Uku Tomikas from Messente on the future of SMS, combating user authentication fraud and effective leadership principles

Uku Tomikas is the CEO of Messente Communications, the Tartu-based business messaging platform servicing companies worldwide. He is also a father, a high-school teacher, and a yoga instructor with a military background. We sat down with him to discuss secure user authentication, the future of SMS in the age of AI, applying military leadership principles in the business setting and why one should never get comfortable in their job.

This interview was written by Rene Rumberg, a member of the sTARTUp Day marketing & communications team.

Can you tell us about the genesis of Messente around ten years ago?

Messente, interestingly enough, is a spin-off of Mobi Group. Mobi Solutions was founded in Tartu in 2007 and used to do anything related to mobile. The first thing they did was SMS sweepstakes, bingo-ish stuff. Messente was just the messaging part of those different mobile services. They also had carrier billing that spun into Fortumo, which was sold to Boku recently. As the messaging market got big enough, it made sense to create a standalone body with its own revenue and headcount. That's why Messente, from day one, has been profitable for the last ten years.

Throughout time it has developed from a sweepstakes messaging company into servicing some of the biggest enterprise companies in the world, doing wholesale and providing self-sign-up services – being more like a global communication provider.

Elon Musk recently received criticism for introducing paid two-factor authentication using SMS on Twitter, with the justification that Twitter loses millions of dollars to fake 2FA SMS scams. What is your view on this issue? Is it a common problem in the 2FA industry, and how can Messente contribute to addressing it?

It's a known problem with even a name for it – artificially inflated traffic (AIT). In fact, one of the reasons why Musk tried to pull out of the deal to buy Twitter was that he saw a lot of fake accounts generated using AIT and used to boost Twitter's revenue and growth numbers – something that people inside the industry have said the company itself desired to a degree.

From our perspective, Messente is moving towards finding and building tools to start combating AIT through machine learning, building algorithms to understand client behavior better and seeing whether we can differentiate malicious attacks from real content. However, it's very complicated because the attack happens on the client's platform, not on the service provider's side. The customer might say, "How did you not know that I didn't want to send messages to Burundi?" But we don't know where you do business unless you tell us so. We don't know if this is an intended marketing campaign or an attack because, from our side, the request looks exactly the same.

So it's a lot about education. We need to teach and communicate with our clients and find technological means to protect the industry because we want people to trust business messaging. In some cases, artificially inflated traffic is estimated at up to a third of the total traffic. So it's something the industry needs to tackle, and we've been very, very vocal to ensure it is being dealt with.

What guidance would you provide to businesses seeking to enhance their security measures and implement two-factor authentication?

First and foremost, you need to communicate to your provider about your intent. Where and how do you want the 2FA to work? Also, be willing to sacrifice a little bit of your user experience for improved security.

The simplest way to prevent fraud is implementing reCAPTCHA – you know, the puzzle-based annoyance, but it works.

For example, we had a Danish client who sent about 400,000 messages per month. We started seeing something off with their messaging and suggested implementing reCAPTCHA on their site – and their volume dropped from 400,000 to 15,000 per month. We now tell all our clients to do that.

So communicate with your provider and take additional security steps within that process to make it more effective, but also use different channels, for example, WhatsApp, because, unlike SMS, WhatsApp doesn't have any AIT issues. Why? Because the ones behind AIT are the operators and aggregators who benefit from it.

Can you give an example?

How it works is pretty simple. In certain markets, there are exclusive providers who own access to that gateway. In Azerbaijan, for example, you don't send an SMS to an Azerbaijani operator but to an aggregator who owns that gateway. So every company that tries to send a message to Azerbaijan always reaches that, no matter how many providers are in between.

So what they do is they build a bot to create, say, fake Wolt accounts. Whenever a Wolt account is created, the system generates a one-time password or OTP code. That message will end up getting to them. So they will take the code, use the same bot, and put it into the Wolt app. The Wolt verification goes through, and on Wolt's side, everything looks legitimate. But the message request never goes from the gateway holder to the operator, which means they never pay for it.

Let's say they float you 20%. For that 20%, they'll charge you but never pay for it, which means that they're making orders of magnitude more money.

But it even gets worse. Sometimes companies like Meta buy messages based on the conversion rate: they don't look at any other features except whether the message gets across and people convert. So every two weeks, Meta requests 20 of the biggest global providers to give them their best price, then goes from the lowest to the highest until the carriage return or CR reaches their desired level. They keep it there until it burns through, then go to the next one. It's a completely automated process.

What big aggregators will do is use that same bot logic, but instead of inserting the code and completing the CR, they won't insert the code and won't create that CR. So if you float 20% of messages that don't get there, and the conversion doesn't happen, that provider's CR drops. So they switch to the next one.

It's a pretty nasty game played by multibillion-dollar companies who sabotage each other trying to win Facebook's traffic. The only unfortunate part is that Facebook probably doesn't mind because they're getting more users, but the ones hurt are the smaller companies. Those are the ones we are trying to protect.

How do you anticipate the SMS API platform and 2FA solutions advancing in the future, and what actions is your company taking to adapt to those changes related to AI and ML?

It’s quite possible that the SMS will be the last global reach channel, and we'll start transitioning into more niche communication channels, like Apple business messaging, Android messaging, WhatsApp and Viber messaging. But messaging will not go anywhere because it's still one of the most effective channels to reach people. People don't read their emails; they don't want to talk to you on the phone. But they do text, and text even more, especially younger generations.

