SMS Traffic Pumping Fraud, also known as Artificially Inflated Traffic, happens when fraudsters take advantage of a phone number input field to receive a one-time passcode (OTP), an app download link, or anything else via SMS. If this form does not have adequate controls, the attackers can inflate traffic and exploit your app. The fraudsters send SMS to a range of numbers controlled by a specific mobile network operator (MNO) and receive a share of the generated revenue.
This happens in one of two scenarios:
In the second case, smaller MNOs get paid by larger MNOs for subscribers and traffic. In this situation it is possible for a fraudster to create a fake company and promise large amounts of traffic. The MNO may not care what the source of the traffic is and ends up supporting the fraud. In either case, you’re more likely to see this type of fraud occur with smaller MNOs.
How can I determine if I'm experiencing an SMS Pumping attack?
You will likely see a spike of messages sent to a block of adjacent numbers (e.g. +1111111110, +1111111111, +1111111112, +1111111113, etc.), often to remote destination countries. If you're sending SMS for a one-time passcode (OTP) use case, you will likely not see a completed verification cycle for these OTPs.
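One way to automate the check just described, as an added example that is not part of the original Twilio article: the script below scans a constructed send log for runs of adjacent destination numbers sent within a short window that never completed verification. The log format, the thresholds and the `find_adjacent_bursts` name are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample send log: (ISO timestamp, destination number in E.164, OTP verified?).
# These records are invented for this example; they are not real Twilio logs.
SAMPLE_LOG = [
    ("2024-05-01T10:00:01", "+12025550101", True),
    ("2024-05-01T10:00:05", "+12025550142", True),
    ("2024-05-01T10:00:07", "+11111111110", False),
    ("2024-05-01T10:00:08", "+11111111111", False),
    ("2024-05-01T10:00:09", "+11111111112", False),
    ("2024-05-01T10:00:10", "+11111111113", False),
    ("2024-05-01T10:00:11", "+11111111114", False),
    ("2024-05-01T10:30:00", "+12025550177", True),
]


def find_adjacent_bursts(log, window=timedelta(minutes=5), min_run=4):
    """Return one alert per number block that shows the pumping signature:
    at least `min_run` sends within `window` to numbers that differ only in
    their last two digits, form a consecutive run, and were never verified."""
    by_block = defaultdict(list)
    for ts, number, verified in log:
        # group by everything except the last two digits (a block of 100 numbers)
        by_block[number[:-2]].append((datetime.fromisoformat(ts), int(number[-2:]), verified))

    alerts = []
    for block, entries in by_block.items():
        if len(entries) < min_run:
            continue
        entries.sort()
        for i, (start, _, _) in enumerate(entries):
            # all sends to this block within `window` of the i-th send
            run = [e for e in entries[i:] if e[0] - start <= window]
            suffixes = sorted({s for _, s, _ in run})
            if len(suffixes) < min_run:
                continue
            consecutive = suffixes == list(range(suffixes[0], suffixes[0] + len(suffixes)))
            unverified = not any(v for _, _, v in run)
            if consecutive and unverified:
                alerts.append({
                    "prefix": block,
                    "sends": len(run),
                    "first_seen": start.isoformat(),
                })
                break  # one alert per block is enough
    return alerts


if __name__ == "__main__":
    for alert in find_adjacent_bursts(SAMPLE_LOG):
        print(f"suspicious burst to {alert['prefix']}xx: "
              f"{alert['sends']} sends from {alert['first_seen']}")
```

The three signals are deliberately combined (adjacency, burst timing, zero completed verifications) because any one of them alone also matches legitimate traffic, for example a company onboarding a batch of corporate handsets.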
Best practices for preventing SMS Traffic Pumping Fraud
Enable Twilio Verify Fraud Guard
Migrating to Verify will allow you to utilize Verify Fraud Guard. This tool helps prevent SMS related fraud by blocking SMS transmissions to any destination deemed fraudulent.
Verify is a multi-channel solution built specifically for verifying new and returning users with minimal friction. To learn more, go to: Migrate from Programmable Messaging to Verify.
Disable Geo-Permissions for unused countries
Disabling the countries to which you do not intend to send messages will lower the likelihood of SMS Traffic Pumping Fraud.
SMS Geo-Permissions are controlled for your Twilio project in the Console on the Messaging Geographic Permissions page.
Set rate limits
Make sure your app will not send more than 1 message per X seconds to the same mobile number range or prefix. Implement rate limits by user, IP, or device identifier. You can use a CDN like Cloudflare or implement modules in your web server like Nginx and Apache for basic rate limiting.
Rate limits may not prevent 100% of fraud but can significantly mitigate the damage that an attacker can do and may even deter them if they decide that it's not worth it to go after your app.
Detect bots and refresh your user experience to prevent them
Libraries like botd or CAPTCHAs can help detect and deter bot traffic. Small changes to your user experience like ensuring that your users confirm their email address before enrolling in 2FA introduce a small amount of friction for legitimate users but can deter automated scripts and bots.
Implement exponential delays between verification retry requests
Similar to rate limits, implementing exponential delays between requests to the same phone number is one way to prevent rapid sending.
For more information, check out the following additional resource: Best Practices for Managing Retry Logic with SMS 2FA
Look up the phone number before sending
Use Carrier Lookup to get the line type of a number and only send SMS to mobile numbers. You can also use this API request to determine the carrier and block carriers that may be (knowingly or not) causing inflated traffic.
For more information, check out the following additional resource: Build a Carrier Block List with Twilio Lookup
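The controls described under "Disable Geo-Permissions", "Set rate limits", "Implement exponential delays" and "Look up the phone number before sending" can be combined into one pre-send policy check. The following is an added example, not Twilio's code: the `SendGate` class, its policy constants and the `stub_lookup` function are assumptions made for this example; a real deployment would replace `stub_lookup` with a Carrier Lookup call and take the allowed-country list from the Console Geo-Permissions settings.

```python
import time
from collections import defaultdict, deque

# Policy values are constructed for this example; they are not Twilio defaults.
ALLOWED_COUNTRY_CODES = ("1", "44")              # stand-in for Console Geo-Permissions
ALLOWED_LINE_TYPES = {"mobile"}                  # send only to SMS-capable lines
BLOCKED_CARRIERS = {"Example Pumping Carrier"}   # constructed carrier block-list entry
PREFIX_LEN = 8          # "+1202555" -> one rate-limit bucket per number range
PREFIX_LIMIT = 5        # sends allowed per prefix per window
PREFIX_WINDOW = 60.0    # seconds
BASE_DELAY = 30.0       # wait before the first retry to the same number...
MAX_DELAY = 3600.0      # ...doubling on each further retry, capped here


def stub_lookup(number):
    """Constructed stand-in for a Carrier Lookup call. Returns the line type and
    carrier name for a number; a real implementation would call the Lookup API."""
    if number == "+12025550199":
        return {"line_type": "landline", "carrier": "Example Telco"}
    if number == "+12025550198":
        return {"line_type": "mobile", "carrier": "Example Pumping Carrier"}
    return {"line_type": "mobile", "carrier": "Example Mobile"}


class SendGate:
    """Decide whether an OTP SMS to `number` may be sent right now.
    Checks run cheapest-first: geo allow-list, carrier lookup, per-number
    exponential backoff, then the per-prefix sliding-window rate limit."""

    def __init__(self, lookup=stub_lookup, now=time.time):
        self.lookup = lookup
        self.now = now                           # injectable clock for testing
        self.prefix_sends = defaultdict(deque)   # prefix -> timestamps of recent sends
        self.history = {}                        # number -> (attempts, last_send_ts)

    def check(self, number):
        """Return (allowed, reason). The send is recorded only when allowed."""
        if not number.startswith("+") or not number[1:].isdigit():
            return False, "malformed_number"
        if not any(number[1:].startswith(cc) for cc in ALLOWED_COUNTRY_CODES):
            return False, "country_not_allowed"

        info = self.lookup(number)
        if info.get("line_type") not in ALLOWED_LINE_TYPES:
            return False, "line_type_not_mobile"
        if info.get("carrier") in BLOCKED_CARRIERS:
            return False, "carrier_blocked"

        t = self.now()
        attempts, last = self.history.get(number, (0, None))
        if last is not None:
            # exponential delay: 30s, 60s, 120s, ... between sends to the same number
            wait = min(BASE_DELAY * 2 ** (attempts - 1), MAX_DELAY)
            if t - last < wait:
                return False, "retry_too_soon"

        prefix = number[:PREFIX_LEN]
        recent = self.prefix_sends[prefix]
        while recent and t - recent[0] >= PREFIX_WINDOW:
            recent.popleft()                     # drop sends older than the window
        if len(recent) >= PREFIX_LIMIT:
            return False, "prefix_rate_limited"

        recent.append(t)
        self.history[number] = (attempts + 1, t)
        return True, "ok"


if __name__ == "__main__":
    gate = SendGate()
    for n in ["+33612345678", "+12025550199", "+12025550198", "+12025550101", "+12025550101"]:
        print(n, gate.check(n))
```

The per-prefix bucket is what catches the adjacent-number pattern: an attacker rotating through +1111111110, +1111111111, ... never trips a per-number limit, but every one of those sends lands in the same prefix bucket. In a multi-instance deployment the `prefix_sends` and `history` state would need to live in a shared store such as Redis rather than in process memory.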
Monitor one-time passcode (OTP) conversion rates and create alerts
Create internal monitors for the conversion rate of verifications (i.e. the number of OTPs validated by end users divided by the number of OTPs sent to end users). If you notice this rate starting to drop, especially in an unexpected country, trigger an alert for review.
You can also configure a usage trigger on your Twilio account to alert you when your usage goes above a certain threshold.
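A minimal version of the two monitors above, as an added example that is not part of the original article: `check_conversion` compares each destination country's OTP conversion rate against a baseline and flags drops or low-converting countries with no baseline, and `volume_spike` mirrors a usage trigger by comparing this hour's send count with the baseline hourly average. The count tables, thresholds and function names are constructed for this example; "ZZ" is a placeholder for an unexpected destination country, not a real country code.

```python
# Constructed per-country verification counts: country -> (otps_sent, otps_verified).
# Both tables are invented for this example; "ZZ" is a placeholder for an
# unexpected destination country, not a real country code.
BASELINE_7D = {"US": (7000, 5950), "GB": (2100, 1680)}     # last 7 days (168 hours)
LAST_HOUR = {"US": (40, 34), "GB": (12, 9), "ZZ": (120, 3)}


def conversion_rate(sent, verified):
    return verified / sent if sent else 0.0


def check_conversion(current, baseline, min_sent=20, drop_ratio=0.5, new_country_min_rate=0.3):
    """Return alerts for countries whose OTP conversion rate (verified / sent)
    fell below `drop_ratio` of their baseline, or for countries with no baseline
    whose rate is under `new_country_min_rate`. Countries with fewer than
    `min_sent` sends are skipped to avoid alerting on noise."""
    alerts = []
    for country, (sent, verified) in current.items():
        if sent < min_sent:
            continue
        rate = conversion_rate(sent, verified)
        if country in baseline:
            base_rate = conversion_rate(*baseline[country])
            if rate < base_rate * drop_ratio:
                alerts.append((country, "conversion_drop", round(rate, 3), round(base_rate, 3)))
        elif rate < new_country_min_rate:
            alerts.append((country, "unexpected_country", round(rate, 3), None))
    return alerts


def volume_spike(current, baseline, baseline_hours=168, factor=3.0):
    """Usage-trigger style check: total sends this hour versus the baseline hourly
    average. Returns (spiking, current_total, hourly_average)."""
    current_total = sum(sent for sent, _ in current.values())
    hourly_avg = sum(sent for sent, _ in baseline.values()) / baseline_hours
    return current_total > factor * hourly_avg, current_total, round(hourly_avg, 1)


if __name__ == "__main__":
    for alert in check_conversion(LAST_HOUR, BASELINE_7D):
        print("ALERT", alert)
    print("volume spike:", volume_spike(LAST_HOUR, BASELINE_7D))
```

With the sample data, the unexpected country converts 3 of 120 OTPs and is flagged, while the existing markets stay close to their baselines; the hourly volume check fires as well because the pumped traffic alone exceeds three times the normal hourly send rate.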
Notice: If you want to prevent SMS Traffic Pumping Fraud in the Twilio Verify product, you can enable the Fraud Guard feature in your Twilio Console. This feature will automatically block the prefix of the destination of the suspected fraud when there are unusual fluctuations in SMS traffic patterns in a specific location.
What do I do if I suspect fraud on my Twilio account?
Email firstname.lastname@example.org if you are facing messaging abuse. Please include the following details in your message:
- Account SID
- Product Type (e.g. Verify, Programmable Messaging)
- Date/time Range
- To/Recipient Country
- Description of Activity
Does Twilio have a tool for this?
Twilio Verify is a tool you can use to validate users with SMS, voice, email, push, WhatsApp, and time-based one-time passwords. Verify can help you fight fraud, protect user accounts, and build trust between you and your customers with purpose-built, multichannel verification.