Two-factor authentication PIN code attacks, SMS bot attacks, SMS PIN spam fraud, artificially inflated traffic (AIT) attacks, OTP spoofing – these are all the different names used to refer to a specific type of fraudulent activity called SMS pumping. These attacks affect many online services and applications annually, costing them thousands to millions of dollars.

If you're thinking, “Why are there random numbers from a random country requesting OTPs from us?” chances are that your service is among those being impacted. SMS pumping attacks are costly and are becoming worse and more widespread with time.

What is SMS pumping?

SMS pumping is a type of cybercrime where the perpetrator attacks an app or service by sending SMS generation requests to it in bulk. Since they usually target services that require some sort of two-factor authentication via one-time SMS codes, they're often called SMS OTP fraud. The goal of SMS pumping attacks is to generate more revenue for the mobile network operator that is handling those SMS generation requests and sending out all those SMS messages. Often, the attacker and the mobile network operator (MNO) partner up for this type of text attack and split the money between themselves.

This process is largely automated using SMS attack bots (aka OTP bots or 2FA bots) which are fed lists of mobile numbers by the culprit. These bots are then unleashed onto web forms that have a phone number input field which takes customers' contact numbers as inputs for two-factor authentication, subscription or "opt-in" consent forms, and various other purposes. For every request that SMS bots generate, a text message is sent out by the MNO and billed to the organisation from whom the request originated.

To make the maximum possible amount of money from 2FA scams targeting businesses, the attacker tries to feed premium rate numbers to the SMS OTP bot – it would cost the app or service provider more money to SMS premium numbers. More revenue generated for the MNO means more money for them to split with the attacker.

Why is SMS pumping so prevalent, and how can you detect it?

In general, an artificially generated traffic attack is where rogue third parties use fake traffic to generate profit. However, this type of fraud is now seeping over into SMS technology with artificially inflated SMS PIN code requests. It's made SMS pumping one of the 11 types of horrendous fraud that are crippling A2P messaging frameworks.

Initially, it seemed that fraudulent OTP traffic got sent to a small subset of premium numbers where each SMS message generated income for the attacker. Here at Messente, we became aware of the problem, and as a defence mechanism, we've put filters in place that prevent SMS pumping by blocking the same phone number from initiating too many SMS OTP requests.

Following this precaution, we've analysed the most common SMS pumping fraud cases. We've discovered that fraudulent login attempts and other SMS requests generally come for either consecutive (sequential) phone numbers (e.g., a series containing 001, 002, 003, etc.) or totally random, yet large, sets of numbers belonging to the same provider's range. They also originate from phone numbers that don't follow the correct format for a specific country.

Every now and then, the PIN code requests triggered automatically through bots manage to 'hit' an actual mobile number and reach a real person, who, of course, is confused about receiving an OTP from a company they've never heard of. For businesses affected by such SMS traffic pumping scams, this doesn't convey a great impression.

There are some other ways to tell if you're a target of an SMS flood.

  • If you detect an unusual web and SMS traffic surge (a pattern that doesn't fit your user base's usual activity levels)

  • If you get too many SMS requests from premium rate numbers

  • If you get too many SMS generation requests over a short period of time

  • If the requests are coming from a country where the MNO's client, i.e., your company, doesn't even operate

  • If too many SMS generation requests have been going unanswered (e.g. if too many users request login OTPs but never actually log in, that could indicate incomplete login attempts)

Who are the perpetrators behind SMS pumping attacks?

1. Aggregators

Aggregators can manipulate SMS traffic for two reasons: 1) to make more revenue and profit or 2) to win a bid against another aggregator.

Some aggregators have built a script (a piece of computer code) that exploits loopholes in the SMS verification tool. The bot repeatedly creates fake accounts, each of which generates fraudulent traffic with OTPs for the customer's online form. The aggregator then inserts the code back into their customer's platform, making it look like a successful transaction.

Since the message doesn't actually reach any handsets or operators, the SMS aggregator doesn't pay for it, but they will charge the customer for it and get profit for themselves.

Sometimes, the code isn't inserted back into the customer's platform. When the conversion rate on one aggregator drops below a certain level, the client will switch to an alternative provider. For most large enterprises, the switch is automated between multiple providers, and thus an attack will lead to an automatic switch.

2. Exclusive gateway providers

Exclusive gateway providers often have revenue commitments to the operator, meaning they have to guarantee a portion of revenue to the operator for the exclusive gateway management they have been awarded in a tender.

