February 24, 2025

What is SMS Pumping fraud & how to stop it?

Natella Imamova
Co-founder (Sales & Marketing)

What is SMS Pumping Fraud?

SMS pumping, also known as artificially inflated traffic (AIT), is an SMS-related fraud. Attackers generate large volumes of fake SMS traffic to premium SMS numbers, which charge the sending party a fee for each SMS received, so the attackers make money from every message sent to them. SMS pumping is challenging to detect because it looks like genuine traffic, and in many cases, companies pay for it for months without even realizing they are being cheated.

According to a study by Enea and Mobilesquared, between 19.8 billion and 35.7 billion fraudulent messages were sent in 2023 alone, costing companies an overwhelming $1.16 billion annually.

How SMS Pumping wreaked havoc at Twitter

SMS pumping is why Elon Musk switched off phone verification and 2FA on Twitter in 2023. According to Musk, Twitter lost $60 million yearly on artificially inflated two-factor authentication SMS messages. He blamed telco companies for this fraud, although the responsibility for combating SMS pumping lies mainly with SMS messaging platforms. These platforms are usually unwilling to do so because they charge clients for every message sent and have an apparent conflict of interest.

The decision to turn off 2FA on Twitter is questionable as it opens the door for other angles of attack from hackers, has already increased the number of fake and bot accounts, and has led to higher rates of account theft. Additionally, eliminating phone-based 2FA is not even an option for many companies, especially those in the financial sector. Many products, such as debit/credit and lending, have a regulatory mandate to verify phone numbers for KYC and anti-money laundering purposes, and these companies also rely on verified numbers to ensure the effectiveness of their debt collection, cybersecurity, and fraud protection initiatives. So, what can these companies do to stop the scourge of SMS pumping?

How to Prevent SMS Pumping?

SMS pumping is a complex threat, but there are several ways to protect your business from it:

  1. One of the simplest and most common tactics is restricting phone numbers from countries irrelevant to your business or places where this type of fraud is not illegal. This solution will prevent any user with a phone number outside your allow list from receiving SMS, and in many cases, it will be sufficient to stop most threats. Unfortunately, B2C companies receive users with phone numbers from all over the world, and implementing a solution like this will exclude them and potentially cause revenue losses.
  2. Another widespread solution is limiting the number of messages a phone number can receive within a specific time frame. For example, you can limit the number of messages sent to one user to two SMS per 24 hours. Although this can work, it isn’t an ideal solution, especially if your SMS provider has a low deliverability rate or doesn't offer other phone-verification methods as fallbacks, as some legitimate users will become frustrated when the OTPs don’t reach their devices. This potential fix can cause your company to lose new customers/revenue, increase customer support tickets, and invite social engineering attacks by hackers who claim, in the name of other users, that they did not receive the verification codes.
  3. Implementing rules to detect SMS pumping in real time. Some common patterns help to identify artificially inflated traffic. For example, suppose you get a series of OTP requests from phone numbers that are sequentially similar (like 52561901, 52561902, 52561903, etc.). In that case, this is a telltale sign that your company is being scammed, as it is highly improbable that two users with sequential phone numbers would request an OTP simultaneously.
  4. Real-time alerts for abnormal user behaviour. If you have a random surge of OTP requests without any link to marketing and advertising efforts, you are most probably being attacked by SMS pumping fraudsters. Similarly, your company might also notice that some “users” stop activity on your product during or after the phone verification flow; if your funnel suffers significant drops during this step, it might also be a symptom of SMS pumping or bot activity. Always configure real-time alerts to monitor and detect unexpected peaks in SMS sends that can result from an SMS pumping attack.
  5. Bot and synthetic activity detection. Implementing a robust bot detection system will protect your sign-in and log-in/MFA flows from SMS pumping to the highest degree. Bots are the primary workhorse of SMS pumping fraud, and detecting them will save your company millions of dollars and enhance your cybersecurity. Keep an eye out for any activity that might be synthetic by leveraging IP addresses, user agent headers, speed of interactions, request intervals, and similar data. A sad reality of the age of AI is that CAPTCHAs are no longer enough to deter bots.
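
The first three tactics above, combined into one pre-send gate, as an added example that is not from the original article or from any vendor's product. The thresholds, the allowed prefixes, the class and function names, and the sample numbers are all constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration; tune them to your own traffic.
ALLOWED_PREFIXES = ("+52", "+1")  # tactic 1: country allow list
MAX_PER_NUMBER = 2                # tactic 2: SMS per number per 24 hours
DAY = 24 * 3600
SEQ_WINDOW = 600                  # tactic 3: seconds to look back
SEQ_GAP = 5                       # numbers this close count as sequential
SEQ_MIN_NEIGHBOURS = 2            # distinct neighbours needed to block


class OtpGate:
    """Decides whether to send an OTP SMS, applying tactics 1 to 3 in order."""

    def __init__(self):
        self.sent = defaultdict(deque)  # phone -> timestamps of SMS sent
        self.recent = deque()           # (timestamp, number as int) per request checked

    def check(self, ts, phone):
        if not phone.startswith(ALLOWED_PREFIXES):
            return "block:country"
        history = self.sent[phone]
        while history and ts - history[0] >= DAY:
            history.popleft()
        if len(history) >= MAX_PER_NUMBER:
            return "block:rate"
        # Count recently seen numbers that differ only slightly from this one.
        value = int(phone[1:])
        while self.recent and ts - self.recent[0][0] > SEQ_WINDOW:
            self.recent.popleft()
        neighbours = {v for _, v in self.recent if 0 < abs(v - value) <= SEQ_GAP}
        self.recent.append((ts, value))
        if len(neighbours) >= SEQ_MIN_NEIGHBOURS:
            return "block:sequential"
        history.append(ts)
        return "send"


def run(events):
    gate = OtpGate()
    return [gate.check(ts, phone) for ts, phone in events]


# Constructed sample traffic: (unix seconds, E.164 number).
SAMPLE = [
    (0, "+5215552561901"), (5, "+5215552561902"), (9, "+5215552561903"),
    (12, "+5215552561904"), (20, "+12025550147"), (30, "+12025550147"),
    (40, "+12025550147"), (50, "+88212345678"),
]
```

On the sample, the first two numbers of the sequential run are still sent before the third and fourth are blocked, so the neighbour threshold sets how many messages a run costs before the rule fires.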

How to get bulletproof protection against SMS Pumping?

No matter what you might hear from your current SMS provider, they will never protect you from SMS pumping if their primary source of revenue comes from charging for every SMS message you send. These companies benefit from SMS pumping and get a share of the profits every time it happens.

Only two possible solutions exist to root out this fraud and permanently protect your company. The first is to find a vendor that is aligned with your best interests and has no conflict of interest ingrained in its business model. Companies such as Veriph One charge you for every successful verification instead of every OTP you send. If the process fails or is triggered by an SMS pumping bot, you won’t have to pay the bill.

The second is to update your OTP technology to the latest and greatest. Companies nowadays prefer using Inverse OTPs for phone verification and phone-based 2FA/MFA, as they are immune to SMS pumping. An inverse OTP is an alternative phone verification method in which the user sends an encrypted OTP message instead of receiving it. In this case, it is impossible for fraudsters to inflate your SMS traffic artificially, but the benefits don’t end there, as your company also gets:

  1. Immunity from identity theft via smishing. One of the most prevalent types of identity theft is done via smishing, in which an attacker misleads a user into sharing their OTP to access their accounts. This angle of attack is impossible to execute when using Inverse OTPs, as stealing the OTP is not enough to complete the verification.
  2. Cost efficiency - your business pays only for successful verifications instead of paying for every message sent. The retries, abandoned sessions, and fraud attempts will not be charged.
  3. 99.999% success rate - SMS messages are not always delivered to the final user, particularly in developing countries. According to a Veriph One estimation, around 30% of SMS messages go undelivered in Latin America and developing countries due to infrastructure issues, incomplete OTP implementations, and spam filters. Additionally, in over 10% of cases, users input the incorrect phone number when requesting an OTP, leading to more undelivered messages; this scenario cannot occur with Inverse OTP, as the user doesn’t need to enter their number to verify it.

Recommendations

If you have discovered that your company is vulnerable to SMS pumping, do not panic. The first step is becoming aware of the issue. Many companies don’t realize it until it’s too late, and they have already lost millions to fraudsters without noticing. SMS pumping is a silent parasite that is difficult to remove once it has engulfed your company.

When taking action, you can implement DIY solutions, such as the aforementioned initiatives and tactics, or choose a plug-and-play solution from a tech provider offering all these functionalities to avoid wasting your team's precious time and energy on non-core software development and maintenance. These solutions are relatively inexpensive and effective, so you don’t need to break the bank to put a swift stop to hackers and fraudsters.

If you would like to know more about these solutions, contact Veriph One, the creators and pioneers of the Inverse OTP technology and a vendor specializing in phone-based technologies to protect you from bots/hackers/fraudsters, detect device farms, get enrichment data from phone numbers, and do world-class phone verification with built-in protection against SMS pumping.
