The gig economy has transformed how we work and live. Unfortunately, this applies to bad actors as well.
The global volume of the gig economy is projected to reach $873 billion in 2028, up from $355 billion in 2021.1 This vast scale of growth provides cybercriminals with enormous opportunities to exploit gig economy platforms for financial gain, including via a ubiquitous communication method: short message service (SMS).
Use and Abuse of SMS Messaging
Gig economy platforms use SMS in various ways to facilitate communication, coordination, and engagement among gig workers, clients, and the platform itself. For example, they send verification codes to users through SMS for multi-factor authentication (MFA) at registration or login touchpoints. They also use SMS messages to notify workers about available new jobs, offer customer support, send reminders about upcoming jobs, and more.
But much of that SMS traffic isn’t going to legitimate users.
Last year, nearly 6% of all SMS messages were sent to artificially generated traffic. This figure swells to anywhere between 30% and 60% for top brands.2
The sheer variety of ways that digital platforms use SMS makes it an attractive attack vector. Attackers leverage the instant and direct nature of SMS to deceive users into sharing personally identifiable information (PII) and exploit the gig economy platforms. They employ various tactics to exploit SMS messaging, including:
- impersonation for phishing
- creating urgency of action on limited-time deals
- deceptive payment messages
- fake job offers
- surveys
- malicious links for account takeover
- fake verification codes
One particular type of SMS fraud is notably on the rise: SMS toll fraud.
The Explosive Growth of SMS Toll Fraud in the Gig Economy
In SMS toll fraud, cybercriminals use bots to rapidly create fake accounts through online forms linked to SMS systems or by requesting OTPs via websites or mobile apps. These bots input premium-rate phone numbers for SMS authentication and promptly cease activity upon verification. The bad actors – often colluding telecoms, criminal organizations, and black hat hackers – then split the profits and move on to their next target.
Unfortunately, SMS messages are irreversible once sent, leading to a surge in telecom expenses for affected businesses.
Several factors are fueling the rise of SMS toll fraud in the gig economy. First, the gig economy is almost completely digital and driven extensively through mobile apps, which expands the attack surface for cybercriminals. Secondly, it operates in a relatively less regulated environment, which can lead to inconsistent security practices to combat cyberthreats. And thirdly, because SMS is an immensely popular way for gig economy platforms to verify new users, attackers are exploiting this communication channel for illegitimate financial gain that often runs into millions of dollars every month.
Tech-Driven Solutions to Fight SMS Abuse
SMS toll fraud goes by multiple names, including SMS pumping and international revenue share fraud (IRSF). But no matter what you call it, when executed at scale using bots and automated scripts, SMS toll fraud can wreak havoc on impacted platforms, causing financial, operational, and reputational damages to the attacked platform. And since businesses have little recourse after SMS messages have been sent to fraudulent accounts, protection starts with preventing fake account signups in the first place.
This means gig platforms must ensure effective bot detection that stops large-scale, automated bot attacks before initiation of SMS messages.
Legacy solutions such as CAPTCHAs cannot efficiently fight this sophisticated attack type, because outdated CAPTCHAs have not kept pace with the evolution of bots. Businesses must choose fraud detection software that leverage advanced technologies to detect and prevent fraudulent SMS activities.
Arkose Labs is the partner of choice for several Fortune 500 companies for a user-centric approach to fraud prevention. Arkose Bot Manager analyzes several digital parameters to accurately distinguish bot traffic and malicious humans from genuine users, stopping the bad actors early in their tracks. Instead of blocking identities that cannot be clearly categorized as “good” or “bad,” Arkose MatchKey challenges offer them an opportunity to prove their authenticity. This ensures no revenue-generating consumer is stopped, while maintaining user account security for genuine consumers on P2P websites and apps.
Leveraging the global threat intelligence from a vast network of clients, Arkose Labs can identify and flag suspicious activity before it can affect the incumbent business, which means long-term protection from new and evolving threats. Arkose Labs also offers 24x7 SOC support and shares digital insights, attributes, and signals that empower clients to mitigate risks as soon as they are detected.
Maintain a trustworthy gig platform and offer your users a safe and meaningful digital experience. Get a glimpse of how Arkose Labs fights automated SMS toll fraud attempts when you book a demo now.
Share The Blog
