AIT - The root cause, the Solution and the Implication on RCS and Network APIs
Artificially inflated SMS traffic is a longstanding issue that has surged exponentially in recent times. Mobile network operators (MNOs) have been accused of benefiting from this type of fraud. However, we believe MNOs are not the perpetrators. Certain business models adopted by MNOs may have inadvertently created an environment that incentivizes these activities. It is time for MNOs to reconsider their business and partnership models to create a better system.
Executive Summary
Artificially inflated SMS traffic, or SMS pumping, has been a longstanding concern that has surged exponentially in recent times. Large international brands have been significantly affected, with some directly accusing mobile network operators (MNOs) of benefitting from this specific type of fraud. We firmly believe that MNOs are not the perpetrators of these fraudulent activities for several reasons, which will be discussed later. However, we acknowledge that certain business models adopted by MNOs create an environment that incentivizes some actors to engage in SMS pumping.
Additionally, while rich communication services (RCS) are more secure and transparent than SMS, they are not immune to similar types of fraud. If SMS business models are directly applied to the RCS business messaging ecosystem, we might encounter the same issues. Although network APIs can disrupt the fraud chain for specific use cases, such as one-time passwords (OTPs), they unfortunately cannot address the entire problem. Consequently, MNOs must reconsider their business and partnership models to maintain their native technologies within the value chain, preventing brands from migrating to non-MNO channels and avoiding potential regulatory implications.
Demystifying artificially inflated SMS traffic
Artificially inflated traffic (AIT) as defined by the GSMA, refers to SMS traffic that is generated for the fraudulent purpose of generating revenue associated with its delivery for certain parties in the SMS traffic chain. SMS AIT traffic is typically disproportionate to the overall amount of traffic that would be expected from legitimate usage or acceptable and reasonable commercial practices. Victims of AIT are typically large brands in the consumer space subjected to ‘bot attacks’ against their applications, such as one-time password login flows, notifications, or SMS links to download mobile applications during a user sign-up flow. Large enterprises are not the sole victims of such attacks; aggregators and MNOs can also encounter significant liabilities in the event of fraud disputes.
There are multiple strategies for exploiting AIT for financial gain depending on the position of the bad actor in the ecosystem and the specific attack vector. AIT can be broadly categorized into two main categories based on the attack vector: Supply chain attacks or revenue share-based attacks.
Supply chain attacks involve a bad actor, either within the supply chain or collaborating with a supply chain partner. An attack is launched against the victim, which routes traffic via the bad actor within the supply chain. Depending on the level of sophistication, traffic may be forwarded to unsuspecting users, dropped locally, or in more advanced cases, terminated locally and converted into a legitimate user action within the victim’s application. For example, a bot may enter a one-time password to mimic a legitimate end-user and evade detection.
Revenue share-based attacks target legitimate services offered by MNOs such as number leasing and termination-based revenue share. In such cases, the bad actor obtains access to numbers or number ranges before launching an attack against the victim. Attackers are then paid a revenue share of termination revenues from their service provider, typically a reseller of services provided by an MNO or national operator.
Why MNOs are not at fault?
Although there have been direct accusations claiming that MNOs are responsible for this type of AIT fraud, this is a misconception. There are four reasons for this:
First, it is often assumed that brands directly engage with MNOs to send SMS messages. However, this is not accurate. In most instances, there are multiple intermediaries, such as aggregators, between the MNO and the brand.
Second, the additional revenue generated by sporadic AIT has an insignificant impact on the overall revenues of MNOs, making it highly unlikely that they would deliberately engage in fraud with virtually no financial benefit.
Third, it is not in the best interest of MNOs to devalue their products and drive brands to explore alternative channels, such as WhatsApp, from which MNOs would not derive any revenue. However, MNOs and reputable supply chain partners, who indirectly derive marginal profits from the termination of fraudulent traffic have been accused of "willful blindness"—the act of avoiding liability through intentional ignorance of the facts. Finally, there is heightened scrutiny from regulators and legislators who seek to protect consumers and enterprises from harm. This trend is moving toward establishing a duty of care with financial and criminal liability for MNOs, in an effort to break the fraudulent money chain.
What is the root cause of AIT?
