Seamless User Experience and World-Class Protection in the Age of Digital Fraud

Seamless User Experience and World-Class Protection in the Age of Digital Fraud

As technology advances SMS fraud schemes are constantly evolving at breakneck speed, making it imperative for businesses to stay vigilant when it comes to protecting customer data. That's why we teamed up with Maciej Donajski, CTO of Street Beat and current Twilio client, for our recent webinar, Seamless User Experience and World-Class Protection in the Age of Digital Fraud. 

Hosted by Twilio’s Product Marketing Specialist, Sebastian Del Aguila, the session covered trending fraud schemes and how to protect yourself (and your customers) in an era where we’re all perpetually “plugged in”.

Scamming in the Age of the Smartphone

When consumers think about fraud, their minds typically conjure images of shadowy figures tricking unsuspecting victims into giving away crucial information that directly leads to their bank accounts.

When it comes to globally-operated businesses, the threat is magnified by the fact that consumers trust that their personal information is secure.

But what if the Bad Guys™ aren’t after your customer’s data?

Enter SMS Traffic Pumping fraud.

SMS pumping (also known as “artificially generated traffic” or “SMS OTP fraud” or “International Revenue Share Fraud”), happens when fraudsters take advantage of a phone number input field on a web form to receive a one-time passcode (OTP), an app download link, or anything else via SMS. The fraudsters send SMS to a range of numbers controlled by a specific mobile network operator (MNO) and get a share of the generated revenue.

This happens in one of two scenarios:

1. The MNO is complicit in the scheme and has a revenue-sharing agreement with the fraudsters
2. The MNO is unknowingly exploited by the fraudsters

What makes this scheme particularly nefarious is how easy it is to execute. “Fraudsters can use automated bots to send out large volumes of text messages in a short amount of time,” explains Sebastian. “As a matter of fact, it is estimated that this accounts for approximately 6% of the total SMS traffic worldwide.”

“At the same time,” continues Sebastian, “the issue remains widely unaddressed and many companies are not even aware that they are experiencing this problem or if they do, they do not know how to handle it.” This, in turn, makes it much easier for SMS pumping schemes to fly under the radar.

To whit, early this year, Commsrisk reported on a recorded discussion held on Twitter’s Spaces channel which included a claim from Twitter’s CEO, Elon Musk, in which he stated the following:

“…I discovered this, basically, about 10 days ago, that Twitter was being scammed to the tune of 60 million dollars a year for SMS texts, not counting North America.” The Head Tweeter in Charge went on to explain that he believed a group of “dishonest telcos” were gaming the system by generating two-factor authentication SMS texts over and over again, using bot accounts to “run up a tab so that Twitter would SMS text them, and Twitter would pay them millions of dollars, without even asking about it.”

Elon Musk tweets that Twitter is getting scammed out of $60 million a year due to SMS pumping.

Ouch.

In Twitter’s case, Elon’s response was to cut off 2-Factor Authentication (2FA) for non-Twitter Blue subscribers as well as any telcos with more than 10% of artificially generated traffic. While the long-term effects are still unfolding, the immediate effect was the axing of about 390 compromised telcos and Twitter users who felt exposed now that they could no longer login via SMS.

Most businesses don’t go so far as to remove protections for their customers, but some resort to blocking entire geographic regions in order to try to mitigate this fraud scheme.

4 tell-tale signs of SMS pumping fraud

Of course, the best way to protect yourself is to know what to watch out for. Fortunately, there are tell-tale signs that you may be experiencing SMS pumping if you know what to look for. Namely:

• A spike of messages sent to a block of adjacent numbers (i.e. +1111111110, +1111111111, +1111111112, +1111111113 etc.) controlled by the same MNO.
• A sharp increase in web traffic and auto-generated SMS messages
• Large volumes of SMS text messages being sent to countries outside of your business operations
• Partially filled web forms or incomplete verification cycles

Twilio protects Streetbeat from SMS OTP Fraud

Fraud Guard SMS-related fraud on the Twilio Verify product by monitoring your current and historical SMS traffic. When there are unusual fluctuations in SMS traffic patterns in a specific location, this feature will automatically block the prefix of the destination of the suspected fraud.

Streetbeat is an SEC-registered investment advisor offering manual and auto-trading for stocks, ETFs and Crypto and, according to CTO Maciej Donajski, choosing Twilio to be part of the user verification process was a no-brainer: “[...] We immediately chose Twilio to do the phone verification. Our first positive experience was how easy and how well documented their APIs are [...] we managed to fully integrate the phone verification in two days.”

It wasn’t until after a couple of weeks of using Twilio that the company noticed some unusual traffic. “[We noticed] the [number] of users [was not] proportional to the amount of money we [paid for] verified APIs. So we started to investigate.” Thanks to Twilio’s seamless, easy-to-use interface, the client was quickly able to determine that they were paying nearly $70 a day for traffic coming from Serbia. “We had some customers from Europe but we didn't have that many users from Serbia, [that’s] for sure.”

Maciej went on to admit that, while they weren’t all that familiar with newer OTP fraud schemes, they did notice (and take advantage of) Twilio’s suite of Verify features. That’s where they found Fraud Guard. “We enabled it without knowing anything about [SMS pumping] and immediately [saw] traffic from Serbia [drop] to zero.” Since then, Maciej says they’ve not seen anything out of the ordinary when it comes to their metrics. “We're pretty happy with the result and we didn't even have to implement any algorithms to protect from this [type of] fraud ourselves.”