Silent attacker: How SMS fraud is gutting business budgets
In partnership with: 8x8
It’s the end of the month, and John Tan, CFO of a thriving mid-sized enterprise, is doing his routine review of the company’s financial statements. Everything seems in order until one line item makes him pause: SMS charges.
The figure is astronomically high – an anomaly that defies any logical explanation. His firm hasn’t run any large-scale marketing campaigns, nor has there been a surge in user sign-ups.
Unbeknownst to him, the company has just become the latest victim of AIT, a sophisticated scam.
When your OTPs become a fraudster’s payday
AIT, or artificially inflated traffic, is a type of SMS fraud where attackers use bots to generate a massive volume of fake requests for messages – such as one-time passwords (OTPs) – from a business’s website or app.
This fraudulent activity costs companies billions of dollars globally, with one report estimating losses of US$2.1 billion in 2024 alone.
Attackers have a simple goal: to generate revenue for themselves by exploiting a company’s automated SMS system. Often, they route messages through networks that offer a share of the profit.
These networks are usually shady telco operators or intermediaries that have mobile networking infrastructure, and they work with these malicious actors to defraud companies.
For businesses, however, the consequences can be devastating.
“We know of a company that got charged US$10 million in fraudulent AIT in the span of one month,” shares Sylvain Chaperon, general manager at 8×8, a cloud-based communications-platform-as-a-service provider. “If you’re a multinational with billions, maybe you can survive that. But if you’re an SME, this will kill your P&L.”
Beyond the staggering financial losses, AIT poses a severe threat to a company’s reputation and service availability. During an attack, legitimate mobile users could suddenly receive OTPs they never requested. Annoyed, they might report the brand as spam, prompting carriers to block the company’s messages entirely and cutting off a vital communication channel with its actual customers.
Additionally, high-volume AIT attacks can function as denial-of-service attacks.
“If you get millions and millions of requests for OTP toward a single brand, you will have a similar issue,” says Chaperon.
The system becomes overwhelmed, so legitimate customers might be unable to receive the OTPs they need to log in or complete transactions. This could grind business to a halt.
An evolving, hard-to-detect threat
What makes AIT particularly insidious is how difficult it is to detect.
Many businesses discover the problem only after receiving a massive bill at the end of the month – long after the damage is done.
Further, fraudsters’ tactics are constantly evolving, making them harder to catch.
Initial attacks were basic: a single computer at one IP address would repeatedly request OTPs using the same number. Attackers have grown smarter, however. They moved on to sequential numbers, and then to valid, randomized numbers.
The most advanced – and most challenging to detect – are the “low and slow” attacks.
“They’re not doing it in one go,” says Chaperon. “They’re going to start with 10 OTPs today, 30 tomorrow, hundreds the day after. You’re never going to see it happening as a spike.”
Even in the age of AI, detecting these nuanced patterns is difficult without the right tools. A provider’s backend system might use AI to spot anomalies, but it lacks visibility into what’s happening on the company’s front end.
A shield for businesses, big and small
Recognizing the issue, 8×8 developed Omni Shield, a fraud protection solution built directly into its communications platform.
Designed with SMEs’ needs in mind, Omni Shield provides a simple, no-code interface that helps non-technical business owners monitor their SMS traffic in real time. The system uses AI and machine learning to flag suspicious activity without disrupting legitimate business.
For example, if a firm primarily operates in Singapore and the system detects thousands of OTP requests coming from Ukraine, it can immediately raise an alert.
It doesn’t have to be from overseas, either.
“Let’s say in Singapore, 40% of your traffic is from Singtel, 40% from Starhub, and 20% from M1,” Chaperon says. “A week later, we may send a message saying that 90% of the traffic is coming from M1 – that doesn’t look normal.”
Omni Shield allows a business owner to block traffic by country, network, or even a specific range of numbers with a single click. It also distinguishes between a fraudulent spike and a legitimate one, such as during a flash sale. Instead of automatically blocking potentially valuable traffic, it alerts the user, asking for confirmation.
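The two signals described above, a shift in the per-network traffic mix and a "low and slow" ramp that never shows up as a spike, can be checked with a few lines of code. This is an added example, not part of the original article and not Omni Shield's code; the function names, thresholds and sample data are assumptions made for illustration.

```python
from collections import Counter

# Constructed baseline: share of OTP sends per network, from the Singapore example.
BASELINE = {"Singtel": 0.40, "Starhub": 0.40, "M1": 0.20}

def network_shares(networks):
    """Turn a list of per-message network names into {network: share}."""
    counts = Counter(networks)
    total = sum(counts.values())
    return {net: n / total for net, n in counts.items()} if total else {}

def mix_drift(baseline, current):
    """Total variation distance: 0.0 = same mix, 1.0 = no overlap."""
    nets = set(baseline) | set(current)
    return 0.5 * sum(abs(baseline.get(n, 0.0) - current.get(n, 0.0)) for n in nets)

def sustained_growth(daily_counts, factor=2.0, steps=2):
    """True if each of the last `steps` day-over-day changes is >= factor.

    Catches a ramp (10 -> 30 -> 300) that never crosses an absolute spike limit.
    A day with zero prior volume is left to the mix-drift check instead.
    """
    if len(daily_counts) < steps + 1:
        return False
    tail = daily_counts[-(steps + 1):]
    return all(prev > 0 and cur / prev >= factor for prev, cur in zip(tail, tail[1:]))

def review(baseline, networks, daily_by_network, drift_limit=0.3):
    """Return alerts for a human to confirm; nothing is blocked automatically."""
    alerts = []
    drift = mix_drift(baseline, network_shares(networks))
    if drift >= drift_limit:
        alerts.append(f"network mix drift {drift:.2f} >= {drift_limit}")
    for net, series in sorted(daily_by_network.items()):
        if sustained_growth(series):
            alerts.append(f"{net}: sustained growth {series[-3:]}")
    return alerts

# Constructed sample week: 90% of sends now go to M1, whose volume is ramping.
SAMPLE_NETWORKS = ["Singtel"] * 5 + ["Starhub"] * 5 + ["M1"] * 90
SAMPLE_DAILY = {"Singtel": [40, 42, 39], "Starhub": [41, 38, 40], "M1": [10, 30, 300]}

if __name__ == "__main__":
    for alert in review(BASELINE, SAMPLE_NETWORKS, SAMPLE_DAILY):
        print(alert)
```

The drift limit and growth factor need tuning against a business's own history, since a flash sale can legitimately move both.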
The solution’s impact has been significant. Chaperon even shares a case study of a global travel company that became an early beta user. By using Omni Shield’s automated notifications based on traffic pattern behavior, the company reduced AIT by 80% in over six months, saving nearly 50% on its SMS invoices.
The future of fraud: An AI arms race
As businesses adopt better defenses, fraudsters also level up.
Chaperon foresees a future where attackers will use their own AI solutions to probe systems, learning how to evade detection.
“A human will not be able to catch that; they’re just going to be quicker than you,” he warns.
He adds that the fight against fraudsters will become an arms race between defensive and malicious AI.
Moreover, the threat is expanding beyond SMS to other communication channels like WhatsApp. Any company that fails to adapt with proactive, AI-driven security will find itself far behind the fraudsters.
For 8×8, the mission is to stay at the forefront of this battle, continuously integrating smarter tech like Omni Shield to protect businesses from a threat that is not only costly but also existential.
“Even if you get US$10 million in funding, one fraudulent charge can just wipe you out,” Chaperon says. “Startup founders need to protect themselves.”
8×8 CPaaS’ Omni Shield empowers organizations to respond swiftly to fraudulent activity, reduce financial losses, and strengthen customer trust.
This content was produced by Tech in Asia Studios, which connects brands with Asia’s tech community.