What is SMS Pumping: Plivo’s Quick Guide

Jan 8, 2024

In February 2023, Elon Musk reported that Twitter lost $60 million a year due to SMS pumping fraud. One study estimated that SMS OTP fraud made up around 6% of all SMS traffic — and that percentage is only increasing. 

What is SMS pumping?

SMS pumping, also known as artificially inflated traffic (AIT) or SMS traffic pumping, is a type of cybercrime that targets businesses that use SMS for one-time passcodes (OTPs) or app download links.

In an SMS pumping attack, the perpetrator uses bots to flood a business's online forms with fake requests. These requests include phone numbers that the attackers control. Tricked into thinking these are legitimate requests, the business sends SMS messages to the fake numbers.

SMS pumping poses challenges for businesses by increasing A2P costs, negatively impacting the enterprise. Moreover, excessive sending of one-time passcodes to customers can lead to distrust and potentially tarnish a company's reputation. 

SMS pumping is a challenge for mobile network operators (MNOs), too. The ongoing increase in SMS rates could cause businesses to explore alternative authentication methods, reducing their reliance on A2P SMS services and resulting in revenue decline for MNOs. 

In this guide, we’ll further break down the ins and outs of SMS pumping, describe how to spot the signs of SMS pumping fraud, and provide advice for protecting your business from this security risk. 

How does SMS pumping work?

SMS pumping relies on a combination of brute force and deceptive tactics in order to achieve financial gain. 

Typically, an SMS pumping attack starts with the perpetrator launching a bot designed to create fake accounts on a website or app. The bot fills out online forms with fake requests to trigger the sending of one-time passcodes to various mobile numbers. If the web form doesn’t have security controls, the attacker can enter premium rate numbers to generate funds for them and the mobile network operator. Often, the MNO is a rogue operator that shares in the profits; although some MNOs aren’t aware the fraud is being carried out over their network.

In another instance, the bot could trigger sending large volumes of text messages to random or targeted phone numbers. These messages mimic legitimate SMS traffic from sources such as banks, government agencies, or popular brands. For instance, a targeted message may appear to be from Netflix asking a user to verify their account due to suspicious activity. 

In this scenario, the SMS may contain links to fake websites that appear to be legitimate. These websites try to trick users into entering personal information, such as their username or password, that the perpetrator can use to infiltrate their account. 

The perpetrators' ultimate goal in SMS pumping is usually financial gain. They may profit directly from premium-rate SMS charges, identity theft, unauthorized access to financial accounts, or selling stolen personal information on the dark web.

Common situations in which SMS pumping happens

SMS pumping is a risk in any situation that requires a business to send SMS in response to a user-triggered action. These include signup forms, two-factor authentication (2FA) logins, or forms where users request a password reset. Attackers exploit these forms by submitting a high volume of fake requests with phone numbers they control.

Certain industries and types of accounts are magnets for AIT fraud — such as the financial industry and tax or government agencies. 

Banking and financial scams are among the most common sources of SMS pumping fraud. Criminals send fake SMS messages impersonating banks claiming there is a problem with the recipient's account. They may request the recipient to click on a link to update their account details or provide sensitive information like account numbers, passwords, or PINs.

Likewise, perpetrators often impersonate government agencies, tax authorities, or law enforcement agencies, sending SMS messages threatening recipients with legal action, fines, or imprisonment if they do not comply with certain demands, such as paying outstanding taxes or providing personal information. Once the victim falls for the social engineering attack, the criminal can launch an account takeover and gain access to their PII. 

How does SMS pumping affect businesses?

SMS pumping is a risk that can’t be ignored. This type of fraud can cause financial and intangible damage, destroying customer trust and impacting the user experience. 

Analysis by LANCK Telecom, a global carrier, found that SMS pumping fraud costs companies 10% in revenue. At Twitter, Musk estimated that SMS fraud cost the company $60 million a year, not counting traffic in North America. Financially, SMS pumping is a significant risk to businesses of all sizes. 

That’s not the only adverse impact of SMS pumping. Sending excessive OTPs or being associated with SMS fraud can damage a business's reputation. Customers may lose trust in the company's communication channels, leading to decreased loyalty, negative word-of-mouth publicity, and reluctance to engage with the business in the future.

Likewise, an influx of fraudulent traffic from SMS pumping can overload a business's SMS messaging infrastructure. This traffic overload can lead to service disruptions, delays, or even complete outages, preventing legitimate customers from receiving important messages like OTPs or appointment reminders. The user experience suffers dramatically when SMS pumping goes unchecked. 

There are also legal and compliance issues to consider. If customer data is compromised or privacy regulations are violated, companies face fines, lawsuits, or regulatory sanctions for failing to protect customer information.

The first step to mitigating these risks? Learn to spot the signs that your business may be the target of SMS pumping fraud. 

How to detect SMS pumping fraud?

Several signs can indicate that your business is the target of SMS pumping attacks. Here’s what to look for. 

1. A spike in outbound or inbound messages.

An unexpected influx of responses or inquiries from SMS message recipients, particularly if they express confusion, suspicion, or complaints about unsolicited or misleading content, suggests that the business's SMS communications may have been compromised. Likewise, a sudden increase in the volume of outgoing SMS messages from the business's messaging platform could indicate an attempt to pump SMS traffic.

2. Reports of unauthorized charges and other negative feedback.

Sudden complaints, or reports from SMS recipients of unauthorized charges on their mobile phone bills, could signal that the business's SMS channels are being exploited.

3. Your SMS budget runs out much sooner than planned.

Unexplained depletion of your SMS budget can be a sign of fraudulent activity. A significant rise in SMS-related expenses without a corresponding increase in legitimate customer interactions or marketing campaigns could signal fraudulent SMS pumping activity.

4. Low conversion rates or service irregularities.

If you're sending a high volume of SMS messages for actions like OTP verification or password resets, but not seeing a corresponding rise in successful logins or account creations, it suggests something suspicious might be happening. Alternatively, irregularities in the timing, frequency, or distribution of outgoing SMS messages, such as unusual spikes during off-hours or concentrated activity targeting specific demographics or regions, may indicate orchestrated SMS pumping efforts.
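The four signs above can be checked mechanically against an OTP send log. The script below is an added example, not code from Plivo or from the original article: it builds a constructed log of OTP sends (six quiet hours followed by one hour of pumping traffic toward a fictitious prefix, +999, which is unassigned), buckets it by hour, and flags hours that show a volume spike against the median of the other hours, a collapse in conversion (verified codes divided by codes sent), sends concentrated on a country prefix not seen in the other hours, or requests concentrated on one source IP. The record layout, thresholds and helper names are assumptions for the example.

```python
"""Hourly SMS-pumping indicators over an OTP send/verify log (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median


@dataclass(frozen=True)
class OtpEvent:
    sent_at: datetime   # when the OTP SMS was requested
    destination: str    # E.164 number the OTP went to
    source_ip: str      # client IP that submitted the form
    verified: bool      # whether the code was later entered correctly


def build_sample_log():
    """Constructed data: six normal hours, then one hour of pumping traffic."""
    base = datetime(2024, 1, 8, 0, 0, tzinfo=timezone.utc)
    events = []
    for hour in range(6):
        for i in range(20):
            events.append(OtpEvent(
                sent_at=base + timedelta(hours=hour, minutes=i * 3),
                destination=f"+1415555{i:04d}",          # constructed numbers
                source_ip=f"203.0.113.{i + 1}",          # RFC 5737 documentation range
                verified=i < 17,                         # ~85% of real users finish the flow
            ))
    # Pumping hour: 300 requests from one IP toward one unfamiliar prefix, almost none verified.
    for i in range(300):
        events.append(OtpEvent(
            sent_at=base + timedelta(hours=6, seconds=i * 12),
            destination=f"+999555{i:06d}",               # +999 is unassigned; placeholder prefix
            source_ip="198.51.100.7",
            verified=i < 3,
        ))
    return events


def hourly_stats(events):
    """Per-hour counts: sends, verifications, conversion, prefix and source-IP mix."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e.sent_at.replace(minute=0, second=0, microsecond=0)].append(e)
    stats = []
    for hour in sorted(buckets):
        evs = buckets[hour]
        sent = len(evs)
        verified = sum(e.verified for e in evs)
        prefixes = Counter(e.destination[:4] for e in evs)   # crude country-prefix key
        ips = Counter(e.source_ip for e in evs)
        stats.append({
            "hour": hour,
            "sent": sent,
            "verified": verified,
            "conversion": verified / sent,
            "prefixes": prefixes,
            "top_ip_share": ips.most_common(1)[0][1] / sent,
        })
    return stats


def flag_hours(stats, min_conversion=0.3, spike_factor=5.0, concentration=0.8):
    """Return [(hour, [reasons])] for hours that look like pumping.

    The volume baseline is the median of the *other* hours so a burst does not
    inflate its own baseline, and a prefix counts as unfamiliar when no other
    hour sent to it.
    """
    alerts = []
    for s in stats:
        others = [t for t in stats if t is not s]
        baseline = median([t["sent"] for t in others]) if others else s["sent"]
        known = set().union(*(t["prefixes"] for t in others)) if others else set()
        unfamiliar = sum(n for p, n in s["prefixes"].items() if p not in known) / s["sent"]
        reasons = []
        if baseline and s["sent"] >= spike_factor * baseline:
            reasons.append(f"volume spike: {s['sent']} sent vs baseline {baseline:.0f}")
        if s["conversion"] < min_conversion:
            reasons.append(f"low conversion: {s['conversion']:.1%}")
        if unfamiliar >= concentration:
            reasons.append(f"{unfamiliar:.0%} of sends went to prefixes unseen in other hours")
        if s["top_ip_share"] >= concentration:
            reasons.append(f"{s['top_ip_share']:.0%} of requests came from one source IP")
        if reasons:
            alerts.append((s["hour"], reasons))
    return alerts


if __name__ == "__main__":
    for hour, reasons in flag_hours(hourly_stats(build_sample_log())):
        print(hour.isoformat(), "->", "; ".join(reasons))
```

In production the same checks would run over a rolling window from your messaging platform's delivery reports joined with your own verification outcomes; the thresholds here are deliberately conservative and should be tuned to the business's normal conversion and hourly volume.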


It’s possible that a mobile network operator or carrier might also alert your team of suspicious activity. Take these warnings seriously and investigate any red flags promptly to avoid having your service suspended. 

How to prevent SMS pumping?

You can take several steps to make it harder for criminals to use your account and phone numbers for SMS pumping.

Our top recommendation is activating Fraud Shield, Plivo’s solution designed to fight SMS pumping. Fraud Shield offers two primary features that operate at the destination country level — Fraud Thresholds allow you to control the number of messages that can be sent per hour and Geo Permissions allow you to control the countries to which your SMS messages are sent. 

Read more: Introducing Fraud Shield — Plivo’s new solution to fight SMS pumping

We use several factors to determine each country's risk level, including any previous cases of fraud and local regulations. The Plivo team regularly reassesses our risk criteria to ensure that Fraud Shield uses the latest data for recommended thresholds. You can also choose how the system responds to a threshold breach and select who from your team is notified – options include Block & Alert, Alert Only, or Ignore.


Additional steps to consider depending on your configuration include:

  1. In your applications, limit the number of messages going out to a destination number based on your use case. For example, suppose you’re sending out one-time passwords (OTPs) for two-factor authentication. Most OTP use cases set a duration for which the OTP is valid. During this time, you can block further messages triggered toward the same destination number. For more generic use cases, you can write logic that sends no more than n messages per minute or per day. You can also check the source IP addresses of message requests; fraud may be involved if hundreds are coming from the same address. 
  2. Consider implementing rate limiting at the source IP address level. Message limitation is use case-dependent, and you’ll likely be the best judge of how to implement it. 
  3. Implement challenge-response verification. Most, if not all, instances of SMS pumping employ bots that target a series of numbers with as much messaging traffic as possible. For example, if you have a web application, the bots’ scripts will try to register numbers on your login page one after another. To control this behavior you can add challenge-response systems such as CAPTCHAs to your forms or pages to ensure humans and not bots are using them. 
  4. Secure your authentication IDs and tokens. Don’t push code that includes authentication information to public repositories. For mobile applications, follow best practices recommended by the mobile OS. 
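Steps 1 and 2 above, together with the per-country hourly thresholds and the Block & Alert / Alert Only / Ignore responses the article describes for Fraud Shield, can be combined in one send gate that runs before any OTP is handed to the SMS provider. The class below is an added example written for this guide; it is not Plivo's code and not how Fraud Shield is implemented, and it keeps all state in memory. It assumes a constructed three-entry country-prefix table (a real deployment would use a full E.164 table or the provider's own country classification), constructed limits, and that the CAPTCHA check from step 3 has already happened at the form layer. Every attempt, including blocked ones, counts toward the source-IP limit, so a bot cannot probe the other limits for free.

```python
"""In-process OTP send gate: per-number cooldown and daily cap, per-IP rate limit,
per-country hourly threshold with configurable response (added example)."""
from collections import defaultdict, deque
from enum import Enum

DAY_S = 86_400
HOUR_S = 3_600


class ThresholdAction(Enum):
    BLOCK_AND_ALERT = "block_and_alert"   # stop sending and notify the team
    ALERT_ONLY = "alert_only"             # keep sending but notify the team
    IGNORE = "ignore"                     # no threshold enforcement for this country


# Constructed prefix table for the example only; +999 is unassigned and stands in
# for a high-risk destination.
COUNTRY_PREFIXES = {"+1": "US", "+44": "GB", "+999": "ZZ"}


def country_of(number):
    """Longest-prefix match of an E.164 number against the constructed table."""
    for prefix in sorted(COUNTRY_PREFIXES, key=len, reverse=True):
        if number.startswith(prefix):
            return COUNTRY_PREFIXES[prefix]
    return "UNKNOWN"


def _prune(queue, now, window_s):
    """Drop timestamps older than the sliding window."""
    while queue and now - queue[0] > window_s:
        queue.popleft()


class OtpSendGate:
    def __init__(self, otp_ttl_s=300, per_number_daily_cap=5,
                 per_ip_limit=10, per_ip_window_s=60,
                 country_thresholds=None,
                 default_threshold=(200, ThresholdAction.BLOCK_AND_ALERT)):
        self.otp_ttl_s = otp_ttl_s                      # step 1: OTP validity window
        self.per_number_daily_cap = per_number_daily_cap  # step 1: n messages per day
        self.per_ip_limit = per_ip_limit                # step 2: requests per IP per window
        self.per_ip_window_s = per_ip_window_s
        # country -> (hourly limit, action); constructed config, not Fraud Shield's
        self.country_thresholds = country_thresholds or {}
        self.default_threshold = default_threshold
        self._last_sent = {}                      # number -> time of last OTP
        self._per_number = defaultdict(deque)     # number -> send times (24 h)
        self._per_ip = defaultdict(deque)         # ip -> attempt times (window)
        self._per_country = defaultdict(deque)    # country -> send times (1 h)
        self.alerts = []                          # (now, country, count, action)
        self.sent = []                            # (now, number) handed to the provider

    def request(self, number, source_ip, now):
        """Decide whether to send an OTP; `now` is seconds. Returns (allowed, reason)."""
        ip_q = self._per_ip[source_ip]
        _prune(ip_q, now, self.per_ip_window_s)
        ip_q.append(now)                          # count every attempt, blocked or not
        if len(ip_q) > self.per_ip_limit:
            return False, "source IP over rate limit"

        last = self._last_sent.get(number)
        if last is not None and now - last < self.otp_ttl_s:
            return False, "OTP already sent and still valid"

        num_q = self._per_number[number]
        _prune(num_q, now, DAY_S)
        if len(num_q) >= self.per_number_daily_cap:
            return False, "destination over daily cap"

        country = country_of(number)
        limit, action = self.country_thresholds.get(country, self.default_threshold)
        country_q = self._per_country[country]
        _prune(country_q, now, HOUR_S)
        if len(country_q) >= limit and action is not ThresholdAction.IGNORE:
            self.alerts.append((now, country, len(country_q), action))
            if action is ThresholdAction.BLOCK_AND_ALERT:
                return False, f"hourly threshold for {country} reached"

        # All checks passed: record the send (the provider call would go here).
        self._last_sent[number] = now
        num_q.append(now)
        country_q.append(now)
        self.sent.append((now, number))
        return True, "sent"


if __name__ == "__main__":
    gate = OtpSendGate(country_thresholds={"ZZ": (5, ThresholdAction.BLOCK_AND_ALERT)})
    for i in range(7):   # a burst toward the high-risk placeholder prefix
        print(gate.request(f"+999555{i:06d}", f"198.51.100.{i + 1}", 1000 + i))
    print("alerts:", gate.alerts)
```

A real deployment would keep the counters in a shared store such as Redis so that all application instances see the same totals, and would de-duplicate Alert Only notifications rather than raising one per request over the threshold as this example does.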

SMS pumping and other telecom frauds waste thousands of dollars for carriers and their customers. Together, you and Plivo can fight telecom fraud and keep your customers (and your finance department colleagues) happy.
