A Fraud Prevention Primer: 3 Types of Messaging Fraud and How to Stop Them
Messaging-based fraudulent activity has gone global, and the potential outcomes — lost revenue, tarnished reputations, and customer churn, for a few examples — are the stuff of nightmares. Active measures to fight it are crucial, but with so many bad actors leaning on a rapidly growing playbook of attack methods, messaging fraud prevention starts to look like a game of cat and mouse. As soon as you manage to stop one attack type, two more spring up in its place.
With more customers preferring to speak to businesses via messaging-based communications, ignoring their preferred channels in the name of avoiding fraud is not an option. Fortunately, mitigation becomes a lot easier with the right knowledge and partnerships in place. Let's examine some of the most prevalent types of messaging-based fraud and ways businesses can pump the brakes via active fraud prevention measures.
1. Artificial inflation of traffic: A growing enterprise concern
Fraud can take many shapes, and the attacks bad actors carry out can generate illicit revenue in many ways. One example is artificial inflation of traffic (AIT), also known as SMS pumping, a multi-modal fraud method that can pass by completely unnoticed without the right measures in place.
Exact methods vary from business to business, but the basic idea is scarily simple: Fraudsters lean on illegitimate accounts to send waves of messages to a business's customers. Though customers don't receive the messages — they are usually intercepted beforehand to keep users from complaining about spam and alerting the business to the activity — the traffic appears legitimate at a glance, forcing the enterprise to pay large sums for the traffic that occurs on their network.
Like the methods attackers use, the motivations to carry out AIT vary from attack to attack, but the primary goal is almost always financial gain or harm to the victimized business's budget. For example, small global mobile network operators may be in on the scheme because the illicit messages that pass over their network create huge boosts in revenue, according to CSO.
How to stop it
AIT is part of a broader range of application-to-person (A2P) fraud activity. Real-time fraud defense offerings that alert companies and allow contextual blocking of certain types of traffic are essential. Live dashboards that spell out threats in real-time and allow human assets to analyze and take quick remedial action will only become more important as A2P techniques like AIT evolve.
2. Grey route fraud: An evolving A2P threat
Another type of A2P fraud, grey route fraud, utilizes person-to-person (P2P) channels to send messages that are actually A2P in nature. By utilizing illicit SIM boxes or other means, such as compromised or unethical call centers, fraudsters can exploit the lower relative costs of P2P messaging and bypass verification methods that would otherwise keep their activity in check. This allows smishing messages (attacks through SMS messaging) and other non-legitimate traffic to reach customers at scale and with relative ease.
Grey route fraud comes with heavy costs for network operators, other impacted businesses, and their customers, and attackers have increasingly pushed the method of late-to-drain money from legitimate providers — we're talking figures in the billions. Then, there are fines from carriers themselves, which can be $10 per message or higher — a figure that can add up to thousands per hour when bulk messages are sent over inappropriate channels.
How to stop it
Grey route fraud is notably hard to stop because it is difficult to recognize in the flow of legitimate P2P traffic. Companies must use legitimate messaging channels for marketing to avoid spam classification; fraud prevention tools with built-in recognition and spam filtering are also an important part of the fight.
3. Smishing: attackers abuse known exploit in new worrying ways
Customers are more receptive to legitimate SMS business communication than ever, but they're also warier of fraud — and it's fair to say they're sick of the fraudulent messages cluttering their inboxes. According to the Federal Communications Commission, complaints about spam texts are indicative of a serious problem; extremely high open rates compared to other channels (such as email) make the format perfect for scammers phishing for new victims, per the Federal Trade Commission.
Smishing can be used to infect devices with malware and trick legitimate users into giving personal details, which can lead to account takeover attacks and other illicit activity. The advent of A2P-based fraud only deepens the threat, resulting in texts that appear legitimate to the unaware victim but aren't — customers who recently placed an order with a business may receive a legitimate-looking tracking email, for instance, only to find they've been scammed.
Like other forms of SMS-based fraud, smishing can be difficult to detect on the enterprise side due to the perceived legitimacy of the messages being sent. The methods fraudsters use are always evolving, requiring constant vigilance and active fraud prevention measures that can adapt to the quickly changing threat landscape.
How to stop it
With smishing, complacency is the enemy. Tools that allow the fraud prevention approach to be refined and adapted to new attempts — via location, account-level measures, and other means — are the only way to achieve an acceptable level of safety for your business and customers. For example, messages APIs that utilize two-factor authentication any time personal information is transmitted can be a substantial help as precise methods used by scammers mutate and change over time.
Stay safe from fraud with the right partner
With attacks growing in scale, complexity, and methodology, it's important to have systems in place that not only change as the landscape does but also stay a few steps ahead.
Explore Vonage Fraud Defender, and see what we can do to keep some of your most important communications secure.
