SMS Pumping Complete Guide
Understand what SMS Pumping is, its risks and how to prevent fraud.
Table of contents
In recent years, firms have been under immense pressure to diversify their communication strategies, especially towards SMS, the mobile channel customers prefer to communicate with businesses. At the same time, cybercriminals are continually finding new ways to profit from vulnerabilities in and around this channel.
Almost anyone with a mobile device has received a fraudulent text. Many resources have been published to help individuals educate and protect themselves from this crime. Unfortunately, education for end recipients doesn’t go nearly far enough to protect against SMS-related liabilities and does nothing to protect originators of mobile communications from new kinds of fraud which target enterprises only.
Today’s fraudsters have discovered ways to get much larger payouts by attacking firms rather than individuals. In this environment, the only way to minimize risk is for firms to implement provider-side solutions to prevent fraud.
With large-scale attacks rising sharply, understanding how common SMS fraud schemes work and strategies to combat them are critical pieces of the arsenal firms need before an attack takes place.
One new type of fraud which has dominated recent headlines, SMS pumping, is difficult to detect before the consequences present themselves and can be very costly. Use this article as a guide to understand and take proactive action against SMS pumping schemes.
SMS Pumping Fraud or Toll Fraud is a Risk to Enterprises
There are myriad ways fraudsters can profit from ingenuine mobile interactions. Some examples of fraud are Social Engineering, Account Takeover (ATO), SIM Swap fraud, Man-in-the-middle attacks, Phishing, Smishing, Vishing, Pretexting, Password Spraying, and Credential Stuffing.
No matter how it’s done, the duty to prevent the attack is not something firms can assign away from themselves. Originators of mobile communications are obliged to pay carriers for any traffic they produce, even if it is fraudulent.
As it stands, enterprises need to work with their communication partners to protect themselves. In CloudMark’s recent whitepaper “The True Cost of SMS Spam: A Case Study,” costs that appear typical to a mobile network operator or business could be hugely inflated by SMS fraud.
In the case of an MNO, when more fraudulent messages are sent compared with an equally sized counterpart, that operator will likely pay for a large delta in volumes, resulting in an imbalance in termination fees. Additionally, suppose the volume of SMS fraud messages or issues becomes large enough. In that case, MNOs and businesses must grow their infrastructure or staff to cope with the volume and attacks.
Originators of mobile communications are obliged to pay carriers for any traffic they produce, even if it is fraudulent.
How SMS Pumping Works – Example
Stopping SMS fraud is equal parts education and prevention tools. In a nutshell, SMS pumping is when cyber criminals (usually coordinating as a sophisticated group) send high volumes of requests (e.g. for a one-time password or other authentication) to an online form or web app, which sends an SMS automatically in response to the request.
This fraud scheme requires preplanning, work, and a provider’s cooperation. To set up this scheme, a cyber-criminal organization will approach a provider with a proposition to generate high volumes of messages, revenue, and margin with numbers owned by that provider.
Depending on the capability of the fraudster and their complicit partner, these large SMS volumes are sent to high-cost destinations, often to another faraway country, further inflating the attack’s cost. When the targeted business pays its inflated SMS bill, the provider will give the cybercriminals a share of the profits.
This kind of activity is too risky for large providers to take part in – their reputation and traffic integrity are hugely important to them, and they would not knowingly partake in this kind of activity.
Unfortunately, very few people realize that the organization they buy their traffic from is rarely the only entity to handle their traffic. Networks purchase traffic from one another in a layered set of routes which results in better connectivity for everyone—but also obscures bad actors that might be mishandling traffic and working with fraudsters.
Let’s play this out as an example. Say you are a retail business selling high-end subscription-based haircare products. When a consumer lands on your website, they see a popup that asks the consumer for their mobile number in return for 15% off the consumer’s first sixth-month subscription package.
All this customer needs to do is provide a mobile number and receive a text on their device with a discount code. The business is hoping that opting into texts will help them promote more products and increase the LTV of their customers, and of course, they expect that the texts are going out to genuinely interested buyers.
This kind of site is a target for SMS pumping. This haircare business pays a bill to a provider for the messages they send from numbers gathered on their website. If a fraudster uses bots to put thousands of numbers into the form asking for the promotion and each message is routed to high-cost SMS destinations, the business will rack up an inflated bill owed to the provider. They might think they are about to get a lot of business from this customer spike, but they are victims of SMS pumping.
