SMS pumping or SMS pumping fraud or Artificially Inflated Traffic is a type of bot attack in which huge volumes of SMS to premium rate numbers which results in fraudulent SMS charges. This can lead to huge losses to businesses. It can sometimes amount to millions of dollars. This happens when cybercriminals take undue advantage of the SMS system connected to web apps and forms. They misuse a phone number input field to receive a one-time password (OTP), an app download link, etc. via SMS. This way cybercriminals can generate traffic and exploit your application. They send SMS to a range of numbers that are controlled by mobile network operators (MNOs). They either exploit the MNOs or work with MNOs to artificially increase their revenue from premium-rate phone numbers.
How SMS Pumping Works?
In these attacks, cybercriminals send SMSs to a range of numbers controlled by a specific mobile network operator (MNO). A criminal organization may try to involve an MNO to generate revenue by exploiting the provider’s phone numbers. Working with an MNO, a cybercriminal can use automated systems to send thousands of text messages to high-cost destinations. This inflates the cost of the attack for a business, which is then charged millions of dollars of fraudulent SMS charges.
The network traffic routes involved are complex and varied. This makes it difficult for businesses to detect cybercriminals and prevent this unethical activity from happening. This process usually involves multiple groups, that include aggregators, content providers, and mobile carriers. Each group uses its own routing mechanisms to forward messages, hiding the source of the fraudulent activity. This results in detecting and stopping SMS pumping extremely challenging for businesses.
SMS Pumping Fraud Examples
SMS pumping fraud can be of many types. The two most common ones are
- Web Form Attacks
Cyber attacks may be in the form of web forms that ask a consumer for a mobile number in exchange for product or subscription discounts or other benefits. Here a business that collects mobile numbers in a popup web form is put into trouble when a fraudster uses bots to enter thousands of numbers into the phone number input field. Thus the business ends up sending thousands of messages to high-cost SMS destinations or premium-rate phone numbers. The business believes it is sending messages to potential customers, but in reality, it’s a case of SMS pumping.
- SMS OTP Fraud
This is a type of SMS pumping where websites send one-time passcodes (OTP) for login attempts. The banking industry is a frequent target of this type of SMS pumping. Cybercriminals often focus on websites that send a one-time passcode for login attempts. They obtain a cache of stolen credentials on the dark web. Then, they use OTP bots to rapidly attempt a large number of logins on the targeted website or app. The targeted company will then face huge costs for the delivery of a large number of OTPs. this will result in a high number of fraudulent login attempts. The company will have to spend a huge sum of money due to the high number of SMS messages diverted to high-cost SMS nations.
Detection of SMS Pumping Attacks
The initial detection of SMS pumping attacks is when an unusual number of SMS notifications are requested or when a spike in certain types of phone numbers like premium rate numbers. Requests of SMS notifications are detected. To detect SMS pumping attacks organizations need to pay attention to the phone numbers being used on password reset, registration, and webpage forms. They have to understand the device ID and reputation of the site that plugs in these unusual numbers. Then they have to detect spikes in the SMS requests.
Some of the few ways to detect SMS pumping attacks are
- The success rate of OTP delivery- You have to monitor the success of OTP verification and check high volumes of incomplete login attempts- this is a very effective way as cybercriminals often attempt to access accounts using fraudulent credentials. Also, a high number of incomplete login attempts can be a sign of SMS pumping.
- You have to watch adjacent number inputs in rapid succession- Cybercriminals may use automated tools or bots to generate high volumes of messages. They generate these messages often from sequential phone numbers. This is a way to bypass spam filters and detection mechanisms. In case there is a sudden spike in messaging activity from unknown numbers or patterns of sequential numbers. Then you have to notify your mobile carrier or traffic provider immediately. Immediate responses are better than late responses when the situation becomes unmanageable.