We're probably going to be looking at AI-generated content sent via WhatsApp or Viber, creating even more communication in that flow, but it might start getting more automated.

Having an AI bot use ChatGPT, then generate customer communication – that's quite a possible way to go.

But there are still limitations – both bots and AI are getting better, but they are still not good enough to hold a total conversation, especially in a niche or specific topic. Also, even WhatsApp still has 1.5 or 2 billion users out of nearly 8 billion in the world, so with chat apps, you're not going to reach everybody, only a fraction of people.

People sometimes forget that we still have forms of telegram and fax machines around. So text messaging is not going to go anywhere. At the end of the day, even probably 10-15 years from now, it will still be a backup channel.

But right now, I think the more important question is how to best reach and engage with your clients. And that's where rich communication has benefits because it allows you to be more visual, and people are visually much more engaged than simply text engaged, especially nowadays. So that is something that is going to happen.


Your professional journey is quite remarkable, rising from a junior salesperson to a CEO and multimillion-dollar company shareholder. What insights would you share with junior-level professionals aspiring to make a significant career leap?

Do your job really well, consistently – that's the thing that has got me here. One of the most important things that any young professional can do is try to do every single instance of their job as well as possible. Because what happens quite often is people start at a new position, start getting better at it, reach their peak at year two or three, and then start deteriorating. They start skipping steps because they already know everything, right? So never get comfortable.

Try to make every single email the best damn email you can send, even if it's not a very important email, because the practice of constantly trying to be better will make you better.

Secondly, be bold enough to take risks. One of the things I started in Messente back in 2020 was building a wholesale system. At the time, it was a small part of our business, generating about 100,000 euros in revenue per year. And we always had the mentality that we don't have enough positioning to wholesale.

I decided, screw it, I'll just try it; what's the worst that can happen? I'll fail, but so what? Today wholesale is 35% of our business, generating 5 million euros of revenue annually. We've gone from where most people were saying it's a waste of time to a point where it is a big part of our business just because I took a risk and tried to do something different. That's something that professionals can always learn – trying to do more. Also, the important part about it was I was allowed to do that.

I agree with you. If you have a management team who says you cannot fail, it means you cannot experiment, and if you cannot experiment, you will be stuck with average results.

Exactly. Another important part about this is that many people start experimenting with something, then let their main job that they're getting paid for slip, but you can't allow that to happen! You need to hit all of your main goals and then find additional time also to hit that Ferrari money kind of project that will take it to the next level. But your consistent everyday work is what gives you the ability to work on those projects.

You have served as a military commander in the past. What similarities do you see between being a CEO and being a military commander?

I sometimes feel that, especially in the tech scene, military leadership is seen as a byword for something negative; it's seen as too aggressive or disciplined. But the military also gives you very strong standards and a robust framework. For example, one of my favorite rules from the military is KISS or Keep It Simple, Stupid.

For instance, what is the simplest form of communication you can create? Then you can own that and tell somebody – "Hey, we're going to do this. Did you understand that?" They say, "Yes!" and you usually leave it at that. But in the military, you're going, "So what did you understand?" And then they go, "Uhmmmm…." And then you get to adjust and explain it again.

Another thing I've used, and one of the best tools to check company-wide communication, is the private check, where the commander would come in and ask a private about the general mission of their company. Then, if they don't know it, it's their platoon commander's or squad commander's job to explain it so they understand why they're doing what they're doing.

You can do the same in your company, not interrogating but asking, "What do you think about our mission? What do you think about our plans for the year?" to understand whether it has been communicated to them clearly or not. Then you can adjust and tell your managers, "Hey, maybe you need to spend a bit more time explaining why we're doing things." Because then people are significantly more engaged and perform better. Also, when engaged, they see things from the front lines that you, as a leader, don't see and can give you feedback that you can use more effectively.

Also, in the military, you are often given a goal and the general execution of the plan. But how you execute your section of it is left up to you.

"So here's your aim. Here's the general execution; here's what everyone else will do. But you do your own thing." And if people do their own thing, they do it much better than if you try to micromanage them. It's called the decentralized command.

Those sorts of principles are just as effective in a business setting. So it's less about using military-esque leadership and instead using principles that work well in high-stress situations and then carrying them over into the real world.

How has your experience as a father of two influenced your leadership style and approach to business?

It absolutely has. It has made me, some people might find it hard to believe, significantly more flexible. I've become more patient and understanding because I used to be a massive hothead – if you came at me, I came back with force, which created a lot of friction. That doesn't work with kids, so you have to be more patient consistently.

Also, as a father, your stress tolerance gets quite high. Say, something happens and a client can't send their messages out, so what? My daughter has been screaming for three hours, I'm fine. Not because she screams for three hours, it's just that you know that worse things than that could happen, so you just plow through.

I've also become less tough on myself. If you haven't had a good night's sleep, you're not going to be able to perform, and then it's fine to communicate it outward – "Hey, my kids had a crappy night, I'm not going to be my 100% today", and everyone will understand. With kids, I've learned that it's okay not to be okay.

Check out Uku Tomikas’s talk "Sweat the Small Stuff, a.k.a. How Small Things Lead to Great Successes" at sTARTUp Day 2023.
