SMS Traffic Pumping Fraud

What is SMS Traffic Pumping Fraud?

SMS Traffic Pumping Fraud, also known as Artificially Inflated Traffic, happens when fraudsters take advantage of a phone number input field that sends a one-time passcode (OTP), an app download link, or anything else via SMS. If this form does not have adequate controls, the attackers can inflate traffic and exploit your app. The fraudsters send SMS to a range of numbers controlled by a specific mobile network operator (MNO) and receive a share of the generated revenue.


This happens in one of two scenarios:

  1. The MNO is complicit in the scheme and has a revenue sharing agreement with the fraudsters.
  2. The MNO is unknowingly exploited by the fraudsters.

In the second case, smaller MNOs get paid by larger MNOs for subscribers and traffic. In this situation it is possible for a fraudster to create a fake company and promise large amounts of traffic. The MNO may not care what the source of the traffic is and ends up supporting the fraud. In either case, you’re more likely to see this type of fraud occur with smaller MNOs.


How can I determine if I'm experiencing an SMS Pumping attack?

You will likely see a spike of messages sent to a block of adjacent numbers (i.e. +1111111110, +1111111111, +1111111112, +1111111113 etc.), often to remote destination countries. If you're sending SMS for a one-time passcode (OTP) use case, you will likely not see a completed verification cycle for these OTPs.

Best practices for preventing SMS Traffic Pumping Fraud

Disable Geo-Permissions for unused countries

Ensuring that countries to which you do not intend to send messages are disabled will lower the likelihood of SMS Traffic Pumping Fraud.

SMS Geo-Permissions are controlled for your Twilio project in the Console on the Messaging Geographic Permissions page.

Set rate limits

Make sure your app will not send more than 1 message per X seconds to the same mobile number range or prefix. Implement rate limits by user, IP, or device identifier. You can use a CDN like Cloudflare or implement modules in your web server, such as Nginx or Apache, for basic rate limiting.

Rate limits may not prevent 100% of fraud but can significantly mitigate the damage that an attacker can do and may even deter them if they decide that it's not worth it to go after your app.

Detect bots and refresh your user experience to prevent them

Libraries like botd or CAPTCHAs can help detect and deter bot traffic. Small changes to your user experience like ensuring that your users confirm their email address before enrolling in 2FA introduce a small amount of friction for legitimate users but can deter automated scripts and bots.

Implement exponential delays between verification retry requests

Similar to rate limits, implementing exponential delays between requests to the same phone number is one way to prevent rapid sending.

For more information, check out the following additional resource: Best Practices for Managing Retry Logic with SMS 2FA

Look up the phone number before sending

Use Carrier Lookup to get the line type of a number and only send SMS to mobile numbers. You can also use this API request to determine the carrier and block carriers that may be (knowingly or not) causing inflated traffic.

For more information, check out the following additional resource: Build a Carrier Block List with Twilio Lookup

Monitor one-time passcode (OTP) conversion rates and create alerts

Create internal monitors for the conversion rate of verifications (i.e., the number of OTPs validated by end users divided by the number of OTPs sent to end users). If you notice this rate starting to drop, especially in an unexpected country, trigger an alert for review.
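As an added illustration (not code from this article or from Twilio), the following script computes the conversion rate described above from a constructed list of OTP send events and raises an alert for any country or number prefix whose rate drops below a threshold; bucketing by prefix also surfaces the adjacent-number pattern (+1111111110, +1111111111, ...) mentioned in the detection section. The event tuples, the "XX" country label, the prefix length and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample OTP events, not real traffic: (destination number, country, verified?).
# The +111111111x block mirrors the adjacent-number pattern the article describes.
EVENTS = [
    ("+14155550101", "US", True),
    ("+14155550102", "US", True),
    ("+14155550103", "US", False),
    ("+14155550104", "US", True),
    ("+14155550105", "US", True),
] + [("+11111111%d" % i, "XX", False) for i in range(10, 18)]

PREFIX_LEN = 10   # leading characters that define a block of adjacent numbers (assumed)
MIN_SENDS = 5     # ignore buckets too small to judge (assumed)
MIN_RATE = 0.2    # alert when verified / sent drops below this (assumed)


def conversion(events, key_fn):
    """Return {bucket: (verified, sent)} with buckets chosen by key_fn."""
    sent, verified = defaultdict(int), defaultdict(int)
    for number, country, ok in events:
        bucket = key_fn(number, country)
        sent[bucket] += 1
        verified[bucket] += 1 if ok else 0
    return {b: (verified[b], sent[b]) for b in sent}


def find_alerts(events, min_sends=MIN_SENDS, min_rate=MIN_RATE, prefix_len=PREFIX_LEN):
    """Flag countries and number prefixes whose OTP conversion rate is suspiciously low."""
    scopes = {
        "country": lambda number, country: country,
        "prefix": lambda number, country: number[:prefix_len],
    }
    alerts = []
    for scope, key_fn in scopes.items():
        for bucket, (v, s) in sorted(conversion(events, key_fn).items()):
            if s >= min_sends and v / s < min_rate:
                alerts.append({"scope": scope, "bucket": bucket, "verified": v, "sent": s})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print("ALERT %(scope)s %(bucket)s: %(verified)d/%(sent)d verified" % alert)
```

In a real deployment the events would come from your verification logs and the thresholds should be tuned against your normal per-country conversion rates.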

You can also configure a usage trigger on your Twilio account to alert you when your usage goes above a certain threshold.

What do I do if I suspect fraud on my Twilio account?

Email fraud@twilio.com if you are facing messaging abuse. Please include the following details in your message:

  • Account SID
  • Product Type (e.g. Verify, Programmable Messaging)
  • Date/time Range
  • To/Recipient Country
  • Description of Activity

Does Twilio have a tool for this?

Twilio Verify is a tool you can use to validate users with SMS, voice, email, push, WhatsApp, and time-based one-time passwords. Verify can help you fight fraud, protect user accounts, and build trust between you and your customers with purpose-built, multichannel verification.

Additional Resources
