What is SMS pumping?
SMS pumping is one of the fastest-growing forms of telecoms fraud. Here is what it is, how it works, and how to stop it from draining your messaging budget.
SMS pumping, also known as artificially inflated traffic (AIT), is a type of SMS fraud where attackers use bots to generate fake SMS requests through a business’s app or website. The goal is to trick businesses into sending one-time passwords (OTPs) or app download links to fake or fraudster-controlled phone numbers, driving up messaging costs without producing any real users or results.
OTPs now make up approximately 89% of all international A2P SMS traffic, making them the primary attack surface for SMS pumping fraud.
How does SMS pumping work?
SMS pumping works by exploiting the SMS triggers built into standard web forms and apps. Fraudsters program bots to submit fake or spoofed phone numbers into fields that trigger an SMS, such as OTP login forms or app download links. From the business’s perspective, these look like genuine user requests. In reality, the messages go to numbers controlled by the fraudsters or to premium-rate routes that pay them a revenue share for the inflated traffic.
Here is how the cycle works:
- Fraudsters identify a web form or app that triggers an SMS, such as an OTP or app download link
- Bots flood the form with fake phone numbers
- The business sends thousands of SMS messages to those numbers
- The fraudster earns a revenue share from the SMS operator for the inflated traffic
- The business pays for everything, with zero legitimate users reached
How does SMS pumping impact businesses?
- $1.15 billion lost to SMS pumping in 2023
- 89% of international A2P SMS traffic targeted via OTP messages
- 85% rise in international SMS costs between 2020 and 2024, driven partly by fraud
Sources: Mobilesquared/Enea, XConnect/Mobilesquared
SMS pumping creates three major problems for businesses:
- Financial loss: You pay for messages sent to fake numbers that generate zero results. Costs can accumulate quickly before anyone notices.
- Service disruption: An active SMS pumping attack may force you to pause your entire messaging service, cutting off real customers in the process.
- Operational distraction: Your team shifts focus from growth to fraud response, slowing down everything else.
The scale of the problem is significant.
Elon Musk disclosed in 2022 that Twitter was losing approximately $60 million per year to SMS pumping via 2FA flows, driven by collusion with around 390 telecoms operators. In 2024, Okta tracked a sustained campaign targeting Auth0 and Oracle OCI sign-up flows across multiple enterprise tenants simultaneously.
Where does SMS pumping happen?
Any web form or app that triggers an SMS is a potential entry point. The most common triggers include:
- Sign-up with SMS OTP
- Two-factor authentication (2FA) login
- Change phone number for 2FA
- Send app download link via SMS
- Account recovery via SMS
SMS pumping is also more concentrated in certain regions. Africa has the highest density of high-risk markets, followed by Asia and the Caribbean. APAC, MENA, Africa, and CIS remain the most affected globally.
How to detect SMS pumping
There are five key warning signs to watch for.
Quick checklist: Signs you may be under attack
- Are OTP requests coming in unusually fast or in clusters?
- Do the phone numbers follow a sequential pattern?
- Are requests arriving from countries you do not operate in?
- Are web forms being partially submitted and abandoned?
- Are OTP conversion rates dropping?
- Is your SMS budget running out faster than usual?
If you answered yes to most of these, act immediately.
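Several of the checklist items can be computed directly from an OTP request log. The following is an added example, not code from this article or from Infobip: the log layout, the thresholds, and the `analyze` function are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample OTP request log: (epoch seconds, source IP, E.164 number, OTP verified?)
# Phone numbers are made up; the IPs come from documentation-only address ranges.
REQUESTS = [
    (1000, "198.51.100.7", "+15550100001", True),
    (1012, "198.51.100.9", "+15550100487", True),
    (1020, "203.0.113.5", "+99970000101", False),
    (1021, "203.0.113.5", "+99970000102", False),
    (1021, "203.0.113.6", "+99970000103", False),
    (1022, "203.0.113.5", "+99970000104", False),
    (1023, "203.0.113.6", "+99970000105", False),
    (1090, "198.51.100.12", "+15550100733", False),
]

def analyze(requests, allowed_prefixes, window=10, burst=4, min_run=3, prefix_len=4):
    """Return the warning signs found in a batch of OTP requests."""
    signs = {}
    # 1. Velocity: any `burst` consecutive requests inside `window` seconds.
    times = sorted(r[0] for r in requests)
    signs["burst"] = any(times[i + burst - 1] - times[i] <= window
                         for i in range(len(times) - burst + 1))
    # 2. Sequential numbers: longest run of consecutive numeric values.
    nums = sorted({int(r[2].lstrip("+")) for r in requests})
    longest = run = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        longest = max(longest, run)
    signs["sequential_run"] = longest if longest >= min_run else 0
    # 3. Destinations outside the markets the business serves.
    signs["unexpected_prefixes"] = sorted(
        {r[2][:prefix_len] for r in requests
         if not r[2].startswith(tuple(allowed_prefixes))})
    # 4. OTP conversion rate (verified / sent) per destination prefix.
    sent, ok = defaultdict(int), defaultdict(int)
    for _, _, number, verified in requests:
        sent[number[:prefix_len]] += 1
        ok[number[:prefix_len]] += verified
    signs["conversion"] = {p: round(ok[p] / sent[p], 2) for p in sent}
    return signs
```

Calling `analyze(REQUESTS, ["+1"])` on the sample flags a burst, a run of five sequential numbers, one unexpected prefix, and a 0% conversion rate on that prefix.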
How to prevent SMS pumping
Prevention works best when multiple defenses are layered. The most effective steps:
- Set rate limits: Restrict how many OTP requests a single IP address or phone number can trigger within a defined time window
- Add CAPTCHA or bot detection: Introduce friction at the form level to block automated submissions before an SMS is sent
- Require delays between retries: Enforce a waiting period before a user can request another OTP, making high-volume attacks less efficient
- Monitor traffic in real time: Use dashboards or alerting tools to catch anomalies before they escalate
- Use a dedicated fraud prevention solution: Tools like Infobip Signals can detect and block fraudulent traffic automatically without disrupting legitimate users
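The rate-limit and retry-delay steps can be enforced in one gate that runs before any SMS is sent. This is an added example, not code from this article or from Infobip: the `OtpGate` class and its default limits are assumptions, and the per-prefix cap goes beyond the list above to cover bots that rotate both IP addresses and sequential numbers.

```python
from collections import defaultdict, deque

class OtpGate:
    """Decides whether an OTP SMS may be sent, before any message cost is incurred.
    State is in-process for the example; a real deployment needs a shared store with expiry."""

    def __init__(self, ip_limit=5, phone_limit=3, prefix_limit=20,
                 window=600, retry_delay=60, prefix_len=8):
        self.limits = {"ip": ip_limit, "phone": phone_limit, "prefix": prefix_limit}
        self.window, self.retry_delay, self.prefix_len = window, retry_delay, prefix_len
        self.sent = defaultdict(deque)  # (kind, value) -> timestamps of allowed sends

    def check(self, ip, phone, now):
        """Return (allowed, reason); `now` is epoch seconds supplied by the caller."""
        keys = [("phone", phone), ("ip", ip), ("prefix", phone[:self.prefix_len])]
        for key in keys:
            q = self.sent[key]
            while q and now - q[0] >= self.window:  # slide the window forward
                q.popleft()
        last = self.sent[("phone", phone)]
        if last and now - last[-1] < self.retry_delay:
            return False, "retry_delay"
        for kind, value in keys:
            if len(self.sent[(kind, value)]) >= self.limits[kind]:
                return False, kind + "_limit"
        for key in keys:
            self.sent[key].append(now)  # only allowed sends count against the limits
        return True, "ok"

def replay(gate, events):
    """Run (ip, phone, now) events through the gate and return the list of reasons."""
    return [gate.check(ip, phone, now)[1] for ip, phone, now in events]
```

A request denied by the gate should return the same response to the client as an allowed one, so that automated callers cannot tune themselves to the thresholds.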
How Infobip Signals stops SMS pumping
Infobip Signals is a fraud prevention tool built specifically for messaging traffic. It uses AI and machine learning to analyze patterns in real time, identify suspicious activity, and automatically block fraudulent numbers before a message is sent.
When Signals detects suspicious activity, it blocks the flagged numbers automatically. Legitimate traffic continues without interruption. You are not charged for blocked messages.
At Next, we are committed to protecting our customers from fraud while continuing to provide the rich, responsive, and reliable communication that they expect from us. To benefit from the latest anti-fraud technology, we partnered with Infobip to empower us to be proactive in keeping both our customers and infrastructure safe from new and emerging threats. Their AI and machine-learning powered solution Infobip Signals helped block approximately 175,000 artificial messages per month, enabling us to maintain the reliability and security of our SMS messaging by mitigating the risk of fraudulent activity. This means that our customers always receive updates on time, and we can continue to deliver the personalized promotional messaging that they expect.
Raz Razaq
Domain Manager, Customer Contact Experience Technology, Next
Conclusion
SMS pumping is a growing and well-documented threat that has cost businesses billions in wasted spend, and industry reports expect it to continue rising through 2025 and beyond. The attack surface is broad: any form that triggers an SMS is a potential entry point.
The businesses most at risk are those that rely on SMS OTPs for authentication or onboarding, which today covers fintech, e-commerce, gaming, ride-hailing, and many other industries. But the attack is also detectable. Traffic anomalies, sequential number patterns, and dropping conversion rates all signal a problem early, and with the right tools in place, most fraudulent traffic can be blocked before it costs anything.
By combining internal monitoring practices with a proactive fraud detection solution like Infobip Signals, you can protect your SMS channel, maintain service reliability for real customers, and keep your messaging budget where it belongs.