SMS is the top communication channel for consumers. Organizations worldwide use it to interact and engage with their audiences. But while it’s gaining in popularity, fraudsters seek new ways to profit from its vulnerabilities. Here are five types of SMS fraud that could put your company at risk.
Did you know that 90% of people open a text message within three minutes of receiving it? Texts have great benefits for business communication. They have a response rate of 45 per cent compared to email’s 6 per cent. Even more tellingly, people respond to a text message within 90 seconds; by contrast, they respond to emails within 90 minutes.
But fraud is an increasingly pervasive issue in mobile communications. As application-to-person (A2P) SMS grows fast, more hackers are looking to take advantage of it.
What is SMS Fraud?
According to a Mobile Ecosystem Forum report, fraud is a “wrongful or criminal deception, intended to result in financial or personal gain, against an individual or organization.”
SMS Fraud takes place when fraudsters use text messages as a channel to reach their targets. SMS Fraud can have several objectives: data theft, identity theft, or system manipulation. It is carried out by criminal workforces who organize and coordinate plans targeting large enterprises to gain maximum profit.
Most organisations believe this type of fraud has consequences only for the final users, the ones who receive the text message. The truth is that it can directly or indirectly affect every part of the business SMS communication chain, from the end recipient and the originator to the orchestrator and provider.
Today fraud schemes are vast, wide-reaching, and costly. According to Fraud.com, “only 14% of businesses can fully recover from unauthorized transactions and other fraudulent activities.”
Let’s dive into the most common types of SMS fraud so you are aware of them and know how to take action.
Common Types of SMS Fraud
The Mobile Ecosystem Forum has identified, defined, and mapped 14 fraud types. Here we’ll focus on the five most common types of SMS fraud so you understand how they work before an attack occurs.
SMS Phishing or Smishing is a type of mobile messaging fraud in which fraudsters send SMSs to end recipients while posing as a trusted party, and invite them to click a fraudulent link in order to gain access to online systems, accounts or data.
This type of fraud is on the rise. In 2021, the US lost $44 billion to smishing. Even with more tech-savvy end recipients, the numbers continue to be concerning. In 2022, smishing attempts increased by 69% worldwide.
That’s because fraudsters create messages that look and feel legitimate. However, there are some red flags end users can consider before clicking the link, such as strange URLs, missing punctuation, and typographical errors.
In message trashing fraud, the target is the originator of the message. Fraudsters deliberately fail to deliver a validly formatted business SMS message with valid content that was intended for a valid Mobile Station Integrated Services Digital Network (MSISDN) number.
The perpetrating party in the message delivery chain trashes the message instead of sending it to a mobile network operator (MNO) or messaging provider for onward delivery to the consumer.
Fraudsters often send fake delivery receipts to the originator of the message showing high rates of delivery. By working with a bad-acting aggregator, they only “trash” some of the messages and pass a bill to the originator for the entire amount of traffic requested, pocketing the difference.
As a result, the MNO does not get the revenue and the consumer does not get the informational value of the message.
The typical target of message-trashing fraud is marketing traffic, because it does not require a direct action or response from the recipient.
As its name suggests, access hacking is the act of hijacking the credentials of a legitimate third party to gain access to an app, device, platform, or any other IT infrastructure.
In this type of fraud, the target is the orchestrator. Many big companies worldwide have already suffered its consequences. Medibank, an Australian health insurer, suffered the theft of personal and medical data of nearly 10 million customers.
The costs of access hacking can be devastating when the target is a messaging orchestration platform. First, they usually hold a great deal of valuable customer data. Second, when fraudsters are inside a messaging platform, they can use the legitimate sender number and leverage the trust of the accessible audience to send smishing SMSs, misdirect, and rob consumers quickly and in huge volumes.
Global Title Faking
It’s time to talk about one of the most common types of SMS fraud, one that costs MNOs millions annually. Yes, it’s Global Title Faking.
There are multiple steps required to send an SMS. Fraudsters take advantage of that and deceive MNOs about the true identity of the sender through the misuse of a global title.
Let’s explain Global Title Faking in more detail:
- Fraudsters use an international C7 (SS7) network to ask the MNO (victim) where a target device is and what network it is a customer of.
- The MNO gives the information needed to route the message correctly.
- Fraudsters use that information to send the SMS but replace the sending address with that of an unsuspecting third-party MNO.
When the MNO that terminated the message charges the MNO whose global title number is tied to the sent traffic, the MNO whose title number was used ends up paying for traffic that was sent by the fraudster.
Tip to prevent title faking: if a business looking to purchase a large volume of SMS traffic encounters a price that seems too good to be true, it could be because the seller is faking global title numbers.
SMS Traffic Pumping
Artificial Traffic Inflation or SMS Pumping is a type of fraud that aims to make money through revenue sharing by sending high volumes of requests to an online form or web app.
The fraudster approaches a provider with a proposal to generate high volumes of messages, revenue, and margin with numbers owned by that provider.
When possible, these large SMS volumes are sent to high-cost destinations, often internationally, which further inflates costs (i.e., toll fraud). When the targeted enterprise victim pays its significantly inflated SMS invoice, the provider gives a portion of the profits to the fraudsters who initiated the attack.
This type of SMS fraud attacks more than one vulnerability within the SMS communication chain. Victims usually discover it only after it has occurred. That’s why it’s important to understand what SMS Pumping fraud is and how to prevent it.
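One way an enterprise could screen SMS-triggering requests (for example from a one-time-code form) for the pattern described above, as an added example that is not from the original article: it flags destinations outside the markets the business serves and bursts of sends to a single number range. The thresholds, the use of a leading-digit prefix as a stand-in for one provider's number range, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the article): tune to your own traffic.
EXPECTED_DIAL_CODES = ("+1", "+44")  # markets the business actually serves
WINDOW_SECONDS = 600                 # sliding window length
RANGE_PREFIX_LEN = 9                 # leading characters treated as one number range
MAX_PER_RANGE = 3                    # sends allowed per range per window


def review_sms_requests(events):
    """Return (timestamp, msisdn, reason) for each request to block or review.

    events: iterable of (unix_timestamp, e164_msisdn), sorted by timestamp.
    """
    recent = defaultdict(deque)  # range prefix -> timestamps inside the window
    flagged = []
    for ts, msisdn in events:
        # High-cost international destinations the business never serves.
        if not msisdn.startswith(EXPECTED_DIAL_CODES):
            flagged.append((ts, msisdn, "unexpected-destination"))
            continue
        window = recent[msisdn[:RANGE_PREFIX_LEN]]
        # Drop timestamps that have aged out of the sliding window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        window.append(ts)
        # Many sends to one number range in a short time suggests pumping.
        if len(window) > MAX_PER_RANGE:
            flagged.append((ts, msisdn, "range-burst"))
    return flagged


# Constructed sample events using reserved/fictitious number ranges.
SAMPLE_EVENTS = [
    (1000, "+12025550101"),   # ordinary signup
    (1005, "+99900012001"),   # outside the served markets
    (1010, "+447700900001"),  # burst begins: same range, seconds apart
    (1012, "+447700900002"),
    (1014, "+447700900003"),
    (1016, "+447700900004"),
    (1018, "+447700900005"),
    (2000, "+447700900006"),  # same range, after the window has passed
]

if __name__ == "__main__":
    for ts, msisdn, reason in review_sms_requests(SAMPLE_EVENTS):
        print(ts, msisdn, reason)
```
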
Other SMS Fraud Types
- Identity Theft: SMS originator spoofing, SMS phishing, Access hacking.
- Network Manipulation: MAP global title faking, SCCP global title faking, SMSC compromise fraud.
- Data Theft: SMS swap fraud, SMS roaming intercept fraud, SMS malware (SMS hacking).
- Commercial Exploitation: Grey routes, bypass, non-interworked offnet routes, SIM farms, Spam, Artificial inflation of traffic (AIT), Message trashing.
Businesses using mobile communication have the responsibility to protect themselves and their audiences. While educating end recipients about detecting mobile fraud schemes is important, education alone is not enough.
Enterprises must set guardrails for originators, assess partner providers carefully, and choose an orchestration platform that provides secure messaging with the right features to prevent data breaches.