Messaging fraud mitigation best practices


Kenny Taylor


This article is part of the Recommended Fraud Mitigation Best Practices intended to help Bandwidth Customers reduce their fraud attack surface and help them take measures to protect themselves, including their connections to Bandwidth. This document is not all-inclusive and can’t guarantee that the recommended best practices will stop all fraud. The intent is to provide a framework our customers can use toward the prevention and mitigation of fraudulent events and to lessen the risk associated with all types of telecommunications fraud.

Types of fraudulent traffic to be concerned about

The term “Fraud” typically refers to illegally extorting money, personal information, financial information, security credentials, etc. The term “fraudulent traffic” also describes a wide range of devious telecommunications behaviors used to impersonate and mask identities with the intent to steal or harm.

Bandwidth considers the following types of voice calling and text messaging as fraudulent traffic:

  1. Traffic deemed invalid (per FCC rules) 
  2. Traffic sent with the intent to steal or harm 
  3. Traffic sent with the intent to harm through impersonating or masquerading identities 

Bandwidth reserves the right to protect itself and its networks by stopping fraudulent traffic from traversing its networks. Bandwidth’s customers who send traffic that the telecommunications industry, government authorities, and Bandwidth consider to be fraudulent are at risk of having their traffic blocked, either by Bandwidth or by any downstream service provider.

The following specific types of illegal activities also violate Bandwidth’s Acceptable-Use Policies (AUP).

  • Unlawful Robocalls (North America)
  • Domestic Toll Fraud/Traffic Pumping
  • International Toll Fraud/IRSF
  • Toll-Free Traffic Pumping (North America)
  • Phishing Scams (IRS, SSA, Vacations, Student Loans, etc.)
  • Text messaging SPAM

Text messaging SPAM

Text messaging is a very convenient mode of simple and fast communication. Messages sent out via public networks to end users are required to comply with all relevant laws and regulations, including but not limited to the Telephone Consumer Protection Act (TCPA).

Unfortunately, bad actors can also leverage these technological capabilities to commit crimes by defrauding, impersonating, and extorting innocent victims. The text messaging industry generally operates in a more lightly regulated environment than voice calling does, so text messaging service providers must be that much more vigilant on fraud prevention and mitigation best practices.

At the outset, it’s important to understand the differences between Person-to-Person text messaging (P2P) and Application-to-Person text messaging (A2P).  

P2P (Person-to-Person) is defined as two-way messaging. Typically, this is the conventional conversational two-way SMS or MMS messaging between individuals. From CTIA best practices: “Person-to-Person (P2P) generally describes the low-volume exchange of wireless messages between end users... the concept of ‘consistent with typical human operation’ defines P2P traffic to distinguish P2P from A2P traffic.”

Consumer (P2P) messaging

Consumer (P2P) messaging is sent by a Consumer to one or more Consumers and is consistent with typical Consumer operations (i.e., message exchanges are consistent with conversational messaging among Consumers).

Attributes of typical consumer operation

  • Throughput: 15 to 60 messages per minute. A Consumer is typically not able to originate or receive more than about one message per second.
  • Volume: 1,000 per day. Only in unusual cases do Consumers send or receive more than a few hundred messages a day. A consumer can't typically send or receive messages continuously over a long period of time.
  • Unique Sender: 1 telephone number assigned to or utilized by a single Consumer. A single Consumer typically originates messages from a single telephone number.
  • Unique Recipients: 100 distinct recipients/telephone numbers per message. A Consumer typically sends messages to a limited number of recipients (e.g., 10 unique recipients).
  • Balance: 1:1 ratio of outgoing to incoming messages per telephone number with some latitude in either direction. Consumer messages are typically conversational. An incoming message typically generates a response from the recipient.
  • Repetition: 25 Repetitive Messages. Consumer messages are uniquely originated or chosen at the direction of the Consumer to unique recipients. Typical Consumer behavior is not to send essentially or substantially repetitive messages.
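The attributes above can be turned into a per-number check that flags traffic inconsistent with typical consumer operation. This is an added example, not Bandwidth or CTIA code; the thresholds are the ones listed above, the 3:1 balance latitude and the sample traffic are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds from the attribute list above (per telephone number, per day).
MAX_PER_MINUTE = 60
MAX_PER_DAY = 1000
MAX_UNIQUE_RECIPIENTS = 100
MAX_REPEATED_MESSAGES = 25
BALANCE_LATITUDE = 3          # assumption: flag when outbound > 3x inbound

@dataclass(frozen=True)
class Msg:
    ts: int                   # send time, epoch seconds
    to: str                   # recipient telephone number
    body: str

def p2p_attribute_flags(outbound, inbound_count):
    """Names of the consumer-operation attributes that one number's traffic
    exceeds over a day; an empty list means the traffic looks conversational."""
    flags = []
    if len(outbound) > MAX_PER_DAY:
        flags.append("volume")
    # Throughput: any sliding 60-second window holding more than the limit.
    times = sorted(m.ts for m in outbound)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= 60:
            lo += 1
        if hi - lo + 1 > MAX_PER_MINUTE:
            flags.append("throughput")
            break
    if len({m.to for m in outbound}) > MAX_UNIQUE_RECIPIENTS:
        flags.append("unique_recipients")
    if outbound and len(outbound) > BALANCE_LATITUDE * inbound_count:
        flags.append("balance")
    # Repetition: the same body (case/whitespace-normalized) sent repeatedly.
    bodies = Counter(" ".join(m.body.lower().split()) for m in outbound)
    if bodies and bodies.most_common(1)[0][1] > MAX_REPEATED_MESSAGES:
        flags.append("repetition")
    return flags

# Constructed samples: a one-minute blast of one text to 120 numbers with no
# replies, and a ten-message chat with two people that drew nine replies.
BLAST = [Msg(1000 + i // 2, f"+1555000{i:04d}", "Your package is waiting, reply YES")
         for i in range(120)]
CHAT = [Msg(2000 + i * 120, f"+1555111000{i % 2}", f"see you at {i}pm?") for i in range(10)]

def demo():
    return p2p_attribute_flags(BLAST, 0), p2p_attribute_flags(CHAT, 9)
```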

Consumer (P2P) messaging automation

Some Consumers utilize automation to assist in responding to communications. For example, a Consumer may direct their messaging service to auto-reply to a phone call in order to inform the caller about the Consumer’s status (e.g., “I’m busy” or “Driving now, can’t talk”). Such use of automation to assist Consumers in their composition and sending of messages falls within the attributes of typical Consumer operation. In contrast, the use of automation, in whole or in part, by Non-Consumers to facilitate messaging is not a typical Consumer operation.

A2P (Application-to-Person) is a one-way SMS to which recipients aren’t expected to reply. Typically this represents high-volume messaging between businesses and individuals. Some common examples are a logistics company sending delivery statuses and notifications, a dentist’s office sending one-way alerts and reminders, or a financial institution sending PIN codes to individuals either using short codes or long codes.

From CTIA best practices: “A2P traffic is all messaging that falls outside the definition of P2P (i.e., traffic that is not consistent with typical human operation).” The major difference between the P2P service that Bandwidth offers today on U.S. and Canadian local 10-digit phone numbers and the A2P messaging service using toll-free numbers is that A2P formally allows TCPA-compliant, opted-in application-to-person use cases such as alerts, PIN codes, requested marketing, and automated high-volume interactions between businesses or government and consumers.

The one-message-per-number-per-second limit imposed in the guidelines for P2P messaging doesn’t apply to A2P messaging services. The use of an A2P text messaging service requires formal approval by Bandwidth (and potentially by carriers, depending on the use case and the company generating outbound traffic).

Non-consumer (A2P) messaging

Non-Consumer (A2P) message traffic includes, but isn’t limited to, messaging to and from large-to-small businesses, entities, and organizations. For example, Non-Consumer (A2P) messages may include messages sent to multiple Consumers from businesses or their agents, messages exchanged with customer service response centers, service alerts and notifications (e.g., fraud, airline), and machine-to-machine communications. Non-Consumer (A2P) Message Senders may also include financial service providers, schools, medical practices, customer service entities, non-profit organizations, and political campaigns. Such Message Senders should adhere to the Non-Consumer (A2P) Best Practices described in the CTIA Messaging Best Practices document.

Non-Consumer (A2P) message traffic includes all messaging traffic that is automated, in whole or in part, but isn’t described as Consumer (P2P) messaging automation. If Consumer (P2P) messaging traffic is operating in a manner inconsistent with typical Consumer operation, such traffic may be filtered or subject to a Service Provider’s Unwanted Messaging threat mitigation efforts consistent with a Service Provider’s individual messaging service terms and conditions.

Protecting consumers from unwanted messages, particularly from high-volume messaging traffic, is a key consensus-based goal among messaging ecosystem stakeholders. 

Unwanted messages

Unwanted Messages (or Unwanted Messaging) may include:

  • Unsolicited bulk commercial messages (i.e., SPAM)
  • “Phishing” messages intended to access private or confidential information through deception
  • Messages that required an opt-in but didn’t obtain it (or had it revoked)
  • Unwanted content, including other forms of abusive, harmful, malicious, unlawful, or otherwise inappropriate messages

We recommend customers follow best practices for Toll-Free (A2P) messaging and the CTIA messaging principles and best practices, as well as check out the CTIA Short Code Monitoring Handbook. Though this handbook is about text messaging short codes, the same basic principles and rules apply. We also recommend customers follow these additional industry-sanctioned Short Code guidelines.

Here are the best practices that customers can follow to prevent the flow of Text Messaging SPAM from their network toward Bandwidth. This type of SPAM traffic runs the risk of being BLOCKED by either Bandwidth or by a downstream provider:

Never send text messaging content related to S.H.A.F.T.:

  • Sex
  • Hate
  • Alcohol
  • Firearms
  • Tobacco (including cannabis)

Text messages with content that’s directly or remotely related to these categories will most likely be blocked as SPAM by Bandwidth and/or one or more Tier 1 Mobile Network/Handset operators in the U.S.

Make sure users explicitly say they want messages from you.

The single most important practice is ensuring you have accurate, reliable opt-ins specific to the type of messages you’re sending consumers. Generally, opt-out rates are consistently low when you have obtained reliable and clear consumer opt-in consent. At any time, Bandwidth or other wireless carriers may request evidence of documented opt-in consent for a particular message sent from you (or your customers).

Don't use publicly available URL shorteners.

Free, public URL shorteners are used by bad actors to evade detection and get their SPAM messages passed through text messaging platforms. Bandwidth encourages you to build custom URL shorteners that relate to your company or product name. They’re still free. If a custom URL shortener is found to be used for fraudulent purposes, Bandwidth can and will block messages containing it.

Bandwidth and partnering "downstream" carriers will block text messages that contain these publicly available URL shorteners:

  • goo.gl
  • bit.ly
  • tinyurl.com
  • tiny.cc
  • lc.chat
  • is.gd
  • soo.gd
  • s2r.co
  • clicky.me
  • budurl.com
  • bc.vc

Provide opt-out functionality within the text messages sent, so receiving end-users can easily opt out at their discretion.

Failing to have an opt-out in the text messages sent may lead to carriers flagging and possibly blocking these messages as SPAM.

Be sure your users can opt out of receiving messages.

Consumer opt-in and opt-out functionality is enforced at the network level via the STOP and UNSTOP keywords (this is available on toll-free only). This functionality can’t be disabled for service providers or message senders.

Message senders have obligations to process the opted-out consumer phone number, so it’s removed from all distribution lists and logged as “opted out” from SMS communications. This ensures that the withdrawal of consumer consent is honored and future messages aren’t attempted. As you track opt-out responses, it is best practice to keep a log of how many STOP responses you receive and monitor for increasing percentages of opt-out responses. 

Examples of valid opt-out messages:  

  • STOP
  • Stop
  • stop
  • STop

For toll-free SMS, there’s no need for you to send an acknowledgment to the consumer. The generic opt-out confirmation message returned to a consumer from your network provider gives instructions on how to opt back into service.

Example:

  • “NETWORK MSG: You replied with the word "stop" which blocks all texts sent from this number. Text back "unstop" or "start" to receive messages again.”

Allow users to opt back in after opting out at the network level (Note: this is available on toll-free numbers only).

A consumer can opt back in at any time to receive messages by texting the keyword “UNSTOP” or "START" to a message sender’s phone number. The keyword isn't case-sensitive and triggers an opt-in only when sent as a single word, with no punctuation or leading spaces (any trailing spaces are trimmed). If the consumer uses the opt-in keyword within a sentence an opt-in is not triggered.

Examples of valid opt-ins:

  • UNSTOP
  • Unstop
  • unstop
  • UNStop
  • START
  • Start
  • start

The message returned to a consumer is generic and informs the consumer they can start two-way texting with the message sender’s phone number again.

Example:

  • “NETWORK MSG: You have replied "unstop"/"start" and will begin receiving messages again from this number.”
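The keyword rules described above (case-insensitive, a single word with no punctuation or leading spaces, trailing spaces trimmed) and the sender’s obligation to suppress opted-out numbers and monitor the STOP rate can be implemented on the message sender’s side like this. This is an added example, not Bandwidth’s network implementation; applying the single-word rule to STOP as well as UNSTOP/START is an assumption, and the phone numbers are constructed placeholders.

```python
import re

OPT_OUT_KEYWORDS = {"stop"}
OPT_IN_KEYWORDS = {"unstop", "start"}
# One bare word: letters only, no leading spaces or punctuation; trailing spaces allowed.
_KEYWORD_RE = re.compile(r"^[A-Za-z]+ *$")

def classify_reply(text):
    """Return 'opt_out', 'opt_in' or None for an inbound consumer reply."""
    if not _KEYWORD_RE.match(text):
        return None                       # keyword inside a sentence, punctuation, etc.
    word = text.rstrip(" ").lower()       # trailing spaces trimmed, case ignored
    if word in OPT_OUT_KEYWORDS:
        return "opt_out"
    if word in OPT_IN_KEYWORDS:
        return "opt_in"
    return None

class ConsentRegistry:
    """Per-number consent state plus the STOP-rate counter the article recommends."""
    def __init__(self):
        self.opted_out = set()
        self.sent = 0
        self.stops = 0
        self.log = []                     # (number, event) audit trail for carrier requests

    def record_send(self, number):
        """Refuse to send to an opted-out number; otherwise count the send."""
        if number in self.opted_out:
            return False
        self.sent += 1
        return True

    def handle_reply(self, number, text):
        kind = classify_reply(text)
        if kind == "opt_out":
            self.opted_out.add(number)    # removed from all distribution lists
            self.stops += 1
        elif kind == "opt_in":
            self.opted_out.discard(number)
        if kind:
            self.log.append((number, kind))
        return kind

    def stop_rate(self):
        """Fraction of sends that drew a STOP; watch for this trending upward."""
        return self.stops / self.sent if self.sent else 0.0
```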

Don’t spread your campaigns over several numbers.

Using a single number for both text and voice calls is not only a best practice but also a better overall user experience, since your customers can call and text the same number.

More importantly, avoid spreading messages across many source phone numbers in order to dilute reputation metrics and evade filters. This is referred to as “snowshoeing” and can result in your content being blocked. If your messaging use case requires the use of multiple numbers to distribute “similar” or “like” content, please discuss it with your Bandwidth rep (or other carrier rep).

Identify your brand.

Your application, service, or business name should be included in the content of the body of your message(s). 

Example:

  • “[Your Business Name]: You have an appointment for Tuesday, 3:00PM. Reply YES to confirm, NO to reschedule. Reply STOP to unsubscribe.”

Use a single domain for URLs in your messages.

Each campaign should be associated with a single, specific web domain owned by you, the customer. Although a full domain is preferred, a custom URL shortener may be used to deliver custom links.
