SMS pumping, also known as artificially inflated traffic (AIT), is an SMS-related fraud. The attackers generate loads of fake SMS traffic to premium SMS numbers that charge the sending party a fee for receiving the SMS, thus making money from every message sent to them. SMS pumping is challenging to detect because it looks like genuine traffic, and in many cases, companies pay for it for months without even realizing they are being cheated.
According to a study by Enea and Mobilesquared, between 19.8 billion and 35.7 billion fraudulent messages were sent in 2023 alone, costing companies an overwhelming $1.16 billion annually.
SMS pumping is why Elon Musk switched off phone verification and 2FA on Twitter in 2023. According to Musk, Twitter lost $60 million yearly on artificially inflated two-factor authentication SMS messages. He blamed telco companies for this fraud, even though combating SMS pumping is mainly the responsibility of SMS messaging platforms. These platforms are usually unwilling to do so because they charge clients for every message sent and have an apparent conflict of interest.
The decision to turn off 2FA on Twitter is questionable as it opens the door for other angles of attack from hackers, has already increased the number of fake and bot accounts, and has led to higher rates of account theft. Additionally, eliminating phone-based 2FA is not even an option for many companies, especially those in the financial sector, as many products, such as debit/credit and lending, have a regulatory mandate to verify phone numbers for KYC and anti-money laundering purposes, and also to ensure the effectiveness of their debt collection, cybersecurity, and fraud protection initiatives. So, what can these companies do to stop the scourge of SMS pumping?
SMS pumping is a complex threat, but there are several ways to protect your business from it:
No matter what you might hear from your current SMS provider, they will never protect you from SMS pumping if their primary source of revenue comes from charging for every SMS message you send. These companies benefit from SMS pumping and get a share of the profits every time it happens.
Only two possible solutions exist to root out this fraud and permanently protect your company. The first is to find a vendor that is aligned with your best interests and has no conflict of interest ingrained in its business model. Companies such as Veriph One charge you for every successful verification instead of every OTP you send. If the process fails or is triggered by an SMS pumping bot, you won’t have to pay the bill.
The second is to update your OTP technology to the latest and greatest. Companies nowadays prefer using Inverse OTPs for phone verification and phone-based 2FA/MFA because the method is immune to SMS pumping. An inverse OTP is an alternative phone verification method in which the user sends an encrypted OTP message instead of receiving it. Because your company no longer sends the OTP message, it is impossible for fraudsters to inflate your SMS traffic artificially, but the benefits don’t end there, as your company also gets:
If you have discovered that your company is vulnerable to SMS pumping, do not panic. The first step is becoming aware of the issue. Many companies don’t realize it until it’s too late, and they have already lost millions to fraudsters without noticing. SMS pumping is a silent parasite that is difficult to remove once it has engulfed your company.
When taking action, you can implement DIY solutions, such as the aforementioned initiatives and tactics, or choose a plug-and-play solution from a tech provider offering all these functionalities to avoid wasting your team's precious time and energy on non-core software development and maintenance. These solutions are relatively inexpensive and effective, so you don’t need to break the bank to put a swift stop to hackers and fraudsters.
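For teams weighing the DIY route, here is a minimal sketch of the server side of an inverse OTP flow as described above. It is an added example, not Veriph One's protocol or code. It assumes a hypothetical inbound-SMS webhook that reports a trustworthy sender number, and it authenticates the challenge with an HMAC tag rather than encrypting it.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key, constructed for this demo
TTL_SECONDS = 300                 # assumed challenge lifetime
_used = set()                     # nonces already redeemed (replay guard)


def _tag(nonce, phone, expires):
    msg = f"{nonce}|{phone}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def issue_challenge(claimed_phone, now=None):
    """Build the text the user sends TO the service's inbound number.

    The service itself sends no SMS, so there is no outbound traffic to inflate.
    """
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    nonce = secrets.token_hex(8)
    return f"VERIFY {nonce}.{expires}.{_tag(nonce, claimed_phone, expires)}"


def handle_inbound_sms(sender, body, now=None):
    """Hypothetical webhook handler: returns a verdict for one inbound SMS."""
    now = now if now is not None else time.time()
    parts = body.strip().split()
    if len(parts) != 2 or parts[0] != "VERIFY":
        return "malformed"
    fields = parts[1].split(".")
    if len(fields) != 3 or not (fields[1].isascii() and fields[1].isdigit()):
        return "malformed"
    nonce, expires, tag = fields[0], int(fields[1]), fields[2]
    # The sender number is part of the MAC input, so a challenge issued for
    # one phone number fails when it is texted from a different number.
    expected = _tag(nonce, sender, expires)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "bad-tag"
    if now > expires:
        return "expired"
    if nonce in _used:
        return "replayed"
    _used.add(nonce)
    return "verified"
```

In production the replay set would live in shared storage with the same expiry as the challenge, and the `verified` verdict would be tied back to the web session that requested the challenge.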
If you would like to know more about these solutions, contact Veriph One, the creators and pioneers of the Inverse OTP technology and a vendor specializing in phone-based technologies to protect you from bots/hackers/fraudsters, detect device farms, get enrichment data from phone numbers, and do world-class phone verification with built-in protection against SMS pumping.