The root cause of the issue lies in the complex supply chain model involving multiple actors, along with certain MNO business models that create an environment where some participants in the value chain feel incentivized to engage in AIT. It is rare for an MNO to be directly connected to a brand. Typically, an MNO works with a select group of partners or SMS aggregators, selling SMS traffic to them on a wholesale basis. These aggregators often are not directly connected to the brands and may further sell SMS traffic to other aggregators. As a result, there can often be three or four aggregators between an MNO and the brand. Attackers often depend on this lack of transparency to avoid detection and evade law enforcement.
Exclusive agreements
Recently, MNOs have increasingly adopted shorter exclusivity agreements for A2P SMS, reducing the duration from the initial three-year period to just one year. MNOs typically auction these exclusivities through a request for proposal (RFP) process to aggregators, where those who win the RFP become the sole SMS termination provider for the specific MNO. Being exclusive, these deals often include substantial minimum commitments, and the winning aggregator is usually the one who offers the highest commitment to the MNO.
Once an aggregator commits to a significant upfront commitment, they may feel incentivized to dramatically increase SMS termination prices—sometimes by as much as tenfold—to fulfill the commitment. This drastic shift in price-volume economics pushes many brands away from SMS to cheaper but less ubiquitous OTT channels. If the exodus is too swift and significant, the exclusive aggregators could find themselves in a difficult position and might resort to fraudulent means to replace traffic and prevent losses.
Furthermore, this issue cascades down the supply chain. No single aggregator connects directly with all the brands worldwide to sell SMS traffic, so the exclusive aggregator resells SMS termination rights to other aggregators, imposing minimum commitments on them as well. Any aggregator in the value chain facing increased prices and the threat of incurring losses might also engage in fraudulent activities to stay in business.
Importantly, there are long-term consequences to the strategy of using sole exclusive aggregators. The increased prices, combined with AIT, erode the market and push brands toward OTT channels. Once brands leave, it becomes challenging to lure them back, even if prices are later reduced, as stability and trust in the SMS channel have been compromised in their eyes.
A handful of trusted partners
When MNOs choose to interact with a handful of partners, instead of exclusivities, similar issues might occur (albeit to a lesser extent). An MNO often has upfront commitments to its trusted partners. Since these partners can not represent all brands globally, they need to resell SMS termination to other aggregators down the supply chain, often placing revenue commitments on them as well. The issue becomes more evident when an MNO selects trusted partners, as the aggregators that don't have direct relationships with brands depend entirely on resellers. AIT fraud in this scenario becomes harder for MNOs to pinpoint, as often fraudulent traffic is mixed with legitimate traffic.
Termination revenue share incentives
In addition to supply chain factors in AIT, fraudsters also exploit legitimate revenue-sharing agreements such as number range leasing, and micro–mobile virtual network operator (MVNO) or mobile virtual network enabler (MVNE) deals. Like supply chain fraud scenarios, MNOs must exercise caution in vetting and working with trusted partners who are directly using their valuable numbering and interconnect assets, as this directly exposes them to regulatory and legislative risks.
The simple approach for an attacker would be to register with an online reseller who offers virtual numbers capable of receiving calls or SMS for which the attacker is paid a share of any associated wholesale termination revenue. The reseller has in turn leased number ranges from a licensed operator under a terminating revenue share agreement.
At a more industrial scale, attacks often span extensive number ranges where an attacker has either entered into a direct agreement with an MNO or has used an MVNE, which offers the ability to set up a white-labeled MVNO within weeks using pre-existing MNO agreements. In such cases, the MNO or MVNE often become direct victims of fraud, as bad actors use fake or stolen credentials to access services.
In either case, responsible service providers have a duty of care to take reasonable measures to detect and prevent fraud, including strong vetting of revenue share use cases and traffic monitoring to detect suspicious patterns of abuse. The significance of trust between an MNO and a partner or reseller offering access to the MNO’s licensed assets cannot be overstated, as the MNO’s risk exposure is much higher in such cases.
What is the solution?
Trust and integrity in the MNO and its supply chain partners are essential to ensuring safe, durable business revenues for all. The industry has witnessed an erosion of trust in mobile communications due to the growth of spoofing, phishing, and AIT attacks as technology evolved into IP-based communications, enabling wider network access with global interconnectedness. Despite this, our industry has an opportunity to rebuild trust through solutions such as RCS and network APIs which increase supply chain transparency and break the fraud chain.
