previous icon Back to blog
Jan 04, 2023
5 minutes read

Tips to Help Prevent Fraud in SMS and Voice Traffic

With each technological advance, criminals find new ways to defraud businesses – and Communications Platform as a Service (CPaaS) is no exception. Organizations as diverse as Formula 1, the Dutch Red Cross, and DHL are enjoying the customer experience and conversion benefits of CM.com – and fraudsters want to get in on the act. Though we take every measure to assure your safety, it will not stop criminals from trying. But there are some additional steps you can take to help prevent fraud.

First and foremost, we urge you to get in touch with us if you are experiencing any unusual or suspicious activity on your CM.com account. We will take every measure necessary to protect your data and accounts, but you can help us as well with preventative measures. In this blog, we signpost some of the most prevalent types of fraud you might encounter, and what you can put in place to minimize the risks. 

Fraudsters need to communicate at scale with their potential victims and if they can do this for free by piggybacking off your CM.com account so much the better – for them. The risk of account compromise can be tackled in different ways which we shall look at next. 

Why Do Criminals Want to Compromise My CM.com Account?

We are all familiar with the threat of phishing: fraudulent emails and websites designed to trick recipients into revealing sensitive information, especially banking details. Text messages and voice calls are also exploited to “fish” for data, and these techniques are called “smishing” (with the “s” of SMS) and “vishing” for fraudulent voice messages.

fraud-monitoring-compromised-accountTargeting a CM.com customer account is attractive to the fraudsters for two reasons: they can send out messages for free, and they can hide their identity. If your account is compromised, the fraudulent messages are coming from you.

Next to phishing, smishing and vishing, fraudsters may also try to leverage your account to initiate voice calls to premium rate numbers – for which the CM.com account holder will then be charged.

Of course, there are things you can – and must – do to prevent criminals from cracking your account credentials or stealing your API token. We list these below. 

What Can You Do to Prevent Account Compromise? 

  • Ensure that two-factor authentication (2FA) is enabled on your CM.com account. This feature substantially decreases the likelihood of unauthorized access compared with an account that is protected solely with a username and password. Find instructions on our customer service page.

  • Create a complex password or even a passphrase using a combination of words, numbers, symbols, and upper and lower letters. Avoid using personal information or words that can be found in the dictionary. 

  • Never share your token online or with someone who doesn’t need it. Your token must stay secured on your own servers; under no condition should it be shown to the end users of your website, not even in encrypted form. Your token should not be included in the source code of your website or mobile app.

  • Set a limit to your monthly credit amount and increase it when needed for a campaign by contacting your CM.com account manager. When you reach 75% of your credit you will automatically be notified by email. When 100% is reached, your account will be temporarily suspended and reactivated once the outstanding invoices are settled.

SMS Pumping and Toll Fraud

Account compromise is not the only fraud risk in conversational commerce; you also need to protect against so-called SMS pumping and toll fraud where the fraudster abuses your website and the verification possibilities. 

What is SMS Pumping?

In SMS pumping, traffic pumping, or Artificially Inflated Traffic (AIT), fraudsters exploit automated log-in systems to trigger sharp spikes in traffic toward numbers they own or to a range of numbers controlled by a specific mobile network operator (MNO) with whom they conspire. The fraudsters reap a share of the revenue generated in this way, but the CM.com account holder gets to foot the bill. 

fraud-monitoring-sms-pumpingLook out for a spike of messages sent to a block of consecutive numbers (i.e. +1234567890, +1234567891, +1234567892, +1234567893 and so on). These numbers are most probably controlled by the same MNO. A telltale sign for fraudulent use of a one-time SMS passcode is an incomplete verification cycle. Unfortunately, advanced fraudsters even have the tools to fake a completed verification cycle. 

What is Toll Fraud?

In the scenario of toll fraud, criminals target phone verification to generate a high volume of voice calls to premium rate numbers, which charge callers a price per call or per minute. If such calls are fraudulently generated from your website(s) the charges fall on you.fraud-monitoring-toll-fraud 

What Can You Do to Prevent or Detect SMS Pumping and Toll Fraud?

  • Detect and deter bot attacks by implementing libraries such as BOTD or CAPTCHAs on your website.

  • Monitor one-time passcode (OTP) conversion rates and create alerts as rates are dropping.

  • Implement (exponential) delays between verification retry requests with the same phone number.

  • Offer alternative channels such as voice verification, not in the first instance but for example on the third verification attempt.

  • Build a destination “allow” or “block” list on your website.

  • Analyze IP and detect VPNs on your website.