- You have to check for unexpected traffic spikes- This is one of the key strategies to prevent SMS pumping. You have to report unexpected spikes in traffic and investigate their source immediately. You can check anomalies using monitoring tools. These can detect any unusual surges in messaging volumes or login attempts. When detected, you should investigate the source of the traffic to determine if it’s legitimate or a result of SMS pumping fraud.
Prevention of pumping attacks
A business can implement these practices to avoid SMS pumping threats on their application.
- CAPTCHA or BotD
By using these on your website signup pages you can weed out bots from your organization. CAPTCHA forces cybercriminals to submit their phone numbers manually. This slows down attacks and makes them less prominent.
- Set a rate limit on the number of SMSs being sent
You can use CPaaS providers to allow rate limiting of SMSs i.e. how many SMSs can be sent over a period of time. This prevents the systems from sending an unlimited number of SMS messages to the same phone number. This may not be successful in preventing SMS pumping, but will surely discourage the attackers from targeting your app.
- Delay verification retries
Users sometimes need to resubmit their phone number to get an OTP or similar form shortly after their first attempt which causes delay. Users request many SMSs in a short duration. This eliminates multiple retries within seconds of each other. This slows down the entire process and frustrates the attackers.
- Use geographic permissions
You have to disable sending SMSs to numbers from countries where your company doesn’t do business. This restricts where attackers can use premium-rate phone numbers and reduces potential cybercrime charges.
- Verify numbers before sending SMS
You have to determine whether the phone number submitted in the form is a regular phone number, not a premium rate one. Carrier lookup services from API communication platforms like Twilio, report which carrier provides a number. This helps organizations to decide whether it’s worth blocking the carrier or not.
- Require additional information from the users
With this users are required to provide more information than just their phone numbers in any online form. This may affect user experience but refrains cybercriminals from targeting an organization. This reduces the ability to easily use bots to generate traffic.
- Remove 2FA SMS
You can remove the option to send OTPs to SMS numbers for 2-step verification. This may not always be possible but OTPs aren’t the strongest option for verification. However, 2FA offers cost and UX benefits.
SMS Pumping Prevention Tools
- Twilio Verify
It is a tool offered by Twilio to prevent SMS pumping. This is used to validate users with SMS, voice, email, push, WhatsApp, and time-based one-time passwords. It helps in fighting fraud, protecting user accounts, and building trust between the business and its customers. Twilio Verify provides multichannel verification. It solves multiple complex development challenges like carrier regulations, device-specific capabilities, mission-critical communication variables, verifies spots, etc. All of these lead to delivering your message successfully.
Its machine learning-powered bot and online fraud protection prevent SMS pumping attacks. It integrates with your tech slack and determines the problem. It has a real-time dashboard that shows the problems that are there or have a possibility of occurring.
- Soprano Connect
Soprano Connect is one of the best CPaaS (Communications Platform as a Service) spaces. It offers a wide range of features that help to protect its clients and their end message recipients.
It has a Fraud Detection and Prevention Service feature which is a stand-alone API that detects and indicates all the possible Fraudulent mobile numbers on the platform. By setting configurable parameters you can start filtering for fraudulent numbers. It assigns values to three indicators of risk i.e. SIM Swapping, Trusted Network, and Call Forwarding. The fraud checks are assigned the weightage value where the sum of all three values must be added to 100.
You can choose to check for all three, two, or a single Fraud type. Users can decide whether to send SMS or not based on a predetermined risk threshold configured within the platform when the license is purchased. They also have to take into consideration the HTTP API and Connect API SMS which allows them to send sensitive messages (like one-time passwords) and withhold messages from numbers or devices. This indicates that they might be part of or targets of fraud.
If your business is into SMS marketing or even any form of digital marketing then you must be aware of this malpractice of SMS pumping. SMS Pumping could lead to a huge financial loss for your company. Apart from that it will also tarnish your company’s image and reputation among the masses. This will take your customers and clients away from you and your business will suffer a lot. Hence companies must know about this practice and should take preventive steps to avoid the losses that incur due to this malpractice. If you want insight about SMS pumping and how you can prevent and control it then this article will really help you.