SMS fraud: The complete guide to detection and prevention
SMS fraud is when bad actors misuse SMS for their own benefit. Learn how to protect your business and customers from potentially falling victim to it.
What is SMS fraud, and why does it happen?
Put simply, SMS fraud is when bad actors misuse SMS to trick others for their own benefit, which could be financial or otherwise. By taking advantage of weaknesses in SMS systems and human mistakes, they might steal data from the recipients or trick them into signing up for paid services.
Also, fraudsters can send fake SMS traffic and profit from charging the sending costs to businesses or charge advertisers for fake traffic.
SMS fraud is so widespread because of the vital role SMS (still) plays in digital communication. It’s accessible on all phone types worldwide, gets delivered instantly, and opened almost immediately. Unfortunately, scammers know this, so they continuously develop new methods to trick mobile users and businesses via SMS. Staying vigilant and informed is crucial to protect ourselves from these scams.
If you are already familiar with the impact of SMS fraud and its types, you can skip to the chapter about SMS fraud detection and prevention by clicking here.
The impact of SMS fraud
In January 2023, the US Federal Trade Commission reported that in 2022, US consumers lost $330 million to fraudulent text messages. This represents a whopping 151% increase compared to 2021, which was $131 million. Sending fake bank security messages was the most common type of fraud, which reportedly increased almost 20x since 2019.
$330 mil
in US consumer losses to text message fraud in 2022
151%
increase in text message fraud from 2021 to 2022
74%
of organizations worldwide have experienced smishing attacks in 2022
A particular spike happened in the first six months of 2021 when studies in the UK showed that SMS smishing attacks increased by a massive 700%. This can be partly attributed to the increase in home deliveries and associated SMS notifications during Covid lockdowns, but the trend is definitely on a steep upward curve.
Consumers are not the only ones affected – 74% of organizations worldwide have experienced smishing in 2022. According to the Global Fraud Loss Survey 2023 by CFCA, the telecommunications industry lost $38.95 billion in revenue globally in 2022, which makes 2.5% of global revenue lost to fraud, up from 2.2% in 2021. In 2023, the Bank of Valletta (BOV) was even held party responsible when its clients lost money due to an SMS scam.
In addition to the direct monetary losses, other impacts are less obvious but still detrimental:
- The general mistrust of SMS will lead consumers and businesses to abandon it as a communication channel in favor of others. This will erode revenues for mobile operators, leading to price increases on the other services they provide.
- The cost of additional security measures will also be passed on to consumers in the long run, and these measures may affect user experience, for example, through additional authentication steps.
Types of SMS fraud
There are many ways criminals use SMS for scams. In 2021, the Mobile Ecosystem Forum identified 14 types of SMS fraud, dividing them into four categories: identity theft, data theft, network manipulation, and commercial exploitation.
Let’s explore the most common types of SMS fraud in more detail.
Smishing
Smishing is a type of fraud where criminals contact potential victims by SMS to trick them into providing personal or bank account information or clicking on links that download malware onto their phones. It is the SMS equivalent of email phishing.
Sophisticated smishing attacks will use social engineering tactics to gather information about potential victims, including where they live, who they interact with online, and which banks and credit card companies they are customers of.
This information can then be used in the creation of very realistic spoof SMS messages that deceive the victim into believing that they are from a legitimate business or person.
Read more about smishing:
SMS spoofing
SMS spoofing is a way of changing the sender information on a text so that the recipient sees whatever alphanumeric text is defined, rather than a mobile number.
SMS spoofing is not inherently illegal. There are many valid applications for it and there are even free SMS spoofing services on the internet (we won’t link to them, just in case).
Here are a few valid examples:
- Bulk service messages: Messages sent to opted-in customers from a legitimate business, such as ‘Your monthly bill is available to download‘.
- SMS alerts: Important notifications from businesses or government agencies, such as ‘Tsunami alert – move to high ground‘.
- Whistle-blowing: Messages that expose wrongdoing by a person or business where the sender wants to remain anonymous.
