The Rising Threat of AIT Fraud in SMS

Artificial Inflation of Traffic (AIT) fraud, sometimes called "SMS traffic pumping", is becoming a serious threat in Australia. Fraudsters exploit SMS authentication systems by generating fake sign-ups or bot accounts that trigger one-time passcodes (OTPs).

The scheme works because a rogue participant in the messaging supply chain, such as an aggregator or overseas carrier, can intercept these messages, bill the sender, and share the revenue with the fraudster. The business ends up paying for large volumes of SMS that never reach real customers.

Australian providers such as Upwire warn that this type of fraud is already affecting local businesses. The tell-tale signs include sudden spikes in SMS to adjacent numbers, high volumes to remote destinations, or poor OTP conversion rates.

Why This Matters in Australia

The impact of AIT goes beyond wasted spend.

• Direct financial losses occur when businesses are billed for fraudulent SMS traffic.
• Customer experience risks arise when people receive OTPs they never requested, damaging trust.
• Security concerns increase as reliance on SMS OTP exposes businesses to both fraud and reputational damage.

The Australian regulator ACMA has also recognised the issue. From 15 December 2025, all SMS and MMS messages using a Sender ID must be registered under the new SMS Sender ID Register. Messages that are not registered may be blocked or flagged as unverified. This move is designed to curb SMS spoofing and associated scams. It also signals growing regulatory focus on SMS fraud risks.

Industry players are shifting stance as well. Visa has announced that by October 2026, banks and other institutions will be required to move beyond SMS OTP as a sole authentication factor. This is a direct response to AI-driven scams and fraud trends.

Practical Steps for Australian Organisations

At Cadence, we see several immediate steps organisations can take to reduce exposure to AIT.

1. Build Security into Procurement

Scrutinise SMS providers' fraud prevention measures. Contracts should include accountability clauses and clear obligations to detect and block fraudulent traffic.

2. Validate and Limit OTP Requests

Restrict inputs to valid Australian phone number formats. Apply rate limiting to prevent automated bots generating unlimited OTPs.

3. Filter and Block Risky Traffic

Question whether you need to send international OTPs at all. Work with providers who actively screen out unallocated or virtual numbers.

4. Monitor and Detect Anomalies

Track SMS usage patterns for sudden spikes or unusual destinations. Deploy bot detection to spot automated account creation.

5. Rethink Authentication Approaches

With regulatory and industry shifts underway, it is time to evaluate alternatives to SMS OTP. Options include app-based authenticators, push notifications, biometrics, and hardware-based solutions.

The Cadence View

AIT fraud is a strategic risk for Australian organisations. It drains budgets, undermines security, and erodes customer trust. With new regulation such as the SMS Sender ID Register and industry moves away from SMS OTP, it is clear the landscape is shifting.

Our advice is to treat AIT not just as a technical issue but as a business risk. Engage procurement, finance, and technology leaders in coordinated action. By strengthening controls, validating partners, and exploring authentication alternatives, you can stay ahead of fraudsters and ahead of regulatory change.

If you need help, we have a program to use our expertise and AI tools to run a communications audit on your ecosystem. AIT Fraud risk is one of many things we check for in this comms audit process.