SMS pumping fraud is a rising threat – and it can affect any business, large or small, that uses SMS for verification or to communicate with users. In this blog, we’ll explain who is affected by this fraud, how it works… and the secure alternative that provides a solution for all types of SMS fraud.
In January 2023, Twitter owner and CEO Elon Musk claimed that Twitter had lost more than $60m to a specific scam known as SMS pump fraud – also known as SMS toll fraud or Artificially Inflated Traffic (AIT). The scam relies on collusion between telecoms networks and international premium-rate number providers (IPRNs) to generate fake SMS traffic.
He implicated over 390 different telecoms firms in the fraud, and while Twitter denied Musk's claim and issued a statement saying that it takes action against spam and bot accounts on the platform, it did draw attention to the issue. As of March 20, Twitter removed SMS-based identify verification (2FA) from its platform for most users.
SMS-based verification is now the standard ‘second factor’ for many online businesses, given the ease at which hackers can now intercept standard email + password login systems.
By far the simplest way to eliminate fake SMS traffic and stop SMS pumping fraud is to use an alternative to SMS OTP for mobile number verification, such as SIM-based authentication from tru.ID.
This blog will help to outline how the fraud works, and what businesses can do to stop SMS toll fraud from affecting their traffic.
What is SMS pumping?
This kind of fraud is often carried out by organised criminal groups, who can use sophisticated techniques to bypass traditional fraud detection measures. The impact of SMS pumping fraud can be severe, with businesses facing large bills for calls or messages they did not make. Mobile Network Operators (MNOs) may also be exposed to financial losses due to fraudulent traffic passing through their network.
In the type of fraud claimed by Musk, fraudsters take advantage of premium rate numbers or services that charge high fees for calls or messages, by using various application-to-person (A2P) tactics such as auto-dialing, robocalling or SIM boxing to generate a large volume of calls or SMS messages to these numbers.
How does SMS pumping fraud work?
In this type of SMS fraud, the perpetrator generates traffic to international premium rate numbers that charge high rates per minute, and deliver larger potential profits.
The fraudster typically generates traffic to these numbers through robocalls or SMS messages – it relies on collaboration with IPRNs and mobile networks, and as such typically originates from areas of the world where there is weaker regulation.
If you’re not tracking everything, fraudulent transactions are difficult to stop. Photo by Mathieu Stern on Unsplash
Any business that uses SMS can be a target, but larger global companies who use SMS verification to confirm a user’s digital identity are particularly vulnerable. They generate very high volumes of traffic, meaning fraudulent transactions are easier to hide, and may not see high volumes of SMS requests from far-flung remote locations (where the fraud often originates) as particularly unusual.
However, even if a business knows fraudulent activity is at work, it can be difficult to work out how to solve the problem, since it is tied into the process of security.
To stop SMS pump fraud, mobile networks can implement various measures such as monitoring call patterns, blocking premium rate numbers, and implementing fraud detection software. Businesses can also protect themselves by adopting technology that can detect unusual spikes in activity; whether that is the timing of messages, volume of messages or location.
However, as with any widespread change, it will be slow for any new measures to roll out across the telecoms industry, due to the amount of inter-business – and international – collaboration and agreement required.
More simply, businesses with mobile apps can take action now: prevent SMS scams by phasing out SMS-based verification entirely, using SIM-based verification offered by tru.ID instead.
How tru.ID can help mobile apps prevent SMS pumping
There is now a new way to prove possession of a mobile phone number – without needing to use SMS. That means you can stop artificially inflated traffic and eliminate the risk of SMS pump fraud, as well as improving security and making life easier for your users.
SIM based-verification from tru.ID allows you to perform mobile phone number verification directly with the mobile network over an encrypted data connection. This secure, low-friction approach is a quick and easy way to verify possession of a mobile number, without the need for SMS.
Unlike checks performed by SMS or email, there are no PIN codes or passwords that could be intercepted by a fraudster. This has multiple benefits – it reduces the risk of phishing and social engineering attacks; it streamlines the login experience for users, and it eliminates any SMS pump fraud.
How to get started
tru.ID’s technology is quick and easy to deploy and available for all mobile operating systems.