Application-to-Person (A2P) messaging is a vital channel for business communication in India, yet it faces growing challenges from sophisticated fraud. In this post, Chris Almeida, Chief Strategy Officer at Globe Teleservices explores the current security landscape, examining India’s regulatory framework, including the Distributed Ledger Technology (DLT) system, the prevalent fraud types, and ongoing mitigation efforts by operators and regulators.

A2P messaging is a cornerstone of digital communication for businesses in India, widely used for banking alerts, OTPs, promotional campaigns, and government notifications. However, its ubiquity has made it a prime target for fraudsters.

Globally, A2P messaging is recognized for its reliability, immediacy, and broad reach, making it a preferred channel for critical and time-sensitive communications and is projected to grow from $73.1 billion in 2024 to $84.8 billion by 2029, at a CAGR of 3.0%.

Growth is driven by increasing mobile phone penetration, in emerging markets, the integration of A2P platforms with customer relationship management (CRM) systems and multichannel communication tools, including SMS, MMS, RCS, and OTT messaging apps.

Let us look at some facts about A2P messaging globally:

• Globally, between 8 billion and 35.7 billion fraudulent A2P messages were sent in 2023, accounting for approximately 4.8% of total global messaging traffic. This fraudulent traffic, known as Artificial Inflation of Traffic (AIT), costs brands around $1.16 billion annually.
• It is estimated that fraud steals about 4% of A2P messaging revenue, or nearly $1.5 billion is lost annually assuming a $13.72 billion global A2P market valuation.
• Key fraud types impacting monetization include SIM farms (20.4%), spam (33.3%), grey routes (18%), and SMS phishing (10.2%).

The Indian telecom sector has responded with robust regulatory frameworks and advanced technological solutions, but evolving threats demand continuous vigilance and innovation.

This article explores the security landscape of A2P messaging in India, focusing on the regulatory framework, prevalent fraud types, mitigation efforts by Indian and global operators, and recommendations for future improvements.

DLT Regulation: The Foundation of A2P Security in India

India’s Distributed Ledger Technology (DLT) regulation, enforced by the Telecom Regulatory Authority of India (TRAI), is aimed at curbing spam and fraud in A2P messaging. DLT mandates registration of all message senders and content templates to be listed on a blockchain-based platform, ensuring transparency, traceability, and accountability across the messaging ecosystem. It is reported that soon any A2P SMS with unapproved URLs will be blocked, to reduce smishing and phishing risks.

With DLT deployed in India, how come there are still fraud messages?

There are several limitations of DLT in addressing sophisticated fraud. DLT, as deployed in India is primarily designed to track and manage consent for commercial messages, reduce spam, and ensure traceability of message origins. It is not a comprehensive solution for all types of fraud. DLT prevents unsolicited promotional or transactional messages but does not directly address scams like phishing, deepfake-based fraud, or social engineering attacks that originate outside the regulated telecom ecosystem.

⁠⁠Incomplete Adoption and enforcement or partial implementation by major telecom operators in India is an issue. Not all communication channels are fully covered. Voice calls, social media platforms, and messaging apps like WhatsApp and Telegram, which are major vectors for fraud, are not regulated under the same DLT framework.

Enforcement gaps exist. Several enforcement gaps still exist despite the efforts of the regulator. Even with DLT, enforcement is inconsistent. Fraudsters use spoofed numbers, unregistered telemarketers, or exploit loopholes in the system.

There are Technological and Scalability Challenges. With 1.2 billion mobile subscribers there are scalability challenges with the Indian telecom context. Interoperability is a challenge to contend with. Fraud can span multiple platforms (SMS, apps, emails) and lack of interoperability between DLT systems and other digital platforms (e.g., social media, banking apps) creates vulnerabilities that fraudsters exploit. Example, a scam might start with a DLT-registered SMS but escalate via an unregulated WhatsApp call.

Consent Manipulation: Fraudsters might trick users into providing consent (e.g., via fake apps or websites). The DLT system tracks consent, but if the consent itself is fraudulently obtained, the system cannot prevent the initial deception.