How SMS spoofing works
The problem is that fraudsters often use SMS spoofing to mimic messages from legitimate businesses as part of smishing attacks. They could pretend to be from a bank, a delivery company, a trusted institution like the tax office, or even the recipient’s own employer in the case of targeted ‘spear’ attacks.
Not realizing that the message is fake, recipients may drop their guard and click on links, which could download malware to their phones or take them to fake landing pages designed to extract private information from them.
Another sly tactic that criminals use is to use SMS spoofing to fake payment confirmations for the purchase of expensive items from individuals or businesses. They offer to pay for an item by bank transfer, but instead of actually making the payment, they fake a confirmation text message to the seller from their bank with the correct reference and exact amount of the sale for authenticity.
This fraud is particularly prevalent on buy-and-sell pages that don’t have stringent identity checks. A good tip, if you are selling a valuable item like a car or appliance, is to always log into your online banking to check that the funds are actually there before letting the buyer take it.
You can read more about spoofing here.
SIM swapping fraud
SIM swapping fraud is when fraudsters abuse the process of swapping SIM cards to steal data, money and in many cases the mobile user’s identity. It is a significant threat for businesses that have been slow to implement SIM swap detection solutions.
There are of course valid reasons to swap a SIM card – for example when a subscriber switches network provider and wants to move their mobile number from one SIM card to another. This process is common enough that fraudsters can exploit it to take over a person’s mobile number by simply contacting the provider and employing some simple social engineering tactics to impersonate them.
Once the account has been taken over, the criminal will have access to all the person’s personal details and their message inbox to receive the 2FA notifications required to change banking and credit card passwords.
SIM swap detection services use a number of inputs to flag both attempted and successful takeover attempts, for example by checking the IMSI register for any changes to the SIM activation date. Mobile operators that implement these solutions are able to protect their subscribers from account takeover fraud and the stress of identity theft.
Read more about SIM swapping fraud:
SMS pumping
SMS pumping, also known as artificially inflated traffic (AIT) or toll-free fraud, is a type of SMS fraud can significantly harm a business’ SMS budget. Essentially, fraudsters will artificially inflate SMS traffic by sending fake SMS OTP messages, and charge the business for it.
This kind of fraud even affects some of the world’s biggest businesses. Elon Musk claimed that SMS pumping costs Twitter $60 million a year. That’s a shocking amount of money that proves no one is truly safe from this kind of SMS fraud.
SMS pumping is tricky to catch, especially for businesses that send large amounts of SMS messages every month. There are a few techniques fraudsters use to get away with this.
For example:
- The scammer will use a sequence of numbers and send you one OTP request per phone number. You’ll only spot this fraud if you notice the same number with varying endings are sending you OTP requests at the same time.
- Scammers will use the same number to send multiple brands a single OTP request at the same time. This is impossible to catch since you don’t have access to other brands’ SMS traffic.
Most businesses will notice something is wrong when they go over their monthly SMS budget in a very short amount of time. Another way is by noticing a very low conversion rate on OTP messages, meaning the customers you sent OTPs to never used them. By then, it’s too late to stop the fraudster but not too late to prevent SMS pumping from happening again.
Did you know that Infobip Signals can flag and block suspicious traffic without blocking legitimate messages? That means that you don’t pay for any illegitimate SMS messages, and only pay for traffic that could yield real results.
SMS trashing
Identified as a new major type of SMS fraud in 2021, SMS trashing happens when a portion of SMS messages are not even sent to a mobile subscriber number (MSISDN), but are nonetheless charged to a business.
The only ones benefiting from message trashing are rogue (or fraudulent) SMS aggregators, as they charge the sending of undelivered messages at full price to a business, without calculating the percentage that should be paid out to a mobile operator (since the messages are „trashed“ on the aggregator’s platform, and not actually delivered to a mobile number).
SMS grey routes
SMS grey routes represent a type of fraud committed by rogue mobile operators (MNOs) where A2P SMS messages, which should be charged at a premium rate, are passed off as P2P traffic for all or parts of their journey to benefit from reduced rates. This results in other mobile operators, who facilitate the delivery of the messages through their network infrastructure, not being compensated for the services they provide.
