A complete guide to SMS fraud detection and prevention

SMS is a crucial tool for digital communication. It’s available on all types of phones across the globe, gets delivered instantly, and is typically opened and read almost immediately. Unfortunately, fraudsters know this and are constantly devising new ways of using SMS to scam mobile users and businesses.

In this blog, we will define SMS fraud and explain how it impacts the mobile industry. Also, we will cover the most common types of SMS fraud, explaining how to recognize threats, and what mobile operators and businesses can do to protect their customers and users.

If you are already familiar with the different types of SMS fraud and its impact, you can skip to the chapter about detection and prevention by clicking here.

Put simply, SMS fraud is when bad actors send SMS messages to trick others for their benefit, which could be financial or otherwise. By taking advantage of weaknesses in SMS systems and human mistakes, they might steal data from the recipients or trick them into signing up for paid services.

Also, fraudsters can send fake SMS traffic and profit from charging the sending costs to businesses or charge advertisers for fake traffic.

In January 2023, the US Federal Trade Commission reported that in 2022, US consumers lost $330 million to fraudulent text messages. This represents a whopping 151% increase compared to 2021, which was $131 million. Sending fake bank security messages was the most common type of fraud, which reportedly increased almost 20x since 2019.

A particular spike happened in the first six months of 2021 when studies in the UK showed that SMS smishing attacks increased by a massive 700%. This can be partly attributed to the increase in home deliveries and associated SMS notifications during Covid lockdowns, but the trend is definitely on a steep upward curve.

Consumers are not the only ones affected – 74% of organizations worldwide have experienced smishing in 2022. According to the Global Fraud Loss Survey 2023 by CFCA, the telecommunications industry lost $38.95 billion in revenue globally in 2022, which makes 2.5% of global revenue lost to fraud, up from 2.2% in 2021. In 2023, the Bank of Valletta (BOV) was even held party responsible when its clients lost money due to an SMS scam.

In addition to the direct monetary losses, other impacts are less obvious but still detrimental:

There are many ways criminals use SMS for scams. In 2021, the Mobile Ecosystem Forum identified 14 types of SMS fraud, dividing them into four categories: identity theft, data theft, network manipulation, and commercial exploitation.

Here is a quick breakdown of the most common types of fraud and those affected by it:

Smishing is a type of fraud where criminals contact potential victims by SMS to trick them into providing personal or bank account information or clicking on links that download malware onto their phones. It is the SMS equivalent of email phishing.

Sophisticated smishing attacks will use social engineering tactics to gather information about potential victims, including where they live, who they interact with online, and which banks and credit card companies they are customers of.

This information can then be used in the creation of very realistic spoof SMS messages that deceive the victim into believing that they are from a legitimate business or person.

SMS spoofing is a way of changing the sender information on a text so that the recipient sees whatever alphanumeric text is defined, rather than a mobile number.

SMS spoofing is not inherently illegal. There are many valid applications for it and there are even free SMS spoofing services on the internet (we won’t link to them, just in case).

Here are a few valid examples:

The problem is that fraudsters often use SMS spoofing to mimic messages from legitimate businesses as part of smishing attacks. They could pretend to be from a bank, a delivery company, a trusted institution like the tax office, or even the recipient’s own employer in the case of targeted ‘spear’ attacks.

Not realizing that the message is fake, recipients may drop their guard and click on links, which could download malware to their phones or take them to fake landing pages designed to extract private information from them.

Another sly tactic that criminals use is to use SMS spoofing to fake payment confirmations for the purchase of expensive items from individuals or businesses. They offer to pay for an item by bank transfer, but instead of actually making the payment, they fake a confirmation text message to the seller from their bank with the correct reference and exact amount of the sale for authenticity.

This fraud is particularly prevalent on buy-and-sell pages that don’t have stringent identity checks. A good tip, if you are selling a valuable item like a car or appliance, is to always log into your online banking to check that the funds are actually there before letting the buyer take it.

You can read more about spoofing here.

SIM swapping fraud is when fraudsters abuse the process of swapping SIM cards to steal data, money and in many cases the mobile user’s identity. It is a significant threat for businesses that have been slow to implement SIM swap detection solutions.

There are of course valid reasons to swap a SIM card – for example when a subscriber switches network provider and wants to move their mobile number from one SIM card to another. This process is common enough that fraudsters can exploit it to take over a person’s mobile number by simply contacting the provider and employing some simple social engineering tactics to impersonate them.

Once the account has been taken over, the criminal will have access to all the person’s personal details and their message inbox to receive the 2FA notifications required to change banking and credit card passwords.

SIM swap detection services use a number of inputs to flag both attempted and successful takeover attempts, for example by checking the IMSI register for any changes to the SIM activation date. Mobile operators that implement these solutions are able to protect their subscribers from account takeover fraud and the stress of identity theft.

SMS pumping, also known as artificially inflated traffic (AIT) or toll-free fraud, is a type of SMS fraud can significantly harm a business’ SMS budget. Essentially, fraudsters will artificially inflate SMS traffic by sending fake OTP messages, and charge the business for it.  

This kind of fraud even affects some of the world’s biggest businesses. Elon Musk claimed that SMS pumping costs Twitter $60 million a year. That’s a shocking amount of money that proves no one is truly safe from this kind of SMS fraud.

SMS pumping is tricky to catch, especially for businesses that send large amounts of SMS messages every month. There are a few techniques fraudsters use to get away with this. 

For example:  

Most businesses will notice something is wrong when they go over their monthly SMS budget in a very short amount of time. Another way is by noticing a very low conversion rate on OTP messages, meaning the customers you sent OTPs to never used them. By then, it’s too late to stop the fraudster but not too late to prevent SMS pumping from happening again.  

