A recent article published on Commsrisk argued that application-to-person (A2P) messaging volumes may plummet as artificial inflation of traffic (AIT) hits enterprises with considerable costs of moving fake traffic to fake users. Enea has been researching and discussing this type of fraud for a number of years now, and it has come to a similar conclusion: AIT is a direct threat to the A2P SMS ecosystem. The Mobile Ecosystem Forum (MEF) and research by Mobilesquared, among others, have also echoed these concerns.
Where Enea differs from this overall sentiment is in the analysis and description of the nature of AIT. Generally speaking, the prevailing description of AIT includes enterprises being defrauded by bots programmed to mimic customer behaviors, such as opening new accounts or requesting password resets, prompting the automatic sending of A2P messages. These so-called “amplification bots” can generate thousands of these requests, inflating the volume of A2P messages being sent. Outpayments to virtual numbers can be set up by the fraudsters, allowing them to generate an income for every message sent. In a double-blow to retailers, this massively inflates their messaging costs and skews their customer engagement metrics.
However, this industry-accepted definition only focuses on one specific type of AIT, and it’s not even the type that has the most devastating impact on the market. When you drill deeper into the world of AIT and its many guises, it becomes clear that enterprises are far from the only players in the ecosystem paying the cost of AIT.
Enea’s in-depth research has revealed seven distinctly different types of AIT. Each type is injected at different points in the message delivery path and employs unique methods to cause significant financial, business, and reputational damage to the entire messaging ecosystem. Brands, communication providers, aggregators, and mobile network operators are all impacted. In a recent report, titled “Artificial Inflation of Traffic (AIT): A taxonomy of abuse types, identified techniques, and countering mechanisms”, Enea outlines each AIT type in detail and ranks them according to their overall market impact:
- Counterfeit Fabrication: Illegitimate messages are generated during the transit phase by an aggregator, mimicking genuine messages to create convincing but fraudulent traffic.
- Amplification Bot Generation: Message generation is performed by bots on a brand’s website or service, using fake accounts or exploiting unprotected service interfaces, making it challenging to identify through conventional methods.
- Masquerade Parasite Generation: Attackers create accounts on CPaaS platforms with the sole intent of generating fraudulent traffic. These accounts are often disguised as legitimate enterprises or aggregator partner accounts, blending illegitimate traffic with legitimate messages.
- Interface Hijacking: Exploitation of CPaaS interfaces to generate unauthorized traffic, either through illegitimately opened accounts or misusing legitimate ones, for financial gains or to manipulate performance metrics.
- Puppet Consumer Exploit: Manipulating end-users into sending messages without their knowledge or against their will, using methods like malware, compromised SMS applications, or other deceptive practices.
- Insider Inflation: Enterprises deliberately generate artificial traffic within their internal systems to give the appearance of heightened activity or boost user engagement artificially.
- P2P: Illicitly generating interconnect revenue by manipulating person-to-person traffic, particularly targeting roaming users and exploiting cross-border mobile usage.
There are also two additional enabling techniques for AIT:
- Traffic Trashing: Involves intentionally failing to deliver legitimate business SMS messages and generating false delivery receipts to create an illusion of successful message delivery.
- Virtual Number Outpayment: Obtaining a range of numbers from mobile operators that generate income for every message sent to those numbers. When used with AIT, this can generate a revenue stream for the holder of those numbers.
These classifications are essential to the A2P SMS ecosystem, because they can ultimately help the community preserve trust and protect revenue. Rather than have one catch-all definition of AIT that overlooks much of the nuance in the attacks, it’s important to look at the distinct methods being deployed so that they can be effectively countered and guarded against.
First, there is no single point where all AIT types traverse, let alone where they are visible or controllable. Claiming AIT is an “enterprise problem” that can be solved through improved bot protection on enterprise websites is short-sighted. It’s also wrong to assume that AIT can be solved on the terminating end by forcing MNOs to take action through regulation.
Rather, a community effort will be needed to deal with AIT, including mobile network operators, regulatory bodies, CPaaS providers, aggregators, and brands. This collective effort must embrace the exchange of intelligence and best practices, fostering an environment of information-sharing among stakeholders to pre-emptively identify and neutralize specific and nuanced forms of AIT.
Second, for a collective effort to work, the community must ensure that it is talking about the same thing. Without a clear taxonomy that represents the diverse range of AIT types, the problem will remain elusive. Such is the complexity of AIT, that the i3forum, the GSMA, and the MEF — all authoritative sources — have struggled to develop a universal and consistent definition for it. As long as the community lacks a common understanding of the problem and common definitions of the various types of AIT, it will not be able to discuss how to mitigate it.
There are technological solutions that can be deployed to identify AIT at different nodes in the messaging path, which can help to control the problem. Beyond that, establishing industry-wide standards and regulatory frameworks — based on a clear taxonomy of AIT abuses — is essential, providing a clear guideline for acceptable practices and ensuring a concerted effort in the ongoing battle against AIT. Through unity, innovation, and vigilance, the telecommunications sector can fortify its defenses, safeguarding the integrity of its networks and preserving trust in the A2P messaging ecosystem.