There are three types of grey route fraud:
- Operator to Operator: In this scenario, Operator 1 will have a roaming agreement with Operator 2 in another country for sending person-to-person (P2P) messages. Since the ratio of incoming and outgoing messages is the same, they agree not to charge each other for international P2P traffic. However, (rogue) Operator 2 deliberately masks commercial A2P traffic as P2P instead, earning revenue for the more expensive A2P messages without having to pay anything extra to (law-abiding) Operator 1.
- A2P Aggregators: In this scenario, MNOs use local A2P aggregators to avoid paying premium roaming charges in a foreign country. For example, Operator 1 uses the aggregator, which has better SMS rates with Telecom B, to deliver A2P traffic over SMPP routes. Operator 1 is the rogue here as they get to avoid paying the agreed market rate to Operator 2, the one that actually delivers the message to the recipient.
- SIM Boxes: Also known as ‘grey route traffic machines’, these devices use prepaid P2P SIM cards to fraudulently handle premium A2P traffic. These cards have a price per SMS that is lower than direct A2P telecom prices or include a set number of free messages as part of the package. The difference between the two prices, which can be significant, is pure profit for the fraudsters.
While grey route traffic does not impact mobile users directly as fraud, it upsets the balance of the mobile ecosystem. The measures required to prevent it lead to overall higher prices and a more disjointed customer experience.
SMS spam
There are several valid and useful reasons to receive unsolicited SMS messages – notifications warning of a potential fraud or an extreme weather event are definitely beneficial. SMS spam will do neither, and it breaks compliance laws in almost every country globally. Unfortunately, this doesn’t stop unprincipled businesses from buying up lists of mobile numbers and bombarding them with irrelevant offers and promotions.
A 2023 report found that in the United States, 10.89 billion spam SMS messages were sent in August 2022 alone. That is 39 messages each for the whole population, in a single month. Compared to August 2021, this represents a staggering 500% increase.
SMS spam is a problem that is only growing. With the introduction of both legislation and technology to combat robocalling, spammers are turning to SMS to mass-distribute their messages. This type of fraud has been a severe threat to the mobile industry for at least five years.
How to stop spam texts
As a mobile user, you can do very little to stop SMS spam completely. Spam text blocking and reporting may be satisfying, but they are largely ineffective. Spammers have a vast pool of numbers to choose from, and the number you report would probably have already been discarded.
Usually, the emphasis is on reducing the impact of spam texts to your phone. For example, if your phone supports it, you could switch off notifications from ‘unknown’ numbers or have these filtered into a separate inbox.
However, in doing this, you risk missing an important text alert from your bank about a possible fraud, or even an extreme weather warning from a local government agency.
So, the responsibility ultimately falls to mobile operators to cut off spam texts and other fraud attempts before they even make it to their subscribers.
But how can they do this without blocking genuine traffic? This is the million-dollar question that the industry is currently trying to find an answer to. We’ll explore possible solutions for detecting and preventing SMS fraud below.
How to detect and prevent SMS fraud
There are two main strategies for detecting and preventing SMS fraud. The first is on a micro-level, where businesses, A2P SMS providers, and mobile operators can implement better security solutions to protect the quality of their connections.
The second one is a broader, collective effort that includes local regulators and government organizations, who can introduce stricter regulations or set the benchmark for everyone on the market. Let’s explain each of these strategies in more detail.
Micro-level: implementing security solutions
A key part in the defense against SMS fraud is implementing SMS firewalls, such as the one we use at Infobip. It features include:
- Links to a continually updated database of malicious numbers and URLs that can be automatically blocked in real-time
- Proactive threat detection using machine learning to pre-empt fraud attempts
- Automated responses to identified threats
- Detection of MSISDNs that are not “real customers” based on SIM box detection that can provide MSISDN reputation analysis
In a whitepaper, we described how our SMS firewall was the first to detect a previously unknown type of fraud that was spreading globally. It identified an unusual SMS message content pattern that did not appear to be either A2P traffic or legitimate P2P messaging. It wasn’t spam either as the messages were traced back to legitimate senders.