Identified as a new major type of SMS fraud in 2021, SMS trashing happens when a portion of SMS messages are not even sent to a mobile subscriber number (MSISDN), but are nonetheless charged to a business.

The only ones benefiting from message trashing are rogue (or fraudulent) SMS aggregators, as they charge the sending of undelivered messages at full price to a business, without calculating the percentage that should be paid out to a mobile operator (since the messages are „trashed“ on the aggregator’s platform, and not actually delivered to a mobile number).

SMS grey routes represent a type of fraud committed by rogue mobile operators (MNOs) where A2P SMS messages, which should be charged at a premium rate, are passed off as P2P traffic for all or parts of their journey to benefit from reduced rates. This results in other mobile operators, who facilitate the delivery of the messages through their network infrastructure, not being compensated for the services they provide.

There are three types of grey route fraud:

While grey route traffic does not impact mobile users directly as fraud, it upsets the balance of the mobile ecosystem. The measures required to prevent it lead to overall higher prices and a more disjointed customer experience.

There are several valid and useful reasons to receive unsolicited SMS messages – notifications warning of a potential fraud or an extreme weather event are definitely beneficial. SMS spam will do neither, and it breaks compliance laws in almost every country globally. Unfortunately, this doesn’t stop unprincipled businesses from buying up lists of mobile numbers and bombarding them with irrelevant offers and promotions.

SMS spam is a problem that is only growing. With the introduction of both legislation and technology to combat robocalling, spammers are turning to SMS to mass-distribute their messages. This type of fraud has been a severe threat to the mobile industry for at least five years.

From a mobile user perspective there is very little you can do to stop SMS spam completely. Spam text blocking and reporting may be satisfying, but they are largely ineffective. Spammers have a vast pool of numbers to choose from, and the number you report would probably have already been discarded.

For individuals, the emphasis is usually on reducing the impact of spam texts. For example, if your phone supports it, you could switch off notifications from ‘unknown’ numbers or have these filtered into a separate inbox. However, in doing this you risk missing an important text alert from your bank about a possible fraud, or even an extreme weather warning from a local government agency.

So, the responsibility ultimately falls to mobile operators to cut off spam texts and other fraud attempts before they even make it to their subscribers.

But how can they do this without blocking genuine traffic? This is the million-dollar question that the industry is currently trying to find an answer to. We’ll explore possible solutions for detecting and preventing SMS fraud below.

There are two main strategies for detecting and preventing SMS fraud. The first is on a micro-level, where businesses, A2P SMS providers, and mobile operators can implement better security solutions to protect the quality of their connections.

The second one is a broader, collective effort that includes local regulators and government organizations, who can introduce stricter regulations or set the benchmark for everyone on the market. Let’s explain each of these strategies in more detail.

A key part in the defense against SMS fraud is implementing SMS firewalls, such as the one we use at Infobip. It features include:

In another blog, we described how our SMS firewall was the first to detect a previously unknown type of fraud that was spreading globally. It identified an unusual SMS message content pattern that did not appear to be either A2P traffic or legitimate P2P messaging. It wasn’t spam either as the messages were traced back to legitimate senders.

Investigations showed that the traffic was being routed via a particular third-party app that was able to bypass international message charges. Mobile operators were briefed so that action could be taken to protect both their business and subscribers from this new fraud threat.

Our SMS firewall was updated to detect and block these messages automatically, and the information about affected subscribers was passed to each mobile operator so that they could help them to deal with the problem. The solution was shown to be extremely accurate with less than 0.1% false-positive cases.

Besides an SMS firewall, we also use a simple plug-and-play solution called Signals that uses a mix of methods to spot and stop fraud, particularly for OTP traffic. It checks for unusual patterns and behaviors, uses data analysis to assess risks, and employs machine learning to block fake traffic as it happens.

You can check out an overview of Signals in this video:

One notable example of a collective effort to stop SMS fraud is the initiative by the UK’s mobile industry, banking and finance sector, and the UK government’s National Cyber Security Centre (NCSC). They joined forces to prevent criminals from sending scam text messages exploiting the Covid-19 crisis.

As part of the initiative, they have developed a ‘white list’ that allows organizations to register and protect the sender IDs used when sending out legitimate text messages. This limits the ability of criminals to send messages using the same sender ID as a particular brand or government department already registered. Also, the NCSC published guidance for businesses on „scam-proofing“ their SMS messages and phone calls.

When it comes to regulations, there is the example of new legislation in Poland called The Act on Combating Abuses in Electronic Communication (CAECA), enacted in 2023. It requires mobile operators to:

In the case of NAB, an Australian bank that joined forces with telco providers to combat text scams, the need for legislative action is directly mentioned by Chris Sheehan, NAB Executive for Group Investigations and Fraud: “One observation I would make is while we have had great co-operation from the telcos and they have moved as quickly as they can, there is no central, overarching legislative requirement,” he said. “We are very much reliant on them acting voluntarily across the entire industry.”

The problem is also, however, that not all mobile operators have the solutions needed to stop fraud, which is why they need to work with partners who can help them.

Let’s summarize the main takeaways:

To sum up, tackling SMS fraud is crucial for the future of the A2P SMS industry. Both individual and collective efforts are necessary to keep the ecosystem secure and beneficial to businesses, mobile operators, aggregators, and ultimately, mobile users.

This blog was originally published on Sep 15th, 2023, and last updated on Apr 5th, 2024. Updates include a definition of SMS fraud, the statistics on its impact, a chapter on SMS trashing as a new type of fraud categorized by MEF, and strategies for SMS fraud detection and prevention.