SMS-based security measures have long been powerful tools for financial institutions as delivery vehicles for authentication codes, transaction verifications, and more. But a novel attack vector is turning SMS communications into weapons against the very institutions they are trying to protect.
SMS toll fraud exploits authentication processes by tricking businesses into sending SMS messages to recipients who have no intention of verifying their identities. Instead, the attacker’s entire aim is to generate messages sent via a premium-rate carrier, after which the attacker can split the proceeds with the colluding carrier and stick the business with an outrageous bill.
This sneaky, pernicious SMS attack vector is escalating – and bad actors have the lucrative financial services sector squarely in their sights.
A tsunami of SMS toll fraud attacks
First, a quick overview of how SMS toll fraud, also known as SMS pumping, works. In this type of SMS fraud, cybercriminals use automated bots to quickly create new online accounts at scale. The unsuspecting business deploys measures to verify user authenticity, such as two-factor authentication (2FA) or multi-factor authentication (MFA). These processes send one-time passwords (OTPs) and codes via short messaging service (SMS) for these “consumers” to authenticate themselves.
Unbeknownst to the business, however, these fake accounts use premium-rate phone numbers for SMS verification. The culprits, which may sometimes include unscrupulous mobile network operators (MNOs), criminal groups, and black hat hackers, share the ill-gotten gains from these premium-rate messages and move on to their next victim.
Shortly thereafter, the unsuspecting business is hit with an outrageous bill. And because the attack isn’t discovered until long after the fraudster has moved on, the business has little recourse for recovering the lost funds.
The damages are multi-faceted
SMS toll fraud, especially automated bot-driven attacks, can cause massive damage to businesses. According to one study, SMS pumping fraud caused global losses worth more than $6.7 billion in 2021.1
The consequences of SMS toll fraud on the financial services industry extend beyond just immediate financial losses. Responding to SMS toll fraud incidents can be time-consuming and disrupt normal business operations. It may expose the impacted organization to heightened security threats, damage its reputation, and erode consumer trust.
Additionally, regulatory authorities may impose penalties on the financial institution for failing to adequately prevent fraud. Non-compliance with data protection and security regulations can attract fines, legal actions, and increased regulatory scrutiny.
Nipping SMS fraud in the bud
SMS toll fraud can be challenging to prevent while it is happening, since it is nearly impossible to retract the SMS messages once they have moved from the business to the telecom network. Automation of SMS toll fraud makes it even more challenging to detect and stop. Automated tools and scripts are easily and cheaply available, part of a larger network known as cybercrime-as-a-service (CaaS), allowing fraudsters to scale up the attacks with the least possible investment. They enable attackers to input large volumes of mobile numbers and trigger fraudulent SMS messages simultaneously and at speed.
This type of attack can overwhelm business networks, making it difficult to identify genuine users. Automation reduces the need for human interaction, which in turn reduces the probability of human errors. Attackers can adapt their automation techniques to test and exploit vulnerabilities in SMS systems. They can use this knowledge to evade detection and bypass security measures by adjusting the timing and frequency of SMS initiation to avoid rate limiting.
To protect against massive losses, financial institutions must strive to fight SMS toll fraud attempts before they can snowball into a bigger crisis. The best defense against automated SMS toll fraud, therefore, is to catch it before it begins. One of the best ways to do so is to identify bots and malicious click farms engaged in inputting mobile number details before the SMS messages are initiated.
Many organizations use traditional CAPTCHAs to stop bot traffic, but they do not get the level of protection needed against modern, complex threats. This is because today’s advanced bots can easily bypass these outdated CAPTCHAs. To meet current protection needs, businesses must consider superior bot management solutions that can identify and stop even the most intelligent bots with human-like capabilities.
Advanced fraud detection software systems leverage the latest technologies to identify suspicious activities and flag them for further investigation. Bot management solutions such as Arkose Bot Manager can combat automated SMS toll fraud attempts with great precision and without disrupting the user experience for genuine consumers.
Stay protected with Arkose Labs
Arkose Labs is at the forefront of the fight against SMS toll fraud, providing global financial institutions with long-term protection. Using a combination of advanced technologies and adaptive risk-based authentication, we accurately identify bots from human users.
Based on the real-time risk assessment, the solution serves Arkose MatchKey challenges to allow every user to prove their authenticity. Automated scripts and bots of all levels struggle to solve these adaptive challenges at scale, while persistent malicious humans continue to face challenges that keep increasing in volume and complexity. This wastes the attackers’ time, resources, and efforts, making the attack too costly to perpetrate and forcing them to give up for good and move on to an unprotected target.
Arkose Labs backs its solution with a $1 M warranty against automated SMS toll fraud. As a true partner, Arkose Labs provides 24x7 SOC support and shares data-backed insights, signals, and attributes to empower businesses to mitigate SMS toll fraud attempts as soon as they are detected. Arkose Labs leverages threat intelligence from its global database of known fraud indicators to protect against evolving fraud tactics in the long-term.
Protect your organization from automated SMS toll fraud attempts with a user-centric solution that comes with the guarantee of success. Book a no-obligation demo now.
Share The Blog
