Jun 13, 2024

Preventing SMS Pumping Fraud

If your app uses phone verification, you will most likely be a victim of SMS Pumping Fraud. Here's everything you need to know about it.

Your business is thriving, and SMS communication plays a key role in your success. But beneath the surface lies a hidden danger—SMS pumping fraud. This threat isn’t just about security breaches; it’s about the escalating costs and financial strain that can result from toll fraud and artificially inflated traffic.

In this article, I’ll explore SMS pumping: what it is, why it requires your immediate attention, and how to keep it from draining your resources.

What is SMS pumping fraud?

SMS pumping is a form of fraud that involves sending a large volume of fraudulent text messages to make money. Bad actors manipulate individuals into sending text messages to international premium-rate numbers (IPRNs) that the scammers control, or steal phones and send these texts themselves.

Usually, the fraudsters force revenue generation that they can profit from, either by colluding with rogue carriers or by illegally accessing a mobile operator’s network to reroute SMSes to specific numbers.

SMS pumping usually occurs when fraudsters strike up deals with unethical mobile network operators. Of course, there are quite a few cases in which the operator is duped unknowingly. Sometimes, smaller operators are paid by larger counterparts to provide traffic, and fraudsters can use this scenario to create a fake company that promises heavy traffic.

They can also aim attacks at digital touchpoints like logins and signups to trigger OTP messages. However, it is almost impossible to determine at which layer in the SMS delivery chain the scam originates, which makes this especially attractive to scammers.

Since businesses pay for every SMS OTP generated by a customer request and individual customers pay for messaging premium-rate numbers, SMS pumping can lead to fraudulent bills amounting to thousands or even millions.

Also known as SMS Toll Fraud or Artificially Inflated Traffic (AIT), SMS Pumping is classified as a form of International Revenue Sharing Fraud (IRSF). It can victimize both individual customers and businesses, though targeting businesses causes more financial losses and adverse consequences. While the detection and prevention measures described here help in both cases, they are best utilized by brands and organizations.

How does it work? Examples of SMS Pumping Fraud

SMS pumping is a sophisticated scam requiring some technical knowledge and cooperation between cybercriminals. It involves significant planning and the compliance of at least one mobile network operator.

The fraudsters begin by promising to generate high volumes of messages and revenue by using numbers controlled by a provider. When the latter agrees, they send a large number of SMSes to premium numbers, often located in a foreign country, to exacerbate the cost.

When the customer (individual or business) is forced to pay this inflated bill, the provider pays a portion to the criminals who initiated the attack.


Example of SMS Pumping targeting a user


  • Lily receives an SMS saying: “Congratulations! You've won a $100 gift card! Reply 'YES' to claim.”

  • Lily replies, “YES,” as instructed. This causes her to subscribe to a premium SMS service unknowingly. She will now be charged a serious amount for every message she receives from this service.

  • She starts receiving messages from this number without realizing that she is paying for each text.

  • When Lily gets her phone bill, she realizes what happened (after some initial confusion). But, she finds it difficult to cancel the subscription. She may have to send more messages, look through terribly designed websites, or contact elusive customer service numbers to cancel it.

Example of SMS Pumping targeting a company


  • XMZ is a subscription-based business selling high-end clothing. Every customer who visits their website gets an offer to receive 15% off their first subscription if they enter their mobile number.

  • Customers who sign up for this will receive an SMS with a discount code. XMZ hopes to use this strategy to attract more customers, assuming that only the most interested ones will sign up for the deal.

  • Fraudsters target this site by using bots to enter thousands of fake “customer” phone numbers into the website. Each number triggers an SMS that is routed to a premium number, causing XMZ to rack up a bill for all these SMSes.

  • Not only does XMZ receive a massive bill, but they don’t even get any customers out of the generated traffic because cybercriminals routed every message for their nefarious ends.

When these messages are sent, they bounce from network to network before reaching their destination. That means there’s no way to detect which network is colluding with the authors of the SMS fraud. In most cases, you never identify the criminal who defrauded your system.

How SMS pumping fraud hurts your bottom line

In 2023, 5% of Application-to-Person (A2P) SMS were fraudulent. This means more than 20 billion messages were sent by fraudsters! Moreover, those messages cost brands a total of $1.16 billion (source).

Even the biggest names with huge engineering budgets are not immune to it. For instance, Elon Musk reported that Twitter was getting scammed by phone companies for $60M/year of fake 2FA SMS messages.

SMS fraud is widespread and can impact businesses in many ways:

Immediate financial loss

This one is obvious. Fraudulent SMS subscriptions lead to massive financial losses due to inflated phone bills, whether for individuals or businesses. When these charges add up, they can amount to hundreds of thousands or even millions of dollars. If a company's employees are victimized by SMS pumping fraud, the company may have to cover all these trumped-up bills, which can result in a severe financial hit.

Compromised security and privacy

Any form of SMS fraud (SMS pumping, SIM swapping, SIM phishing — also known as SIM smishing) directly threatens customer privacy. It can lead to identity theft and unauthorized access to guarded information. Any business that cannot protect customer data will inadvertently violate privacy laws and lose intellectual property.

I don’t have to tell you that, in this era of digital security concerns (and whether quantum computers can break your passkeys), such shoddy security will swiftly lead to the downfall of any brand or business.

Erosion of positive reputation

Whether it be your customers or employees, becoming victimized by SMS pumping fraud will lead them to drop their trust levels in your business practices… which is only fair.

Customers won’t want to buy from a company that cannot protect their data, and employees certainly wouldn’t want to work in an environment that leaves their contact information vulnerable to scammers.

Needless to say, this leads to a loss of revenue, brand credibility, and longevity.

Added operational costs

Dealing with the consequences of SMS pumping fraud doesn’t just eat into your financial resources. It will also make huge demands on your employees’ productivity because cybersecurity personnel will have their hands full fixing issues for every fraud victim. They also have to investigate each fraudulent charge, manage justifiably irate customers, implement more robust security mechanisms for the future, and, if possible, trigger lawsuits against the fraudsters (if they can be identified).

Possible legal penalties

Depending on the location of the business, employees, or customers, any charge of SMS pumping fraud might result in organizations being charged with complicity in the fraud. Businesses can also face fines or legal action if they fail to protect their customers’ data adequately.

How to detect SMS pumping attacks?

Fraud is a cat-and-mouse game, and keeping away from it is a constant challenge. There are, however, certain signals that can indicate that your company is being targeted by fraudsters.

1. Unexplained spikes in SMS traffic

A sudden and unusual increase in SMS traffic, especially during non-peak times, can indicate fraud.

If the volume of OTP requests or SMS messages sent is significantly higher than normal without a corresponding increase in legitimate user activity or a user acquisition campaign, this is a red flag.

2. SMS messages sent to unusual countries

If you notice a high volume of SMS messages being sent to countries where your business does not operate or have a significant customer base, it could be a sign of fraudsters exploiting your SMS services.

3. Sequential or patterned phone numbers

If you notice that the phone numbers in your SMS requests follow or resemble each other, there is very little chance that this is a coincidence. If you detect such patterns in the phone numbers receiving OTPs, it might indicate fraudulent activity.

4. Lower conversion rates

SMS pumping fraud can show up in your conversion rates. Once fraudsters receive the OTP SMS, they won’t bother following through with it since they already got what they wanted.

If you notice a drop in conversion rate (overall or for a specific country), it’s usually a strong sign that you are being attacked.

5. Customer complaints about delays

If your customer service team is receiving messages about delays in receiving OTPs, your system may be overloaded with fraudulent pump SMS messages.

6. Your SMS budget is leaking

Finally, if at the end of the month your supplier sends you a bill for double (or more) your usual amount, even though your users' activity has not increased, your company has certainly paid fraudsters for a nice holiday.
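Signals 1 to 4 above can be checked directly against your own OTP send log. The following Python is an added example, not code from Prelude or from the original article; the log fields, the thresholds, the `ZZ` country code and every phone number are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

AREAS = [202, 212, 303, 312, 404, 415, 503, 617, 702, 808]


def build_sample():
    """Constructed OTP send log: 7 hours of normal traffic plus one burst."""
    events = []
    for hour in range(7):
        for i, area in enumerate(AREAS):
            # 10 requests per hour to scattered numbers, 8 of 10 get verified
            events.append({"hour": hour, "to": f"+1{area}55501{hour:02d}",
                           "country": "US", "verified": i < 8})
    for i in range(60):
        # burst in hour 6: consecutive numbers, none ever verified
        events.append({"hour": 6, "to": f"+9990000{1000 + i}",
                       "country": "ZZ", "verified": False})
    return events


def spike_hours(events, factor=3.0):
    """Signal 1: hours whose volume exceeds factor x the median hour."""
    per_hour = Counter(e["hour"] for e in events)
    baseline = median(per_hour.values())  # median is robust to the spike itself
    return sorted(h for h, n in per_hour.items() if n > factor * baseline)


def prefix_clusters(events, suffix_len=3, min_size=20):
    """Signal 3: many distinct numbers that differ only in the last digits."""
    by_prefix = defaultdict(set)
    for e in events:
        by_prefix[e["to"][:-suffix_len]].add(e["to"])
    return {p: len(nums) for p, nums in by_prefix.items()
            if len(nums) >= min_size}


def suspicious_countries(events, expected, min_volume=20, min_conversion=0.3):
    """Signals 2 and 4: unexpected destinations and low OTP conversion."""
    sent, verified = Counter(), Counter()
    for e in events:
        sent[e["country"]] += 1
        verified[e["country"]] += e["verified"]
    flagged = {}
    for country, n in sent.items():
        if n < min_volume:          # too little traffic to judge
            continue
        reasons = []
        if country not in expected:
            reasons.append("unexpected destination")
        if verified[country] / n < min_conversion:
            reasons.append("low conversion")
        if reasons:
            flagged[country] = reasons
    return flagged


if __name__ == "__main__":
    log = build_sample()
    print("spike hours:", spike_hours(log))
    print("number clusters:", prefix_clusters(log))
    print("countries:", suspicious_countries(log, expected={"US"}))
```

No single signal is conclusive on its own; a burst that lines up with a number cluster and a conversion rate near zero is what deserves an alert.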

How to prevent SMS pumping fraud?

Detecting SMS fraud is a first step in the right direction. But now you're probably wondering, “How do I prevent fraud before it impacts my bill?”

Here are some ways you can prevent fraud to protect your company and your users.

Use Prelude Verification API

Built directly within our OTP API, our fraud prevention system uses an adaptive machine learning algorithm to assess real-time risk for each login attempt. It uses dozens of signals relating to each OTP and draws on data from our vast database to predict whether a request is likely to be fraudulent.

For each authentication request, we combine existing user data with the information you provide. This allows it to link your login attempt with ongoing spam, bot activity, and other fraudulent behaviors.

For example, we helped our customer BeReal to reduce its fraudulent traffic by 95%, resulting in a 75% reduction in its SMS verification costs.

Set a daily balance limit with your provider

If you use a provider other than Prelude for your OTP and SMS needs, you can establish a daily balance limit with that provider.

For example, make it clear that you will be spending no more than $300 a day for OTP verification and SMS-based authentication. This eliminates the possibility of receiving an alarming bill at the end of the month/year.

Build a block list

You can manually create a block list and block users you have identified as fraudulent. However, this procedure can be time-consuming and assumes that a user has already fooled you once before you block them.

Block specific countries

You can also block certain countries to prevent messages being sent to numbers in those regions. But we don't recommend this approach, as it risks deeply frustrating the real users you have in that region.
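The daily limit and the block list can also be enforced in your own code, before a request ever reaches the SMS provider. This is an added example, not Prelude's or any provider's API: the `SendGate` class is hypothetical, the cap of ten sends per number per day is an assumption, and the prices and phone numbers are constructed.

```python
from collections import Counter
from datetime import date
from decimal import Decimal


class SendGate:
    """Decide whether an OTP SMS may be sent, before calling the provider."""

    def __init__(self, daily_budget=Decimal("300"), per_number_max=10):
        self.daily_budget = daily_budget      # e.g. the $300/day limit
        self.per_number_max = per_number_max  # assumed cap per number per day
        self.blocklist = set()                # persists across days
        self._day = None
        self._spent = Decimal("0")
        self._sent = Counter()

    def _roll(self, today):
        # Spend and per-number counters reset daily; the block list does not.
        if today != self._day:
            self._day = today
            self._spent = Decimal("0")
            self._sent = Counter()

    def spent(self):
        return self._spent

    def check(self, number, price, today):
        """Return "allow" and record the send, or a refusal reason."""
        self._roll(today)
        # Block list first, so refused traffic never consumes budget.
        if number in self.blocklist:
            return "blocked: on block list"
        if self._sent[number] >= self.per_number_max:
            # Automates the manual block list: repeat offenders are added.
            self.blocklist.add(number)
            return "blocked: per-number limit"
        # The budget cap fails closed: once reached, real users are refused
        # too, so this branch should page someone rather than fail silently.
        if self._spent + price > self.daily_budget:
            return "denied: daily budget exhausted"
        self._sent[number] += 1
        self._spent += price
        return "allow"


if __name__ == "__main__":
    gate = SendGate(daily_budget=Decimal("1.00"), per_number_max=3)
    today = date(2024, 6, 13)
    for _ in range(5):
        print(gate.check("+99900001000", Decimal("0.10"), today))
```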

How Prelude protects customers from SMS pumping fraud

To start with, the reason Prelude can provide far better fraud protection than our competitors and counterparts is simple: we only care about OTP verification. We’re only obsessed with keeping SMS prices low and protecting customers from SMS fraud. That’s it… and we put everything we have into these areas.

When it comes to fraud protection, we are, without exception, the more reliable option. In the case of an attack, we don’t block entire carriers or countries. Instead, we do granular fraud scoring and pinpoint the issues so that your business is not impacted, either through financial loss or suspension of necessary SMSes.

We start by looking at basic heuristics, like whether we’re seeing one number sending ten or more messages. That’s a sanity check. Then, we enrich this data with device and IP information.

We’re also an AI-native company, which means we can better pinpoint fraud using precise scoring methods that consider heuristics and enriched data. Competitors will only look at a phone number to determine fraud, but then you’re paying for false negatives. We don’t do that. We prefer to be precise to the extent that we can offer SMS infrastructure in countries not serviced by competitors like Indonesia, the Philippines, and Brazil.

Learn more about the Prelude API here.

Or, you could explore how to integrate the Prelude API from any language.

We’re very proud to have created much better SMS verification–for less.