Investigations showed that the traffic was being routed via a particular third-party app that was able to bypass international message charges. Mobile operators were briefed so that action could be taken to protect both their business and subscribers from this new fraud threat.
Our SMS firewall was updated to detect and block these messages automatically, and the information about affected subscribers was passed to each mobile operator so that they could help them to deal with the problem. The solution was shown to be extremely accurate with less than 0.1% false-positive cases.
Besides an SMS firewall, we also use a simple plug-and-play solution called Signals that uses a mix of methods to spot and stop fraud, particularly for OTP traffic. It checks for unusual patterns and behaviors, uses data analysis to assess risks, and employs machine learning to block fake traffic as it happens.
You can check out an overview of Signals in this video:
Macro-level: cross-sector initiatives and new regulations
One notable example of a collective effort to stop SMS fraud is the initiative by the UK’s mobile industry, banking and finance sector, and the UK government’s National Cyber Security Centre (NCSC). They joined forces to prevent criminals from sending scam text messages exploiting the Covid-19 crisis.
As part of the initiative, they have developed a ‘white list’ that allows organizations to register and protect the sender IDs used when sending out legitimate text messages. This limits the ability of criminals to send messages using the same sender ID as a particular brand or government department already registered. Also, the NCSC published guidance for businesses on „scam-proofing“ their SMS messages and phone calls.
When it comes to regulations, there is the example of new legislation in Poland called The Act on Combating Abuses in Electronic Communication (CAECA), enacted in 2023. It requires mobile operators to:
- block text messages that qualify as smishing
- block text messages purporting to be from a public institution (based on the name of the sender)
- block calls that conceal the caller ID from the end user
In the case of NAB, an Australian bank that joined forces with telco providers to combat text scams, the need for legislative action is directly mentioned by Chris Sheehan, NAB Executive for Group Investigations and Fraud: “One observation I would make is while we have had great co-operation from the telcos and they have moved as quickly as they can, there is no central, overarching legislative requirement,” he said. “We are very much reliant on them acting voluntarily across the entire industry.”
The problem is also, however, that not all mobile operators have the solutions needed to stop fraud, which is why they need to work with partners who can help them.
An example of a single, market-wide anti-fraud solution comes from Sri Lanka, where the Cabinet of Ministers granted approval to evaluate our SMS firewall. The goal of it is to monitor short message exchanges (SMS and MMS) on the whole market to confront fraud, spam, and illegal activities.
Conclusion: SMS fraud is a growing problem for the industry, but it is solvable
Let’s summarize the main takeaways:
- Definition: SMS fraud is a global issue in which fraudsters exploit SMS system vulnerabilities and human errors for financial or other types of gain. They use various methods to do this, inflicting financial or reputational damage on consumers, mobile operators, and businesses.
- Prevention (level 1): The first step in preventing SMS fraud is for businesses, A2P SMS providers, and mobile operators to implement better security solutions (and avoid working with partners engaging in fraudulent practices).
- Prevention (level 2): On a macro-level, companies and government organizations can work together and follow best practices from other countries, introducing cross-sector initiatives or setting new rules for the whole market.
To sum up, tackling SMS fraud is crucial for the future of the A2P SMS industry. Both individual and collective efforts are necessary to keep the ecosystem secure and beneficial to businesses, mobile operators, aggregators, and ultimately, mobile users.
Related solutions
This blog was originally published on Sep 15th, 2023, and last updated on Apr 5th, 2024. Updates include a definition of SMS fraud, the statistics on its impact, a chapter on SMS trashing as a new type of fraud categorized by MEF, and strategies for SMS fraud detection and prevention.
You may be interested in:
Get the latest insights and tips to elevate your business
By subscribing, you consent to receive email marketing communications from INFOBIP. You have the right to withdraw your consent at any time using the unsubscribe link provided in all INFOBIP’s email communications. For more information please read our Privacy Notice