Jun 13, 2024

Preventing SMS Pumping Fraud

If your app sends verification codes by SMS, it will sooner or later be targeted by SMS pumping fraud. Here's what you need to know about it.

Despite the rise of richer messaging platforms like WhatsApp, SMS has not lost its shine. Those of us outside the US may no longer text friends and family over SMS, but SMS-driven marketing and verification messages are still effective.

In fact:

  • Text messages have an average open rate of 98%.

  • 85% of people surveyed in 2023 said they prefer receiving text messages over email or phone calls. (Source)

  • 55% of people prefer using SMS over Facebook Messenger and WhatsApp, which shows how powerful SMS still is during the social media boom. (Source)

However, since nothing in the world is perfect, SMS comes with a few challenges. The one that costs companies the most (sometimes millions of dollars) is a relatively recent one: SMS pumping.

In this article, I'll explore SMS pumping: what it is, why it requires your immediate attention, and how to stop it from draining your budget.

What is SMS pumping fraud?

Note: SMS pumping fraud victimizes both individual customers and businesses, but attacks on businesses cause far larger financial losses. The detection and prevention measures in this article help in both cases, but they are aimed mainly at brands and organizations.

Put simply, SMS pumping is fraud that makes money by generating large volumes of text messages that someone else pays for. In the consumer-facing variant, scammers trick individuals into texting international premium-rate numbers (IPRNs) that the scammers control, or use stolen phones to send those texts themselves. In the variant that hits businesses, attackers abuse any feature that sends an SMS on request, typically OTP verification at login or signup, to push thousands of messages to numbers in ranges where they receive a cut of the termination fee.

Either way, the fraudsters need a partner in the delivery chain: they collude with a rogue carrier or aggregator that shares the revenue with them, or they gain unauthorized access to an operator's network and route the messages to numbers they control. SMS pumping is generally classified as a form of International Revenue Share Fraud (IRSF).

Because a message hops across several operators and aggregators before it terminates, it is very hard to tell at which layer of the delivery chain the revenue share is being taken, which is exactly what makes the scheme attractive to scammers.

Businesses pay their provider for every message sent, whether or not a real customer is on the other end, and individuals pay premium rates for each message exchanged with a premium-rate number, so SMS pumping can produce fraudulent bills in the thousands or millions.

I went hunting for user accounts of folks victimized by SMS pumping, and let me tell you, I didn’t have to look far…

“My phone got stolen in Naples last year, just as I was about to board my plane. It was 11 PM, so when I called my boss from my girlfriend's phone, he decided to block the number the next morning as he was in bed already. By the time the SIM was blocked, 10 hours had passed, and thieves had managed to place over 100 hours of very expensive toll calls to numbers in Algeria. It cost the company over 10k, and our operator was not willing to accept any responsibility over it,” a HackerNews poster wrote.

SMS pumping usually relies on a deal between the fraudsters and an unethical mobile network operator or aggregator. There are also cases in which the operator is duped without knowing it.

Smaller operators are sometimes paid by larger ones to bring in traffic, and fraudsters exploit this by setting up a front company that promises heavy volumes.

Diving deeper: how SMS pumping works, with examples

SMS pumping is a sophisticated scam. It takes some technical knowledge, coordination between criminals, planning, and the complicity of at least one party in the delivery chain.

The fraudsters start by promising an operator high volumes of messages, and therefore revenue, on a number range that operator controls. Once the operator agrees, the fraudsters generate traffic to those numbers, often in a foreign country where termination is expensive, either by sending it themselves or by triggering a victim's systems to send it. The victim (individual or business) is billed for the inflated traffic, and the operator passes a portion of the revenue to the criminals who initiated the attack.

  • Lily receives an SMS saying: “Congratulations! You've won a $100 gift card! Reply 'YES' to claim.”

  • Lily replies “YES” as instructed. Without realizing it, she has subscribed to a premium SMS service and will be charged a premium rate for every message she receives from it.

  • She keeps receiving messages from this number, not realizing that she is paying for each one.

  • When Lily gets her phone bill, she works out what happened (after some initial confusion). But she finds it difficult to cancel the subscription: she may have to send more messages, navigate terribly designed websites, or reach elusive customer service numbers to do so.

Businesses fall prey to the same scam just as often as individuals:

  • XMZ is a subscription-based business selling high-end clothing. Every visitor to its website is offered 15% off their first subscription if they enter their mobile number.

  • Visitors who sign up receive an SMS with a discount code. XMZ hopes this will attract more customers, assuming that only genuinely interested people will hand over their number.

  • Fraudsters use bots to submit thousands of fake “customer” phone numbers to the form. Each submission triggers an SMS to a number in a range on which the fraudsters or their partner operator earn revenue, and XMZ racks up a bill for every one of them.

  • Not only does XMZ receive a massive bill, it gains no customers from the traffic, because every message went to a number the criminals controlled.

When these messages are sent, they hop from network to network before reaching their destination, so it is very hard to tell which network is colluding with the authors of the fraud. In most cases, you never identify the criminals who defrauded your system.

How SMS pumping fraud hurts your bottom line

Immediate financial loss

This one is obvious. Fraudulent SMS traffic, whether premium subscriptions on an individual's phone or pumped OTP volume on a business's account, leads to inflated bills. When the charges add up, they can amount to hundreds of thousands or even millions of dollars. If a company's employees are victimized by SMS pumping fraud, the company may end up covering those trumped-up bills too, which can be a severe financial hit.

Compromised security and privacy

Any form of SMS fraud (SMS pumping, SIM swapping, smishing, which is phishing over SMS) threatens customer privacy. It can lead to identity theft and unauthorized access to protected information, and a business that cannot protect customer data risks violating privacy laws and losing intellectual property.

I don't have to tell you that, in an era when customers worry about digital security (down to whether quantum computers can break their passkeys), such shoddy security will swiftly damage any brand or business.

Erosion of positive reputation

Whether they are customers or employees, people victimized by SMS pumping fraud through your systems will lose trust in your business practices, which is only fair.

Customers won't want to buy from a company that cannot protect their data, and employees certainly wouldn't want to work in an environment that leaves their contact information exposed to scammers.

Needless to say, this leads to a loss of revenue, brand credibility, and longevity.

Added operational costs

Dealing with the consequences of SMS pumping fraud doesn't just eat into your financial resources. It also makes heavy demands on your employees' time, because security personnel will have their hands full supporting every fraud victim. They also have to investigate each fraudulent charge, manage justifiably irate customers, implement more robust controls for the future, and, where possible, pursue legal action against the fraudsters (if they can be identified).

Possible legal penalties

Depending on where the business, its employees, and its customers are located, an organization whose systems were used to generate fraudulent traffic may be drawn into the resulting investigation. Businesses can also face fines or legal action if they fail to protect their customers' data adequately.

How to detect and prevent SMS pumping fraud in day-to-day operations

Simply put, companies need a deep awareness of the practice, vigilance to catch incoming attacks, and proactive measures to guard essential data.

Best practices to detect SMS pumping fraud

  • Review provider invoices and phone bills regularly for unknown or unexpected charges. Watch in particular for premium-rate numbers and for destination countries where you have no customers.

  • Be more mindful of text messages received from unknown numbers and sources.

  • If the number of verification messages sent changes sharply (visible in your provider dashboard well before it shows up on the bill), investigate. Compare messages sent with codes actually verified: pumped traffic never converts, because nobody on the receiving end types the code in.

  • Review the list of services your teams are subscribed to, once a quarter if possible, and flag any unfamiliar names immediately.

  • Make sure your teams know to be skeptical of unknown messages offering free items or prizes for contests they never entered, and not to click links to unknown websites.
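The detection checks above can be run over your own verification logs. The following is an added example, not Prelude's code: it parses a constructed log of `otp_sent` / `otp_verified` events (the log format, the country-code table and the thresholds are all assumptions) and flags the three signatures a pumping attack leaves, namely volume into one country with almost no verifications, consecutive destination numbers, and many distinct numbers requested from one source IP.

```python
"""Offline SMS-pumping detection over verification logs.

Added example, not Prelude's code. The log format, the country-code table
and the alert thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
import re

# Constructed sample log: "<timestamp> <event> <E.164 number> <client ip>".
# The +33 and +49 traffic behaves like real users (send, then verify).
# The burst to consecutive +84 numbers from one IP, none of which ever
# verifies, is the pumping signature.
SAMPLE_LOG = """\
2024-06-13T10:00:01 otp_sent +33612345678 203.0.113.10
2024-06-13T10:00:09 otp_verified +33612345678 203.0.113.10
2024-06-13T10:00:12 otp_sent +4915112345678 198.51.100.7
2024-06-13T10:00:40 otp_verified +4915112345678 198.51.100.7
2024-06-13T10:01:00 otp_sent +84912000100 192.0.2.5
2024-06-13T10:01:01 otp_sent +84912000101 192.0.2.5
2024-06-13T10:01:02 otp_sent +84912000102 192.0.2.5
2024-06-13T10:01:03 otp_sent +84912000103 192.0.2.5
2024-06-13T10:01:04 otp_sent +84912000104 192.0.2.5
2024-06-13T10:01:05 otp_sent +84912000105 192.0.2.5
2024-06-13T10:02:00 otp_sent +33698765432 203.0.113.44
"""

LINE_RE = re.compile(r"^(\S+) (otp_sent|otp_verified) (\+\d+) (\S+)$")

# Assumed country-code table; a real system uses a full numbering-plan lookup.
COUNTRY_CODES = ("1", "33", "44", "49", "84")


def country_code(number: str) -> str:
    """Longest-prefix match of the E.164 number against the assumed table."""
    digits = number.lstrip("+")
    for cc in sorted(COUNTRY_CODES, key=len, reverse=True):
        if digits.startswith(cc):
            return cc
    return "?"  # unknown plan: worth an alert of its own in production


def parse(log: str):
    """Yield (timestamp, event, number, ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def analyze(log: str, min_sends: int = 5, max_verify_rate: float = 0.2,
            seq_run: int = 4):
    """Return (per-country stats, list of alert strings)."""
    sent = defaultdict(list)     # cc -> [(number, ip), ...]
    verified = defaultdict(set)  # cc -> {number, ...}
    for _ts, event, number, ip in parse(log):
        cc = country_code(number)
        if event == "otp_sent":
            sent[cc].append((number, ip))
        else:
            verified[cc].add(number)

    stats, alerts = {}, []
    for cc, sends in sent.items():
        n_sent, n_verified = len(sends), len(verified[cc])
        rate = n_verified / n_sent
        stats[cc] = {"sent": n_sent, "verified": n_verified, "verify_rate": rate}

        # Signal 1: volume with almost no conversion (bots never type the code).
        if n_sent >= min_sends and rate <= max_verify_rate:
            alerts.append(f"+{cc}: {n_sent} sent, {n_verified} verified (low conversion)")

        # Signal 2: consecutive destination numbers (attackers walk a range they own).
        nums = sorted(int(n.lstrip("+")) for n, _ in sends)
        run = 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b == a + 1 else 1
            if run == seq_run:
                alerts.append(f"+{cc}: {seq_run}+ consecutive destination numbers")
                break

        # Signal 3: many distinct numbers requested from a single source IP.
        by_ip = defaultdict(set)
        for n, ip in sends:
            by_ip[ip].add(n)
        for ip, numbers in by_ip.items():
            if len(numbers) >= min_sends:
                alerts.append(f"+{cc}: {len(numbers)} numbers from {ip}")
    return stats, alerts


if __name__ == "__main__":
    stats, alerts = analyze(SAMPLE_LOG)
    for cc, s in stats.items():
        print(f"+{cc}: {s}")
    for a in alerts:
        print("ALERT", a)
```

Run against the sample, this reports six sends and zero verifications for +84 and raises all three alerts for that country, while the French and German traffic stays quiet. The conversion check is the most robust of the three, because attackers can rotate IPs and randomize numbers within a range but cannot make the codes get verified.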

Best practices to prevent SMS pumping fraud

  • Agree a daily spend limit with your provider. For example, make it clear that you will spend no more than $300 a day on OTP verification and SMS-based authentication. This caps the damage and rules out an alarming bill at the end of the month or year.

  • Ask the provider to contact your team when they notice irregular traffic. For example, if your customers are primarily European but a lot of OTP requests suddenly target Vietnamese numbers, you should hear about it immediately.

  • Educate employees and customers about SMS fraud and how to recognize and protect themselves against it.

  • Install spam filters on company devices and mailboxes to detect and block fraudulent messages.

  • Mobile operators offer features to block texts to and from premium-rate SMS services, and may offer extra protection for messages that get through. Use both.

  • Protect sensitive accounts, systems, and data with a second factor that does not rely on SMS, so that an attacker who can intercept or trigger text messages still cannot get in.

  • Keep security software up to date on all devices, including company-issued phones, tablets, and laptops, to protect against fraud, phishing, malware, and other threats.
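The spend limit and traffic checks above only help if they run before the message is sent. The following added example (not Prelude's or any provider's code) shows a pre-send gate that a verification endpoint would call for every OTP request. The per-message prices, limits and window sizes are illustrative assumptions, and state lives in process memory for the demo; a real deployment would keep it in a shared store. The order of checks is the design point: targeted limits (per-number cooldown, per-IP rate, per-prefix burst) run first, and the daily cap is the last backstop, because once the cap trips it blocks real customers too.

```python
"""Pre-send gate for OTP requests.

Added example, not Prelude's or any provider's code. Prices, limits and
window sizes are illustrative assumptions; state is process-local for the
demo (a real deployment would use a shared store such as Redis).
"""
from collections import defaultdict, deque

# Assumed per-message price by country code (USD). Unknown prefixes are denied
# rather than sent: a number you cannot price is a number you cannot budget.
PRICE_USD = {"1": 0.008, "33": 0.07, "49": 0.09, "84": 0.06}


class OtpGate:
    def __init__(self, daily_cap_usd=300.0, per_ip_per_hour=5,
                 number_cooldown_s=60, prefix_burst=20, prefix_window_s=600):
        self.daily_cap = daily_cap_usd
        self.per_ip_per_hour = per_ip_per_hour
        self.number_cooldown = number_cooldown_s
        self.prefix_burst = prefix_burst
        self.prefix_window = prefix_window_s
        self.spent_today = 0.0
        self.ip_hits = defaultdict(deque)      # ip -> send timestamps
        self.prefix_hits = defaultdict(deque)  # country code -> send timestamps
        self.last_send = {}                    # number -> last send timestamp

    @staticmethod
    def _prune(q, now, window):
        """Drop timestamps that have aged out of the sliding window."""
        while q and now - q[0] >= window:
            q.popleft()

    @staticmethod
    def _country(number):
        digits = number.lstrip("+")
        return next((cc for cc in sorted(PRICE_USD, key=len, reverse=True)
                     if digits.startswith(cc)), None)

    def check(self, number, ip, now):
        """Decide whether to send an OTP to `number`. Returns (allowed, reason).

        Cheap, targeted checks run first; the daily cap is the final backstop
        because it also blocks real customers once it trips.
        """
        cc = self._country(number)
        if cc is None:
            return False, "unknown_prefix"
        if now - self.last_send.get(number, float("-inf")) < self.number_cooldown:
            return False, "number_cooldown"     # resend hammering on one number
        ip_q = self.ip_hits[ip]
        self._prune(ip_q, now, 3600)
        if len(ip_q) >= self.per_ip_per_hour:
            return False, "ip_rate"             # one client, many numbers
        pfx_q = self.prefix_hits[cc]
        self._prune(pfx_q, now, self.prefix_window)
        if len(pfx_q) >= self.prefix_burst:
            return False, "prefix_velocity"     # sudden burst into one country
        price = PRICE_USD[cc]
        if self.spent_today + price > self.daily_cap:
            return False, "daily_cap"
        # Every check passed: record the send and charge the budget.
        ip_q.append(now)
        pfx_q.append(now)
        self.last_send[number] = now
        self.spent_today += price
        return True, "ok"


def simulate():
    """Replay a constructed request sequence; returns (reasons, usd_spent)."""
    gate = OtpGate(daily_cap_usd=0.35, per_ip_per_hour=3, prefix_burst=4)
    reasons = []
    reasons.append(gate.check("+33612345678", "203.0.113.10", 0)[1])  # real user
    reasons.append(gate.check("+33612345678", "203.0.113.10", 5)[1])  # impatient resend
    for i in range(8):  # bot walking a +84 range while rotating its source IP
        reasons.append(gate.check(f"+8491200010{i}", f"192.0.2.{i}", 100 + i)[1])
    reasons.append(gate.check("+4915112345678", "198.51.100.7", 200)[1])  # real user, cap hit
    reasons.append(gate.check("+999123456", "198.51.100.8", 201)[1])      # unpriced prefix
    return reasons, round(gate.spent_today, 2)


if __name__ == "__main__":
    for reason in simulate()[0]:
        print(reason)
```

In the replayed sequence the bot's IP rotation defeats the per-IP limit, but the per-prefix burst limit stops it after four messages into +84. Those four messages still spent most of the small demo budget, so the next legitimate German user is refused with `daily_cap`: the cap did its job of bounding the loss, at the cost of a real customer, which is why it should be the last line rather than the first. Keying the burst counter on a longer prefix (the first six or seven digits) catches range walking earlier without throttling a whole country.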

How Prelude protects customers from SMS pumping fraud

To start with, the reason Prelude can provide far better fraud protection than our competitors and counterparts is simple: we only care about OTP verification.

We’ll be the first ones to tell you that we are hyper-focused on one area: authentication and verification. If a brand wants to send marketing messages promoting a sale or establish two-way communication with customers, we’ll tell you to go talk to Twilio or Vonage.

We’re only obsessed with keeping SMS prices low and protecting customers from SMS fraud. That’s it… and we put everything we have into these areas.

At Prelude, we use over 20 different providers to find the most stable and most affordable route. Yes, it's totally possible to find the best possible price without compromising protection and quality.

Note: Prelude users can easily configure which messaging channels to use (SMS, RCS, WhatsApp, Viber, etc.). They can also choose whether they want Prelude to optimize for cost (the cheapest route that still delivers) or for conversion (paying more to add branding and custom text to customer messages).

In comparison, our competitors use one route at a time. They don't do algorithm-based optimization, and they will change the route of a given country only once a customer complains. Generally, the customer requests that all SMSes emerging from said country be blocked, which means all legitimate opportunities arising from that location (like customers and other startups) are also blocked off.

When it comes to fraud protection, we are, without exception, the more reliable option. In the case of an attack, we don’t block entire carriers or countries. Instead, we do a granular fraud scoring and pinpoint the issues so that your business is not impacted, either through financial loss or suspension of necessary SMSes.

We start with basic heuristics, such as whether a single destination number is requesting ten or more verification messages. That's a sanity check. Then we enrich the data with device and IP information.

We're also an AI-native company, which means we can pinpoint fraud more precisely with scoring that combines those heuristics with the enriched data. Competitors that look only at the phone number to judge fraud leave you paying for the false negatives. We don't do that. Our scoring is precise enough that we can offer SMS infrastructure in countries some competitors don't serve, such as Indonesia, the Philippines, and Brazil.

Learn more about the Prelude API here.

Or, you could explore how to integrate the Prelude API from any language.

We're very proud to have created much better SMS verification, for less.
