What is SMS pumping?

SMS pumping, also known as artificially inflated traffic (AIT), is a type of SMS fraud where attackers generate large amounts of fake SMS traffic through a business’ app or website, prompting businesses to send one-time PINs (OTPs) or app download links via SMS to fake numbers.

How does SMS pumping work?

Essentially, fraudsters use bots to generate and send fake OTP requests to businesses. The bots will input fake phone numbers into online forms. It will look like you are getting genuine SMS OTP requests from users, when in reality a large portion of this traffic is illegitimate.  

In the end, you are paying for sending SMS messages to fake numbers that yield zero results. SMS pumping isn’t always easy to detect, and many businesses will continue to spend the majority of their budget on fraudulent traffic without noticing.  

How does SMS pumping impact businesses?

20 bn

fake A2P SMS messages were sent in 2023

5%

of all A2P SMS traffic was fraudulent

$1.16 bn

spent on fake messages in 2023

Source: Mobile Europe

When faced with SMS pumping, businesses run into three key problems:

  1. Overspending – your business is paying for traffic that yields zero results
  2. Interrupted service – when faced with an SMS attack, it may force you to stall your entire SMS service, meaning your real customers can’t reach you
  3. Trade-off of focus – you shift your focus to tackling fraud rather than focusing on core business needs

How does SMS pumping happen?

The most common situations where SMS pumping happens is through web forms and smartphone apps that can trigger A2P SMS, for example:

  • SMS sign up
  • Sign up via SMS with 2FA
  • Change MSISDN for 2FA
  • SMS with app store URL for mobile phone
  • Send SMS with app store link to mobile phone

How to detect SMS pumping attacks?

There are five red flags to look for in your SMS traffic that can raise your suspicions about if you are a SMS pumping target.

1. Location of the numbers asking for OTPs

You know where your customers are, so if you notice that you are starting to get OTP requests from regions or countries that you don’t normally get traffic from, this can be a sign a fraudster is attempting SMS pumping fraud. 

2. Bursts of requests

Do you notice that sometimes you get a random burst of OTP requests on the same day? This could be a sign that a fraudster is spamming you with fake OTP requests to artificially inflate your traffic, and it could look something like this example:

3. Sequential number patterns

If you notice that you get a series of OTP requests from phone numbers that are sequentially similar, this is a tell-tale sign that someone is using SMS traffic pumping to scam your business. The chance that multiple people with almost similar phone numbers are sending you OTP requests at the same time is close to none.  

4. Drop in conversion rates

You might have noticed that your conversion rates on OTPs are lower than you would expect. Fraudsters send you the requests, you graciously (but unknowingly) send them the PINs and of course, nothing comes from that interaction. Pay attention to your average conversion rate in your region, as it varies from country to country. If you notice, for example, a 20% drop in conversion rates for your SMS OTP requests, this could be a sign that SMS pumping fraud is effecting your business.

70%

average SMS OTP conversion rate in September

50%

average SMS OTP conversion rate in October

5. Running out of SMS budget

SMS traffic pumping causes many businesses to quickly eat through their SMS budget because of the large number of OTP requests they send to illegitimate numbers. If you notice you are quickly running out of money in your SMS budget, it’s likely you are a target of SMS pumping fraud.  

Questions to ask yourself if you are unsure if SMS pumping attacks are affecting your business:

  • Are the requests made in a short period of time?
  • Are the phone numbers sequential to each other?
  • Are web forms only partially completed?
  • Are your conversion rates dropping?
  • Are the numbers from countries your business rarely or never has customers in?

If the answer to these questions is yes, you may be dealing with SMS pumping.

How to prevent SMS pumping?

Proactively blocking artificially inflated traffic doesn’t happen often. Most of the time, brands find themselves trying to repair the damage after falling victim to this scam. To minimize the risk of SMS pumping, you can:

  • Set rate limits on your OTP web form input box
  • Implement bot detection solutions
  • Implement delays between verification retry requests
  • Block SMS pumping fraud with Infobip Signals

How can Infobip help with SMS pumping?

Infobip Signals is a security tool that can proactively block and prevent SMS pumping from affecting your business. It automatically stops fraudulent OTP traffic while allowing you to continue to use your messaging service without any interruptions to legitimate traffic.

Think of it like this: 

In some areas, more so than others, tap water is much risker to drink. Similar to how SMS scams are more likely to occur in certain regions like APAC, MENA, Africa and CIS.  

When you fill a glass with tap water, you can’t always be sure that some questionable minerals or chemicals haven’t made it into your glass. After drinking contaminated water for some time, your suspicion might rise that something isn’t quite right, just like how many businesses pay for fraudulent traffic for a while before they notice any red flags. 

Infobip Signals acts as your water filter, cleaning your SMS traffic and blocking any SMS pumping fraud from reaching your business.  

infobip signals

If we notice suspicious patterns, we block those numbers from sending messages to your business. All other traffic is sent directly to your business without interruption, and the fraudulent numbers are blocked. Meaning you are not charged for that fake interaction.  

You could be interested in

Feb 20th, 2024
5 min read