Artificially Inflated Traffic. What is it and how to protect against it?

As the name suggests, AIT involves the generation of fake traffic through apps or websites, specifically targeting those who make use of application-to-person SMS messaging services to send One-time Passwords (OTP). OTPs are often used as a security or verification step as part of an authentication method for online account access.

How does AIT fraud work?

In an AIT attack, fraudsters use bots to create fake accounts on multiple platforms or apps. These bots then trigger the sending of OTP SMSes, which results in a surge in SMS traffic to specific destinations. However, the primary objective is not to deliver messages to the mobile numbers but rather to inflate the traffic artificially on a mobile network.

Who is involved in an AIT attack?

Unlike many other types of fraud, AIT attacks require the involvement of multiple parties. Here’s a simple breakdown of who is involved in an AIT attack and how each party benefits:

1. The Fraudster:

The mastermind behind the AIT attack is the fraudster. The fraudster designs and deploys the bot responsible for creating fake accounts with fake mobile numbers on an expensive network route and triggers OTP SMS messages in the process. The fraudster orchestrates the entire operation, exploiting vulnerabilities in mobile networks for profit.

2. The Bot:

The bot, developed and deployed by the fraudster, carries out the automated tasks required to initiate the AIT attack. This software is programmed to create fake accounts across multiple platforms or applications, mimicking human behavior as closely as possible. Once the accounts are set up, the bot triggers OTP SMS messages to fake mobile numbers, thus generating the desired surge in traffic.

3. Rogue Party:

To intercept the artificially inflated traffic and benefit financially from the AIT attack, the fraudster collaborates with a rogue party. This rogue party operates within the telecommunications industry. They intercept the SMS traffic before it gets to the networks and before attempts to deliver the messages to the fake recipients. They collect the OTPs and use them on the target websites as they would be used by normal users. By doing so, they avoid detection while claiming a share of the revenue generated from the inflated traffic. The fraudster and the rogue party share the profits obtained from the AIT attack.

What can you do to protect yourself from an AIT attack?

  • Set a reasonable Daily Quota on your BulkSMS account and, if it is reached unexpectedly, check your message history.
  • Add a CAPTCHA to your website when authentication is required. Adding CAPTCHA removes the ability for a bot to automatically generate OTPs and thus limits an attack. CAPTCHA also makes it much more expensive for a hacker as manual entries are required to generate OTPs.
  • Block message sending to countries where you are unlikely to have customers using your website.
  • Restrict the number of texts that a single mobile number can receive in any given time period.

At, our 800+ carrier connections, and our industry compliance help you limit fraud and protect your clients. If you have any questions on how to better protect your account, or would like to know more about AIT, please contact