What Is SMS Pumping?
SMS pumping is a type of fraud activity where the malicious party exploits premium-rate services by sending a large volume of text messages through a company’s app or website.
Text message pumping aims to generate revenue for scammers or cause financial losses to those providing premium-rate services. Also known as SMS toll fraud, this form of SMS attack is a growing issue in the telecommunications industry.
How Does SMS Pumping Work?
In an SMS traffic pumping attack, the fraudster uses a bot to trigger thousands of SMS messages to high-cost destinations. The business is billed for every one of those messages and can end up facing millions of dollars in fraudulent SMS charges.
SMS pumping involves highly complex and varied network traffic routes. This makes it tricky for businesses to detect and prevent fraudulent activity. The process often consists of several parties, including aggregators and mobile carriers. Each of these parties has unique routing mechanisms to forward SMS communications, making the source of the attack obscure.
How Does SMS Pumping Affect Businesses?
Overspending for Nothing
SMS pumping results in a scenario where a business pays for fake traffic that yields zero legitimate results. Those messaging costs don't translate to tangible benefits like customer engagement or revenue. This amplifies the financial impact on the business.
Service Disruption
To deal with the damage of SMS traffic pumping, a business will sometimes need to suspend its SMS services for a while. This disruption can prevent actual customers from contacting the business. It will also hinder the revenue stream associated with those services.
Additional Expenses
Having to detect and combat SMS pumping will require investing in security measures and fraud prevention tools. This increases operational costs for the business as it tries to address the aftermath of the attack and prevent it from happening again.
Resource Diversion
Handling customer inquiries, complaints, and refund requests due to SMS pumping can be a hassle for customer service teams. This forces the business to divert resources from carrying out the usual proactive customer interactions to managing the fallout from the fraudulent activity.
Examples of SMS Pumping
OTP Fraud
The most common victims of SMS pumping are websites that send OTP messages for login attempts. In this scenario, cybercriminals get access to stolen credentials via the dark web and use bots to immediately carry out a large number of logins on the victim’s app or website.
Each of those fraudulent login attempts triggers an OTP message, so the OTP pump results in massive costs for the business: thousands or millions of dollars in charges as the text messages are routed to high-cost SMS destinations.
Webform Attacks
In a webform attack, a company that gathers mobile numbers in a popup webform becomes a victim of a cybercriminal using a bot to input countless numbers in the phone number field. The business will send thousands of SMS messages to premium-rate numbers or high-cost countries. Each of those messages will incur costs, resulting in unexpected financial losses. The company will think it is delivering messages to potential customers when it’s actually going through an SMS traffic pump attack.
How to Detect SMS Pumping
Keep Track of SMS Verification Success
One way to detect an SMS pumping attack is by monitoring the success rate of OTP verification attempts. Legitimate users complete SMS verification at a fairly consistent rate. An unusually high number of OTPs that are sent but never verified within a short period can point toward fraudulent activity. Businesses should regularly analyze and keep track of two-factor authentication (2FA) success rates to identify anomalies that can indicate SMS OTP fraud.
Report Unexpected Spikes in Traffic
A sudden and unexpected spike in SMS traffic, especially to premium-rate numbers, is another red flag for text message pumping. Companies must keep track of SMS traffic patterns and quickly report any unusual surges to mobile carriers. These spikes can indicate an effort to send SMS messages in large volumes for fraudulent purposes. After detecting a spike, businesses can investigate and mitigate potential SMS pumping attacks.
Look out for Similar Number Inputs
Those who engage in SMS traffic pumping often use automated systems or bots to send high volumes of messages. The result is patterns or sequences of similar number inputs. Businesses should keep an eye out for repetitive or sequential number inputs.
This can include consecutive or similar phone numbers, like +2222222223, +2222222224, +2222222225, and so on. Immediately reacting to such scenarios is crucial for preventing further losses.
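The three detection checks above (verification success rate, per-country volume spikes, and sequential number inputs) run over a constructed OTP send log, as an added example that is not part of the original article; the prefix table, baseline counts and spike factor are assumptions chosen for the sample.

```python
# Added example, not from the original article: detection checks for SMS pumping
# over a constructed log of OTP sends. Each event is (E.164 number, verified?).
from collections import Counter

# Constructed sample: a few normal requests plus a burst of sequential,
# never-verified numbers sharing one dialing code.
EVENTS = [
    ("+14155550101", True), ("+14155550177", True), ("+447700900123", True),
    ("+14155550142", False),
    ("+2222222223", False), ("+2222222224", False), ("+2222222225", False),
    ("+2222222226", False), ("+2222222227", False), ("+2222222228", False),
]
PREFIXES = ("1", "44", "222")              # assumed dialing-code table
BASELINE = {"1": 50, "44": 10}             # assumed normal sends per window


def verification_success_rate(events):
    """Share of OTP sends that were later verified; a sharp drop is a red flag."""
    if not events:
        return 0.0
    return sum(1 for _, ok in events if ok) / len(events)


def country_code(phone, prefixes):
    """Longest-prefix match of the dialing code against the assumed table."""
    digits = phone.lstrip("+")
    matches = [p for p in prefixes if digits.startswith(p)]
    return max(matches, key=len) if matches else "?"


def country_spikes(events, prefixes, baseline, factor=3):
    """Dialing codes whose send volume exceeds `factor` times their baseline
    (unknown codes get a baseline of 1, so any burst to them is flagged)."""
    counts = Counter(country_code(n, prefixes) for n, _ in events)
    return {cc: c for cc, c in counts.items() if c > factor * baseline.get(cc, 1)}


def sequential_runs(numbers, min_run=3):
    """Runs of consecutive numbers (+...23, +...24, +...25), the bot signature."""
    digits = sorted({int(n.lstrip("+")) for n in numbers})
    runs, run = [], digits[:1]
    for prev, cur in zip(digits, digits[1:]):
        if cur == prev + 1:
            run.append(cur)
        else:
            if len(run) >= min_run:
                runs.append(run)
            run = [cur]
    if len(run) >= min_run:
        runs.append(run)
    return [["+%d" % d for d in r] for r in runs]
```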
How to Prevent SMS Pumping
Set Rate Limits
To prevent SMS traffic pumping, it’s important to establish rate limits for both message volume and frequency. Limiting the number of messages that can be sent within a certain timeframe reduces the risk of a large-scale SMS attack. A rate-limiting mechanism allows businesses to restrict the number of SMS messages that originate from a single source. This also helps to block other types of attacks, like website scraping and email flooding.
Use Bot Detection Solutions
Another way to mitigate the risk of SMS pumping is by implementing bot detection solutions. These systems use algorithms and machine learning to identify patterns, analyze user behavior, and distinguish between legitimate users and bad actors. By adding fraud detection to OTP verification, businesses can stop malicious bots from infiltrating online forms or SMS services.
Build a Blocking List
Putting together a blocking list based on country codes is an effective measure against SMS pumping. Companies can stop SMS traffic to high-risk countries where fraudsters often operate because of weak regulation. They can do this by collaborating with a mobile network operator (MNO) or using specialized filtering software.
By creating—and regularly reviewing—a blocking list, businesses can protect their services from unexpected charges. The list will restrict messages from regions with a history of fraudulent activities.
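A minimal send-side gate combining the rate limit and the country-code blocking list described in this section, as an added example that is not part of the original article; the window size, message budget and blocked dialing codes are assumed values.

```python
# Added example, not from the original article: a gate that an OTP service would
# consult before handing a message to the SMS provider. It enforces a per-source
# sliding-window rate limit and refuses destinations on a dialing-code blocklist.
from collections import defaultdict, deque


class SmsGate:
    def __init__(self, blocked_prefixes, max_per_window, window_seconds):
        self.blocked = tuple(blocked_prefixes)   # dialing codes to refuse
        self.max_per_window = max_per_window     # per-source message budget
        self.window = window_seconds             # sliding window length
        self.sent = defaultdict(deque)           # source -> accepted send times

    def allow(self, source, phone, now):
        """Return (allowed, reason). `source` identifies the requester (client
        IP, account or session); `now` is the request time in epoch seconds."""
        digits = phone.lstrip("+")
        if not digits.isdigit():
            return False, "malformed number"
        if digits.startswith(self.blocked):
            return False, "blocked dialing code"
        q = self.sent[source]
        while q and now - q[0] >= self.window:   # expire sends outside window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False, "rate limit exceeded"
        q.append(now)
        return True, "ok"


def demo():
    """Constructed scenario: one source asks for OTPs faster than the budget."""
    gate = SmsGate(blocked_prefixes={"222"}, max_per_window=3, window_seconds=60)
    requests = [("+14155550101", 0), ("+2222222223", 1), ("+14155550102", 2),
                ("+14155550103", 3), ("+14155550104", 4), ("+14155550104", 61)]
    return [gate.allow("10.0.0.5", phone, t)[1] for phone, t in requests]
```

Per-source limiting stops a single bot from draining the budget; in practice the same gate would also carry a per-destination-number limit so one phone number cannot be targeted repeatedly.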