AIT fraud: What you need to know

SMS and telephone guidance updated to address the rise in Artificial Inflation of Traffic (AIT).

The rise in Artificial Inflation of Traffic (AIT) is leaving many businesses out of pocket.

To counter this growing threat, we’ve updated our SMS and telephone best practice guidance, which is designed to help organisations and their customers reduce exposure to SMS and telephone-related fraud.

AIT is a technique used by criminals that generates large volumes of fake traffic through apps or websites.

In a typical AIT scenario:

  • a fraudster uses a bot to create large numbers of fake accounts
  • the fake accounts trigger a one-time passcode (OTP) SMS message to mobile numbers during multi-factor authentication (MFA)
  • the fraudster partners with a rogue party in the mobile ecosystem (an operator or aggregator) to intercept the AIT, but they never actually deliver the messages to the end user
  • together, the fraudster and the rogue party claim the profit
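
As an added illustration (not part of the NCSC guidance or this post), the scenario above implies a defensive signal: OTP messages sent under AIT never reach a real user, so they are never verified. The Python below groups constructed OTP events by number prefix and flags prefixes with high volume and near-zero verification; the event format, thresholds, sample numbers and per-message price are all assumptions.

```python
from collections import defaultdict

# Constructed sample events: (destination number, OTP later verified?).
# +999 is a placeholder country code; +447700900xxx is a UK range reserved for drama use.
SAMPLE_EVENTS = (
    [(f"+99955501{i:02d}", False) for i in range(12)]       # burst, none verified
    + [(f"+4477009000{i:02d}", i != 3) for i in range(6)]   # normal users, 5 of 6 verified
    + [("+9991230001", False), ("+9991230002", False)]      # too few events to judge
)

ASSUMED_PRICE_PER_SMS = 0.05  # assumption: illustrative A2P price, not a real tariff


def flag_suspect_prefixes(events, prefix_len=7, min_sent=5, max_verify_rate=0.2):
    """Flag number prefixes with many OTP sends but few completed verifications."""
    sent = defaultdict(int)
    verified = defaultdict(int)
    for number, was_verified in events:
        prefix = number[:prefix_len]
        sent[prefix] += 1
        verified[prefix] += int(was_verified)

    flagged = {}
    for prefix, count in sent.items():
        rate = verified[prefix] / count
        # Low volume alone is not evidence; require both volume and a poor rate.
        if count >= min_sent and rate <= max_verify_rate:
            flagged[prefix] = {
                "sent": count,
                "verified": verified[prefix],
                "verify_rate": rate,
                "unverified_spend": (count - verified[prefix]) * ASSUMED_PRICE_PER_SMS,
            }
    return flagged


if __name__ == "__main__":
    for prefix, stats in flag_suspect_prefixes(SAMPLE_EVENTS).items():
        print(prefix, stats)
```

A flagged prefix is a prompt for investigation rather than proof of fraud, since legitimate delivery failures also lower the verification rate.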

This type of fraud can cause substantial financial cost to businesses. Elon Musk summarised how the issue had impacted X (formerly known as Twitter) last December, explaining that “Twitter was being scammed to the tune of 60 million dollars a year for SMS texts.”

Since the NCSC’s SMS and telephone best practice guidance was originally published in January 2022, AIT fraud has increased, mainly for two reasons:

  1. Application-to-person (A2P) SMS costs have risen, increasing the potential profit of AIT fraud.
  2. AIT is not regulated by common SMS agreements and regulations. There are even companies that openly advertise their ability to defraud businesses by AIT, offering to impersonate hundreds of popular brands.

The overriding priority for your SMS procurement process should be security. Our guidance explains how you can protect your business and mitigate the risk of AIT fraud, without resorting to drastic measures such as charging users to use MFA by SMS.

As always, we welcome feedback on this guidance. You can contact us via our social media and normal contact channels.