In this article:
How often have you been asked to enter a phone number to create a new account? Brands use phone numbers to streamline the onboarding process for new customers, and customers use phone numbers to identify themselves. It usually plays out like this:
- You sign up for a new account.
- The brand sends you a one-time passcode (OTP) via SMS to confirm you own the number creating the account.
- You input the code and move forward with the brand.
While such low-friction onboarding makes it easy for brands to acquire new users, it also makes it easy for fraudsters to attempt fake sign-ups and scam brands for the cost of the SMS. This is a particular problem in markets where SMS is expensive — fake traffic created in this way is known as Artificially Inflated Traffic (AIT) or SMS traffic pumping.
We spoke with Lee Suker, Head of Number Intelligence and Authentication at Sinch, about trends in AIT and what enterprises can do to minimize the risk of fraud.
Q: What trends do we at Sinch see with AIT?
A: First, we know that many organizations use OTP to onboard new users. Second, SMS can be expensive in some markets. And third, there are bad actors in the ecosystem who benefit from fake sign-ups.
It can take just one bad actor to disrupt parts of the mobile ecosystem and generate fake SMS OTP traffic. And the longer the chain of trust, the more opportunities there are for bad actors to take advantage of this system. Ultimately, this is an issue for the whole industry.
At Sinch, we keep the chain of trust as short as possible, with over 600 direct carrier connections to operators. This limits the fraud since no other third party stands to benefit from fake traffic.
Q: What control measures does Sinch recommend brands use to reduce AIT?
A: There are tools that brands can use to establish the context of user authentications. With these tools, for example, a brand can learn IP addresses, details of browsers, or the systems that make these requests. That can help mitigate fraudulent sign-up attempts.
At Sinch, we actively monitor customer conversion rates (or the number of people who confirm their phone number after receiving an OTP). This is important because a bad actor can randomly choose any telephone number — they don’t need control over a device.
In cases of fraud, the conversion rate will drop. Sinch triggers alerts when the conversion percentage rate drops below the expected norms for monitored number ranges and blocks further attempts.
We also take a legal stance. When we have sufficient evidence of suspicious traffic, we inform our suppliers. This could result in a supplier being permanently blocked or a dispute associated with suspicious traffic. Ultimately, our aim is to prevent money flowing down to the fraudsters.
Q: How would an enterprise know if they have a problem with AIT?
A: They need to start measuring conversion. That’s a clear alarm bell that something is wrong. Many enterprises do this, but some don’t, and that’s problematic.
Enterprises should also look for unique user agents — browsers and desktops — making large numbers of OTP requests. But this isn’t foolproof, so enterprises need to measure conversions, then alert partners as soon as they see a drop in conversion rates.
Q: What can an enterprise do to protect themselves and their customers?
A: Many companies aren’t well-aligned. They have a team dealing with telecom expense management, a separate team doing web development, and perhaps a fraud team. There is a real threat here, so businesses can't address this in silos — they need real collaboration.
Companies should work with partners like Sinch, who has a zero-tolerance approach to artificially inflated traffic — or at least lay defenses. Consider the right amount of user friction, context, and conversion measurement, alongside volumetric control measures.
Companies should also find the right balance of security for a new user to create an account. For example, I recently spoke to a company about their sign-up flow, but they were conscious about adding friction to the user experience. They wanted a user to give them a phone number and hit “submit” to create a new account. That’s heaven for a fraudster — hence defenses are necessary, e.g., captchas, browser fingerprinting, or richer forms.
We recommend that our customers make spotting fraud a collaborative effort and speak with their suppliers frequently. Changing verification methods can also be very effective in the fight against fraud. For example, SMS fraud is not seen in phone call verification (PCV).
Q: What does Verification API do to help?
A: A core design principle of Verification API is conversion monitoring. That means for high-risk countries, we closely monitor conversion all the time. We also set rules to make automated blocking decisions when we detect fraud.
I’ve learned that making the decision to block can be tough. If we block traffic to a specific country or operator, we risk legitimate users not being able to set up an account.
This is where there's another value in Verification API: we provide four different authentication methods through a single API to mitigate fraud and help our customers reduce churn. This means that in networks where the AIT risk for SMS OTP is too high, companies can use another method, like a phone call, because the fraud incentives aren't the same.
We always work with our customers on the context of their accounts. We can block number ranges or switch verification methods based on message volumes or sudden spikes, monitor for suspicious conversions or sudden dips, and have regular dialogue to detect early warning signs of fraud.
As a leader in our sector, we’re committed to following the highest standards for transparency and accountability. Sinch Verification API doesn’t compromise on the speed, reliability, or UX, so our customers can keep engagement high and costs low.
There will always be some fraud; we can’t stop it all, but these combined approaches can make it hard for the untrustworthy to generate fake traffic.
---
About Lee Suker
Lee is responsible for building identity, authentication, and fraud prevention portfolios at Sinch and, as a trained computer scientist, has over 25 years of experience working in IT, telecoms, and security. Over the last 10 years, he has worked in mobile authentication, risk, fraud, and identity.
