Key Takeaways
- SMS pumping is also known as AIT (Artificially Inflated Traffic) is a growing menace in the telecommunications industry
- Cybercriminals manipulate SMS traffic to inflate charges for SMS messages of premium or high rate destinations
- A real life example of an SMS pumping attack is the 2022 SMS pumping attack on Twilio's customers
- The dangers and intricacies of an SMS pumping attack are very different and should be understood to be identified
- There are various indicators of an SMS pumping attack like high volume of incomplete login attempts, unexpected traffic spikes etc.
According to a report by Mobilesquared, SMS pumping which is also known as AIT (Artificially Inflated Traffic) is one of the major concerns in A2P messaging industry followed by increase in international termination rates and exclusive deals.
While businesses are continually innovating their communication strategies with hi-tech, the advent of this technology comes the rise of a new form of fraud known as SMS Pumping, a growing menace in the telecommunications industry.
This is widely prevalent in SMS as the same is used for transactional use cases like SMS verification and promotional use cases like coupons. Promotional use cases can also use RCS, which are mostly SMS with rich media and for which you get sent as SMS via server instead of read receipts.
What is SMS Pumping?
SMS pumping, also known as SMS traffic pumping or International Revenue Share Fraud (IRSF), is a type of fraud where cybercriminals manipulate mobile networks to inflate charges for SMS messages sent to premium or high-cost destinations. This form of fraud specifically targets online forms and applications that generate automated OTP SMS, making it a substantial challenge for digital businesses.
Example of an SMS Pumping Attack
Twilio customers in 2022 became the victim of an SMS pumping attack. This specifically included small companies which did not have proper measures in place. The ones with the auto top pup options were harmed heavily. Now, Twilio offers protection tools like Twilio verify fraud guard and SMS pumping protection.
The Intricacies of SMS Pumping Fraud
SMS pumping is a relatively complex scheme. In these attacks, fraudsters send SMS messages to a range of numbers controlled by a specific mobile network operator (MNO). By working with an MNO, a fraudster can use automated systems to send thousands of text messages to high-cost destinations, thereby inflating the cost of the attack for a business and hence being ‘Artificially Inflated Traffic’. It is then responsible for covering the fraudulent SMS charges.
The Dangers of SMS Pumping
SMS pumping fraud can take many forms. Attacks may be targeted at web forms that ask a consumer for a mobile number in exchange for product or subscription discounts. Another attack vector is websites that send one-time passcodes i.e. OTP SMS for login attempts. In either case, the business could end up sending thousands of messages to high-cost SMS destinations or premium rate phone numbers, leading to substantial financial damage.
Now that OTP SMS API integration is very easy and providers like Message Central which let you bypass DLT registration in India and A2P 10DLC in the US, you can get started in minutes. This all has led to a lot of brands adopting OTP SMS for user authentication and this has made them quite vulnerable to such attacks.
Recognizing Signs of SMS Pumping Fraud
Detecting SMS pumping requires vigilance and prompt action. Here are some strategies to uncover warning signs:
1) Monitor for high volumes of incomplete login attempts.
2) Watch for adjacent number inputs in rapid succession.
3) Look for unexpected traffic spikes.
4) Look for a high number of messages being sent to unusual or high-cost countries like Russia, Ukraine, Kazakhstan, Iraq, Kuwait etc.
5) Alerts for SMS budgets.
Proactive Measures Against SMS Pumping
To protect against SMS pumping, businesses can adopt certain practices, such as setting message limits, using two-factor authentication (2FA) or multi-factor authentication (MFA) for premium services, and using a CAPTCHA to stop bot traffic.
Rate Limiting: By limiting the number of messages that can be sent from a single source in a given period, businesses can effectively mitigate the risk of SMS pumping attacks.
Blocking List: By creating a list of blocked countries, you can prevent messages from being sent to numbers in those areas.
Detect and Deter Bots with CAPTCHA: Fraudsters often use malicious bots, which are software designed to automate tasks online. Using CAPTCHA can effectively detect and deter bots from infiltrating your SMS system.
The Role of the Communications Provider
Communication providers such as Message Central, and others also play a crucial role in combating SMS pumping. Providing tools and support assistance to avoid and deal with SMS pumping is usually done by the provider especially in the case of OTP service providers.
Conclusion
SMS pumping is a serious threat that can cause significant financial damage to businesses through toll fraud. However, with a comprehensive understanding of the threat, diligent monitoring, and proactive protective measures, businesses can significantly reduce their risk of falling victim to this form of fraud. Adopting these strategies will not only protect businesses from unnecessary costs but also keep criminals from profiting, thereby maintaining the integrity and reliability of SMS as a preferred communication channel.