April 26, 2023

How to protect your business from the $6.7bn threat of SMS pumping fraud

Paul McGuire
Co-founder, CEO at tru.ID


SMS pumping fraud is a rising threat – and it can affect any business, large or small, that uses SMS for verification or to communicate with users. In this blog, we’ll explain who is affected by this fraud, how it works… and the security alternative that can solve the problem.

In January 2023, Twitter owner and CEO Elon Musk claimed that Twitter had lost more than $60m to a specific scam known as SMS pump fraud. The scam relies on collusion between telecoms networks and international premium-rate number providers (IPRNs) to generate fake SMS traffic. 

He implicated over 390 different telecoms firms in the fraud. Twitter denied Musk's claim and issued a statement saying that it takes action against spam and bot accounts on the platform, but the claim did draw attention to the issue. As of March 20, Twitter removed SMS-based identity verification (2FA) from its platform for most users.

SMS-based verification is now the standard ‘second factor’ for many online businesses, given the ease with which hackers can now intercept standard email plus password login systems. But SMS is relatively easy for hackers to intercept, can cost businesses significant sums to manage, and is also prone to fraud. The global body Communications Fraud Control Association (CFCA) estimated that SMS pump fraud resulted in losses of over $6.7 billion globally in 2021.

By far the simplest way to remove the operational expense and user inconvenience of SMS, and to mitigate the risks of SMS pumping fraud, is to implement SIM-based authentication methods such as those offered by tru.ID. This blog will help to outline how the fraud works and what businesses can do to reduce it.

What is SMS pumping fraud?

This kind of fraud is often carried out by organised criminal groups, who can use sophisticated techniques to bypass traditional fraud detection measures. The impact of SMS pumping fraud can be severe, with businesses facing large bills for calls or messages they did not make. Mobile Network Operators (MNOs) may also be exposed to financial losses due to fraudulent traffic passing through their network.

In the type of fraud claimed by Musk, fraudsters take advantage of premium rate numbers or services that charge high fees for calls or messages, by using various application-to-person (A2P) tactics such as auto-dialing, robocalling or SIM boxing to generate a large volume of calls or SMS messages to these numbers.

How does SMS pumping fraud work?

In this type of fraud, the perpetrator generates traffic to international premium rate numbers that charge high rates per minute, and deliver larger potential profits. The fraudster typically generates traffic to these numbers through robocalls or SMS messages – it relies on collaboration with IPRNs and mobile networks, and as such typically originates from areas of the world where there is weaker regulation.


Any business that uses SMS can be a target, but larger global companies who use SMS messaging to confirm a user’s digital identity are particularly vulnerable. They generate very high volumes of traffic, meaning fraudulent transactions are easier to hide, and may not see high volumes of SMS requests from far-flung remote locations (where the fraud often originates) as particularly unusual. 

However, even if a business knows fraudulent activity is at work, it can be difficult to work out how to solve the problem, since it is tied into the process of security. As many IAM professionals and regulatory bodies are now advising, it’s time to switch from SMS to a more secure mobile security solution.

What can be done to prevent SMS pump fraud?

To prevent SMS pumping fraud, mobile networks can implement various measures such as monitoring call patterns, blocking premium rate numbers, and implementing fraud detection software. Businesses can also protect themselves by adopting technology that can detect unusual spikes in activity, whether in the timing of messages, the volume of messages or their location.
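One way to watch for the spikes described above, as an added example that is not tru.ID's code or part of the original post: a sliding-window count of verification SMS sends per destination prefix, compared against an expected volume for that destination. The thresholds, baseline figures, function names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
SPIKE_FACTOR = 5                 # assumed: alert at 5x the expected volume
MIN_EVENTS = 5                   # assumed floor so tiny baselines do not alert
BASELINE = {"+44": 40, "+1": 60} # assumed expected sends per window, by prefix
DEFAULT_BASELINE = 1             # destinations the business rarely serves

def prefix_of(number, prefixes=BASELINE):
    """Longest known prefix, else the first 4 characters as a coarse location bucket."""
    hits = [p for p in prefixes if number.startswith(p)]
    return max(hits, key=len) if hits else number[:4]

def detect_spikes(events):
    """events: (iso_timestamp, e164_number) tuples in time order.
    Returns one (timestamp, prefix, count_in_window) alert per prefix per spike."""
    windows, alerting, alerts = defaultdict(deque), set(), []
    for ts_raw, number in events:
        ts = datetime.fromisoformat(ts_raw)
        pfx = prefix_of(number)
        q = windows[pfx]
        q.append(ts)
        while q and ts - q[0] > WINDOW:      # drop sends older than the window
            q.popleft()
        limit = max(MIN_EVENTS, SPIKE_FACTOR * BASELINE.get(pfx, DEFAULT_BASELINE))
        if len(q) >= limit:
            if pfx not in alerting:          # alert once, not on every send
                alerting.add(pfx)
                alerts.append((ts_raw, pfx, len(q)))
        else:
            alerting.discard(pfx)            # volume fell back; re-arm the alert
    return alerts

def sample_events():
    """Constructed sample: steady +44 traffic plus a 3 a.m. burst to an unfamiliar range."""
    base = datetime(2023, 4, 26, 3, 0, 0)
    ev = [((base + timedelta(seconds=30 * i)).isoformat(), f"+4477009000{i:02d}")
          for i in range(20)]
    ev += [((base + timedelta(minutes=4, seconds=5 * i)).isoformat(), f"+99955501{i:02d}")
           for i in range(8)]
    return sorted(ev)

if __name__ == "__main__":
    for alert in detect_spikes(sample_events()):
        print(alert)
```

The steady +44 traffic stays far below its limit, while the burst to the unfamiliar prefix is flagged on its fifth send within the window.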

However, as with any widespread change, it will be slow for any new measures to roll out across the telecoms industry, due to the amount of inter-business – and international – collaboration and agreement required. 

More simply, businesses with mobile apps can take action now: phase out SMS-based verification entirely by using SIM-based verification offered by tru.ID instead.

How tru.ID can help mobile apps solve SMS pump fraud

There is now a new way to prove possession of a mobile phone number – without needing to use SMS. That means you can eliminate the risk of SMS pump fraud, as well as improving security and making life easier for your users.

SIM-based verification from tru.ID allows you to verify a mobile number by checking the phone directly with the mobile network over an encrypted data connection. This secure, low-friction approach is a quick and easy way to verify possession of a mobile number, without the need for SMS.

Unlike checks performed by SMS or email, there are no PIN codes or passwords that could be intercepted by a fraudster. This has multiple benefits – it reduces the risk of phishing and social engineering attacks; it streamlines the login experience for users, and it eliminates any SMS pump fraud.

Get started 

tru.ID’s technology is quick and easy to deploy and available for all mobile operating systems.

To find out more, book your free demo today.