SMS pumping is easy to miss because it does not look like an account attack. Nobody needs to steal a password, intercept a code, or complete a login. The attacker only needs your application to send the SMS.
That makes the early signals easy to misread. Verification requests go up. Message volume goes up. At a glance, it can look like more users are entering the funnel. But if OTP sends are rising while successful verifications stay flat, you may not be looking at growth. You may be paying for someone else's telecom revenue.
The fraud works by turning a normal phone verification flow into a billing machine. Bots trigger real OTP messages to real phone numbers, often on networks where someone in the chain can share in the termination fees. The code itself is irrelevant. The send is the payout.
This post covers how SMS pumping works, why simple checks miss it, and the controls that reduce exposure without making signup painful for legitimate users.
What is SMS pumping
SMS pumping is the abuse of message-sending endpoints, usually SMS OTP flows for signup, login, or password reset, to generate traffic you did not intend to send. You may also see it called SMS toll fraud, artificially inflated traffic (AIT), or international revenue share fraud (IRSF) when cross-border routing is involved.
The scheme is not complicated. A fraudster controls, rents, or has a revenue-share relationship with numbers on a particular mobile network. They then use bots to trigger OTP messages to those numbers. Every delivered SMS creates a termination fee, and part of that fee makes its way back to the fraudster or their partner network.
The attacker does not need the code. They are not trying to take over an account. The send itself is the payout.

The scale is large enough to matter outside the security team. Juniper Research put global enterprise losses to AIT at a peak of $2.1 billion in 2023. Other industry estimates have put losses around $1.1 billion to $1.2 billion a year, with roughly a fifth of OTP traffic on unprotected platforms suspected to be artificial. The best-known public example is X, which said in 2023 that it was losing about $60 million a year to fake 2FA traffic routed through roughly 390 telecom operators before it restricted SMS 2FA for non-paying users.
How attackers find the right flows
SMS pumping usually starts with one question: can this form send an SMS before the application knows enough about the person making the request?
That makes phone-first signup, account verification, and password reset flows obvious targets. The risk rises when the form accepts numbers from many countries, has no meaningful bot challenge, and uses rate limits that can be avoided with rotating IPs or synthetic identities.
Attackers often send to blocks of adjacent numbers that share a prefix. Those numbers may sit on the same operator, which is exactly where the fraudster wants the traffic to land.
The important signal is what happens after the message is sent: nothing. The user never submits the OTP. There is no successful verification, no real account, no conversion. A sudden gap between "codes sent" and "codes verified" is often the first sign of pumping, and it may show up before the invoice does.
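The sent-versus-verified gap described above is easy to compute from existing auth logs. The following is an added example, not code from the post: it buckets OTP events by number prefix over a constructed event log and flags prefixes that take a large share of sends while almost nothing gets verified. The event names, the seven-digit prefix length and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag number prefixes whose OTP sends are not matched by verifications.
Added example; event shape (event name, E.164 number) is assumed."""
from collections import defaultdict

# Constructed sample events. Three US users, one UK user, then a burst of
# forty adjacent Nigerian numbers of which only one ever verifies.
EVENTS = [
    ("otp_sent", "+14155550101"), ("otp_verified", "+14155550101"),
    ("otp_sent", "+14155550102"), ("otp_verified", "+14155550102"),
    ("otp_sent", "+14155550103"),
    ("otp_sent", "+4477009001"), ("otp_verified", "+4477009001"),
] + [("otp_sent", f"+23490100{n:04d}") for n in range(40)] \
  + [("otp_verified", "+234901000003")]


def _prefix(number: str, prefix_len: int) -> str:
    """Leading digits of an E.164 number, used as the per-route bucket."""
    return number.lstrip("+")[:prefix_len]


def prefix_stats(events, prefix_len=7):
    """Sends, verifications, verify rate and share of all sends, per prefix."""
    sent = defaultdict(int)
    verified = defaultdict(int)
    for event, number in events:
        bucket = _prefix(number, prefix_len)
        if event == "otp_sent":
            sent[bucket] += 1
        elif event == "otp_verified":
            verified[bucket] += 1
    total_sent = sum(sent.values()) or 1
    return {
        p: {
            "sent": sent[p],
            "verified": verified[p],
            "verify_rate": verified[p] / sent[p],
            "share": sent[p] / total_sent,
        }
        for p in sent
    }


def suspicious_prefixes(events, prefix_len=7, min_sends=20,
                        max_verify_rate=0.2, min_share=0.3):
    """Prefixes with enough volume to matter, a verify rate far below normal
    and a disproportionate share of sends. Thresholds are assumptions."""
    stats = prefix_stats(events, prefix_len)
    return sorted(
        p for p, s in stats.items()
        if s["sent"] >= min_sends
        and s["verify_rate"] <= max_verify_rate
        and s["share"] >= min_share
    )


def funnel_gap(events):
    """Overall sent vs verified counts; a collapsing ratio is the early signal."""
    sent = sum(1 for e, _ in events if e == "otp_sent")
    verified = sum(1 for e, _ in events if e == "otp_verified")
    return sent, verified, (verified / sent if sent else 0.0)


if __name__ == "__main__":
    print("funnel:", funnel_gap(EVENTS))
    for p in suspicious_prefixes(EVENTS):
        print("suspicious prefix", p, prefix_stats(EVENTS)[p])
```

Run this over a rolling window (say the last hour) rather than all history, and alert on the overall ratio as well as the per-prefix list: a patient attacker spread across several prefixes may not trip the share threshold while still dragging the global verify rate down.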
Why the obvious fixes are not enough
SMS pumping is awkward to defend against because it does not look like a normal account attack.
The numbers can be real. Fraudsters are not limited to disposable VoIP numbers or obvious fake ranges. They may use live numbers on legitimate networks, so a simple number validation or carrier lookup can tell you the number exists without telling you whether the request is useful.
The traffic may come from countries you actually serve. More sophisticated fraud operations do not always route through obviously unusual destinations. They can work inside your existing markets, where a volume increase might be misread as growth, a campaign spike, or a regional launch taking off.
Some of the economics sit inside the telecom ecosystem. The carrier receiving the traffic may be a licensed operator or MVNO, even if the traffic pattern is abusive. In some regions, fraud groups have reportedly acquired operator or MVNO licenses to participate directly in these schemes. That makes "block bad carriers" a weaker control than it sounds.
The pacing can also be patient. Instead of sending one giant burst, attackers spread requests across time, IPs, prefixes, and fake user identities. By the time the pattern is obvious, the cost may already be material.
Where the risk concentrates
SMS pumping can happen anywhere, but it pays better in places with high SMS termination rates, weaker telecom oversight, or operators willing to participate in revenue-share abuse.
Industry risk lists often highlight parts of Africa, Asia and APAC, the Caribbean, the Middle East and North Africa, and some CIS markets. Countries that commonly appear in high-risk discussions include Nigeria, Ethiopia, Tanzania, Kenya, and the DRC in Africa; Vietnam, the Philippines, Bangladesh, Pakistan, Indonesia, and Myanmar across Asia; plus scattered destinations in MENA and Latin America.
That does not mean users from those countries are suspicious. Most are legitimate. The risk is structural: in some routes, fraudulent traffic is simply more profitable.
What actually works
There is no single setting that stops SMS pumping. The resilient approach is layered: reduce the number of situations where you send SMS at all, add controls before the send happens, and make sure your provider can help limit damage when an attack gets through.

Route higher-risk countries through other channels
If you serve a country but see elevated pumping risk there, consider moving signup OTPs to WhatsApp OTP, email, or another channel for that market.
WhatsApp is often a strong option in high-risk regions because it is widely used and is delivered over the internet rather than through operator SMS routes, so a delivered message creates no termination fee for anyone to share. WhatsApp authentication messages still carry a per-message charge, but that charge does not flow to a terminating operator. The implementation can be straightforward: inspect the country code when the user submits the number, then route high-risk destinations to WhatsApp instead of SMS.
Most major messaging providers support this kind of channel routing. For legitimate users in WhatsApp-heavy markets, the conversion impact is often lower than teams expect.
If you do not serve a country at all, disable it. Geo-permissions are one of the least glamorous controls, but they are also one of the cheapest ways to remove unnecessary exposure.
Rate limit the send, not just the session
Rate limiting is table stakes, but it needs to be applied at the right levels.
- Per phone number: cap repeated sends to the same number, for example three per hour, then back off further after repeated failures.
- Per prefix or number range: detect when one prefix starts receiving a disproportionate share of OTPs. This is one of the clearest fingerprints of pumping.
- Per IP and device: still useful for basic bot pressure, though not enough on its own when IP rotation is cheap.
- Per country: use tighter limits in markets where normal signup volume is low, and looser limits where you have a proven user base.
Prefix-level controls are especially important because pumping often concentrates around number blocks tied to a profitable route.
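The layered limits above, as an added example rather than code from the post: a sliding-window limiter keyed by phone number, prefix, IP and country, with the country cap varying by market. The simulated attack is the one the post describes, adjacent numbers in one prefix with a fresh IP on every request, which the per-number and per-IP caps never see but the prefix cap stops. The limit values, the seven-digit prefix and the constructed numbers and TEST-NET IPs are assumptions; the in-process state would live in a shared store such as Redis in production.

```python
"""Multi-level sliding-window caps on OTP sends. Added example."""
import time
from collections import defaultdict, deque


class SendLimiter:
    """Caps OTP sends per phone number, prefix, IP and country.

    limits maps a dimension to (max_sends, window_seconds); the "country"
    entry may instead be {"NG": (cap, window), ..., "*": default}, so
    low-volume markets get tighter caps than proven ones.
    """

    def __init__(self, limits, prefix_len=7, clock=time.time):
        self.limits = limits
        self.prefix_len = prefix_len
        self.clock = clock  # injectable for deterministic tests
        self.history = {dim: defaultdict(deque) for dim in limits}

    def _keys(self, number, ip, country):
        digits = number.lstrip("+")
        return {"number": digits, "prefix": digits[: self.prefix_len],
                "ip": ip, "country": country}

    def _limit(self, dim, key):
        spec = self.limits[dim]
        if isinstance(spec, dict):
            return spec.get(key, spec["*"])
        return spec

    def check(self, number, ip, country):
        """Return None and record the send if every cap allows it, otherwise
        the first exhausted dimension. Nothing is recorded for a blocked
        request, so a blocked bot does not burn a real user's quota."""
        now = self.clock()
        keys = self._keys(number, ip, country)
        for dim in self.limits:
            cap, window = self._limit(dim, keys[dim])
            q = self.history[dim][keys[dim]]
            while q and now - q[0] >= window:  # drop sends outside the window
                q.popleft()
            if len(q) >= cap:
                return dim
        for dim in self.limits:
            self.history[dim][keys[dim]].append(now)
        return None


LIMITS = {  # assumed starting values; tune against your own baseline
    "number": (3, 3600),
    "prefix": (20, 3600),
    "ip": (10, 600),
    "country": {"NG": (50, 3600), "*": (5000, 3600)},
}


def simulate_prefix_attack(limiter, n=30):
    """Adjacent numbers in one prefix, a new IP each time (constructed data,
    TEST-NET-3 addresses). Only the prefix cap can catch this pattern."""
    return [limiter.check(f"+23490100{i:04d}", f"203.0.113.{i}", "NG")
            for i in range(n)]


def simulate_retry_storm(limiter):
    """One number hammered four times from one IP: the fourth is blocked."""
    return [limiter.check("+14155550101", "198.51.100.7", "US")
            for _ in range(4)]


if __name__ == "__main__":
    clock = [1_000_000.0]
    limiter = SendLimiter(LIMITS, clock=lambda: clock[0])
    print(simulate_prefix_attack(limiter))   # 20 x None, then 10 x 'prefix'
    print(simulate_retry_storm(limiter))     # [None, None, None, 'number']
    clock[0] += 3600                         # window expired, sends resume
    print(limiter.check("+234901000099", "203.0.113.99", "NG"))
```

Note the ordering: every cap is checked before anything is recorded, so a request blocked on one dimension does not advance the counters on the others. Normalize numbers to E.164 before they reach the limiter, or an attacker can split one number across several keys with formatting variants.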
Verify without sending an SMS
Silent network authentication is one of the more promising ways to reduce SMS exposure. The GSMA Open Gateway Number Verification API, defined in the CAMARA open-source project, lets an application ask the mobile operator whether the device making the request is the one associated with the phone number being verified.
The user does not read or type a code. The operator returns a yes or no. No SMS is sent, so there is no message for a fraudster to pump.
Coverage is still uneven, but it is improving. The check also only works when the request reaches the operator over the device's mobile data connection, so a phone on Wi-Fi or a desktop browser cannot be verified this way. A practical pattern is to attempt silent network authentication first, then fall back to SMS only when the number, carrier, or connection is not supported. Every successful silent verification removes one SMS from the attack surface.
Move returning users away from SMS
The best long-term mitigation is to stop using SMS as the default authenticator.
Passkeys are now built into iOS, Android, Windows, and macOS. They are FIDO2/WebAuthn credentials: the device holds a private key, unlocks it with the local biometric check or PIN, and signs a challenge from your server. There is no OTP to send and no message endpoint to abuse.
You do not need to migrate everyone at once. Start by prompting passkey enrollment after successful login. Make passkeys the default for returning users who enroll. Keep SMS for first-time verification and account recovery where you still need it.
As passkey adoption rises, SMS volume falls. That is good for security, conversion, and cost.
Choose the channel at runtime
Static SMS policies age badly. A better model is to decide the verification channel at the moment of authentication, using the risk signals available for that request.
For example:
- If the country code is high-risk, route to WhatsApp or email.
- If the user has a passkey or authenticator enrolled, skip SMS.
- If a prefix matches a known abusive range, block or challenge before sending.
- If velocity, timing, device fingerprint, or IP reputation looks bot-like, require a CAPTCHA or stronger check.
This kind of routing is much easier to manage when it lives in configurable authentication rules rather than scattered application code. The point is not to make the system complicated. The point is to make it adjustable when attackers change routes.
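The runtime rules above, together with the country-code routing to WhatsApp and the silent-authentication-first fallback described earlier, as one added example (not the post's or Authsignal's code). The risk signals, the calling-code table, the blocklist, the bot threshold and the fake operator callback are all assumptions; a real deployment would feed these from its own bot detection and a full E.164 table.

```python
"""Pick the verification channel per request from risk signals. Added example."""
from dataclasses import dataclass
from typing import Callable, Optional

# Toy calling-code table covering only the numbers used here; real code
# would use a complete E.164 table (e.g. the phonenumbers library).
CALLING_CODES = {"1", "44", "234", "63", "880"}


def calling_code(phone: str) -> str:
    """Longest-match calling code of an E.164 number, "" if unknown."""
    digits = phone.lstrip("+")
    for n in (3, 2, 1):
        if digits[:n] in CALLING_CODES:
            return digits[:n]
    return ""


@dataclass
class Request:
    phone: str                 # E.164, as submitted
    has_passkey: bool = False  # returning user with an enrolled passkey
    bot_score: float = 0.0     # 0 clean .. 1 bot-like (assumed upstream signal)


@dataclass
class Policy:
    high_risk_codes: set       # calling codes routed away from SMS
    blocked_prefixes: set      # number ranges already seen pumping
    bot_threshold: float = 0.7
    # Operator silent check: True/False from the network, or None when the
    # number, carrier or connection is unsupported (the fallback case).
    silent_verify: Optional[Callable[[str], Optional[bool]]] = None


@dataclass
class Decision:
    action: str             # block | challenge | passkey | verified | send
    channel: Optional[str]  # sms | whatsapp | None
    reason: str


def choose_channel(req: Request, policy: Policy) -> Decision:
    digits = req.phone.lstrip("+")
    # 1. Known abusive range: spend nothing on it.
    if any(digits.startswith(p) for p in policy.blocked_prefixes):
        return Decision("block", None, "prefix on pumping blocklist")
    # 2. Returning user with a passkey: no message endpoint involved at all.
    if req.has_passkey:
        return Decision("passkey", None, "passkey enrolled, SMS skipped")
    # 3. Bot-like request: challenge before any send, whatever the destination.
    if req.bot_score >= policy.bot_threshold:
        return Decision("challenge", None, f"bot score {req.bot_score:.2f}")
    # 4. Silent network authentication first; fall back only if unsupported.
    if policy.silent_verify is not None:
        result = policy.silent_verify(req.phone)
        if result is True:
            return Decision("verified", None, "operator confirmed number on device")
        if result is False:
            # Design choice for this example: a definite "no" from the
            # operator is a strong signal, so challenge rather than send.
            return Decision("challenge", None, "operator says number not on device")
    # 5. High-risk destination: a channel with no termination-fee payout.
    if calling_code(req.phone) in policy.high_risk_codes:
        return Decision("send", "whatsapp", "high-risk calling code")
    # 6. Everything else has earned an SMS.
    return Decision("send", "sms", "default channel")


def fake_silent_verify(phone: str) -> Optional[bool]:
    """Constructed operator: supports US numbers only, confirms one device."""
    if phone.startswith("+1"):
        return phone == "+14155550101"
    return None


POLICY = Policy(high_risk_codes={"234", "63", "880"},
                blocked_prefixes={"2349011"},
                silent_verify=fake_silent_verify)


if __name__ == "__main__":
    for r in (Request("+14155550101"), Request("+2349010000123"),
              Request("+2349011000001"), Request("+447700900123", bot_score=0.9),
              Request("+447700900123")):
        print(r.phone, choose_channel(r, POLICY))
```

The rule order matters: the blocklist and the bot check run before anything that costs money, and the passkey branch runs before the operator call so that returning users never touch a telecom path at all. Keeping the policy in a data object rather than in the handler is what makes it adjustable when an attacker moves to a new route.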
Get your SMS provider involved early
Your SMS provider should not be a passive billing pipe. Provider-side controls cannot replace application-level rules, but they are a useful backstop when abusive traffic gets through.
Look for:
- Pumping-specific fraud detection. Ask what patterns they detect automatically, how quickly blocks are applied, and whether blocked traffic is visible in reporting.
- Spend limits. Daily or monthly caps will not prevent an attack, but they limit the blast radius and force an alert.
- Volume alerts. You want to know when sends cross a baseline while there is still time to respond.
- Geo-permission controls. Disable countries you do not serve, and review the list regularly.
- Number intelligence. Carrier and number lookup can help flag risky numbers, SIM-swap indicators, or suspicious routes, although it should not be your only control.
A mitigation stack that holds up
The strongest SMS pumping defenses share the same shape.
Passkeys handle returning users wherever possible, so SMS is no longer part of the routine login path. WhatsApp, email, or another non-SMS channel handles signups in higher-risk markets. Silent network authentication verifies supported users without sending a code. Rate limits run at the phone number, prefix, IP, device, and country level. Runtime rules choose the channel based on risk. Provider-side fraud detection, spend caps, alerts, and geo-permissions catch what remains.
SMS is not disappearing soon. It is still useful for onboarding, recovery, and markets where other channels are not reliable enough. The goal is not to remove SMS everywhere overnight. The goal is to stop treating every phone-number submission as a message worth paying for.
Every SMS should have to earn the right to be sent.
Authsignal helps teams orchestrate authentication flows with adaptive channel selection, passkeys, step-up rules, and configurable fraud controls. If you are reviewing your SMS exposure or trying to cut toll fraud costs, talk to us.