However, to enable this we must learn from history. Exclusivity deals have distorted markets and obscured supply chains through reselling, enabling bad actors to go undetected. Such deals incentivize fraud and increase compliance risk. Prioritization of short-term gains from high initial commitments over long-term market resilience combined with increased compliance risk due to weak know your customer (KYC) controls, creates a toxic risk environment for an MNO operating valuable licensed assets.
To minimize AIT fraud and ensure the long-term sustainability of CSP assets in the value chain we recommend the following:
- Avoid exclusive agreements
- Choose partners with strong connections to brands, avoiding resellers
- Recognize that unsustainable high initial commitments incentivize fraud
- Impose stringent KYC and ethical standards on supply chain providers
What about RCS business messaging?
As all major device vendors start supporting RCS and RCS business messaging, the impact on A2P messaging will be significant. RCS offers richer content, such as interactive carousels, combined with trusted brand registration. It offers better monetization opportunities, such as charging based on conversation or time, unlike SMS's per-message model. Additionally, RCS has a clear path for evolution by potentially supporting new features like document signing and screen sharing. As global networks evolve towards full IMS architectures, RCS will displace SMS messaging within mobile networks as the ubiquitous secure messaging solution.
RCS business messaging represents a significant step forward in reducing spam and mitigating grey routes and introduces greater transparency in supply chain routing between brands and terminating MNOs. However, it is vulnerable to the same pitfalls and market conditions as SMS A2P, due to the risks associated with exclusivity deals, price-volume economics, and the prevalence of resellers lacking direct connections with brands.
RCS structurally mitigates AIT risks through its MaaP (messaging as a platform) framework, which centralizes agent provisioning under GSMA-backed certification processes. Unlike SMS’s fragmented supply chain (with opaque aggregators and resellers), RCS requires all agents to undergo identity verification and compliance checks to ensure legitimacy before integration. This creates traceability; every message is tied to a certified entity, enabling MNOs to monitor traffic sources. Additionally, MaaP’s standardized APIs and centralized hubs reduce uncontrolled intermediaries, limiting avenues for traffic manipulation. However, if MNOs bypass these safeguards through exclusivity deals, lax certification enforcement, or poor monitoring, the system’s transparency benefits diminish, bringing back vulnerabilities similar to those found in SMS AIT fraud. Thus, while RCS’s architecture inherently provides a significant step forward in security and transparency compared to SMS, its efficacy still hinges on the MNO’s diligence in monitoring the chain of trust.
Brands have high expectations for RCS, hoping that this type of fraud will be significantly reduced. If RCS develops a reputation similar to that of SMS, brands may find themselves left with only OTT channels as viable options. Therefore, MNOs must be highly vigilant to maintain the brand value of RCS by addressing the pitfalls of the ecosystem where AIT-type fraud can occur.
What about network APIs?
In the realm of CAMARA-based network APIs, the mechanisms differ significantly from those of SMS and RCS. AIT is often found in two-factor authentication (2FA) use cases. Fraudsters find 2FA journeys in mobile applications with a global user base and artificially inflate SMS and voice traffic in the form of OTPs around the world.
Network APIs like number verification and enhanced number verification eliminate any incentive for AIT by removing the requirement for OTPs during the 2FA use case. Number verification is a new 2FA solution that leverages the sim card of a mobile device as the possession factor. Enhanced number verification elevates the security and availability of number verification using an integrated token-based system.
Moreover, these network APIs will incorporate consent capture mechanisms for explicit end- user consent, further deterring fraudsters from using bots to artificially inflate CAMARA API traffic.
Even as new technologies like RCS and network APIs emerge and gain traction, traditional OTP solutions like SMS and voice will continue to be deployed. Developers and enterprises will transition and adopt new two-factor authentication (2FA) solutions at different times, depending on their individual risk tolerance and local market availability. Therefore, MNOs still need to reassess their business model practices to eliminate AIT fraud, even as new technologies help to address the problem.
Conclusion
The AIT phenomenon arises from the current SMS A2P supply chain structure, where aggregators are stacked one after another, compounded by certain business models utilized by MNOs that inadvertently encourage AIT. This problem is likely to be repeated in RCS business messaging, and even network APIs will not be able to fully address it. Therefore, MNOs need to reassess their business models. They should consider steering clear of exclusivity agreements, engaging more with partners who have strong brand connections, avoiding high initial commitments, and imposing more stringent KYC and ethical standards on all players in the supply chain.
