Artificially Inflated Traffic (AIT) is one of the fastest-growing forms of fraud in the telecommunications industry, costing businesses an estimated $1.16 billion in 2023 alone, according to research by Enea and Mobilesquared. The Communications Fraud Control Association (CFCA) puts total telecommunications fraud at $38.95 billion globally, with AIT ranked as one of the fastest-growing categories. Yet most businesses have never heard of it — and many are victims without knowing.
What Is Artificially Inflated Traffic?
AIT occurs when fraudsters use bots to trigger high volumes of application-to-person (A2P) SMS messages — typically one-time passwords (OTPs) or verification codes. The fraud works like this:
- A website or app has a registration form that sends an SMS verification code when a phone number is entered
- Fraudsters deploy bots that submit thousands of phone numbers to that form
- Each submission triggers an SMS, which the business pays for
- The phone numbers belong to premium-rate ranges or networks where the fraudster receives a revenue share for incoming messages
The business pays for thousands of SMS messages that were never requested by real users. The fraudster earns a share of the termination fees. The business often doesn't notice until their monthly SMS bill arrives.
Why AIT Is Hard to Detect
AIT is insidious because each individual message looks legitimate — it's a real OTP sent to a real phone number. The fraud only becomes apparent when you analyse patterns:
- Sudden spikes in OTP requests from specific IP addresses
- High volumes of requests that are never verified (the code is never entered)
- Unusual geographic distribution — requests to countries where you have no customers
- Requests concentrated during off-peak hours
The Scale of the Problem
AIT affects businesses of all sizes, but the largest victims are typically companies with publicly accessible registration forms:
- E-commerce platforms with SMS-based account verification
- Social media services requiring phone number confirmation
- Financial services sending OTPs for login and transactions
- SaaS platforms offering free trials with phone verification
A single AIT attack can generate thousands of fraudulent SMS messages in minutes, costing hundreds or thousands of pounds before it's detected.
How to Protect Your Business
Preventing AIT requires a combination of technical controls and provider-level monitoring:
- Rate limiting: Restrict how many OTPs can be sent from a single IP address within a time window
- CAPTCHA: Add bot detection to any form that triggers an SMS
- Geographic restrictions: If you only serve UK customers, block OTP requests to international numbers
- Velocity checks: Monitor for unusual spikes in OTP volume and set automatic alerts
- Verification tracking: Monitor your OTP verification rate — if it drops significantly, you may be under attack
Provider-Level Protection
Your SMS provider plays a critical role in AIT prevention. Faretext provides:
- Traffic monitoring: We analyse messaging patterns and flag suspicious activity
- Destination controls: Restrict SMS delivery to specific countries or number ranges
- Spending alerts: Automatic notifications when your messaging volume exceeds expected thresholds
- Fraud reporting: Rapid investigation and blocking when AIT is detected
Learn more about how we combat SMS fraud on our fraud prevention page, or connect with us to discuss protecting your messaging. Our SMS API includes built-in safeguards against artificially inflated traffic.
Sources: Enea & Mobilesquared — AIT Report (2023) · CFCA — 2023 Global Fraud Loss Survey
