AIT (Artificially Inflated Traffic) attacks

Protect your application from automated attacks that exploit SMS and voice endpoints to generate fraudulent charges.

If you use SMS or voice API endpoints in your customer flows, you need to understand AIT (Artificially Inflated Traffic) attacks and how to defend against them.

What is an AIT attack?

An AIT attack, also known as Toll Fraud, targets your SMS and voice API endpoints to generate massive fraudulent charges. Attackers use automated bots to exploit public-facing forms, such as sign-up pages, password resets, or contact forms, that trigger SMS or voice calls.

The attacker's goal is to force your platform to send high volumes of messages or calls to premium numbers they control, leaving you with the bill.

Common attack targets

  • Sign-up forms with SMS verification
  • Password reset endpoints
  • Two-factor authentication flows
  • "Contact us" buttons
  • One-time passcode (OTP) delivery

Attacker motivations

  • Direct financial profit (Toll Fraud)
    Attackers direct traffic to premium-rate numbers they own or have revenue-sharing agreements with. They earn money from every message or call your system sends.
  • Economic Denial of Service (EDoS)
    Attackers aim to inflict financial damage or exhaust your API rate limits, turning off critical services for legitimate users.

Business impact

AIT attacks cause damage beyond high invoices:

  • Financial loss
    Attacks can generate tens or hundreds of thousands of fraudulent charges within hours.
  • Service disruption
    Legitimate users can't receive OTPs or notifications.
  • Reputational damage
    A successful attack suggests your platform lacks basic security controls.
  • Platform suspension
    Dotdigital may suspend your account to prevent further damage.

Prevention strategies

The most effective defense is proactive hardening against automation.

Harden your website

Implement bot detection

Add services like Google reCAPTCHA v3, hCaptcha, or Cloudflare Turnstile to every form that triggers paid API calls. Deploy this protection before launch, not after an attack.

Apply layered rate limiting

Simple rate limits aren't enough. Implement sophisticated rules:

  • IP restrictions: Limit accounts per IP address (hundreds of accounts from one IP is suspicious).
  • Account age limits: New accounts should have lower request quotas than established accounts.
  • Spike detection: Monitor total requests across your platform and trigger cooldowns for anomalous spikes.
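The three rules above combined into one gate in front of an SMS-triggering endpoint. This is an added example, not Dotdigital code: the thresholds (accounts per IP, hourly quotas, spike window and cooldown length) are illustrative assumptions to tune against your own traffic, and the `Account`/`SendGate` types are hypothetical.

```python
"""Layered rate limiting for an endpoint that triggers paid SMS sends.

Added example (not Dotdigital code). Implements the three rules the page
lists: a cap on accounts created per IP, lower quotas for young accounts,
and a platform-wide spike detector that triggers a cooldown.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed thresholds; tune to your own traffic profile.
MAX_ACCOUNTS_PER_IP = 20          # hundreds of accounts from one IP is suspicious
NEW_ACCOUNT_AGE_SECONDS = 24 * 3600
QUOTA_NEW_ACCOUNT = 3             # sends per hour for accounts under 24 h old
QUOTA_ESTABLISHED = 10            # sends per hour for older accounts
SPIKE_WINDOW_SECONDS = 60
SPIKE_THRESHOLD = 100             # platform-wide sends per window before cooldown
COOLDOWN_SECONDS = 300


@dataclass
class Account:
    account_id: str
    created_at: float   # unix timestamp
    signup_ip: str


@dataclass
class SendGate:
    accounts_by_ip: dict = field(default_factory=lambda: defaultdict(set))
    sends_by_account: dict = field(default_factory=lambda: defaultdict(deque))
    global_sends: deque = field(default_factory=deque)
    cooldown_until: float = 0.0

    def register_account(self, acct: Account) -> bool:
        """Reject a sign-up once an IP has already created too many accounts."""
        known = self.accounts_by_ip[acct.signup_ip]
        if acct.account_id not in known and len(known) >= MAX_ACCOUNTS_PER_IP:
            return False
        known.add(acct.account_id)
        return True

    def allow_send(self, acct: Account, now: float) -> tuple:
        """Decide whether one SMS send request may proceed at time `now`.

        Returns (allowed, reason).
        """
        # 1. Platform-wide cooldown is still active after a spike.
        if now < self.cooldown_until:
            return False, "cooldown"

        # 2. Per-account hourly quota, lower for young accounts.
        age = now - acct.created_at
        quota = QUOTA_NEW_ACCOUNT if age < NEW_ACCOUNT_AGE_SECONDS else QUOTA_ESTABLISHED
        history = self.sends_by_account[acct.account_id]
        while history and history[0] <= now - 3600:
            history.popleft()
        if len(history) >= quota:
            return False, "account_quota"

        # 3. Global spike detection over a sliding window; a spike starts a cooldown.
        while self.global_sends and self.global_sends[0] <= now - SPIKE_WINDOW_SECONDS:
            self.global_sends.popleft()
        if len(self.global_sends) >= SPIKE_THRESHOLD:
            self.cooldown_until = now + COOLDOWN_SECONDS
            return False, "spike_cooldown"

        history.append(now)
        self.global_sends.append(now)
        return True, "ok"
```

The checks are ordered cheapest first: the cooldown flag costs nothing, the per-account window is small, and the global window is touched last so a request already rejected by its own quota never counts toward the platform-wide spike.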

Validate before sending

Use number verification

Use Dotdigital's Phone Number Validation API before sending messages. This API identifies:

  • Valid mobile numbers
  • Landline numbers
  • Country registration

Deny requests to non-mobile numbers or numbers from countries where you don't operate.

Create trust scores

Build an internal risk engine that evaluates:

  • User history
  • Device familiarity
  • IP address reputation
  • Account age

High-risk requests should face additional verification steps.
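The two pre-send checks above (number validation, then an internal trust score) as one decision function. This is an added example and not Dotdigital's code: the Phone Number Validation API is stood in for by a constructed lookup table (`lookup_number`) that returns only the three facts the page says the API identifies, and the scoring weights, the `SendContext` fields, the supported-country set and the allow/step-up/deny thresholds are all assumptions.

```python
"""Pre-send gate: destination validation plus an internal risk score.

Added example, not Dotdigital code. `lookup_number` is a constructed stand-in
for a validation API call; replace it with the real lookup in production.
"""
from dataclasses import dataclass

SUPPORTED_COUNTRIES = {"GB", "US"}   # assumed: countries where this business operates

# Constructed validation results keyed by E.164 number (not real subscribers).
_CONSTRUCTED_LOOKUP = {
    "+447700900123": {"type": "mobile", "country": "GB"},
    "+442079460000": {"type": "landline", "country": "GB"},
    "+9990000000":   {"type": "mobile", "country": "ZZ"},   # placeholder country
}


@dataclass
class SendContext:
    phone: str
    account_age_days: float
    device_known: bool
    ip_reputation: str          # assumed categories: "good", "unknown", "bad"
    prior_successful_otps: int  # user history: completed verifications so far


def lookup_number(phone: str) -> dict:
    """Stub for the number validation lookup (constructed data)."""
    return _CONSTRUCTED_LOOKUP.get(phone, {"type": "unknown", "country": None})


def validate_destination(phone: str) -> tuple:
    """Deny non-mobile numbers and countries you do not operate in."""
    info = lookup_number(phone)
    if info["type"] != "mobile":
        return False, f"non-mobile ({info['type']})"
    if info["country"] not in SUPPORTED_COUNTRIES:
        return False, f"unsupported country ({info['country']})"
    return True, "ok"


def risk_score(ctx: SendContext) -> int:
    """Additive score over the four signals the page names; weights are assumed."""
    score = 0
    if ctx.account_age_days < 1:
        score += 40
    elif ctx.account_age_days < 7:
        score += 15
    if not ctx.device_known:
        score += 20
    score += {"good": 0, "unknown": 15, "bad": 50}.get(ctx.ip_reputation, 15)
    if ctx.prior_successful_otps == 0:
        score += 10
    return score


def decide(ctx: SendContext) -> str:
    """Return "send", "step-up" (extra verification) or a "deny: ..." reason."""
    ok, reason = validate_destination(ctx.phone)
    if not ok:
        return f"deny: {reason}"
    score = risk_score(ctx)
    if score >= 70:
        return "deny: high risk"
    if score >= 35:
        return "step-up"
    return "send"
```

Validation runs before scoring so that a landline or out-of-region destination is refused without spending any effort on the risk model; the middle band returns "step-up" rather than a hard deny so a legitimate new user on an unfamiliar device is challenged, not locked out.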

Control request frequency

Implement exponential backoff

For "resend code" features, apply progressively longer delays for repeated requests (30 seconds, 1 minute, 5 minutes, 15 minutes). This neutralizes automated bot advantages.
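The progressive delay schedule above, tracked per account and destination number. This is an added example rather than Dotdigital code: the 30 s / 1 min / 5 min / 15 min steps are the ones the page gives; that the delay stays at 15 minutes after the last step, and that a successful verification resets the counter, are assumptions, as is the `ResendTracker` type.

```python
"""Exponential backoff for a "resend code" feature.

Added example, not Dotdigital code. Each additional resend for the same
(account, phone) key must wait for the next delay in the schedule.
"""
from dataclasses import dataclass, field

# Schedule from the page; the final value is reused for every later resend (assumed).
RESEND_DELAYS_SECONDS = [30, 60, 300, 900]


@dataclass
class ResendTracker:
    # key -> (number of sends so far, timestamp of the last send)
    state: dict = field(default_factory=dict)

    @staticmethod
    def delay_for(sends_so_far: int) -> int:
        """Seconds that must elapse before the next send after `sends_so_far` sends."""
        if sends_so_far <= 0:
            return 0
        idx = min(sends_so_far, len(RESEND_DELAYS_SECONDS)) - 1
        return RESEND_DELAYS_SECONDS[idx]

    def request_resend(self, key: str, now: float) -> tuple:
        """Return (allowed, seconds_to_wait). The first send for a key is free."""
        count, last = self.state.get(key, (0, None))
        if last is None:
            self.state[key] = (1, now)
            return True, 0
        required = self.delay_for(count)
        elapsed = now - last
        if elapsed < required:
            return False, int(required - elapsed)
        self.state[key] = (count + 1, now)
        return True, 0

    def reset(self, key: str) -> None:
        """Clear the counter, e.g. after the user verifies successfully (assumed policy)."""
        self.state.pop(key, None)
```

Keying on account plus destination number (rather than IP) means a bot rotating source addresses still hits the same escalating delay, while the reset keeps the schedule from punishing a user who has already proved they control the number.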

Set financial safeguards

  • Configure billing alerts
    Work with Dotdigital to set usage thresholds. Early detection of unusual spending prevents larger financial damage.
  • Monitor error rates
    Surges in API calls resulting in errors (invalid numbers) indicate bot probing. Alert your engineering team immediately when error rates spike.
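Error-rate monitoring of the kind described above, run over sample send logs. This is an added example and not Dotdigital tooling: the log line format, the field names, the `invalid_number` status string and the log lines themselves are constructed for the example, and the alert rule (error share at or above a threshold within a one-minute window, with a minimum sample size) is an assumption.

```python
"""Error-rate spike detection over SMS send logs.

Added example, not Dotdigital tooling. Buckets constructed log lines into
fixed windows and raises an alert when the share of failed sends is high.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: one send attempt per line (timestamp, client IP,
# destination, outcome). Numbers are drama/fictitious ranges, not subscribers.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.10 to=+447700900100 status=sent
2024-05-01T10:00:05Z ip=203.0.113.11 to=+447700900101 status=sent
2024-05-01T10:00:20Z ip=203.0.113.12 to=+447700900102 status=sent
2024-05-01T10:00:44Z ip=203.0.113.13 to=+447700900103 status=sent
2024-05-01T10:01:02Z ip=198.51.100.7 to=+9990000001 status=invalid_number
2024-05-01T10:01:03Z ip=198.51.100.7 to=+9990000002 status=invalid_number
2024-05-01T10:01:03Z ip=198.51.100.7 to=+9990000003 status=invalid_number
2024-05-01T10:01:04Z ip=198.51.100.7 to=+9990000004 status=invalid_number
2024-05-01T10:01:05Z ip=203.0.113.14 to=+447700900104 status=sent
2024-05-01T10:01:05Z ip=198.51.100.7 to=+9990000005 status=invalid_number
2024-05-01T10:01:06Z ip=198.51.100.7 to=+9990000006 status=invalid_number
2024-05-01T10:01:07Z ip=198.51.100.7 to=+9990000007 status=invalid_number
2024-05-01T10:01:08Z ip=198.51.100.7 to=+9990000008 status=invalid_number
2024-05-01T10:01:30Z ip=203.0.113.15 to=+447700900105 status=sent
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) to=(?P<to>\S+) status=(?P<status>\S+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "to": m["to"], "status": m["status"]}


def bucket_by_window(lines, window_seconds=60):
    """Count total and failed sends per window; remember which IPs caused failures."""
    buckets = defaultdict(lambda: {"total": 0, "errors": 0, "error_ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        start = int(rec["ts"].timestamp()) // window_seconds * window_seconds
        b = buckets[start]
        b["total"] += 1
        if rec["status"] != "sent":
            b["errors"] += 1
            b["error_ips"].add(rec["ip"])
    return dict(buckets)


def error_rate_alerts(lines, window_seconds=60, min_samples=5, threshold=0.5):
    """Return one alert per window whose failure share reaches the threshold."""
    alerts = []
    for start, b in sorted(bucket_by_window(lines, window_seconds).items()):
        if b["total"] < min_samples:
            continue   # too few samples to call it a spike
        rate = b["errors"] / b["total"]
        if rate >= threshold:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc)
                                        .strftime("%Y-%m-%dT%H:%M:%SZ"),
                "error_rate": round(rate, 2),
                "error_ips": sorted(b["error_ips"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in error_rate_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The minimum sample size stops a single failed send in a quiet minute from paging anyone, and carrying the source IPs into the alert gives the engineering team the first thing they will need when they act on it.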

Emergency response (What to do)

If an attack is underway, follow these steps immediately to minimize damage:

1. Contact Dotdigital

Call your account manager or contact support immediately. We'll help stop the attack and minimize impact.

2. Deploy immediate controls

  • Add CAPTCHA
    If not already deployed, implement it immediately.
  • Disable endpoints
    Take abused forms or API endpoints offline if CAPTCHA can't be deployed quickly.
  • Block IP addresses
    Identify and block IPs making fraudulent requests.

3. Implement emergency blocks

  • Tighten rate limits
    Drastically reduce requests allowed per IP and phone number.
  • Block high-risk countries
    Analyze logs to identify destination countries and block them (Dotdigital can assist with this).

4. Review and harden

After containing the attack, analyze how your platform was exploited and implement the prevention strategies outlined above to prevent repeat attacks.


Dotdigital protection

We monitor SMS traffic for unusual patterns, including:

  • Traffic spikes
  • Sends to new countries
  • Unusual usage patterns

We'll contact you immediately if we detect suspicious activity and may suspend accounts in extreme cases to limit financial liability.


Key takeaways

Treat AIT mitigation as a core security feature, not an emergency procedure. By implementing proactive defenses, you transform your platform from a profitable target into a hardened, unprofitable one for attackers.

Audit your systems and implement these protections before you need them!