New emerging threats and AI-Driven Scams are increasing. Fraudsters are using AI, deepfakes, and spoofing software to create highly convincing fraud messages. Scammers are using AI to mimic voices of relatives or create fake police stations, which DLT alone cannot detect or prevent since these occur outside traditional SMS channels.

Cross-Border Fraud is difficult to control. A significant portion of fraud in India originates from Southeast Asian countries like Cambodia and Myanmar, where scam centers operate. These operations often use international SIMs, VPNs, or encrypted apps, making them difficult to trace or block via India’s DLT system.

Thus, in conclusion, while DLT has been a significant step toward reducing spam and improving traceability of SMS messages in India, its effectiveness against fraud messages is limited by its scope, technological challenges, fraudster adaptability, and broader systemic issues like low cyber literacy and cross-border crime.

Prevailing Types of A2P Messaging Fraud in India

Despite regulatory efforts, several sophisticated fraud types persist in the Indian market:

• Grey Routing: Fraudsters exploit international or less-regulated networks to deliver messages at lower costs, bypassing domestic termination fees and regulatory scrutiny.
• SIM Box Fraud: Multiple SIM cards are used to send bulk A2P messages disguised as person-to-person (P2P) traffic, evading higher A2P charges.
• Sender ID Spoofing: Attackers manipulate sender identities to impersonate trusted brands, increasing the effectiveness of phishing and social engineering attacks.
• Bypassing Firewalls: Advanced tactics are used to circumvent network-level protections, allowing unauthorized or fraudulent traffic to reach end-users.
• SMS Bypass Fraud: Unauthorized gateways are leveraged to avoid legitimate SMS termination fees, causing revenue loss for operators.

What are the current strategies and tools being used by fraudsters in messaging scams?

• Technological exploitation: fraudsters are leveraging AI, deepfakes, and social engineering tactics to enhance their scams. For example, the web results mention AI-enabled techniques like data poisoning and fake recognition trickery.
• Anonymity tools: VPNs, spoofed numbers, and cryptocurrency is being used to obscure identities and transactions. Challenges with digital wallets, foreign exchanges, and cryptocurrency frauds originating abroad are noticed.

What regulatory and technological solutions are being implemented to combat messaging fraud?

• Government initiatives: Indian government has taken several steps like blocking SIMs, WhatsApp accounts, and Skype IDs to minimize fraud. Posts on X and web results indicate that the Indian government has blocked 781,000 SIMs, 3,000 Skype IDs, and 83,000 WhatsApp accounts linked to fraud by February 2025.
• Collaboration with tech companies: Telecom operators, banks, and messaging platforms like WhatsApp are working together to mitigate fraud. The Department of Telecommunications (DoT) has reduced spoofed calls by 90% through AI detection and carrier blocking.
• Regulatory frameworks: There are specific laws or guidelines like DPDP Act, SEBI regulations and others that address messaging fraud. It yet to be seen how effective they are.

Fraud Mitigation Steps initiated by Indian Mobile Operators

Indian mobile operators have deployed a multi-layered approach to fraud prevention:

• AI-Driven Fraud Detection: Operators are leveraging artificial intelligence and machine learning models to analyze large volumes of messaging traffic in real time, identifying anomalies, suspicious routing, and sender manipulation.
• Adaptive Firewalls: Self-learning firewalls, powered by real-user data and live testing, are used to intelligently block unauthorized A2P SMS routing and grey routes.
• Real-Time Monitoring and Alerts: Continuous traffic monitoring enables prompt detection and response to fraud attempts, minimizing revenue loss and protecting customer trust.
• Industry Collaboration: Operators share intelligence on emerging fraud trends and tactics, strengthening collective defenses across networks.
• Two-Factor Authentication (2FA): Many businesses employ SMS-based 2FA to secure user accounts and transactions, reducing the risk of unauthorized access.

Recommendations: Further Measures for Regulators and Operators

Chris Almeida

Chief Strategy Officer, Globe Teleservices