In February 2023, Elon Musk reported that Twitter lost $60 million a year due to SMS pumping fraud. One study estimated that SMS OTP fraud made up around 6% of all SMS traffic — and that percentage is only increasing.
SMS pumping fraud is a growing threat, yet many businesses are still unfamiliar with this type of attack. In this guide, we’ll explain SMS pumping to help you identify where your communications traffic may be at risk, protect your bottom line, and maintain a great experience for your customers. Read on to learn about SMS pumping fraud and Plivo’s solutions for mitigating this risk.
What is SMS pumping?
SMS pumping, also known as artificially inflated traffic (AIT) or SMS traffic pumping, is a type of cybercrime that targets businesses that use SMS for one-time passcodes (OTPs) or app download links.
In an SMS pumping attack, the perpetrator uses bots to flood a business's online forms with fake requests. These requests contain phone numbers that the attacker controls or earns a revenue share on when traffic is delivered to them. Tricked into thinking the requests are legitimate, the business sends SMS messages to those numbers and pays for every one of them.
SMS pumping hurts the business directly by inflating its application-to-person (A2P) messaging bill. If the flood of fraudulent requests degrades OTP delivery for real customers, or leads a carrier to filter or suspend the sending account, it can also erode trust and tarnish the company's reputation.
SMS pumping is a challenge for mobile network operators (MNOs), too. The ongoing increase in SMS rates could cause businesses to explore alternative authentication methods, reducing their reliance on A2P SMS services and resulting in revenue decline for MNOs.
In this guide, we’ll further break down the ins and outs of SMS pumping, describe how to spot the signs of SMS pumping fraud, and provide advice for protecting your business from this security risk.
How does SMS pumping work?
SMS pumping relies on a combination of automation and deception to achieve financial gain.
Typically, an SMS pumping attack starts with the perpetrator launching a bot designed to create fake accounts on a website or app. The bot fills out online forms with fake requests to trigger the sending of one-time passcodes to many different mobile numbers. If the form has no rate limiting or bot protection, the attacker can enter premium-rate numbers, or numbers on a network that shares termination revenue with them, so that every message the business sends generates money for the attacker and the mobile network operator. Often the MNO is a rogue operator that knowingly shares in the profits, although some MNOs are unaware that fraud is being carried out over their network.
A related but distinct abuse of the same channel is smishing (SMS phishing). Here a bot triggers large volumes of text messages to random or targeted phone numbers that mimic legitimate SMS traffic from sources such as banks, government agencies, or popular brands. For instance, a targeted message may appear to be from Netflix asking a user to verify their account due to suspicious activity.
In this scenario, the SMS contains links to fake websites that appear to be legitimate. These websites try to trick users into entering personal information, such as their username or password, that the perpetrator can use to take over their account.
The perpetrators' ultimate goal is financial gain in both cases, but the money comes from different places. In SMS pumping it is the per-message charge the business pays for traffic terminated on the fraudster's numbers, shared with the complicit operator. In smishing it is the downstream payoff: identity theft, unauthorized access to financial accounts, or sale of stolen personal information on the dark web.
SMS pumping fraud examples
Twitter is just one example of a brand that’s been hit with SMS pumping fraud. Research from Lanck Telecom found that for some major brands, as much as 30-60% of overall mobile traffic may be related to SMS pumping.
There are a number of ways that SMS pumping can happen.
Web form attacks
In a web form attack, a fraudster deploys bots to enter thousands of phone numbers into promotions or discount web forms. The business then unknowingly sends SMS messages to these numbers, many of which may be premium rate or high-cost destinations, resulting in inflated charges.
SMS OTP fraud
In an OTP fraud attack, a fraudster uses stolen credentials and bots to attempt a large number of logins on a targeted website or app. This brute force attack triggers the system to send numerous OTP messages, causing the company to incur substantial costs for SMS delivery.
Sequential number attacks
This type of attack takes place when a fraudster submits OTP requests for a block of consecutive or near-consecutive phone numbers, typically all allocated to one mobile network operator (MNO). Because the numbers are generated rather than collected, the attack is easy to automate, and the pattern is correspondingly easy to spot in send logs.
Account creation abuse
A fraudster exploits sign-up processes that use SMS verification by creating multiple fake accounts with phone numbers they control. This generates a high volume of verification messages, leading to increased costs for the targeted company.
These are just a few common examples of SMS pumping, but there are many others—and new approaches are popping up constantly.
Common situations in which SMS pumping happens
SMS pumping is a risk in any situation that requires a business to send SMS in response to a user-triggered action. These include signup forms, two-factor authentication (2FA) logins, or forms where users request a password reset. Attackers exploit these forms by submitting a high volume of fake requests with phone numbers they control.
SMS pumping frequently occurs through online platforms and mobile applications capable of initiating Application-to-Person (A2P) SMS messages. Common scenarios include:
- SMS-based registration: Users signing up for services via SMS.
- Two-Factor Authentication (2FA): SMS verification for account access.
- Mobile Number Changes: Updating phone numbers linked to accounts.
- App Promotion: Sending SMS messages containing app store links.
Certain industries are magnets for AIT fraud. Banks, financial services, and tax or government agencies send one-time passcodes at high volume, so fraudulent traffic is harder to notice among legitimate sends.
These same organizations are also the most frequently impersonated in smishing, a separate fraud that is often discussed alongside pumping. Criminals send fake SMS messages impersonating banks and claiming there is a problem with the recipient's account, asking the recipient to click a link to update their details or to provide sensitive information such as account numbers, passwords, or PINs.
Likewise, perpetrators impersonate government agencies, tax authorities, or law enforcement, sending SMS messages that threaten legal action, fines, or imprisonment unless the recipient complies with demands such as paying outstanding taxes or providing personal information. Once the victim falls for the social engineering, the criminal can take over their account and gain access to their PII.
How does SMS pumping affect businesses?
SMS pumping is a risk that can’t be ignored. This type of fraud can cause financial and intangible damage, destroying customer trust and impacting the user experience.
Analysis by LANCK Telecom, a global carrier, put the cost of SMS pumping fraud at around 10% of affected companies' revenue. At Twitter, Musk estimated that SMS fraud cost the company $60 million a year, not counting traffic in North America. Financially, SMS pumping is a significant risk to businesses of all sizes.
That’s not the only adverse impact of SMS pumping. Sending excessive OTPs or being associated with SMS fraud can damage a business's reputation. Customers may lose trust in the company's communication channels, leading to decreased loyalty, negative word-of-mouth publicity, and reluctance to engage with the business in the future.
Likewise, an influx of fraudulent traffic from SMS pumping can overload a business's SMS messaging infrastructure. This traffic overload can lead to service disruptions, delays, or even complete outages, preventing legitimate customers from receiving important messages like OTPs or appointment reminders. The user experience suffers dramatically when SMS pumping goes unchecked.
There are also legal and compliance issues to consider. If customer data is compromised or privacy regulations are violated, companies face fines, lawsuits, or regulatory sanctions for failing to protect customer information.
The first step to mitigating these risks? Learn to spot the signs that your business may be the target of SMS pumping fraud.
How to detect SMS pumping fraud?
Several signs can indicate that your business is the target of SMS pumping attacks. Here’s what to look for.
1. A spike in outbound or inbound messages.
An unexpected influx of responses or inquiries from SMS message recipients, particularly if they express confusion, suspicion, or complaints about unsolicited or misleading content, suggests that the business's SMS communications may have been compromised. Likewise, a sudden increase in the volume of outgoing SMS messages from the business's messaging platform could indicate an attempt to pump SMS traffic.
2. Reports of unauthorized charges and other negative feedback.
Sudden complaints, or recipients of SMS messages reporting unauthorized charges on their mobile phone bills, can signal that the business's SMS channels are being exploited.
3. Your SMS budget runs out much sooner than planned.
Unexplained depletion of your SMS budget can be a sign of fraudulent activity. A significant rise in SMS-related expenses without a corresponding increase in legitimate customer interactions or marketing campaigns could signal fraudulent SMS pumping activity.
4. Low conversion rates or service irregularities.
If you're sending a high volume of SMS messages for actions like OTP verification or password resets, but not seeing a corresponding rise in successful logins or account creations, it suggests something suspicious might be happening. A drop in conversion rate of 20% or more could be a sign of SMS pumping.
Alternatively, irregularities in the timing, frequency, or distribution of outgoing SMS messages, such as unusual spikes during off-hours or concentrated activity targeting specific demographics or regions, may indicate orchestrated SMS pumping efforts.
It’s possible that a mobile network operator or carrier might also alert your team of suspicious activity. Take these warnings seriously and investigate any red flags promptly to avoid having your service suspended.
5. Location of the numbers asking for OTPs.
You know best where your customers are located. If you start to see OTP requests from geographic areas where you don’t normally get traffic, this could be a sign of someone attempting SMS pumping fraud.
6. Bursts of requests.
Watch for unexpected bursts of OTP requests within a short timeframe, and for a high volume of login attempts that trigger an OTP but are never completed. Real users sign in at a steady, human pace; a script does not.
7. Sequential number patterns.
It is highly unlikely that many people with nearly identical phone numbers will request OTPs at the same time. Requests from numbers that differ only in their last two or three digits, or that otherwise run in sequence, are a strong indicator of fraudulent activity.
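The signs above can be checked mechanically against an OTP send log. The following Python script is an added example written for this guide, not Plivo code or part of any Plivo product. It runs the burst, sequential-number, unexpected-destination, low-conversion and source-concentration checks over a small constructed log (every number, IP address and timestamp in it is made up) and returns the flags it raises. The thresholds (5 requests per minute, clusters of 4 numbers, 20% unexpected destinations, 50% conversion, 50% of traffic from one IP) are illustrative assumptions; tune them to your own baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of OTP send requests, one tuple per request:
# (timestamp, destination number in E.164, source IP, destination country, verified).
# 'verified' is True when the OTP was later submitted successfully. All values are made up.
LEGIT = [
    ("2024-03-01T10:00:01", "+14155550101", "203.0.113.5", "US", True),
    ("2024-03-01T10:03:10", "+12125550147", "203.0.113.9", "US", True),
    ("2024-03-01T10:07:45", "+13105550188", "198.51.100.2", "US", True),
    ("2024-03-01T10:12:30", "+16175550123", "192.0.2.44", "US", True),
]
# A burst of requests to consecutive numbers in a country the business never serves,
# all from one IP and none ever verified: the shape of a sequential-number pumping run.
ATTACK = [
    (f"2024-03-01T10:05:{i * 4:02d}", f"+2519110000{10 + i}", "198.51.100.7", "ET", False)
    for i in range(8)
]
SAMPLE_LOG = LEGIT + ATTACK


def parse_ts(value):
    return datetime.fromisoformat(value)


def max_requests_in_window(timestamps, window_seconds=60):
    """Largest number of requests falling inside any sliding window of window_seconds."""
    ordered = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ordered):
        while t - ordered[start] > timedelta(seconds=window_seconds):
            start += 1
        best = max(best, end - start + 1)
    return best


def sequential_clusters(numbers, min_size=4, tail_digits=3):
    """Group numbers that are identical except for their last tail_digits digits."""
    groups = defaultdict(set)
    for number in numbers:
        groups[number[:-tail_digits]].add(number)
    return {prefix: sorted(members) for prefix, members in groups.items() if len(members) >= min_size}


def analyze(log, expected_countries, burst_threshold=5, cluster_min=4, min_conversion=0.5):
    """Run the red-flag checks from the list above over a request log and return findings."""
    total = len(log)
    flags = []

    # Signs 1 and 6: a spike or burst of outbound OTP requests.
    burst = max_requests_in_window([parse_ts(r[0]) for r in log])
    if burst >= burst_threshold:
        flags.append(f"burst: {burst} OTP requests inside 60s")

    # Sign 7: sequential number patterns.
    clusters = sequential_clusters([r[1] for r in log], min_size=cluster_min)
    for prefix, members in clusters.items():
        flags.append(f"sequential numbers: {len(members)} requests to {prefix}xxx")

    # Sign 5: destinations outside the markets the business actually serves.
    by_country = Counter(r[3] for r in log)
    unexpected = {c: n for c, n in by_country.items() if c not in expected_countries}
    unexpected_share = sum(unexpected.values()) / total if total else 0.0
    if unexpected_share > 0.2:
        flags.append(f"unexpected destinations: {unexpected_share:.0%} of requests to {sorted(unexpected)}")

    # Sign 4: low conversion, many OTPs sent but few ever verified.
    verified = sum(1 for r in log if r[4])
    conversion = verified / total if total else 0.0
    if total >= 10 and conversion < min_conversion:
        flags.append(f"low conversion: only {conversion:.0%} of OTPs verified")

    # Sign 6 again, from the source side: one client driving most of the traffic.
    by_ip = Counter(r[2] for r in log)
    top_ip, top_hits = by_ip.most_common(1)[0] if by_ip else ("-", 0)
    if total and top_hits / total > 0.5:
        flags.append(f"source concentration: {top_hits / total:.0%} of requests from {top_ip}")

    return {"total": total, "verified": verified, "conversion": conversion, "burst": burst,
            "clusters": clusters, "unexpected_share": unexpected_share, "flags": flags}


if __name__ == "__main__":
    for flag in analyze(SAMPLE_LOG, expected_countries={"US"})["flags"]:
        print(flag)
```

Run on the constructed log, the four legitimate requests raise nothing, while the eight-request attack trips all five checks at once. In practice no single signal is conclusive (a marketing campaign also produces a burst), so alert on the combination, and feed the same per-country and per-IP counts into whatever blocking you do on the send path.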
How to prevent SMS pumping?
You can take several steps to make it harder for criminals to use your account and phone numbers for SMS pumping.
Our top recommendation is activating Fraud Shield, Plivo’s solution designed to fight SMS pumping. Fraud Shield offers two primary features that operate at the destination country level: Fraud Thresholds, which cap the number of messages that can be sent per hour to each destination country, and Geo Permissions, which restrict the countries to which your SMS messages can be sent. Both are described in more detail later in this guide.
Read more: Introducing Fraud Shield — Plivo’s new solution to fight SMS pumping
Additional steps to consider depending on your configuration include:
- In your applications, limit the number of messages going out to a destination number based on your use case. For example, if you send one-time passwords (OTP) for two-factor authentication, the OTP is valid for a fixed window; until that window expires or the code is used, refuse to send another OTP to the same number. For more generic use cases, write logic that sends no more than n messages per minute or per day to any one number. Also check the source IP addresses of message requests: hundreds of requests from the same address are a strong sign of fraud.
- Consider implementing rate limiting on the source IP address level. Message limitation is use case-dependent, and you’ll likely be the best judge of how to implement it.
- Implement challenge-response verification. Most if not all instances of SMS pumping employ bots that target a series of numbers with as much messaging traffic as possible. For example, if you have a web application, the bots’ scripts will try to register numbers on your login page one after another. To control this behavior you can add challenge-response systems such as CAPTCHAs to your forms or pages to ensure humans and not bots are using them.
- Secure your API credentials (auth IDs and tokens). Never push code containing authentication information to public repositories, and for mobile applications follow the credential-storage practices recommended by the mobile OS rather than embedding secrets in the app.
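The controls in the list above can be combined in one gate that runs before any OTP is handed to the SMS provider. The following Python class is an added example written for this guide; it is not Plivo code and not an implementation of Fraud Shield. The OtpGuard class, the demo() walk-through, the DIAL_CODES table and every number and IP address in it are assumptions constructed for illustration. It enforces a destination-country allowlist, a per-number cooldown for the OTP validity window, a per-IP rate limit and a per-country hourly threshold that can either block or only alert, in that order.

```python
import time
from collections import defaultdict, deque

# Hypothetical dialling-code table for the example only. Production code should resolve
# the destination country with a real library (e.g. phonenumbers); +1 is shared across the
# whole North American Numbering Plan and is simplified to "US" here.
DIAL_CODES = {"+1": "US", "+44": "GB", "+49": "DE", "+251": "ET"}


def country_of(number):
    """Longest-prefix match of an E.164 number against DIAL_CODES; '??' if unknown."""
    for length in (4, 3, 2):
        if number[:length] in DIAL_CODES:
            return DIAL_CODES[number[:length]]
    return "??"


class OtpGuard:
    """Application-side controls applied before an OTP is handed to the SMS provider.

    Check order: destination allowlist, per-number cooldown for the OTP validity window,
    per-IP rate limit, then a per-country hourly threshold whose breach either blocks
    or only alerts (the block-versus-alert choice described in the text).
    """

    def __init__(self, allowed_countries, otp_ttl=300, ip_limit=5, ip_window=60,
                 country_hourly_cap=None, cap_action="block", clock=time.monotonic):
        self.allowed_countries = set(allowed_countries)
        self.otp_ttl = otp_ttl
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.country_hourly_cap = country_hourly_cap or {}
        self.cap_action = cap_action
        self.clock = clock
        self._outstanding = {}                   # number -> expiry of the OTP already sent
        self._ip_hits = defaultdict(deque)       # ip -> send times inside ip_window
        self._country_hits = defaultdict(deque)  # country -> send times inside the last hour
        self.alerts = []

    @staticmethod
    def _prune(hits, now, window):
        while hits and now - hits[0] > window:
            hits.popleft()

    def request_otp(self, number, source_ip):
        """Return (allowed, reason). Only an allowed request counts against the limits."""
        now = self.clock()
        country = country_of(number)
        if country not in self.allowed_countries:
            return False, f"geo: {country} is not an approved destination"

        expiry = self._outstanding.get(number)
        if expiry is not None and expiry > now:
            return False, "cooldown: an unexpired OTP is already outstanding for this number"

        ip_hits = self._ip_hits[source_ip]
        self._prune(ip_hits, now, self.ip_window)
        if len(ip_hits) >= self.ip_limit:
            return False, f"rate: {source_ip} exceeded {self.ip_limit} requests per {self.ip_window}s"

        country_hits = self._country_hits[country]
        self._prune(country_hits, now, 3600)
        cap = self.country_hourly_cap.get(country)
        if cap is not None and len(country_hits) >= cap:
            self.alerts.append(f"{country}: hourly threshold of {cap} reached")
            if self.cap_action == "block":
                return False, f"threshold: hourly cap of {cap} for {country} reached"

        ip_hits.append(now)
        country_hits.append(now)
        self._outstanding[number] = now + self.otp_ttl
        return True, "sent"  # hand the message to the SMS provider at this point

    def verify_ok(self, number):
        """Call after a successful OTP check so a legitimate user can request again."""
        self._outstanding.pop(number, None)


def demo():
    """Deterministic walk-through on a fake clock; returns (decisions, alerts)."""
    now = [0.0]
    guard = OtpGuard({"US", "GB"}, otp_ttl=300, ip_limit=3, ip_window=60,
                     country_hourly_cap={"GB": 2}, clock=lambda: now[0])
    d = [guard.request_otp("+14155550101", "203.0.113.5"),    # sent
         guard.request_otp("+14155550101", "203.0.113.5"),    # cooldown
         guard.request_otp("+251911000010", "198.51.100.7")]  # geo: not approved
    d += [guard.request_otp(f"+1212555010{i}", "198.51.100.9") for i in range(4)]      # 4th hits IP limit
    d += [guard.request_otp(f"+44770090000{i}", f"192.0.2.{i}") for i in range(1, 4)]  # 3rd hits GB cap
    now[0] = 301.0                                              # OTP validity window has passed
    d.append(guard.request_otp("+14155550101", "203.0.113.5"))  # sent again
    d.append(guard.request_otp("+13105550188", "203.0.113.5"))  # sent
    guard.verify_ok("+13105550188")
    d.append(guard.request_otp("+13105550188", "203.0.113.5"))  # sent: cooldown cleared by verification
    return d, list(guard.alerts)
```

The gate is deliberately cheap (in-memory counters and a clock) so it can sit in the request path; in a multi-instance deployment the counters would live in a shared store such as Redis. The geo check runs first and does not consume any quota, so a flood of requests for unapproved countries never crowds out real users, and the cooldown is cleared only by a successful verification, so a genuine user who mistypes a code waits for the window to expire rather than receiving a second message immediately.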
SMS pumping and other telecom frauds waste thousands of dollars for carriers and their customers. Together, you and Plivo can fight telecom fraud and keep your customers (and your finance department colleagues) happy.
How can Plivo help with SMS pumping?
Fraud Shield is one of the best ways to mitigate the risk of SMS pumping. Part of Plivo Verify, Plivo’s Fraud Shield delivers complete control over message destinations and volumes with at least 95% cost savings against SMS pumping fraud.
Fraud Shield’s Geo Permissions gives you control over the countries to which your SMS traffic is sent by creating an approved countries list. Geo Permissions uses several factors to determine each country's risk level, including previous fraud cases and local regulations.
Fraud Shield also features Fraud Thresholds, a tool that limits the number of messages per hour that can be sent to countries on your approved destination list. The Plivo team regularly reassesses our risk criteria to ensure that Fraud Shield uses the latest data for recommended thresholds.
You can also choose how the system responds to a threshold breach and select who from your team is notified – options include Block & Alert, Alert Only, or Ignore. Customize your settings and automate alerts to quickly take action in case of a breach.
Fraud Shield combats SMS pumping fraud seamlessly at zero cost: it’s complimentary as part of Plivo’s Verify API, one of the strongest user verification solutions on the market. Learn more about Plivo’s tools for combating SMS pumping by requesting a trial.