UK Cyber Security Center Issues Guidance on Artificial Inflation of SMS Traffic

A notable sign of the times comes in the form of new advice published by the UK’s National Cyber Security Centre (NCSC).

The rise in Artificial Inflation of Traffic (AIT) is leaving many businesses out of pocket.

To counter this growing threat, we’ve updated our SMS and telephone best practice guidance, which is designed to help organisations, and their customers reduce exposure to SMS and telephone-related fraud.

Elon Musk (pictured) gets credit for raising awareness of SMS AIT fraud.

This type of fraud can cause substantial financial cost to businesses. Elon Musk summarised how the issue had impacted X (formerly known as Twitter) last December, where he explained that “Twitter was being scammed to the tune of 60 million dollars a year for SMS texts.”

The link shows NCSC learned of this story by reading this website! Commsrisk has consistently encouraged a more rounded understanding of technology risks than typically provided by academics and other experts. You cannot have a complete picture of technology-related risks without considering the fundamentals of business too. Bad actors have motives. Risk mitigation will be poorly prioritized if we only use technical know-how to rank the seriousness of vulnerabilities and other weaknesses. Understanding how criminals can make money, and how much money they can make, gives us a better appreciation of the potential scale of threats. That necessitates insights into the global business of running networks and providing communications services. We should feel a degree of discomfort that it required the intervention of Elon Musk, an outsider to the telecoms industry, to highlight the extent of SMS AIT fraud.

The announcement from the NCSC is refreshingly straightforward when explaining the factors that have driven the rise of SMS AIT.

Since the NCSC’s SMS and telephone best practice guidance was originally published in January 2022, AIT fraud has increased, mainly for two reasons:

  1. Application to person (A2P) SMS costs have risen, increasing the potential profit of AIT fraud.
  2. AIT is not regulated by common SMS agreements and regulations. There are even companies that openly advertise their ability to defraud businesses by AIT, offering to impersonate hundreds of popular brands.

If I was to find any fault with the NCSC advice, it is with the assumption that SMS AIT has risen in the last two years. My guess is that there was already a lot of SMS AIT, partly because this threat received insufficient attention. We cannot form reliable conclusions as to how much SMS AIT may have genuinely increased and how much of the apparent increase is due to newer estimates being more accurate than they were a few years ago. Apart from this minor criticism, the NCSC’s practical advice is superbly succinct. The relevant section of the best practice guidance has been reproduced in full at the bottom of this article. The announcement explaining the need to add SMS AIT advice can be seen here and the complete text of the NCSC’s telephone and SMS best practice guide is here.

SMS and one time passcodes (OTP)

SMS is frequently used as part of multi-factor authentication (MFA) on websites. Criminals are using techniques to Artificially Inflate Traffic (AIT) leaving the website owner out of pocket. The NCSC has already published guidance on choosing the right type of authentication. Ideally you should offer different MFA options so the user can choose the one that best suits their needs.

You should:

  • Establish whether SMS is the right solution. If it is, refer to section 3 above (Contact by SMS).
  • Ensure your APIs for triggering SMS are not internet-facing (or publicly accessible) as these are often exploited by fraudsters.
  • Ensure your website has input validation so that only a telephone number of the correct length and format is accepted.
  • Restrict the number of retries a user/identifier can initiate in a given time. This can help protect against denial of service attacks and limit your fraud exposure.
  • Consider whether you need to send messages internationally. If not, then do not send them. If you do, consider blocking high-rate countries and/or doing further non-SMS checks before registering the number.
  • Do not send to unallocated numbers or virtual numbers. These are numbers that don’t have a person at the other end, and are used by criminals to artificially inflate traffic. Your messaging provider should be able to help with this.
  • Consider implementing business rules such as blocking multiple requests from the same IP address (or multiple requests for the same phone number from different IP addresses) and introduce rate limiting to help protect against attacks. Where possible, try to understand your historical message patterns for comparison. If there is a sudden spike, then it’s likely to be an attack.
  • Consider introducing technology to identify bots. This will help reduce your exposure to fraud or denial of service attacks.
  • Monitor your conversion rates. If the messages you send do not result in an input by the user, work with your provider to understand why.
  • Include fraud clauses in your contracts so that you can hold your message provider to account.
Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.