What is SMS pumping?

SMS pumping, also known as artificially inflated traffic (AIT), is a type of fraud where attackers generate large amounts of fake SMS traffic through a business's app or website to receive one-time PINs (OTPs) or app download links via SMS.

How does SMS pumping work?

Not all cyber-attacks are aimed at stealing information.

In SMS pumping, fraudsters use bots that generate fake accounts to automatically input phone numbers into online forms connected to SMS systems to trigger an OTP SMS. So, businesses send OTP messages to fraudsters and pay for that illegitimate interaction that yields zero results.

How does SMS pumping impact businesses?

When faced with SMS pumping, businesses run into three key problems:

  1. Overspending – your business is paying for traffic that yields zero results
  2. Interrupted service – an SMS attack may force you to stall your entire SMS service, meaning your real customers can’t reach you
  3. Trade-off of focus – you shift your focus to tackling fraud rather than focusing on core business needs

How does SMS pumping happen?

SMS pumping most commonly happens through web forms and smartphone apps that can trigger A2P SMS, for example:

  • SMS sign up
  • Sign up via SMS with 2FA
  • Change MSISDN for 2FA
  • SMS with app store URL for mobile phone
  • Send SMS with app store link to mobile phone

How to detect SMS pumping attacks?

The easiest way to detect SMS pumping is to look for a spike of messages sent to a block of similar numbers or within a short period of time. For example, only the last digit changes from one number to the next (e.g., +1111111110, +1111111111, +1111111112, +1111111113).

If you are unsure whether you are facing an SMS pumping attack, ask yourself:

  • Are the requests made in a short period of time?
  • Are the phone numbers sequential to each other?
  • Are web forms only partially completed?
  • Are your conversion rates dropping?
  • Are the numbers from countries your business rarely or never has customers in?

If the answer to these questions is yes, you may be dealing with SMS pumping.
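
The first two questions above (requests in a short period of time, phone numbers sequential to each other) can be checked automatically against your OTP request log. The sketch below is an added example, not Infobip's code; the log format, the window length, the thresholds and every number other than the +111111111x block are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values, not from the page: adjust to your own traffic.
WINDOW = timedelta(minutes=5)   # what counts as "a short period of time"
PREFIX_DROP = 2                 # trailing digits ignored when grouping numbers
MIN_DISTINCT = 4                # distinct numbers in one block before flagging

# Constructed sample OTP request log: (ISO timestamp, destination MSISDN).
SAMPLE_LOG = [
    ("2023-09-13T10:00:00", "+1111111110"),
    ("2023-09-13T10:00:05", "+1111111111"),
    ("2023-09-13T10:00:09", "+2225550142"),
    ("2023-09-13T10:00:12", "+1111111112"),
    ("2023-09-13T10:00:20", "+1111111113"),
    ("2023-09-13T10:30:00", "+3335550101"),  # same block, but spread over hours
    ("2023-09-13T11:30:00", "+3335550102"),
    ("2023-09-13T12:30:00", "+3335550103"),
    ("2023-09-13T13:30:00", "+3335550104"),
]

def find_pumped_blocks(log, window=WINDOW, drop=PREFIX_DROP, min_distinct=MIN_DISTINCT):
    """Return {prefix: sorted numbers} for number blocks hit by a burst.

    A block is every MSISDN sharing all but the last `drop` digits. It is
    flagged when at least `min_distinct` different numbers in it request an
    OTP inside one sliding time window.
    """
    recent = defaultdict(deque)   # prefix -> (time, number) pairs still in window
    flagged = defaultdict(set)
    for stamp, msisdn in sorted(log):
        now = datetime.fromisoformat(stamp)
        digits = "".join(ch for ch in msisdn if ch.isdigit())
        if len(digits) <= drop:
            continue              # too short to group; skip malformed input
        prefix = digits[:-drop]
        q = recent[prefix]
        q.append((now, digits))
        while q and now - q[0][0] > window:
            q.popleft()           # expire requests older than the window
        distinct = {n for _, n in q}
        if len(distinct) >= min_distinct:
            flagged[prefix] |= distinct
    return {p: sorted(nums) for p, nums in flagged.items()}

if __name__ == "__main__":
    for prefix, numbers in find_pumped_blocks(SAMPLE_LOG).items():
        print(f"possible SMS pumping: block {prefix}xx -> {numbers}")
```

Requests to the same block that are spread over hours are not flagged with the default window, which keeps a slow trickle of legitimate sign-ups from neighbouring numbers out of the alert.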

How to prevent SMS pumping?

To minimize the risk of SMS pumping, you can:

  • Set rate limits on your OTP web form input box
  • Implement bot detection solutions
  • Implement delays between verification retry requests
  • Block SMS pumping fraud with Infobip Signals

How can Infobip help with SMS pumping?

Infobip Signals automatically blocks fraudulent OTP traffic while allowing you to continue to use your messaging service without any interruptions to legitimate traffic.

It automatically spots suspicious numbers sending OTPs and blocks them, protecting you from an attack.
