AIT Fraud Protection

A graphic featuring a hand holding a smartphone next to a laptop with a text overlay mentioning "the one time password problem" and a call to action button reading "read now".

The AIT problem

One of the key topics and discussion points that has been ever present at many of the industry events I have attended this year is Artificially Inflated Traffic (AIT), also known as SMS pumping.

AIT fraud is not new but it is continuing to rise sharply and can affect any business, large or small, that uses A2P SMS for verification via one-time passcodes (OTPs) or to communicate and engage with its customers.

AIT even appeared in mainstream news earlier this year when Elon Musk said that Twitter lost $60 million per year due to AIT and subsequently removed all SMS-based identity verification (OTPs). Other global brands are also starting to withhold payments from their SMS aggregators and mobile networks in an attempt to cover their fraud exposure.

So what is AIT fraud? And what can be done to prevent it?

AIT exploits SMS messages delivering one-time passcodes (OTPs), which are most often used for verifying customer mobile phone numbers during the registration process, including location and age checks. In the Twitter example, fraudsters generated fake SMS OTPs by creating a huge number of bot accounts. The fraudsters then received a share of the revenue generated, paid to their complicit partners — often based in high-cost, faraway destinations.

There is a certain irony with AIT in that, despite the cost associated with this type of fraudulent traffic, many companies in the telco ecosystem can be a potential beneficiary. Additionally, whilst enterprises are usually the victims of this type of fraud, there are a few who use it to boost their own subscriber base to demonstrate growth.

However, in the longer term, AIT is leading to reduced trust in SMS for delivering OTPs, revenue loss for enterprises, and lower volumes damaging the industry. The Communications Fraud Control Association (CFCA) estimated that AIT resulted in losses of over $6.7 billion in 2021.

But all is not lost and there are ways that SMS aggregators, mobile network operators and enterprises can help detect and prevent AIT.

At TMT ID we have developed a global numbering and fraud prevention solution — TeleShield — which can help to:

Identify the line type allocated by the local regulator, and only send SMS to mobile numbers.
Provide a real-time check of the caller ID (or A Number) to check if it’s an invalid number.
Confirm if a number has been assigned to a subscriber and is therefore active.
Block premium rate numbers.
Use machine learning to detect unusual spikes in activity, whether in the timing of messages, volume of messages, location, or blocks of adjacent numbers.

Enterprises can also help by detecting bots using CAPTCHAs and monitoring OTP conversion rates. They could also use alternative methods to SMS-based verification, including passwordless authentication such as TMT ID’s Authenticate service. This method of proving possession of a mobile phone number does not need A2P SMS or OTP — and therefore stops AIT as well as improving security and making life easier for customers.

It is critical that enterprises, SMS aggregators and operators all work together to help prevent this type of fraud and protect the industry from financial losses. The loss in trust and reputation for SMS as a channel will also cause volumes to sharply decline as enterprises move to OTT channels and other verification services.

Key terms associated with AIT fraud

To better grasp the mechanisms of Artificially Inflated Traffic (AIT) fraud, it’s essential to understand the terminology commonly associated with these deceptive practices:

Click farms: organised groups of low-paid workers, often from economically disadvantaged regions, employed to simulate authentic online activity. These workers perform tasks such as registering accounts, manually clicking on ads, streaming music, watching videos, completing online forms, or engaging with websites in other ways to mimic genuine traffic.
Bot traffic: non-human, automated traffic generated by bots to replicate human-like online behaviour. Bots are commonly used to create fake clicks, views, and interactions on a massive scale, deceiving businesses and inflating engagement metrics.
Artificial impressions: falsified views, clicks, or interactions on digital content created to manipulate analytics, mislead advertisers, or artificially enhance the apparent popularity of online content.
Click fraud: a fraudulent practice involving the use of bots, scripts, or click farms to repeatedly click on ads, links, or other content. The objective is to inflate click metrics artificially, forcing businesses to incur higher costs for engagement that lacks real value.
View fraud: a tactic similar to click fraud, in which fake views are generated on ads or digital content. Fraudsters aim to inflate viewership metrics, misleading advertisers and stakeholders into believing the content is gaining traction.
Impression fraud: a scheme designed to boost impression statistics by falsely increasing the number of times an ad or piece of content is displayed. Businesses are misled into paying for these inflated impression counts, which do not reflect genuine user activity.
Conversion fraud: a more sophisticated form of AIT fraud where actions resembling genuine user conversions — such as making a purchase or submitting a form — are simulated through methods like impersonating real users, tampering with cookies, or deploying bots, scripts, and conversion farms. The aim is to inflate conversion metrics, creating a false impression of user engagement.