Deep in the heart of the North Pacific Ocean is the Great Pacific Garbage Patch. This vast collection of plastic waste is believed to comprise 79,000 tonnes of debris across 1.6 million km2.
Basically, it is a huge moving island of crap, and it’s endangering marine ecosystems across the region. It shows what happens when you pump useless waste products into the system.
There is, of course, a metaphor here for the enterprise messaging business.
I’m talking about the various frauds carried out by rogue aggregators. Like the oceanic garbage island, these corrupt practices pollute everything they touch.
One of the most corrosive frauds is SMS trashing, where aggregators terminate legitimate traffic before it reaches the MNOs. Another is artificial traffic inflation, in which fraudsters bill customers for ‘fictitious’ texts they generate themselves.
Well, here’s the bad news. Around a year ago, dishonest aggregators started combining SMS trashing with artificial traffic inflation.
Why did they do this? Simple reason: to be able to manipulate conversion rates.
For many OTT customers the conversion rate of texts in the most important metric of all. Fraudsters know this. Being able to manipulate these rates – without detection – puts them in a powerful (and profitable) position.
Now, this next-gen fraud is spreading across the industry. And it’s extremely worrying because it is so much more difficult to identify than previous scams.
According to some estimates, 2FA messages currently make up at least 80 per cent of all international A2P traffic.
In this post, we will analyse how it works – and what we can do to eradicate it.
First, let’s explain SMS trashing and artificial traffic.
SMS trashing is based on the non-delivery of paid-for messages. It starts with a rogue aggregator quoting an OTT/enterprise a price per text (for example, a one-time passcode) that’s below the list price set by the MNO.
So let’s say the official rate is 8c and the price offered is 6c. The OTT/enterprise accepts these terms. After all, it probably has little idea of the ‘correct’ price especially if the MNO is relatively small and in a developing market.
Now the aggregator has a problem. It’s losing money on every text. So what does it do? Well, it can use one of several questionable methods to reduce its costs. These include bypass or grey routes – both of which we have written about before.
However, various technical and procedural defences have reduced both of these practices. So instead the rogue aggregator does something more drastic. It deletes (trashes) the SMSs to avoid sending them at all.
It then sends a fake delivery report to the enterprise to say that the texts were delivered successfully. But, in fact, they have not terminated in the network.
Of course, the end users do not receive their authentication messages. And so the three parties lose out in the following ways:
Obviously, this scam works nicely for the aggregator. Let’s say it is paid to send 10,000 messages at 6c a message. That’s $6,000 of revenue. But these texts cost 8c to send. That’s $8,000 of cost. It’s losing $2k.
By trashing half of its messages, it still gets $6k, but its outgoing is now $4k. Voila: a $2k profit.
Why don’t the enterprises get wise to this? Partly it’s because of the stealthy way the aggregators perform the scam. They rarely trash in bulk at first. They might start by delivering all the messages they can. But over time – and slowly – they will delete a proportion of the messages. This is hard to spot.
They say that ‘on the internet no one knows you’re a dog’. You can never be 100% sure whether a user is ‘real’ or not. This is what makes artificial traffic inflation possible.
With artificial traffic inflation, the fraudster uses various methods to create non-human users that fake the behaviour of a real person. For example, they might use an an emulator to sign up as a new user to an OTT service.
The emulator receives its one time passcode, enters it and is approved. But then it
does nothing. The OTT pays for converting a ‘user’ that cannot watch ads or buy virtual goods.
Meanwhile the aggregator gets paid for thousands of transactions that cost nothing. It is pure revenue.
Both of the fraud methods described above are extremely effective on their own. But now dishonest aggregators have found a way to make them even more destructive – by combining them together.
As we said, this enables them to do one very important thing: manipulate conversion rates.
This really matters. Why? Because conversion is the key metric for the majority of OTTs. They want to know: how many of my 2FA messages led to a successful customer registration?
In fact, they care much more about this total that than the number of successfully delivered messages.
The best way to illustrate how the combination of artificial traffic and SMS trashing leads to conversion rate manipulation is with a hypothetical example.
Let’s go back to our previous model.
The aggregator is paid to send 10,000 OTP messages at 6c a message. It trashes half of them. It still gets $6k, but it pays out $4k. It has a $2k profit.
But now it has a problem. Even if all 5,000 messages result in sign-ups, it still has a conversion rate of just 50 per cent. It’s not enough.
So this is where artificial traffic comes in.
The aggregator generates 4,000 fake users to bring the total of terminated messages to 9000. It then files a report to show that 9000 of the 10,000 OTPs were converted. That’s an excellent 90 per cent rate.
But, as we know, the real rate is just 50 per cent.
By combining artificial traffic and SMS trashing, the aggregator can calibrate the conversion rate with complete freedom. By adjusting its fake message traffic it can raise or reduce the rate with precision.
Of course, everyone loses out. OTTs, MNOs, end users and also honest aggregators, who might be part of the value chain but who end up routing fake traffic.
As I have written many times before, the more the industry defrauds its important OTT customers the more likely it is that they will take their business elsewhere.
They will look into authentication via their own proprietary services – most obviously through native apps. They will investigate how to send OTPs via messaging apps (WhatsApp, Telegram etc) or they will try flash calling.
We’re flag-wavers for flash calling here at Vox. We believe it is inexpensive and carries virtually zero risk of interception by fraudsters. Still, the reality is that most MNOs are not yet ready to embrace flash calling. Instead, we need to protect ourselves from message fraud.
One of the great challenges of conversion rate manipulation is that it is a highly technical form of fraud. While OTTs have developed their own detection tools, most are not sophisticated enough to spot this method.
Vox is a tech-based company. We manage to track conversion numbers, and our systems can see when they are being manipulated. Because of this, we are one of a very few tech companies that can help MNOs and OTT combat this new threat.
Therefore, I believe MNOs should appoint an authorised channel partner to work with all global enterprises directly. This partner should be a technology company with the expertise and systems to spot this conversion rate fraud.
We know this approach works because we already do it here at Vox. We represent around 20 operators all over the world now. These are MNOs for whom it is not feasible to have direct relationships with global enterprises nor keep investing in anti-fraud solutions to keep up fighting with all type of sophisticated frauds.
Obviously, we can leverage our official relationship with the MNO to work directly with as many enterprises as possible. But some might still prefer to work with their own aggregators, who then have to buy from us.
So what is to stop these aggregators from trashing these texts or inflating their traffic? Well, nothing. But the difference is that – unlike MNOs and enterprises – we can accurately track their conversion numbers. We have systems in place to monitor this activity.
MNOs that can’t work directly with enterprises should appoint partners that have the technology to combat malpractice, and the financial backing to underwrite those upfront traffic commitments. We are one. But there are others.
I’m optimistic. Things don’t always have to ‘go to crap’. The tale of the Great Pacific Garbage Patch gives us some hope. A Dutch firm has been working on a clean-up. Thanks to its efforts, the patch is now 100,000 kg lighter than it was in 2013.
Written by Ehsan Ahmadi, CEO and Founder of Vox Solutions
The generation of fake traffic from legitimate websites and apps is proliferating and stiff resistance is required to […]