What is Artificially Inflated Traffic
Artificially Inflated Traffic (AIT), also called traffic pumping, is where fraudsters generate large volumes of SMS messages or voice calls. Bots and automation tools interact with customer web pages or applications to trigger these calls or messages.
This is done to defraud the enterprise and other partners in the messaging ecosystem. The fraudsters make money from the fees paid for the SMS messages and voice calls. In some cases, premium-rate numbers are used to inflate the fees further.
The most commonly impacted use cases are One Time PIN codes, whether for registration, logins or password resets, though other use cases, such as download links sent via SMS, can also be impacted.
How to Detect AIT
AIT causes unusual spikes in traffic focussed on specific routes. These may include the following additional signs:
- Deliveries to sequential number ranges
- Deliveries focussed on unusual or remote countries
- Unusual concentrations on specific operators
- Reduced conversion metrics
Comprehensive monitoring and reporting enable detection of these spikes. It is recommended to monitor not only traffic levels, but also the underlying business processes that potentially generate this traffic, such as registration and password resets.
Customers can configure the Syniverse messaging platforms to automatically provide useful additional data, such as destination country & operator, which will enhance their monitoring and reporting.
Customers can also create email alerts in the Syniverse reporting platform to complement their own monitoring. Emails & reports can be sent when certain thresholds are met. Customers who are uncertain how to create these email alerts can raise a ticket to request help or discuss with their Customer Success Manager.
If a customer suspects that AIT may be occurring, they should raise a ticket with Syniverse, who can help investigate the incident and take corrective action such as blocking routes.
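The signs listed above can be checked against a customer's own send records. The following is an added example, not Syniverse code or a Syniverse API: it groups constructed OTP records by country and operator and flags routes with sequential number ranges or low conversion. The record layout, the placeholder country and operator values, and the three thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample OTP send records (not real data):
# (destination number, country, operator, code_was_verified)
SAMPLE_EVENTS = (
    [(f"+9990000010{i}", "XA", "op-1", False) for i in range(1, 7)]
    + [("+99955512004", "XB", "op-2", True), ("+99955598120", "XB", "op-2", True),
       ("+99955530771", "XB", "op-2", False), ("+99955544019", "XB", "op-2", True),
       ("+99955561538", "XB", "op-2", True), ("+99955577402", "XB", "op-2", True)]
    + [("+99977700001", "XB", "op-3", False), ("+99977700002", "XB", "op-3", False)]
)


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive numbers (n, n+1, n+2, ...)."""
    nums = sorted({int(n) for n in numbers})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_ait_suspects(events, min_messages=5, min_run=4, max_conversion=0.2):
    """Flag (country, operator) routes showing sequential ranges or low conversion.

    The three thresholds are assumed values; tune them against normal traffic.
    """
    routes = defaultdict(list)
    for number, country, operator, verified in events:
        routes[(country, operator)].append((number, verified))

    suspects = []
    for route, rows in sorted(routes.items()):
        if len(rows) < min_messages:  # too little traffic to judge
            continue
        run = longest_sequential_run(n for n, _ in rows)
        conversion = sum(v for _, v in rows) / len(rows)
        reasons = []
        if run >= min_run:
            reasons.append("sequential number range")
        if conversion <= max_conversion:
            reasons.append("low conversion")
        if reasons:
            suspects.append({"route": route, "messages": len(rows),
                             "longest_run": run, "conversion": conversion,
                             "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for s in find_ait_suspects(SAMPLE_EVENTS):
        print(s)
```

Run over a sliding time window, the same grouping also shows which routes account for a spike.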
Ways to Prevent AIT
There are additional steps that customers should take to reduce the likelihood and impact of AIT.
Always be mindful when designing customer experiences, particularly where customers can enter a phone number. In particular, consider the following:
- Perform bot detection during sign up, either using captcha or other tools. This should also be applied in any other process where customers enter phone numbers. With careful design the impact on legitimate customers can be limited.
- A more rigorous approach is to use Right Party Verification to verify whether phone numbers belong to a real person before registration. While this may not make sense for all customers, it does provide additional protection against threats such as Synthetic Identity as well.
- Implement rate limiting to mitigate large spikes in traffic. This can be configured out-of-the-box on most web servers or content delivery networks.
- Use exponential increases in delay between repeat login & registration attempts.
- Perform phone number filtering using Phone Number Verification. Looking up the phone number enables customers to filter out requests for certain countries or operators, useful when these destinations have been previously identified as problematic.
Route Set Up
Depending on your use case, you may only want to enable specific routes. These may be country specific, or in some cases operator specific.
This prevents traffic for unexpected destinations. This list can also be updated in response to detected incidents to mitigate AIT.
Again, if you are unsure how to set this up, please raise a ticket to Syniverse support or contact your Customer Success Manager.