previous icon Back to blog
Jul 06, 2023
5 minutes read

Tips to help prevent fraud in SMS and Voice traffic

With each technological advance, criminals find new ways to defraud businesses, and Communication Platforms-as-a-Service (CPaaS) is no exception. Organizations as diverse as the Formula 1 Heineken Dutch Grand Prix to DHL are enjoying the customer experience and conversion benefits of CM.com. And fraudsters want to get in on the act. We take every measure to assure safety, but it will not stop criminals from trying. But there are some additional steps you can take to help prevent fraud.

First and foremost, we urge you to get in touch with us if you are experiencing any unusual or suspicious activity on your CM.com account. We will take every measure necessary to protect your data and accounts, but you can help us as well with preventative measures. In this blog, we signpost some of the most prevalent types of fraud you might encounter, and what you can put in place to minimise the risks.

Fraudsters need to communicate at scale with their potential victims, and if they can do this for free by piggybacking off your CM.com account, it's so much better for them. The risk of account compromise can be tackled in different ways, which we shall look at next.

Why Do Criminals Want to Compromise My CM.com Account?

We are all familiar with the threat of phishing: fraudulent emails and websites designed to trick recipients into revealing sensitive information, especially banking details. Text messages and voice calls are also exploited to “fish” for data, and these techniques are called “smishing” (with the “s” of SMS) and “vishing” for fraudulent voice messages.

fraud-monitoring-compromised-accountTargeting a CM.com customer account is attractive to fraudsters for two reasons: they can send out messages for free, and they can hide their identity. If your account is compromised, fraudulent messages are coming from you.

Next to phishing, smishing and vishing, fraudsters may also try to leverage your account to initiate voice calls to premium rate numbers – for which the CM.com account holder will then be charged.

Of course, there are things you can – and must – do to prevent criminals from cracking your account credentials or stealing your API token. We list these below.

What Can You Do to Prevent Account Compromise?

  • Ensure that two-factor authentication (2FA) is enabled on your CM.com account. This feature substantially decreases the likelihood of unauthorised access compared with an account that is protected solely with a username and password.

  • Create a complex password or even a passphrase using a combination of words, numbers, symbols, and upper and lower letters. Avoid using personal information or words that can be found in the dictionary.

  • Never share your token online or with someone who doesn’t need it. Your token must stay secured on your own servers; under no condition should it be shown to the end users of your website, not even in encrypted form. Your token should not be included in the source code of your website or mobile app.

  • Set a limit to your monthly credit amount and increase it when needed for a campaign by contacting your CM.com account manager. When you reach 75% of your credit, you will automatically be notified by email. When 100% is reached, your account will be temporarily suspended and reactivated once the outstanding invoices are settled.

SMS Pumping and Toll Fraud

Account compromise is not the only fraud risk in conversational commerce; you also need to protect against so-called SMS pumping and toll fraud, where the fraudster abuses your website and the verification possibilities.

What is SMS Pumping?

In SMS or traffic pumping, fraudsters exploit automated log-in systems to trigger sharp spikes in traffic toward numbers they own or to a range of numbers controlled by a specific mobile network operator (MNO) with whom they conspire. The fraudsters reap a share of the revenue generated in this way, but the CM.com account holder gets to foot the bill.

fraud-monitoring-sms-pumpingLook out for a spike of messages sent to a block of consecutive numbers (i.e. +1234567890, +1234567891, +1234567892, +1234567893 and so on). These numbers are most probably controlled by the same MNO. A telltale sign of fraudulent use of a one-time SMS passcode is an incomplete verification cycle. Unfortunately, advanced fraudsters even have the tools to fake a completed verification cycle.

What is Toll Fraud?

In the scenario of toll fraud, criminals target phone verification to generate a high volume of voice calls to premium rate numbers, which charge callers a price per call or per minute. If such calls are fraudulently generated from your website(s), the charges fall on you.fraud-monitoring-toll-fraud

What Can You Do to Prevent or Detect SMS Pumping and Toll Fraud?

