5th June 2023

Do you ever think about how many SMSes are sent in just one day? With SMS being used across all industries for a growing number of transactions globally, it’s crucial for businesses to be aware of how vulnerable they and their customers are to cyberattacks.
To hackers, overloaded SMS channels are a goldmine of personal information that they are all too willing to exploit for financial gain.
But what can businesses do? It’s not as if there’s a channel out there that is more ubiquitous and far-reaching than SMS.
Skipping out on SMS is equivalent to skipping out on business opportunities, but throwing caution to the wind when it comes to SMS security also means risking your hard-earned revenue streams and endangering your customers.
To illustrate just how much is at stake, here are some SMS fraud facts:
Consider the alarm bells ringing in your head as you read these numbers as a good sign. In this article, we’ll cover common types of SMS fraud and how you can tap into CPaaS (Communications Platform as a Service) to keep your SMS channels airtight.
Step one in SMS fraud mitigation is knowing thy enemy. So let’s take a closer look at common tactics deployed by SMS hackers and the resulting damage they can cause.
An SMS flooding attack, also known as SMS traffic pumping or artificially inflated traffic, usually involves the use of automation to overwhelm a system with high-frequency SMS requests. This can result in the following consequences (simultaneously):
Even if businesses somehow manage to defray the financial and reputational cost, service quality will likely drop off for a significant period after attacks subside.
Just imagine the backend staff having to sift through a torrent of SMS messages just to find those from actual customers that warrant a response.
And don’t think for a second that larger conglomerates are less vulnerable to such attacks. Social media giant Twitter has been reported to lose US$60 million a year from artificial traffic consisting of fake 2FA SMS messages.
The democratization of AI technology is part of the reason why SMS flooding attacks have become so prevalent, leading to an increase in traditional scams such as SMS phishing and malware.
Phishing and malware attacks both involve hackers masquerading as legitimate businesses, friends, or relatives and using malicious links, either to harvest personal information (phishing) or to stealthily install malicious software on the victim’s systems (malware).
The consequences of phishing should by no means be downplayed, as victims of such scams have lost fortunes before. But malware is arguably what businesses should be more wary of, as it can quickly lead to lawsuits if sensitive data is stolen.
There are several security features that businesses can implement in order to tackle SMS fraud:
As a challenge-response test, CAPTCHA has traditionally been used to determine whether a user is human.
Though bots are arguably getting better at solving CAPTCHAs, this preliminary barrier still serves as a useful traffic filter, especially against low-level attackers who lack the technical skills or resources to access more sophisticated hacking tools.
As an additional safeguard, businesses can also activate Web Application Firewalls (WAFs) that filter and monitor HTTP traffic between a web application and the internet.
Filter rules that determine whether traffic should be considered safe can be customized so that actual customers don’t experience too many interruptions while still keeping hackers from gaining unauthorized data access.
Rate limiting effectively shuts down SMS flooding tactics by placing a hard cap on how many times an individual can repeat an action (e.g. send an SMS OTP request) within a given timeframe. And here are some examples of how you can implement it:
When used in conjunction with CAPTCHAs and WAFs, rate limiting can bring a significant number of flood tactics to a screeching halt.
With complex feedback loops that alternate between SMS flooding, CAPTCHA solving, and filter bypassing, hackers will have no chance of successfully navigating these multilayer defenses.
The network traffic limiting strategy can be further augmented through client IP rate limiting, a hyper-targeted way to stop automated scripting attacks launched from specific devices.
Targeting IPs lets businesses generate ban lists and makes it that much harder for hackers to attack repeatedly without sourcing new devices or WiFi networks.
And if you’re worried about the cost of such a specific cyber defense product, rest easy. We understand that cybersecurity is a need and not a want in today’s digital climate. That’s why 8×8 APIs have client IP rate limiting built in, allowing businesses to gain high-level protection at a low cost.
Finally, to save yourself from future hassle, you may even opt to set up geographical restrictions where you choose to block SMS traffic from regions where you do not operate.
And APIs provide you with the means to set up country- and operator-based restrictions for places from which you are highly unlikely to receive qualified business leads and queries.
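One way to combine the rate limiting and geographical restrictions described above on an OTP request endpoint, as an added example that is not 8×8’s code: a sliding-window limiter keyed by destination number and by client IP, in front of a country-code allowlist. The thresholds, the allowed country codes, and the simple prefix-based country check are assumptions for illustration; production code should parse E.164 numbers with a proper library.

```python
"""Layered SMS OTP request guard: per-number and per-IP rate limits plus a country allowlist."""
import time
from collections import defaultdict, deque

# Constructed policy values for this example; tune them to real traffic.
MAX_PER_NUMBER = 3        # OTP sends allowed per destination number per window
MAX_PER_IP = 10           # OTP sends allowed per client IP per window
WINDOW_SECONDS = 600      # sliding window length (10 minutes)
ALLOWED_COUNTRY_CODES = {"65", "60", "1"}   # assumed operating regions (SG, MY, NANP)


class SmsOtpGuard:
    """Decides whether an OTP request may trigger an SMS send, and why not if it can't."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so the window can be tested
        self._by_number = defaultdict(deque)  # destination number -> send timestamps
        self._by_ip = defaultdict(deque)      # client IP -> send timestamps

    def _count(self, log, key, now):
        """Drop timestamps that fell out of the window, then return how many remain."""
        q = log[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def check(self, phone, client_ip):
        """Return 'allow' or a 'reject:<reason>' string suitable for logging and alerting."""
        now = self._now()
        digits = phone.lstrip("+")
        if not digits.isdigit():
            return "reject:malformed_number"
        # Geographical restriction: block destinations outside the regions we operate in.
        # Prefix matching is a simplification; use a real E.164 parser in production.
        if not any(digits.startswith(cc) for cc in ALLOWED_COUNTRY_CODES):
            return "reject:country_blocked"
        # Client IP rate limit catches scripted floods spread across many numbers.
        if self._count(self._by_ip, client_ip, now) >= MAX_PER_IP:
            return "reject:ip_rate_limited"
        # Per-number rate limit catches repeated OTP requests to one destination.
        if self._count(self._by_number, digits, now) >= MAX_PER_NUMBER:
            return "reject:number_rate_limited"
        # Only allowed sends are recorded, since those are what cost money.
        self._by_ip[client_ip].append(now)
        self._by_number[digits].append(now)
        return "allow"
```

The reject reasons double as detection signals: a spike in `ip_rate_limited` or `country_blocked` decisions is an early indicator of a traffic pumping attempt.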
We at 8×8 believe that customer and business data privacy are just as critical to communications and customer service as anything else, if not more so.
Call us paranoid, but we’re willing to invest significantly in our defense protocols, going so far as to run a disclosure and incentivised bug bounty program through HackerOne so that vulnerabilities can be reported as soon as they are detected.
Keep cyber threats at the back of your mind, with robot and human security troopers patrolling your systems round the clock.