated to create a safer, more trustworthy digital environment.”
Linda Rosencrance is a freelance writer/editor/author who has written about information technology since 1999.