Safeguarding the Travel and Hospitality Industry from SMS Toll Fraud

Attackers are using bots to scale up SMS toll fraud, resulting in massive overall telecom bills for travel and hospitality companies. To protect their businesses, these companies must deploy smart bot management solutions before bots can reach the SMS workflows As the travel and hospitality industry experiences a surge in bookings worldwide, global travelers aren’t the only ones ramping up their activity. Cyberattackers are also on the move, registering massive quantities of online fake accounts in ever-increasing numbers. And it’s costing travel and hospitality companies millions of dollars in fraudulent SMS charges each year. SMS toll fraud is a hidden landmine that businesses can’t afford to ignore. Stopping this escalating threat requires an understanding of the risks it poses, coupled with advanced security measures that can proactively identify and mitigate fraudulent activity in real-time. [resource_post_by_id id="30150"]

Chasing losses: SMS toll fraud's financial aftermath

Here’s a quick review of how SMS toll fraud, also known as SMS pumping fraud or artificially inflated traffic fraud, siphons away money from the travel industry. In this type of SMS fraud, attackers rapidly create numerous online accounts, typically through the use of bot traffic. In an effort to enhance security, the targeted travel company, hotel, or other business uses verification methods such as two-factor authentication (2FA) or multi-factor authentication (MFA) to send one-time passwords (OTPs) and codes via SMS, allowing these new “users” to verify their identities. What the business doesn’t realize, however, is that the fraudulent accounts are inputting premium-rate phone numbers for SMS verification. The fraudsters, which may include unethical mobile network operators (MNOs), criminal organizations, and black hat hackers, share the ill-gotten gains from these premium-rate messages and then seek out their next victim. Not long after, the unsuspecting business receives an exorbitant bill. Unfortunately, since the attack usually remains undetected until after the bad actors have moved on, the business has limited options for recovering the lost funds. And the losses are enormous; some studies estimate SMS pumping fraud caused businesses around the world more than $6.7 billion in 2021.¹

Why travel and hospitality is vulnerable to SMS fraud

SMS toll fraud occurs across multiple industries, but detecting it can be especially difficult for travel and hospitality companies because of the extensive ways in which they use SMS to enhance customer service, improve communication, and streamline operations. This includes:

• Enrolling consumers in loyalty programs, updating them on point balances, and notifying them about rewards or discounts available
• Sharing special offers, discounts and promotions to encourage repeat bookings and boost customer loyalty
• Sending out booking confirmations with details such as booking reference numbers, dates, and contact information
• Delivering boarding passes or QR codes that suffice for printed boarding passes

The large volume of SMS messages sent can make it challenging to identify spikes in potentially fake account registration. As a result, traditional fraud detection systems struggle to detect it in real-time.

How automation is scaling up attacks

Unlike the past, where fraudsters would manually input premium-rate numbers, automation allows attackers to achieve scale without significant manual effort. They can use bots and non-human traffic to quickly input several premium mobile numbers in a few minutes, which initiates thousands of SMS messages and increases the potential returns from the attack. They can employ automation to analyze the success rates of their campaigns and tweak the tactics to maximize the returns. Further, using the knowledge on the specific times when the returns can be maximized, such as during peak travel booking seasons or when the defenses may be lower, such as weekends and holidays, fraudsters can use automated tools to schedule initiation of SMS messages from various geographic regions and in bulk to maximize their impact.

Beat SMS toll fraud with Arkose Labs

SMS toll fraud has the potential to cause severe financial, operational, and reputational damage to travel and hospitality companies. Therefore, investing in smart bot management systems is critical to fending off attacks before they can propagate. Arkose Labs is uniquely positioned to help travel and ticketing companies fight bot-driven attacks, including SMS toll fraud. Arkose Bot Manager can accurately identify and stop automated bot attacks before the SMS workflows, which prevents initiation of SMS messages in bulk without degrading the digital experience for legitimate consumers. Combining the latest bot detection technologies with the unmatched abilities of Arkose MatchKey challenges, Arkose Labs empowers travel and hospitality companies to prevent bots and malicious human click-farms from abusing the SMS workflows. Scripts and bots of all advancement levels are no match for these best-in-class challenges, and fail instantly trying to solve them. In addition, malicious humans face challenges that keep increasing in complexity. This wears the attackers out by increasing the time, effort, and investment required to continue solving the challenges. Eventually, the depleting returns render the attack financially unattractive, forcing attackers to move on to other targets. Supported by Arkose Labs 24x7 SOC support, data-backed actionable insights, global threat intelligence, and an industry-first $1M warranty against automated SMS toll fraud attacks, travel and hospitality companies can protect themselves from SMS toll fraud in the long-term. To take a look at the solution that travel and hospitality companies around the globe trust in their fight against automated SMS toll fraud, book a demo now. [resource_post_by_id id="28783"]