To win the tender and close the deal, the exclusive gateway providers will make commitments multiple times higher than the actual SMS volumes for the market or operator. This, in turn, means they need to generate fake traffic to reach it. If the market doesn't have enough traffic, they'll simply make more themselves.

3. Operators

Last but not least, some operators also contribute to artificially inflated SMS volumes. When they sell non-allocated number ranges to criminals, these numbers get actively used. Hence, on paper, the operators can show a growth in user statistics.

More users mean more apparent market growth, bigger market penetration and share, and a higher stock price. So the operators have a vested interest in SMS pumping fraud in more ways than one.

What's the financial impact of SMS pumping attacks?

The financial impact of SMS pumping is often severe. We've seen this problem affect companies across various industries, including logistics, financial services, health tech and so on. Because of the way SMS systems work, attacks can easily go undetected. Thus, the losses can quickly accumulate to tens of thousands of euros!

Messente's Anti-Fraud Specialist, Karl Kalvik, shares one incident that a health-tech client of ours faced. They experienced a sudden hike in SMS volumes to Uzbekistan and neighbouring countries over two weeks. It cost them a total of €13,000! Karl says the fraud was difficult to spot because the SMS content itself was legitimate. As a quick fix, we disabled SMS traffic to all markets except for the one in which our client operates. They also worked to put in place a more permanent fix through CAPTCHA verification.

A similar case occurred for a ride-hailing app provider very recently. Thousands of SMS requests were triggered to phone numbers in Bangladesh, costing the company over €2,000. If we hadn't noticed the unusual traffic hike towards this particular destination, the financial impact could've been far more brutal.

What are the top country numbers affected?

SMS PIN code messages are often requested for phone numbers in countries where SMS prices are high, for example, Russia, Ukraine, Azerbaijan, Kazakhstan, Iraq, Kuwait, and Pakistan, to name a few.

A good approach to help you spot SMS traffic pumping fraud is to check whether text messages are being requested to countries where your company doesn't typically operate.

Danger symbol on a smartphone screen signifying SMS traffic pumping

How to avoid SMS traffic pumping attacks

The following tried and tested SMS scam protection measures will help save you from significant losses.

1. Set up CAPTCHA verification

Presenting a CAPTCHA each time someone requests an OTP via SMS on your website or mobile app is one of the best ways to stop SMS pumping.

While this is an extra step for real users, it will eliminate the possibility of someone running an SMS pumping attack. A single attacker requesting PIN codes to different phone numbers and manually completing each CAPTCHA would simply be too time-consuming.

2. Set your account to pre-pay

Say you are paying a few thousand euros monthly, and the account is set to postpay – one SMS fraud attack can easily double your monthly bill, if not worse. But if the account runs on a prepaid system and has a fixed number of credits only for that one month, then that's the maximum you'll lose, no matter how many spam requests your site or app gets during that time.

3. Limit the number of SMS PIN code requests

Another SMS protection strategy is to set rate limits on the number of requests per IP address or session. If the limit is exceeded, the system will throw a signal stopping SMS requests from being fulfilled for that source. So, if an SMS pumping bot tries to initiate more than five requests from the same IP within, say, 30 minutes, all additional requests could be rejected internally.

While public IP addresses can be spoofed, potential hackers would need to switch IP addresses after a certain number of requests, which would again be a lot of hassle.

4. Disable the delivery of SMS messages to destinations you don't need

The SMS service is global, but if your clients are based only in selected countries, there is no need to enable worldwide SMS delivery.

Messente can easily disable delivery to all destinations where you don't want to send SMS messages. Then, whenever someone tries to send an SMS to a ‘disabled' country via Messente, we reject the request at our end at no cost to you. While it won't protect you from SMS bot attacks in your target market, this method will markedly reduce the risk to your business.

5. Pick a provider you can trust

Thoroughly evaluate whoever you decide to partner with for your business messaging needs. Try to find out how much they really know about OTP messaging scams and other SMS vulnerabilities. Look into what processes and alerts they have implemented (or are working on) to minimise or prevent SMS pumping. And finally, check how transparent they are in sharing information about their business processes.

Person using an old-school mobile phone sending a text message via a trusted provider

Messente can help you tackle SMS pumping fraud

It's not easy to detect SMS pumping attacks. One can't tell right away which SMS requests were generated by a bot and which ones from a real user because the content is identical and coming from the same source. However, regularly monitoring your account and message statistics is one way to see whether cybercriminals are targeting your company.

If you think SMS pumping fraud is impacting your application or business, reach out to us immediately – we want to help! Rest assured, we'll do our best to find a solution for your case.