The Impact of AIT (Artificially Inflated Traffic) Fraud on Mobile Authentication

November 2023
Mobile Identity

As we discuss in our latest mobile authentication research, AIT is a method utilised by fraudulent actors or by competitor businesses to unlawfully derive revenue from the business messaging traffic they process.

This occurs when a fraudster uses a bot to create fake accounts, which triggers OTP SMS messages to mobile numbers. The fraudster can then partner with a rogue party to intercept the inflated traffic, meaning it is not terminated to the mobile subscriber, which enables the fraudster to take a revenue share from the operator.
 
This can be damaging to operator revenue: the interception prevents the OTP SMS from being delivered to the end user, and both the fraudster and the rogue party then claim a revenue share from the traffic. This process is repeated in order to further inflate revenue, which mobile authentication operators would otherwise monetise. This is a particularly common method of fraud in relation to long distance locations, as international destinations with high delivery costs yield the most revenue.

The rise in AIT fraud can be particularly damaging for potential operator revenue from MFA and OTP SMS traffic, as it is increasingly difficult to detect whilst still in abundance. A key influencing factor of this fraud is the use of AI to better enable AIT to mimic patterns in human traffic, thus making detection near impossible for operators and enterprises.
 
Factors influencing the growth in AIT include:

  • Increase in A2P SMS Costs: Fraudsters have a greater incentive to deploy such attacks as the profit potential from AIT increases.
  • AI Influencing its Undetectable Nature: As AIT is not regulated under existing SMS regulations, it is better able to bypass firewalls, as OTPs are not considered spam.
  • Revenue Opportunities for Providers: Involved parties want to remain competitive in the market by generating more traffic through fraudulent means.

Operators and enterprises face not only revenue losses from this type of fraud but also reputational damage, as a flood of OTP SMS messages which users did not request can make an organisation appear illegitimate or untrustworthy. Being branded with such a reputation will drive potential and existing customers away from the business itself, in turn further impeding its revenue opportunities.
 
To combat this, businesses can adopt some protective strategies, such as monitoring large volumes of randomised messages and OTP SMS conversion rates, limiting the number of SMS requests from the same IP address, and using tools to block bots. Businesses should also focus on exploring the vulnerabilities within technologies before deploying them, in order to mitigate potential fraud arising from such vulnerabilities.
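The monitoring and rate-limiting measures described above, sketched as an added example that is not part of the original article. The log format, the thresholds and all numbers and addresses are constructed assumptions; the code applies a per-IP sliding-window limit and flags destination prefixes whose OTP conversion rate (codes verified divided by codes sent) is abnormally low.

```python
from collections import defaultdict, deque

WINDOW_S = 600        # assumed sliding window (seconds)
MAX_PER_IP = 3        # assumed OTP requests allowed per IP per window
MIN_SENT = 5          # ignore prefixes with too few sends to judge
MIN_CONVERSION = 0.2  # assumed alert threshold: verified / sent

def allowed_requests(events):
    """Apply the per-IP sliding-window limit; return the events that would be sent."""
    recent = defaultdict(deque)   # ip -> timestamps of requests already sent
    sent = []
    for ts, ip, msisdn, verified in sorted(events):
        q = recent[ip]
        while q and ts - q[0] >= WINDOW_S:   # drop timestamps outside the window
            q.popleft()
        if len(q) < MAX_PER_IP:
            q.append(ts)
            sent.append((ts, ip, msisdn, verified))
    return sent

def low_conversion_prefixes(events, prefix_len=4):
    """Return {prefix: (sent, verified)} for prefixes converting below the threshold."""
    stats = defaultdict(lambda: [0, 0])
    for _, _, msisdn, verified in events:
        s = stats[msisdn[:prefix_len]]
        s[0] += 1
        s[1] += int(verified)
    return {p: tuple(s) for p, s in stats.items()
            if s[0] >= MIN_SENT and s[1] / s[0] < MIN_CONVERSION}

def build_sample():
    """Constructed log: (timestamp_s, source_ip, destination_number, otp_verified)."""
    events = []
    # One IP, 8 requests in 80 s to sequential numbers, no code ever verified
    for i in range(8):
        events.append((i * 10, "203.0.113.7", f"+9990000{i:04d}", False))
    # Requests spread over many source IPs, none verified (only the conversion check sees these)
    for i in range(6):
        events.append((100 + i, f"198.51.100.{i}", f"+9990001{i:04d}", False))
    # Ordinary users: distinct IPs, most codes entered
    for i in range(6):
        events.append((200 + i * 30, f"192.0.2.{i}", f"+447700900{i:03d}", i != 0))
    return events

if __name__ == "__main__":
    log = build_sample()
    print("sent after IP limit:", len(allowed_requests(log)), "of", len(log))
    print("low-conversion prefixes:", low_conversion_prefixes(log))
```

The two checks complement each other: the IP limit caps cost from a single source, while the conversion metric still flags the destination prefix when requests arrive from many sources.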
