Best practices for SMS carriers
New Fraud Challenges in A2P Messaging
Based on Skyward’s hands-on work mitigating fraud across live routes and ongoing industry monitoring, this report explains how fraud is evolving, why legacy filtering is becoming less reliable, and what a resilient defense model looks like in 2026.
SMS fraud has moved beyond traditional spam patterns. It is now an adversarial environment where threat actors continuously refine message content, sending tactics, and distribution strategies to bypass firewalls. In parallel, Artificially Inflated Traffic (AIT) continues to pressure margins and strain partner relationships.

The fraud landscape is expanding

Fraud continues to increase across route types and destinations. It now shows up in markets where it was previously uncommon and enters through sources that previously appeared low-risk.

Even in regulated European environments, recurring scam activity is widely documented across countries such as the UK, Germany, Spain, and the Netherlands. As attackers quickly switch routes and reuse proven scam messages, fraud now appears across more destinations and partners.

How fraud is evolving

Attackers design fraud traffic to exploit predictable weaknesses in common filtering approaches. Three trends reinforce each other: lexical obfuscation, semantic imitation, and delivery-level evasion.
Lexical Obfuscation

Many detection algorithms depend on extracting and validating explicit clues such as URLs or phone numbers. Attackers often preserve the underlying scam intent while making those fraud indicators difficult to parse reliably.
Common techniques include:
  • splitting URLs or keywords with spaces, punctuation, or line breaks
  • inserting separators that disrupt pattern-based detection
  • using look-alike characters and subtle misspellings
  • formatting phone numbers in fragmented or non-standard ways
  • adding filler text that keeps meaning intact but evades exact-match rules
Key takeaway: deep message preprocessing is now a security requirement. If systems cannot consistently reconstruct the real content (link, number, or brand reference), rigid block rules become unreliable.
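
The preprocessing step described above, as an added example (not Skyward's code): a normalizer that undoes several of the listed tricks before URL extraction. The look-alike table, the TLD list and the sample bodies are constructed assumptions.

```python
import re
import unicodedata

# Illustrative subset of Cyrillic look-alikes (assumption); production
# systems would use a full confusables table.
LOOKALIKES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0456\u0455",
                           "aeopcxis")
TLDS = r"(?:com|net|org|info|io)"   # illustrative list (assumption)
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def normalize(text):
    """Rebuild the text a recipient would read from an obfuscated SMS body."""
    text = unicodedata.normalize("NFKC", text)        # fullwidth forms etc.
    text = "".join(c for c in text
                   if unicodedata.category(c) != "Cf")  # zero-width characters
    text = text.translate(LOOKALIKES)                 # look-alike letters
    text = re.sub(r"hxxp", "http", text, flags=re.I)  # defanged scheme
    text = re.sub(r"\s*[\[({]\s*(?:\.|dot)\s*[\])}]\s*", ".", text,
                  flags=re.I)                         # "[.]", "(dot)"
    text = re.sub(rf"\s*\.\s*(?={TLDS}\b)", ".", text, flags=re.I)
    return re.sub(r"(?<=\w)\s*/\s*(?=\w)", "/", text)  # "com / login"


def extract_urls(text):
    """Return URL-like tokens, without trailing sentence punctuation."""
    return [m.group(0).rstrip(".,;:") for m in URL_RE.finditer(text)]


# Constructed sample bodies; the first follows the pattern quoted in this report.
SAMPLES = [
    "To confirm transaction #AB2346, open: example[.]com/gfdh56;",
    "Verify now: \u0435\u0445\u0430mple\u200b . com / login",
    "Secure your account at \uff45\uff58\uff41\uff4d\uff50\uff4c\uff45\uff0e\uff43\uff4f\uff4d",
    "Your code is 123456. Do not share it.",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(extract_urls(body), "->", extract_urls(normalize(body)))
```

The same extractor finds nothing in the first three raw bodies and finds the link in each once the body is normalized; the plain OTP message stays clean in both cases.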
Semantic Imitation

Fraud content increasingly resembles legitimate enterprise messaging. A particularly high-impact subset is OTP-shaped fraud: messages that imitate verification flows but include a social-engineering action designed to redirect users to a scam flow (for example, calling a number or following a prompt presented as support).
Typical examples include:
  • account access alerts (new login or suspicious activity)
  • account restriction and verification prompts
  • delivery, marketplace, and support scenarios
  • billing, subscription, or payment notices
  • authentication-themed content that resembles OTP messaging
Key takeaway: message intent must be evaluated beyond surface structure. The presence of OTP-like formatting alone is no longer a reliable indicator of legitimacy.
Delivery-level Evasion

Even when the message content is suspicious, attackers can reduce detectability by changing how traffic is delivered. These tactics are designed to avoid simple thresholds and segment-based inspection.
Common patterns include:
  • splitting content across concatenated SMS
  • gradual sending to avoid traffic spikes
  • targeting specific destinations and time windows
  • rotating templates and senders
  • hiding activity during seasonal peaks
Key takeaway: effective protection must combine full-message reconstruction with behavioral detection. Content-only checks are not sufficient when delivery strategy is part of the attack.
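
Full-message reconstruction, as an added example (not Skyward's code): segments are grouped by the concatenation element of the User Data Header (IEI 0x00 or 0x08) and inspected only once complete. The sender ID, destination and segment texts are constructed.

```python
import re

URL_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}/\S+", re.I)

def parse_concat_ie(udh):
    """Return (ref, total, seq) from a User Data Header, or None."""
    if not udh or 1 + udh[0] > len(udh):
        return None
    i, end = 1, 1 + udh[0]                 # udh[0] is the header length
    while i + 2 <= end:
        iei, iedl = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iedl]
        if i + 2 + iedl > end:
            return None                    # malformed element
        if iei == 0x00 and iedl == 3:      # 8-bit reference number
            return data[0], data[1], data[2]
        if iei == 0x08 and iedl == 4:      # 16-bit reference number
            return int.from_bytes(data[:2], "big"), data[2], data[3]
        i += 2 + iedl
    return None

def add_segment(buffer, src, dst, udh, text):
    """Return the full text once all segments are buffered, else None."""
    info = parse_concat_ie(udh)
    if info is None:
        return text                        # not a concatenated message
    ref, total, seq = info
    parts = buffer.setdefault((src, dst, ref), {})
    parts[seq] = text
    if len(parts) < total:
        return None                        # production code also needs a timeout
    del buffer[(src, dst, ref)]
    return "".join(parts[n] for n in sorted(parts))

# Constructed capture: two segments of one message, arriving out of order.
SEGMENTS = [
    ("InfoSMS", "15550100", bytes.fromhex("0500032a0202"),
     ".com/verify to keep access"),
    ("InfoSMS", "15550100", bytes.fromhex("0500032a0201"),
     "Your account is locked. Open example"),
]

def inspect(segments):
    """Return (URL hits per segment, URL hits on reassembled messages)."""
    buffer, per_segment, full = {}, [], []
    for src, dst, udh, text in segments:
        per_segment += URL_RE.findall(text)
        message = add_segment(buffer, src, dst, udh, text)
        if message is not None:
            full += URL_RE.findall(message)
    return per_segment, full
```

Neither segment matches on its own because the link is split at the segment boundary; the reassembled text does.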
Phone-Based Social Engineering

While malicious links remain common, phone-based call-back schemes and vishing (voice phishing) are increasingly used because they bypass URL-focused controls and move the interaction into a voice conversation. Once the victim calls, the attacker can adapt in real time, build trust, and apply pressure in ways that a text message cannot. This also reduces the attacker’s dependency on domains, landing pages, and link infrastructure that can be blocked or taken down quickly.

In practice, these messages often imitate high-trust scenarios such as account security alerts, payment issues, delivery problems, or customer support requests. The call-to-action is designed to look urgent and legitimate, pushing the user to call a number rather than click a link. From an operator perspective, this creates a different detection challenge: instead of flagging a suspicious URL, the system must reliably extract and assess phone numbers, identify unusual calling prompts, and correlate patterns across traffic sources, destinations, and sending behavior.
Key takeaway: phone numbers must be treated as first-class risk objects. They should be extracted, normalized, scored, and governed by policy in the same way as URLs.

Limits of Traditional Filtering

Traditional filtering was built for a simpler threat model: obvious spam keywords, stable templates, and easy-to-parse artifacts such as clean URLs or repeated sender IDs. Today, fraud is designed to look legitimate, change quickly, and exploit the limitations of static rules.
Common failure modes include:
  • keyword lists are bypassed via obfuscation and paraphrasing
  • regex rules break when content is fragmented or uses look-alike characters
  • URL-only strategies miss call-back flows and vishing
  • static sender allow/deny lists do not scale when templates and sources rotate quickly
  • rate limits fail to catch traffic sent in small batches and can block legitimate bursts
Examples that often slip through simple block rules:
  • A login was registered on your bank account. If this wasn’t you, call (12) 34567897.
  • To confirm transaction #AB2346, open: example[.]com/gfdh56;
  • Your login code is 342-640. If the code was NOT requested by yourself, call 1234567890.
As a result, in high-volume A2P environments aggregators face a practical dilemma: stricter rules increase false positives, while looser rules let more fraud through. Effective antifraud requires continuous tuning and detection that goes beyond static patterns.
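
Treating phone numbers as risk objects, as the phone-based section recommends, shown on the three sample messages above. This is an added example, not Skyward's code; the keyword lists, score weights, sender IDs and the second traffic line are constructed assumptions.

```python
import re
from collections import defaultdict

# Digit runs that may be broken up by spaces, dots, dashes or brackets.
CANDIDATE_RE = re.compile(r"\+?\(?\d[\d\s().\-]{5,}\d")
CALLBACK_RE = re.compile(r"\b(?:call|dial|phone|ring)\b", re.I)
AUTH_RE = re.compile(r"\b(?:code|otp|login|verification)\b", re.I)


def extract_numbers(text):
    """Return normalized digit strings that are plausible phone numbers."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 7 <= len(digits) <= 15:       # E.164 numbers have at most 15 digits
            found.append(digits)
    return found


def assess(text):
    """Score a message; the weights are illustrative assumptions."""
    numbers = extract_numbers(text)
    callback = bool(numbers and CALLBACK_RE.search(text))
    score = 0
    if callback:
        score = 3 if AUTH_RE.search(text) else 2   # call-back inside an auth flow
    return {"numbers": numbers, "callback": callback, "score": score}


def senders_per_number(traffic):
    """Map each normalized number to the sender IDs that carried it."""
    seen = defaultdict(set)
    for sender, text in traffic:
        for number in extract_numbers(text):
            seen[number].add(sender)
    return seen


# The three sample messages from this report.
REPORT_EXAMPLES = [
    "A login was registered on your bank account. If this wasn't you, call (12) 34567897.",
    "To confirm transaction #AB2346, open: example[.]com/gfdh56;",
    "Your login code is 342-640. If the code was NOT requested by yourself, call 1234567890.",
]
# Constructed traffic: one number, two formats, two hypothetical sender IDs.
TRAFFIC = [("BankAlert", REPORT_EXAMPLES[0]),
           ("InfoSMS", "Support line 12.3456.7897, call now")]
```

The six-digit code 342-640 is rejected by the length check, so a plain OTP scores 0, while both call-back messages score 3 and the two differently formatted numbers in `TRAFFIC` collapse to one key.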

AIT: The Detection Challenge

Artificially Inflated Traffic (AIT) remains one of the most damaging categories because it directly impacts profitability and partner trust. Operationally, it often falls into two scenarios:

  • External inflation from non-enterprise sources: often easier to detect due to uncommon patterns such as unusual destination mixes or unnatural OTP bursts.

  • Enterprise-like inflation that blends into legitimate flows: harder to detect because it imitates normal business behavior and may arrive through channels that also carry valid traffic.

The strategic challenge is the second scenario: as AIT becomes closer to legitimate traffic shape, detection must rely more on correlation across content signals, behavioral patterns, and traffic monitoring.
Fraud continuously shifts into new destinations, new delivery paths, new formats, and new narratives. Maintaining traffic integrity while protecting routes and margin requires ongoing traffic monitoring.

In this context, Skyward SMS Antifraud protects aggregators by analyzing traffic in real time, identifying fraud and AIT patterns using both content and behavioral signals, and enforcing policies that maintain route quality without compromising delivery. With a well-tuned antifraud layer, fraud mitigation becomes a controlled, measurable process that reduces risk and limits margin leakage.
Skyward SMS Antifraud (SSA)
Skyward SMS Antifraud (SSA) is a cloud-based solution that helps A2P SMS providers protect their valuable routes by checking all SMS messages instantly and automatically blocking any suspicious traffic.

Artificial Traffic Detector (ATD)
Artificial Traffic Detector (ATD) is a solution designed to identify and block SMS AIT fraud, preventing its spread. By analyzing statistical data and traffic flow patterns, ATD quickly detects suspicious activity and stops fraudulent campaigns.
