Yes, Your Business is at Risk from SMS Fraud. Here’s What You Can Do
Do you ever think about how many SMSes are sent in just one day? With SMS being used across all industries for a growing number of transactions globally, it’s crucial for businesses to be aware of how vulnerable they and their customers are to cyberattacks. To hackers, overloaded SMS channels are a goldmine of personal information that they are all too willing to exploit for financial gain.
But what can businesses do? It’s not as if there’s a channel out there that is as ubiquitous and far-reaching as SMS. Skipping out on SMS is equivalent to skipping out on business opportunities, but throwing caution to the wind when it comes to SMS security also means risking your hard-earned revenue streams and endangering your customers.
Fraud is everywhere and harms everyone
To illustrate just how much is at stake, here are some SMS fraud facts:
- 2022 saw S$660.7 million lost to SMS scams in Singapore
- Instances of fraud attempts have been rising year-on-year throughout Southeast Asia since 2018.
- Notable fraud increases include the Philippines (65%) in 2019 and Thailand (270%) in 2021.
- Reports show that three in four children have been exposed to cyber scams, a worrying trend considering how frictionless online transactions have become.
Consider the alarm bells ringing in your head as you read these numbers as a good sign. In this article, we’ll cover common types of SMS fraud and how you can tap into CPaaS (Communications Platform as a Service) to keep your SMS channels airtight.
Understanding the impact of common SMS fraud tactics
Step one in SMS fraud mitigation is knowing thy enemy. So let’s take a closer look at common tactics deployed by SMS hackers and the resulting damage they can cause.
SMS flooding attacks
An SMS flooding attack, also known as SMS traffic pumping or artificially inflated traffic, usually involves the use of automation to overwhelm a system with high-frequency SMS requests. This can result in the following consequences (simultaneously):
- Excessive SMS charges on the business
- Poor user experience as systems significantly slow down for genuine users (who might be receiving OTPs minutes later)
- Personal information leaks as passwords and OTPs are breached through sheer brute force
Even if businesses somehow manage to defray the financial and reputational cost, service quality will likely drop off for a significant period after attacks subside. Just imagine the backend staff having to sift through a torrent of SMS messages just to find those from actual customers that warrant a response.
And don’t think for a second that larger conglomerates are less vulnerable to such attacks. Social media giant Twitter has been reported to lose US$60 million a year from artificial traffic consisting of fake 2FA SMS messages.
SMS phishing or malware
The democratization of AI technology is part of the reason why SMS flooding attacks have become so prevalent, leading to an increase in traditional scams such as SMS phishing and malware, which can be guarded against using anti-spyware for Android and other devices. Phishing and malware both involve hackers masquerading as legitimate business entities, friends, or relatives, and using malicious links to obtain personal information or to stealthily install malicious software on systems, respectively.
The consequences of phishing should by no means be downplayed, as victims of such scams have lost fortunes before. But malware is arguably what businesses should be more wary of, as it can quickly lead to legal action if sensitive data is stolen.
Here’s how you can mitigate SMS fraud
There are several security features that businesses can implement in order to tackle SMS fraud:
CAPTCHA & Web Application Firewall (WAF)
As a challenge-response test, CAPTCHA has traditionally been used to determine whether a user is human. Though robots are arguably becoming better at decoding CAPTCHA, this preliminary barrier still serves as a useful traffic filter, especially against low-level hackers who do not have the technical savvy or resources to access more sophisticated hacking tools.
As an additional safeguard, businesses can also activate Web Application Firewalls (WAFs) that filter and monitor HTTP traffic between a web application and the internet. Filter rules that determine whether traffic should be considered safe can be customized so that actual customers don’t experience too many interruptions while still keeping hackers from gaining unauthorized data access.
Rate limiting
Rate limiting effectively shuts down SMS flooding tactics by placing a hard cap on how many times an individual can repeat an action (e.g. send an SMS OTP request) within a given timeframe. Here are some examples of how you can implement it:
- Set an SMS sending daily limit per user
- Do not send more than 1 message per 30 seconds to the same mobile number range or prefix
- Exponential delays between verification retry requests (for example starting with 30 seconds, one minute, two minutes, etc.)
When used in conjunction with CAPTCHAs and WAFs, rate limiting can bring a significant number of flood tactics to a screeching halt. With complex feedback loops that alternate between SMS flooding, CAPTCHA solving, and filter bypassing, hackers will have no chance of successfully navigating these multilayer defenses.
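The three rules listed above can be combined into a single gate that runs before every OTP SMS is handed to the provider. The following is an added example, not code from 8x8 or its APIs; the class name, the daily cap of 5, the 8-character prefix length and the in-memory storage are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Assumed policy values; only the 30-second figures come from the list above.
DAILY_LIMIT = 5        # OTP SMS per user per 24 hours (assumption)
PREFIX_LEN = 8         # leading characters treated as one number range (assumption)
PREFIX_INTERVAL = 30   # seconds between sends to the same range
BASE_DELAY = 30        # first retry delay per number; doubles on each retry
DAY = 86400

class OtpSmsLimiter:
    """State lives in process memory (assumption: one application instance)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.user_sends = defaultdict(list)  # user_id -> send times in the last 24 h
        self.prefix_last = {}                # number prefix -> last send time
        self.number_state = {}               # number -> (sends so far, last send time)

    def check(self, user_id, number):
        """Return (allowed, reason, retry_after_seconds) and record allowed sends."""
        now = self.clock()
        # Rule 1: daily cap per user, over a sliding 24-hour window.
        recent = [t for t in self.user_sends[user_id] if now - t < DAY]
        self.user_sends[user_id] = recent
        if len(recent) >= DAILY_LIMIT:
            return False, "daily_limit", int(recent[0] + DAY - now)
        # Rule 2: one message per 30 s per number range, regardless of user.
        prefix = number[:PREFIX_LEN]
        last = self.prefix_last.get(prefix)
        if last is not None and now - last < PREFIX_INTERVAL:
            return False, "prefix_interval", int(last + PREFIX_INTERVAL - now)
        # Rule 3: exponential delay between retries to the same number.
        attempts, last_send = self.number_state.get(number, (0, None))
        delay = BASE_DELAY * 2 ** max(attempts - 1, 0)  # 30 s, 60 s, 120 s, ...
        if attempts and now - last_send < delay:
            return False, "backoff", int(last_send + delay - now)
        # All rules passed: record the send.
        recent.append(now)
        self.prefix_last[prefix] = now
        self.number_state[number] = (attempts + 1, now)
        return True, "ok", 0

    def verified(self, number):
        """Reset the retry backoff once the OTP has been verified."""
        self.number_state.pop(number, None)
```

Returning the reason and the retry-after value lets the application show the user a wait time and lets monitoring count which rule is firing, which is an early signal of traffic pumping against one number range.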
Hyper-targeting through client IP rate limiting and geo restrictions
The network traffic limiting strategy can be further augmented through client IP rate limiting, a hyper-targeted way to stop automated scripting attacks launched from specific devices. Targeting IPs lets businesses generate banned lists and make it that much harder for hackers to attack consecutively without sourcing new devices or WiFi networks.
And if you’re worried about the cost of such specific cybersecurity software or defense products, rest easy. We understand that cybersecurity is a need and not a want in today’s digital climate. That’s why 8x8 APIs have client IP rate limiting built-in, allowing businesses to gain high-level protection at a low cost.
Finally, to save yourself from future hassle, you may even opt to set up geographical restrictions where you choose to block SMS traffic from regions where you do not operate. And 8x8 APIs provide you with the means to set up country and operator-based restrictions against places from which you’re highly unlikely to receive qualified business leads and queries.
The best way to do business is with a trusted CPaaS partner
As a CPaaS provider, we at 8x8 believe that customer and business data privacy is just as critical as, if not more critical than, communications and customer service. Call us paranoid, but we’re willing to invest significantly in our defense protocols, going so far as to run a disclosure and incentivised bug bounty program through HackerOne so that vulnerabilities can be reported as soon as they are detected.
Keep cyber threats at the back of your mind when you engage 8x8, with robot and human security troopers patrolling your systems round the clock.