AIT (Artificially Inflated Traffic) attacks

Protect your application from automated attacks that exploit SMS and voice endpoints to generate fraudulent charges.
If you use SMS or voice API endpoints in your customer flows, you need to understand AIT (Artificially Inflated Traffic) attacks and how to defend against them.
What is an AIT attack?
An AIT attack, also known as Toll Fraud, targets your SMS and voice API endpoints to generate massive fraudulent charges. Attackers use automated bots to exploit public-facing forms, such as sign-up pages, password resets, or contact forms, that trigger SMS or voice calls.
The attacker's goal is to force your platform to send high volumes of messages or calls to premium numbers they control, leaving you with the bill.
Common attack targets
- Sign-up forms with SMS verification
- Password reset endpoints
- Two-factor authentication flows
- "Contact us" buttons
- One-time passcode (OTP) delivery
Attacker motivations
- Direct financial profit (Toll Fraud)
Attackers direct traffic to premium-rate numbers they own or have revenue-sharing agreements with. They earn money from every message or call your system sends.
- Economic Denial of Service (EDoS)
Attackers aim to inflict financial damage or exhaust your API rate limits, disabling critical services for legitimate users.
Business impact
AIT attacks cause damage beyond high invoices:
- Financial loss
Attacks can generate tens or hundreds of thousands of fraudulent charges within hours.
- Service disruption
Legitimate users can't receive OTPs or notifications.
- Reputational damage
A successful attack suggests your platform lacks security.
- Platform suspension
Dotdigital may suspend your account to prevent further damage.
Prevention strategies
The most effective defense is proactive hardening against automation.
Harden your website
Implement bot detection
Add services like Google reCAPTCHA v3, hCaptcha, or Cloudflare Turnstile to every form that triggers paid API calls. Deploy this protection before launch, not after an attack.
Apply layered rate limiting
Simple rate limits aren't enough. Implement sophisticated rules:
- IP restrictions: Limit accounts per IP address (hundreds of accounts from one IP is suspicious).
- Account age limits: New accounts should have lower request quotas than established accounts.
- Spike detection: Monitor total requests across your platform and trigger cooldowns for anomalous spikes.
Validate before sending
Use number verification
Use Dotdigital's Phone Number Validation API before sending messages. This API identifies:
- Valid mobile numbers
- Landline numbers
- Country registration
Deny requests to non-mobile numbers or numbers from countries where you don't operate.
Create trust scores
Build an internal risk engine that evaluates:
- User history
- Device familiarity
- IP address reputation
- Account age
High-risk requests should face additional verification steps.
Control request frequency
Implement exponential backoff
For "resend code" features, apply progressively longer delays for repeated requests (30 seconds, 1 minute, 5 minutes, 15 minutes). This neutralizes automated bot advantages.
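The layered rate limits, the validate-before-sending rule and the resend backoff described above, combined into one send-time gate. This is an added example, not Dotdigital code; the quotas, the one-hour window, the allowed-country set and the `number_type`/`country` inputs (standing in for a number-validation lookup whose response format is not on this page) are assumptions.

```python
import time
from dataclasses import dataclass, field

# Progressive delays for repeated "resend code" requests, as the page describes:
# 30 seconds, then 1, 5 and 15 minutes (the last delay repeats for further attempts).
RESEND_BACKOFF = [30, 60, 300, 900]
WINDOW = 3600                      # assumed: quotas are counted per rolling hour
IP_QUOTA = 20                      # assumed per-IP quota
NEW_ACCOUNT_AGE = 24 * 3600        # assumed: accounts younger than a day are "new"
ACCOUNT_QUOTA = {"new": 3, "established": 10}   # assumed age-based quotas
ALLOWED_COUNTRIES = {"GB", "US"}   # assumed: countries where the service operates


@dataclass
class OtpGuard:
    """Decides whether one OTP/verification send may go out. number_type and
    country are the result of a number-validation lookup done by the caller
    (the page names Dotdigital's Phone Number Validation API; its response
    format is not on the page, so plain strings stand in for it here)."""
    ip_sends: dict = field(default_factory=dict)       # ip -> send timestamps
    account_sends: dict = field(default_factory=dict)  # account -> send timestamps
    resends: dict = field(default_factory=dict)        # phone -> (count, last send time)

    def _recent(self, table, key, now):
        table[key] = [t for t in table.get(key, []) if now - t < WINDOW]
        return table[key]

    def check(self, ip, phone, number_type, country, account, account_age_s, now=None):
        now = time.time() if now is None else now
        # Validate before sending: deny landlines and countries you do not serve.
        if number_type != "mobile":
            return False, "non-mobile number"
        if country not in ALLOWED_COUNTRIES:
            return False, "unsupported country"
        # Exponential backoff for repeated sends to the same number.
        count, last = self.resends.get(phone, (0, None))
        if last is not None:
            wait = RESEND_BACKOFF[min(count - 1, len(RESEND_BACKOFF) - 1)]
            if now - last < wait:
                return False, f"resend too soon, {wait - (now - last):.0f}s left"
        # Layered rate limits: per IP, and per account with a lower quota for new accounts.
        if len(self._recent(self.ip_sends, ip, now)) >= IP_QUOTA:
            return False, "ip quota exceeded"
        tier = "new" if account_age_s < NEW_ACCOUNT_AGE else "established"
        if len(self._recent(self.account_sends, account, now)) >= ACCOUNT_QUOTA[tier]:
            return False, f"{tier} account quota exceeded"
        self.ip_sends[ip].append(now)
        self.account_sends[account].append(now)
        self.resends[phone] = (count + 1, now)
        return True, "ok"
```

Every denial is returned with a reason so it can be logged and counted; a surge in "non-mobile number" or "unsupported country" denials is the error-rate signal the next section asks you to alert on.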
Set financial safeguards
- Configure billing alerts
Work with Dotdigital to set usage thresholds. Early detection of unusual spending prevents larger financial damage.
- Monitor error rates
Surges in API calls resulting in errors (invalid numbers) indicate bot probing. Alert your engineering team immediately when error rates spike.
Emergency response (What to do)
If an attack is underway, follow these steps immediately to minimize damage:
1. Contact Dotdigital
Call your account manager or contact support immediately. We'll help stop the attack and minimize impact.
2. Deploy immediate controls
- Add CAPTCHA
If not already deployed, implement it immediately.
- Disable endpoints
Take abused forms or API endpoints offline if CAPTCHA can't be deployed quickly.
- Block IP addresses
Identify and block IPs making fraudulent requests.
3. Implement emergency blocks
- Tighten rate limits
Drastically reduce the requests allowed per IP and per phone number.
- Block high-risk countries
Analyze logs to identify destination countries and block them (Dotdigital can assist with this).
4. Review and harden
After containing the attack, analyze how your platform was exploited and implement the prevention strategies outlined above to prevent repeat attacks.
Dotdigital protection
We monitor SMS traffic for unusual patterns, including:
- Traffic spikes
- Sends to new countries
- Unusual usage patterns
We'll contact you immediately if we detect suspicious activity and may suspend accounts in extreme cases to limit financial liability.
Key takeaways
Treat AIT mitigation as a core security feature, not an emergency procedure. By implementing proactive defenses, you transform your platform from a profitable target into a hardened, unprofitable one for attackers.
Audit your systems and implement these protections before you need them!