  • Detect and deter bot attacks by implementing libraries such as BOTD or CAPTCHAs on your website.

  • Monitor one-time passcode (OTP) conversion rates and create alerts as rates are dropping.

  • Implement (exponential) delays between verification retry requests with the same phone number.

  • Offer alternative channels such as voice verification, not in the first instance but, for example on the third verification attempt.

  • Build a destination “allow” or “block” list on your website.

  • Analyse IP and detect VPNs on your website.

  • Implement rate limits on the number of requests. For example, limit the number of requests per phone number/IP address over a set time period on your website.

  • Set a limit to your monthly credit amount as outlined above.

Fraud is a sad fact of life, and criminals continually look for new ways to exploit innovative technologies. If you want to know what CM.com does to protect against security breaches, visit our Trust Centre.

We hope this short blog will have given you a better idea about the fraud risks in conversational commerce, and what you can do to mitigate them. If you believe your account could have been compromised or suspect any other type of malfeasance, please get in touch.

If you have any questions, feel free to reach out to your account manager or the fraud team.

Was this article interesting?
Share it!
CM.com
connects tens of thousands of companies with millions of consumers via their mobile phone each day. Behind the scenes, from our innovative platform, CM.com makes sure companies can use these millions of messages, phone calls and payments to become part of people’s lives.

Latest Articles

payspace customer story
Oct 23, 2023 • Marketing

Enhance your Black Friday SMS marketing with Pages

In recent years, the integration of SMS has played a pivotal role in transforming the Black Friday shopping experience. Retailers and consumers alike have embraced SMS as a powerful tool for communicating promotions, exclusive offers, and time-sensitive alerts.

live-meta
Oct 10, 2023 • SMS

Why SMS Remains As Essential As Ever For Black Friday

One might assume that SMS has lost relevance in an era dominated by popular messaging channels such as WhatsApp and Instagram. However, regarding Black Friday, one of the most anticipated shopping events of the year, SMS remains as essential as ever. While consumers are bombarded with emails, push notifications, and social media advertisements, the humble SMS message, with its 98% open rate, often cuts through the noise and connects businesses with eager shoppers.

mfa-sso-blog-hero
Sep 18, 2023 • Authentication

MFA/2FA vs. SSO: Navigating the Digital Security Landscape

In today's interconnected world, the importance of robust digital security cannot be overstated. As businesses and individuals grapple with increasing cyber threats, the choice of security measures becomes crucial.

whatsapp-authentication
Aug 14, 2023 • Authentication

Two Factor Authentication (2FA) on different messaging channels

Two Factor Authentication, or 2FA, is an effective way to protect your data and customers. But how do you set up Two Factor Authentication? And what messaging channels can be used for 2FA?

two-factor-authentication
Aug 07, 2023 • Authentication

The Benefits of 2FA for Business

Protecting customer data is (or should be) a priority for every modern business. One of the most secure ways to verify customer information is by multi-factor authentication (MFA). In this blog, we’ll discuss the top benefits of MFA (and 2FA) and explain why it’s a must-have for mobile-native businesses.

hero-channel-advisor-blog
Sep 28, 2022 • Messaging

Why engagement on the right communication platform is key

Today’s consumers expect easy and convenient communication with businesses. That means your business needs to be easy to engage with and reach when your customers need you. Being present on the right communication channels can make or break the customer experience.

SMS Marketing Use Cases for B2B
Sep 28, 2021 • SMS

B2B Text Messaging Use Cases to Build Your Business

You’ve heard about SMS marketing campaigns for consumers, but what about SMS marketing for B2B? B2B text messaging is an effective way to communicate with your business clientele, enabling you to build relationships with decision-makers and offer information that helps them make buying decisions.

apple-ios-updates-privacy
Jul 29, 2021 • SMS

SMS Marketing Done Right: 3 Examples We Love

You're probably wondering "What's the point of sending text messages?" Especially since there are now so many new and exciting messaging tools that businesses can leverage in their marketing. As it happens, SMS may be the older brother of these other communication innovations, but it still has some unexpectedly impressive benefits.