Hitching A Ride: Fraudsters Use Mobile Number Input Fields To Send SMS Messages

Email teams venturing into texting better watch their backs: SMS senders are now being victimized by a high-tech scam called pumping. 

What is SMS pumping? Also known as Artificially Inflated Traffic, it is a type of fraud where “fraudsters take advantage of mobile number input fields on websites or in apps to send messages to numbers they control, driving up costs for the business sending them,” Twilio writes in an alarming new report called The State of SMS pumping fraud.

Twilio estimates that 1.1% of all SMS global traffic is SMS pumping, adding up to billions of potentially fraudulent messages. Excluding the U.S. and Canada, the percentage rises to 5.4% of all international traffic.

The bad actors are “taking advantage of phone number input fields on websites or in apps, such as for one-time passcodes, promotional codes, or app download links, and then get a share of the fraudulently generated revenue from the mobile network operators (MNOs),” the report continues.  



The result: Businesses sending messages to the numbers entered into their mobile number input fields are paying for every message sent.  

Not that we want to spread use-case ideas to fraud artists, but Twilio lists these as the main ones:

User Authentication & Identity — Businesses send users one-time passcodes (OTPs) to sign up, log in to their accounts, and complete transactions. Fraudsters take advantage of this by having these codes sent to numbers they control.

Marketing & Promotion — This occurs when businesses offer a mobile number input field to send a customer a unique discount code or a link to a product, for example.

SMS pumping is more prevalent in certain parts of the world, including Africa and the Middle East, although North America also seems to have its share.

What can you do about it? Twilio recommends these measures: 

Monitor conversion rates — A big decline could signal that you are experiencing SMS pumping fraud.

Set geographic limits — Use geo-permissions to disable messaging in countries where you do not do business.

Use rate limits — Set a maximum number of messages that will go to the same number or mobile prefix in a minute. 

Check whether a phone number has been used in fraud schemes — This will enable you to decide which traffic to block or allow for a given use case.

Enable machine learning-driven SMS pumping detection and prevention technology — You can protect your brand without taking additional actions.
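The geographic-limit, rate-limit and conversion-rate measures above can be combined in one pre-send gate placed behind a mobile number input field. The sketch below is an added example, not Twilio's code or API; the thresholds, prefix length, allowed calling codes, class name and all phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60                     # "in a minute", as in the rate-limit advice
MAX_PER_NUMBER = 2                      # assumed threshold
MAX_PER_PREFIX = 5                      # assumed threshold
PREFIX_LEN = 7                          # assumed: leading characters that define a number range
ALLOWED_CALLING_CODES = ("+1", "+44")   # assumed markets; a simplified stand-in for geo-permissions

class SmsSendGate:
    """Pre-send check for a phone number input field (hypothetical helper)."""

    def __init__(self):
        self._sent = defaultdict(deque)  # key -> timestamps of allowed sends
        self.sent = 0                    # messages actually sent
        self.verified = 0                # codes later entered by a real user

    def _recent(self, key, now):
        q = self._sent[key]
        while q and now - q[0] >= WINDOW_SECONDS:   # drop sends outside the window
            q.popleft()
        return len(q)

    def check(self, number, now):
        """Return a decision string for an E.164 number at time `now` (seconds)."""
        if not number.startswith(ALLOWED_CALLING_CODES):
            return "geo_blocked"
        keys = (("number", number), ("prefix", number[:PREFIX_LEN]))
        if self._recent(keys[0], now) >= MAX_PER_NUMBER:
            return "number_rate_limited"
        if self._recent(keys[1], now) >= MAX_PER_PREFIX:
            return "prefix_rate_limited"
        for key in keys:                 # only allowed sends count toward the limits
            self._sent[key].append(now)
        self.sent += 1
        return "ok"

    def conversion_rate(self):           # a sharp drop here is the warning sign
        return self.verified / self.sent if self.sent else 1.0

# Constructed sample traffic: (timestamp, number). All numbers are fictitious.
SAMPLE = ([(0, "+15550100001"), (1, "+15550100001"), (2, "+15550100001"),
           (3, "+99900000001")]
          + [(10 + i, f"+4477009000{i:02d}") for i in range(7)]
          + [(62, "+15550100001")])

def replay(events):
    gate = SmsSendGate()
    return gate, [gate.check(number, ts) for ts, number in events]
```

Blocked requests are not counted toward the limits, so a legitimate user can retry once the 60-second window has passed.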

Twilio cites statistics from the Mobile Ecosystem Forum projecting that by 2025, 1.62 trillion A2P SMS messages will be sent per year.