  • Implement rate limits on the number of requests. For example, limit the number of requests per phone number/IP address over a set time period on your website.

  • Set a limit to your monthly credit amount as outlined above.

Fraud is a sad fact of life, and criminals are always looking for new ways to exploit innovative technologies. If you want to know what CM.com does to protect against security breaches, visit our Trust Center.

We hope this short blog will have given you a better idea about the fraud risks in conversational commerce, and what you can do to mitigate them. If you believe your account could have been compromised or suspect any other type of malfeasance, please get in touch. 

If you have any questions, feel free to reach out to your account manager or the support team.

Was this article interesting?
Share it!
CM.com
connects tens of thousands of companies with millions of consumers via their mobile phone each day. Behind the scenes, from our innovative platform, CM.com makes sure companies can use these millions of messages, phone calls and payments to become part of people’s lives.

Latest Articles

customer lifetime value touch points in the journey blog explain
Oct 20, 2023 • Email

What Is DMARC and How Do You Implement It?

In our digital age, email threats loom large, with phishing and spoofing becoming increasingly sophisticated. DMARC is the powerful shield that businesses and individuals need. This authentication protocol ensures email integrity, safeguarding against domain impersonation and cyberattacks. In this article, we demystify DMARC, explaining its significance in bolstering email security.

messaging-fraud-and-prevention-for-businesses
Sep 25, 2023 • Security

Combat SMS Pumping (AIT) Fraud Effectively With CM.com

In this digital era, providing the optimal customer experience means connecting and engaging with your customers online on their favorite platforms and channels. Online (automated) customer engagement and A2P (application-to-person) messaging is bigger than ever, which unfortunately also means that messaging fraud is on the rise. Artificially Inflated Traffic (AIT) fraud has become an alarming issue in the telecommunications industry, but worry not! CM.com has built the perfect safeguard feature to protect your business endeavors from AIT fraud.

messaging-fraud-and-prevention-for-businesses
Sep 06, 2023 • Instant Messaging

A2P Messaging Fraud and Prevention for Businesses

Safeguarding company data against security threats should be on the top of the priorities list for every modern company. Especially since A2P, or application-to-person messaging fraud is on the rise. Read all about the different types of A2P fraud and what steps you can take to avoid being the next victim.

how-to-protect-your-customers-against-a2p-messaging-fraud
Sep 06, 2023 • Security

How to Protect Your Customers Against A2P Messaging Fraud

Protecting your data, and the data of your customers, is top priority for most modern companies. And it should be! Now that A2P (application-to-person) messaging is bigger than ever, A2P messaging fraud is also on the rise. As a business, you can protect yourself against threats by implementing certain security measures, but you're not the only target. Criminals will also attempt to scam or deceive your customers! Let's take a look at the types of A2P messaging fraud your customers can face, and what measures can be taken against them.

blog-image-2fa-best-practices
Aug 07, 2023 • Authentication

Best Practices for Two-Factor Authentication (2FA)

Enhancing platform security and implementing Two-Factor Authentication (2FA) processes are crucial for organizations to protect business and customer data. However, these security measures only work when employees and customers are willing to adopt and adhere to them. So, how can your business ensure employee and customer adoption? In this blog, we'll dive into Two-Factor Authentication (2FA), its benefits and best practices to ensure adoption.

whatsapp-otp-security
Jun 19, 2023 • WhatsApp

WhatsApp Business One Time Passwords: What They Are and How to Use Them.

Chances are that you've received One Time Passwords (OTPs) before, often via SMS or email. But did you know that there might be an even better platform to send OTPs on? WhatsApp Business Platform allows you to send One Time Passwords on the favorite messaging channel of your customers, enhancing the customer experience and improving customer relations.

what is smishing
Jan 12, 2023 • Trust Center

What Is Smishing and How Can You Protect Yourself Against It?

Even if you’ve never heard of “smishing” you have almost certainly been the target of this type of cyber fraud. Smishing weaponizes SMS messages to scam recipients into disclosing sensitive personal information or to unwittingly infect a mobile device with malware.

trust-center-introduction
Jun 24, 2022 • Trust Center

The Trust Center: a Clear Insight in Security, Privacy, Risk and Compliance Within CM.com

At CM.com, we enable organizations to connect to their customers and offer them a superior customer experience through our state-of-the-art cloud software. Transparency, quality, and trustworthiness are at the core of our products and services. This is why we are happy to announce the introduction of the Trust Center, a place where everyone can have insight into security, privacy, risk, and compliance within CM.com.

Is this region a better fit for you?
Go
close icon