Behind the scenes, the messages (both genuine and fraudulent) might be passed from network to network several times before reaching their intended endpoint (the person or bot receiving the promotion code via SMS). One of those networks is providing a kickback to the fraudster, but there is no way for the business or initial provider to know who is to blame. In some cases, the fraud scheme will be known only to a small number of individuals within a network organization, making the complicit source even harder to identify.
SMS Pumping of One-Time Password-Protected Portals
SMS pumping schemes often target sites which send one-time passwords for login attempts and turn a security measure into an expensive liability. To profit from pumping SMS of an OTP- protected login, a cybercriminal will obtain a block of logins (usernames, numbers, and passwords), often from the dark web.
They will then rapidly attempt a high volume of logins on their target’s website or app. The business implementing the OTP will pay a massive bill for passwords delivered from these fraudulent login attempts and see a spike in incomplete logins. They might also be paying higher bills as the fraudulent OTP traffic could have been routed to high-cost SMS countries, resulting in a higher bill for the business.
Unlike smishing or individual-targeting fraud, SMS pumping perpetrators aren’t looking for your information or data—they go straight for profit. This fraud is generally only detected after the event when businesses investigate an imbalance in their SMS bill compared to their projected business return from their SMS volume.
The banking industry is often the principal victim of this mobile fraud scheme because many of their web forms have a one-time password response.
How to Detect and Prevent SMS Pumping
Detect and prevent SMS pumping following the next steps:
- Monitor for high volumes of incomplete login attempts (for OTP SMS pumping attacks)
- Look for adjacent number inputs in rapid succession and alert your traffic provider. Often victims will see a block of sequential mobile numbers (+99999999990,
- +9999999999, (+99999999992 etc.) that were provided by the SMS pump service and are controlled by the rouge operator.
- Report any unexpected spikes in traffic as early as possible and investigate the source
- Set a volume cap and alerts on all mobile number gathering forms or logins
- Set rate limits on your OTP web form input box so that it will not send more than 1 message per X seconds to the same number or country prefix. This may not prevent fraud, but it might discourage them from targeting your app in the first place.
- Implement rates by API user or IP address
- Build an allow or blocking list for your system based on the country code. See here for a list of Country Codes.
- Modify your OTP user experience using CAPTCHAS or other services to detect and deter bots. If this negatively impacts your acquisition, you can try some of these 7 simple bot detection methods that won’t inconvenience users.
Preventing, Detecting, and Blocking Fraud with Soprano Connect
The mobile communications industry has long been a target for criminal opportunists, and their cons are advancing as fast as the industry itself. In the past couple of years, mobile messaging played a critical role in advancing security and efficiency, especially as COVID-19 required so many adaptations—but those innovations have opened new vulnerabilities which are actively being exploited.
Soprano Design is a leader in the CPaaS space, with 28 years of experience with a best-in-class reputation for trusted messaging. Our customers’ needs require a higher level of service and reliable delivery because their messages serve critical business purposes—elevating citizens’ health and responding to emergencies, to name a few.
From massive deployments in healthcare across the UK to safety-enhancing messaging in energy and mining, Soprano is the leading choice for firms that need white-glove treatment and elevated protection of their interconnected systems. In addition to rigorous organizational security, Soprano Connect offers a suite of features which help protect our customers and their end message recipients.
One feature is the newly released Fraud Detection and Prevention Service (API).
Our new stand-alone API detects and indicates possible Fraudulent mobile numbers on the platform. Users can start filtering for fraudulent numbers by setting configurable parameters. Soprano Connect assigns values to three indicators of risk: SIM Swapping, Trusted Network, and Call Forwarding.
These fraud checks may be assigned a “weightage” value where the sum of all three values must add to 100. Users can choose to check for all three, two, or a single Fraud type. When this license is purchased, users can (in conjunction with the HTTP API and Connect API SMS) decide whether to send SMS or not based on a predetermined risk threshold configured within the platform.
With this feature in place, users who send sensitive messages (like one-time passwords) can withhold messages from numbers or devices indicating that they might be part of or targets of fraud.
Fraud is an increasingly pervasive issue in mobile communications, and firms have a responsibility to protect themselves and their audiences whenever possible. With the Fraud Detection and Prevention Service API, Soprano offers customer protection and proactive defence for their message recipients.
Ready to learn more about how to protect your mobile communication?