What is SMS pumping fraud and how can you avoid it?
SMS pumping fraud is when fraudsters attempt to make money by abusing online forms that generate automated one-time password (OTP) texts.
When you sign up for a new app or service, you’ll frequently be sent an OTP by text. The fraud happens when scammers use a premium rate number for the OTP SMS to be sent to.
These premium rate text numbers offer a revenue share between the mobile network operator and the organisation that is using them.
So by generating hundreds or thousands of OTP texts, the crooks can quickly generate revenue.
If there are inadequate protection measures on the web form, this fraud can be done on an industrial scale.
This type of inflated SMS traffic is also known as artificially generated traffic (AGT) or simply SMS OTP fraud.
How widespread is SMS pumping fraud?
According to LANCK Telecom, which has developed a Fraud Management System, around 6% of all SMS traffic was flagged as artificially generated.
Their platform also revealed that:
For some brands, as much as 30-60% of their overall traffic might be down to SMS pumping.
Up to 80% of some network traffic might be artificial.
Networks that have the highest proportion of fraudulent traffic tend to have tiny subscriber numbers of less than 100,000.
Twitter suffers massive SMS OTP fraud
Incredibly, Elon Musk claims that Twitter lost $60 million last year because 390 different telecoms companies used bots to inflate A2P SMS traffic.
“I discovered this, basically, about 10 days ago, that Twitter was being scammed to the tune of 60 million dollars a year for SMS texts, not counting North America.”
There have also been reports of some web owners losing tens of thousands of dollars in these toll-fraud attacks.
Twitter poised to charge for 2FA SMS
From March 2023, Twitter users who want to continue using SMS as their preferred 2FA method will need to subscribe to the Twitter Blue service, which costs $8 a month.
Users who don’t want to subscribe will need to choose a different authentication option.
This change has been put in place because of the $60 million SMS pumping fraud that Twitter is understandably keen to eradicate.
Twitter users will have the option to use an authentication app or a security key. Both can be configured in Twitter’s account settings.
Twilio customers victims of eye-watering SMS pumping losses
In May 2022, Benjamin Netter heard reports of one company losing $80,0000 and another $140,000.
The scale of these losses is due to the SMS API accounts having an unlimited credit limit. The fraudsters could keep generating the OTP texts, and there was no limit to the number of texts that were successfully delivered.
Twilio customers have found themselves victims of this type of fraud, particularly startup companies that had no measures, or only rudimentary ones, to prevent scam attacks on their web forms.
To make matters worse, if those Twilio customers had enabled the auto top-up option, the depleted SMS account would automatically be topped up, only for the criminal to empty it again.
Colin Clark tweeted about how this issue was damaging Twilio’s reputation, particularly in the start-up community.
Zabe Agha, Founder and CEO of Metrical, also tweeted:
“@twilio has built their brand on developer trust. Once that’s gone, it’s hard to recover.”
Billy Chasen goes into much more detail in his excellent post on SMS pumping in the Twilio platform.
I have some sympathy for Twilio in this instance though. It’s very hard for them to protect against and they are simply delivering texts that have been triggered by their customers’ registration pages.
Responsibility for protection against fraudulent attacks must be shared with the app developer.
How to identify if your web form has been the victim of SMS pumping or artificially inflated SMS
There are some very obvious signals that will help you identify whether you’ve suffered a toll-fraud attack.
Sharp Increase in web traffic and auto-generated SMS
If you see a huge spike in account sign-ups and OTP SMS messages being generated, it’s unlikely that your service has suddenly become more popular. Compare the volume of messages to your normal traffic and you’ll get a good indication of whether you’ve been attacked.
High numbers of texts being sent to unusual countries
Have you seen a large number of messages being sent to countries where you wouldn’t expect to have many customers? If so, it’s probably SMS inflation.
Are the numbers receiving texts in numerical order?
Fraudsters will often trigger texts to batches of numbers that are simply in numerical order.
Examining the SMS delivery reports will reveal if this is the case.
Have the web forms been only partially completed?
Often the web form that triggers the texts has been filled in by a bot. The form will often be only partially completed, or the information provided is complete garbage and very obviously not a genuine sign-up.
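The last three signals above (unexpected countries, numbers in sequence) can be checked mechanically against an SMS delivery report. This is an added example, not code from the original post; the report rows and country codes are constructed, and the 3-number run threshold is an assumed starting point.

```python
# Constructed sample of delivery report rows: (destination number in E.164, ISO country code).
# In practice the country would be derived from the number with a phone-number library.
SAMPLE_DELIVERY_REPORT = [
    ("+447700900101", "GB"),
    ("+447700900102", "GB"),
    ("+2250700000010", "CI"),
    ("+2250700000011", "CI"),
    ("+2250700000012", "CI"),
    ("+2250700000013", "CI"),
    ("+2250700000014", "CI"),
    ("+2250700000015", "CI"),
]

# Countries where this (hypothetical) service actually has customers.
EXPECTED_COUNTRIES = {"GB"}


def unexpected_country_share(rows, expected):
    """Fraction of delivered texts that went to countries outside the expected market."""
    if not rows:
        return 0.0
    return sum(1 for _, cc in rows if cc not in expected) / len(rows)


def sequential_runs(rows, min_run=3):
    """Find runs of destination numbers that increase by exactly one.

    Genuine sign-ups arrive from scattered numbers; a bot walking a number
    range produces consecutive ones. Returns (first, last, length) per run.
    """
    nums = sorted(int(n.lstrip("+")) for n, _ in rows)
    runs, start = [], 0
    for i in range(1, len(nums) + 1):
        # A run ends at the list end or where the next number is not previous + 1.
        if i == len(nums) or nums[i] != nums[i - 1] + 1:
            if i - start >= min_run:
                runs.append((f"+{nums[start]}", f"+{nums[i - 1]}", i - start))
            start = i
    return runs


if __name__ == "__main__":
    print("share to unexpected countries:", unexpected_country_share(SAMPLE_DELIVERY_REPORT, EXPECTED_COUNTRIES))
    print("sequential runs:", sequential_runs(SAMPLE_DELIVERY_REPORT))
```

Run it over a real export of your delivery reports (same two columns) and alert when either figure jumps above its usual baseline.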
How to protect your service from SMS pumping
It’s the responsibility of the service owner to prevent or minimise abuse of their web forms. There’s only so much the SMS API can do to prevent this type of fraud.
Here are some reasonably easy and low cost ways that you can reduce the risk of toll-fraud.
Disable sign ups from countries where you don’t operate
Take a robust stance and disable the ability for people to complete the form from any countries where you don’t operate or where you know the country will be a minor part of your market.
Set rate limits on the number of SMS that can be sent to any range of mobile numbers
Restrict the number of texts that can be sent in a set number of minutes to certain number prefixes.
This might not completely resolve the problem, but it should massively reduce it. The lack of throughput might persuade the criminal to pick on someone else’s app instead!
Detect and discourage bots
Using CAPTCHAs can help deter bots. Try to create a little more friction in the sign up process. This will be no issue for genuine customers but will create a hurdle for automated bots.
Allow only one text to be sent to a mobile number
Restrict the number of texts that a single mobile number can receive in any given time period.
Monitor conversion rates
If the conversion rate of customers suddenly drops, this could be an indication of SMS pumping in action. You could consider setting alerts to trigger if conversion drops below expected or normal levels.
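The country block, per-prefix rate limit and per-number limit described above can be enforced in one gate that sits in front of the SMS API call. This is an added example, not the post’s or any provider’s code; the thresholds are assumed starting points, and the caller is assumed to have already derived the ISO country code from the destination number.

```python
import time
from collections import defaultdict, deque


class OtpSendGuard:
    """Decide whether an OTP text may be sent: country allow list, a cap per
    destination number and a cap per number prefix, each over a sliding window.
    Default limits are assumptions; tune them to your own normal traffic."""

    def __init__(self, allowed_countries, per_number_limit=1, per_number_window=300,
                 per_prefix_limit=20, per_prefix_window=600, prefix_len=7):
        self.allowed = set(allowed_countries)
        self.number_limit, self.number_window = per_number_limit, per_number_window
        self.prefix_limit, self.prefix_window = per_prefix_limit, per_prefix_window
        self.prefix_len = prefix_len
        self.by_number = defaultdict(deque)  # number -> timestamps of sends
        self.by_prefix = defaultdict(deque)  # prefix -> timestamps of sends

    @staticmethod
    def _recent(log, key, window, now):
        """Drop timestamps outside the window and return how many remain."""
        q = log[key]
        while q and q[0] <= now - window:
            q.popleft()
        return len(q)

    def check(self, number, country, now=None):
        """Return (allowed, reason). Only an allowed send is recorded, so
        blocked attempts do not consume a genuine customer's allowance."""
        now = time.time() if now is None else now
        if country not in self.allowed:
            return False, "country not served"
        if self._recent(self.by_number, number, self.number_window, now) >= self.number_limit:
            return False, "number limit"
        prefix = number[:self.prefix_len]
        if self._recent(self.by_prefix, prefix, self.prefix_window, now) >= self.prefix_limit:
            return False, "prefix limit"
        self.by_number[number].append(now)
        self.by_prefix[prefix].append(now)
        return True, "allow"


if __name__ == "__main__":
    guard = OtpSendGuard({"GB"}, per_prefix_limit=3)
    # Constructed numbers; the second call is the same number asking again straight away.
    for num, cc in [("+447700900101", "GB"), ("+447700900101", "GB"), ("+2250700000010", "CI")]:
        print(num, guard.check(num, cc))
```

Blocked attempts are worth logging with their reason: a sudden run of "prefix limit" decisions is itself one of the warning signs described above.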
How should the issue of toll fraud be tackled?
Toll fraud has been underreported so far.
Thousands of companies have been impacted but it has somehow gone under the radar until recently.
The news from Twitter will certainly shine a light on the issue and solutions will no doubt emerge.
Phil Warner, Technical Director of The SMS Works said:
“The staggering scale of SMS toll fraud at Twitter demonstrates the scale of the issue. App developers need to understand their potential exposure to this risk and work together with their SMS API providers to find practical solutions to minimise the damage.”
What is SMS trashing? How is it different from SMS pumping fraud?