Many businesses and Textlocal customers use SMS to better secure their web forms or app through two-factor authentication or one-time passwords. Many users of business SMS will be familiar with the more well-known forms of spam attacks such as fake missed delivery messages and similar phishing attempts.
To further protect our customers, we wanted to highlight a prevalent form of fraudulent attack the SMS industry is trying to combat.
Artificially inflated traffic – What is it?
Artificially inflated traffic or AIT is when large volumes of SMS traffic are generated through fake form completions that require SMS one-time passwords e.g., sign-up forms.
Fraudsters use bots to make multiple sign-up attempts that will in turn generate two-factor authentication messages to numerous mobile numbers. While the messages are not actually delivered to a handset, the volume of service calls is real. This inflated SMS traffic financially benefits the attacker while having a detrimental financial impact on the application owner or business.
How to help prevent AIT?
It’s important to note that AIT attacks are not due to security risks within Messenger or the wider SMS networks and applications.
However, these attacks are difficult to differentiate for providers like us, and to better ensure your own security, we recommend the following:
- Ensure all forms utilize CAPTCHA – using a recognised, secure CAPTCHA every time someone completes an action that triggers an SMS pin code helps to prevent bots from sending repeated requests.
- Set a limit on the number of one-time password requests per IP address.
- Consider an SMS delivery exclusion list for countries you don’t service – our team can help set up a block on sending SMS to countries that are not relevant to your business.
- Understand what the ‘normal’ SMS OTP conversion rate is – monitoring the volume of one-time password requests and knowing the average for your business can help to raise the alarm when usage goes above this threshold.
Together with networks and aggregators, the team at Textlocal is doing all we can to raise awareness of the potential pitfalls for businesses when it comes to AIT. We highly recommend that our customers take time to implement some or all of these prevention methods. If you have any questions or would like some additional support, our team are always on hand to help.