SMS Toll Fraud

An In-depth View of SMS Toll Fraud in the e-Commerce Industry

October 26, 20236 min Read

An In-depth View of SMS Toll Fraud in The e-Commerce Industry

Attackers use bots to input premium rate mobile numbers at scale and trigger artificially inflated SMS traffic for massive illicit financial gain. To prevent criminals from reaching the SMS flow before the attack begins, e-commerce platforms need to deploy smart bot management solutions.

Also known as SMS pumping or artificially inflated traffic fraud, SMS Toll Fraud refers to cybercriminals exploiting this popular communication channel for illicit financial gain, often by using premium rate numbers and deceptive tactics. Fraudsters use bots to input premium rate mobile numbers en masse to trigger high-priced SMS messages and collude with some corrupt mobile network operators (MNOs) to receive a share of the illicit earnings.

Globally, there has been a surge in businesses using SMS with its usage expected to reach nearly 3.5 trillion by 2023.1 It is also estimated that the global A2P SMS market will likely be worth $65 billion by 2028.2 As a result, SMS Toll Fraud can significantly compound the problems for ecommerce platforms that are already reeling under a deluge of fraud.

Arkose University: SMS Toll Fraud Masterclass
Arkose University: SMS Toll Fraud Masterclass

Scale of SMS Toll Fraud and the role of automation

e-Commerce platforms use SMS to enhance customer communication, improve consumer account security, and streamline operations. There are several ways that e-commerce platforms use SMS, such as:

  • user authentication at registration, password reset and account recovery
  • payment authorization
  • order and payment confirmations
  • sharing order status updates
  • Delivery notifications
  • Promotional offers
  • Discounts
  • Abandoned cart recovery
  • Refund updates
  • Seeking feedback
  • Customer support

This has caught the attention of attackers, as they have found a rather unsuspecting attack vector that is easy to manipulate—but difficult to detect.

Already poised to lose nearly $48 billion dollars by 2023 to fraudulent activities, ecommerce platforms must realize the additional challenge that SMS Toll Fraud poses.3 Growing cross-border e-commerce transactions and increasing reliance on SMS for customer authentication, transaction confirmations, and order status updates, make these platforms attractive targets for fraudsters.

The scale of the attacks and the ensuing losses from SMS Toll Fraud can vary depending on the size or region of the e-commerce platform. Although regulatory bodies and telecommunications authorities have been taking steps to address SMS fraud, such as setting limits on premium-rate messages and increasing penalties for fraudulent SMS practices, artificially inflated traffic fraud (AIT) continues to rise. This is because some regions may be more susceptible to SMS Toll Fraud due to global variation in telecommunications infrastructure and regulatory oversight.

Attackers manipulate e-commerce platforms to generate thousands of SMS messages quickly by providing international or premium rate mobile numbers. They also resort to automated fake account creation to execute SMS scams. To achieve scale, attackers use bots and automated scripts that can input premium mobile numbers and create AIT, which triggers expensive SMS messages en masse.

Blocking users is no solution

Once an SMS message is triggered, it leaves the internet realm to enter the telecom network, leaving the e-commerce platform with no effective method to retract the SMS texts sent out. Even cloud-based security solutions can do little to mitigate the loss. This effectively means that the e-commerce business is left to bear financial losses in the form of inflated telecom bills.

It is often these bloated bills that raise suspicion about unscrupulous activity on the platform. This sets the ball rolling to identify the lacunae in the platform that attackers exploit to execute SMS Toll Fraud attacks. When e-commerce platforms realize the SMS flow has been targeted, they either block users with the international numbers or suspend the use of SMS. Both these scenarios are undesirable, as blocking any user could potentially mean loss of revenue from a genuine user, and suspending the use of SMS may adversely impact the ability to communicate with their consumers.

Instead of taking such drastic steps, e-commerce platforms must look to prevent the misuse of SMS flow by identifying signs of bot traffic and stopping them before initiation of SMS messages.

Use smart bot management solutions to beat intelligent bots

To combat SMS Toll Fraud, e-commerce platforms may consider employing identity verification methods to ensure that users are who they claim to be. They must try to prevent fake account creation attempts and use advanced authentication methods, such as biometric authentication, in addition to SMS-based verification.

Many e-commerce platforms use CAPTCHAs to stop automated bot attacks, but in vain. CAPTCHAs are no longer effective in preventing automated bot attacks, as they have failed to keep pace with the advanced human-like capabilities that intelligent bots have acquired. These bots can interact with defense mechanisms that require more nuanced interaction and pass on the attack baton to human attackers when deterred. CAPTCHAs, on the other hand, continue to languish in their outdated technology, which renders them ineffective in providing the level of security that modern ecommerce platforms need.

Even measures like rate limiting are prone to manipulation as attackers time their attacks when the defenses are low, such as during weekends or holidays.

To effectively protect their SMS workflows from automated SMS Toll Fraud, -commerce platforms need technology-driven bot management solutions that can accurately identify malicious non-human traffic, without disrupting the digital journeys of genuine consumers.

How Arkose Labs can help e-commerce businesses

Arkose Labs works closely with e-commerce platforms to identify and stop malicious bots even before they can reach the SMS workflows. Using advanced technologies and targeted friction, Arkose Labs stops bots and malicious human click farms from initiating SMS messages.

Even the most advanced bots and scripts instantly fail when faced with Arkose MatchKey challenges, the strongest CAPTCHA in the business. Persistent malicious humans face incrementally complex challenges, which delays completion of attacks. In view of the depleting returns due to the need to invest more time, effort, and resources to complete the attack, the attack becomes financially non-viable. Attackers are left with no choice but to give up for good and move on to another target.

In addition to 24x7 SOC support, data-driven actionable insights, and raw signals, Arkose Bot Manager comes with the assurance of $1 M warranty against stopping automated SMS Toll Fraud attempts.

Book a demo now to see this smart solution in action and learn how you, like several Fortune 100 companies using Arkose Labs, can avoid SMS Toll Fraud and inflated telecom bills.

Protect Your Business from IRSF: How Arkose Labs Stops SMS Toll Fraud
Protect Your Business from IRSF: How Arkose Labs Stops SMS Toll Fraud