Experts Warn of SMS Pumping Fraud Epidemic

June 4, 2023

SMS pumping fraud schemes use bots to quickly collect numbers on websites and apps that require either a one-time password (OTP) or two-factor authentication (2FA). The attacks may raise the amount a business owes to its mobile network operator.

Firms must comprehend how these schemes operate and take proactive measures against them. These may range from rate limits to more complex measures like implementing a CAPTCHA or libraries designed to deter bot traffic.
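As an added example (not code from the original article), one way to implement the rate limits mentioned above for an endpoint that sends OTP text messages: a sliding-window limiter keyed by destination number, client IP and number prefix. The class name, thresholds, prefix length and sample traffic are assumptions constructed for illustration; the per-prefix cap goes beyond the text and reflects that pumping traffic tends to hit many numbers in one range.

```python
import time
from collections import defaultdict, deque

class OtpSendLimiter:
    """Sliding-window caps on OTP SMS sends per number, per client IP and per number prefix."""

    def __init__(self, per_number=3, per_ip=5, per_prefix=20, window=600, prefix_len=9):
        self.limits = {"number": per_number, "ip": per_ip, "prefix": per_prefix}
        self.window = window            # window length in seconds
        self.prefix_len = prefix_len    # leading characters of the number that define a "range"
        self.sent = defaultdict(deque)  # (kind, value) -> timestamps of allowed sends

    def allow(self, number, ip, now=None):
        """Return (True, None) if the SMS may be sent, else (False, <limit that tripped>)."""
        now = time.time() if now is None else now
        keys = [("number", number), ("ip", ip), ("prefix", number[:self.prefix_len])]
        for key in keys:
            q = self.sent[key]
            while q and now - q[0] >= self.window:  # drop sends that left the window
                q.popleft()
            if len(q) >= self.limits[key[0]]:
                return False, key[0]
        for key in keys:  # record the send only once every limit has passed
            self.sent[key].append(now)
        return True, None


def simulate():
    """Constructed traffic: a bot walking one number range from rotating IPs, then one real user."""
    limiter = OtpSendLimiter()
    results = {"bot_sent": 0, "bot_blocked_by": set(), "user": []}
    for i in range(30):  # 30 numbers in one range, a new IP each time, one request per second
        ok, reason = limiter.allow(f"+15550100{i:03d}", f"198.51.100.{i}", now=1000 + i)
        if ok:
            results["bot_sent"] += 1
        else:
            results["bot_blocked_by"].add(reason)
    for i in range(4):  # a user pressing "resend code" four times within a minute
        results["user"].append(limiter.allow("+15550199123", "203.0.113.7", now=2000 + 15 * i))
    return results


if __name__ == "__main__":
    print(simulate())
```

In a multi-server deployment the counters would need to live in a shared store so that every application server sees the same window.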

1. SMS OTP fraud


Businesses are facing a surge in fraudulent activity via mobile devices, with text message (SMS) fraud being one of the most prevalent forms. According to a survey of 300 North American fraud prevention decision-makers, nearly everyone reported their organization has experienced mobile fraud within the past year.

In this type of attack, hackers steal personal information from victims and use that data to send a text message triggering a one-time password (OTP) or other authentication code sent directly to their phone. This allows fraudsters to access accounts and make fraudulent purchases using the victim’s credit card – often without them even knowing it’s happening!

Businesses should adopt a robust security policy and guarantee their websites have adequate protections against abuse. This includes restricting the amount of personal data collected on web forms and making sure these forms only accept minimal information needed for services to function optimally.

One way to reduce the number of SMS OTPs sent is by switching to a different authentication technology. This could include hardware tokens or software tokens that store a unique OTP that you enter into an online field when accessing apps, websites or portals.

Advanced solutions like behavioral biometrics authenticate users by learning their unique patterns – like how they hold their phones, swipe screens and type. These patterns are much harder to replicate and can thwart account takeover attacks that use OTPs or other forms of user authentication.

These solutions also have the capacity to bolster their fraud detection rules and triggers, blocking traffic to suspicious numbers or users. This helps reduce fraudulent transactions and boost conversion rates – some companies have seen conversion rates double or even triple in specific countries after using this tool!

To protect against this type of fraud, businesses should invest in a scalable and secure solution that integrates various capabilities – including behavioral biometrics. Furthermore, it should use one unified platform to safeguard all accounts while offering consumers an effortless experience.

2. One-time password (OTP) fraud

OTP (One-Time Passcode) authentication is a form of two-factor authentication used to protect online accounts. It generates a one-time passcode which is sent directly to the user via SMS or mobile app.

OTPs (One-Time Passwords) have become a widely used authentication method to verify users before accessing services. Unlike regular passwords, an OTP is unique and only valid for a short period before expiring – providing strong protection against account takeover fraudsters who might reuse stolen credentials across multiple websites and services.

Although OTPs are considered secure, they have also been targeted by fraudsters. According to a recent report, OTP-based scams increased by 25% between August and March 2018.

In these scams, criminals call customers pretending to be from a bank or other trusted organization and request an OTP. This can be risky since it exposes sensitive information about digital accounts; ultimately leading to the account being hijacked and money moving without the victim’s knowledge.

People have been warned to remain alert and vigilant against these scams. The most important rule to remember is never divulge your OTPs to anyone unless it is absolutely necessary for security purposes.

Another way to protect yourself is by not clicking on links attached to text messages, especially if the sender or source is unknown. Many times these sites are malicious and can infect your phone with viruses or other destructive programs.

These links could provide hackers with access to your data and OTPs. To guard against this, check your texts regularly to confirm that no OTP has been generated without consent.


The OTP (One Time Password)-based fraud epidemic is becoming an increasing problem for businesses and consumers. This trend stems from the increasing reliance on OTP authentication in digital spaces, which allows malicious actors to exploit weaknesses in telephony infrastructure and steal OTPs to gain unauthorized access to online accounts – these attacks being known as Account Takeovers (ATOs).

3. Two-factor authentication (2FA) fraud

October is Cyber Security Awareness Month and experts are warning that the skyrocketing costs of SMS pumping fraud will cause a severe crisis for businesses. Not only do such scams cause financial losses, but they can also result in public relations disasters for organizations.

SMS pumping fraud involves criminals sending fraudulent one-time passwords (OTPs) to mobile network operators in order to generate revenue for themselves and their partnering MNOs. Attackers use various numbers to send OTPs, app download links and other malicious content to targeted businesses, resulting in a large proportion of their total SMS traffic – placing an immense strain on resources and costs for the mobile network operator.

Experts advise that if you must use SMS as an authentication method, do so carefully and encrypt the messages to prevent hacker interception. Furthermore, use a trusted mobile number that you verify; this will prevent hackers from accessing your accounts or information, as well as guard against fraudsters who attempt to steal both phone number and text message data.

Another form of 2FA utilizes hardware tokens, such as security keys or biometric sensors, to verify login attempts. This more recent type of 2FA, known as WebAuthn, helps protect your sensitive data and account details from unauthorized users.

Two-factor authentication is an essential security measure for e-commerce sites, online banking services and social media platforms alike. It’s especially helpful in sensitive areas of these applications such as admin panels or those storing credit card and personal data.

Furthermore, two-factor authentication can help businesses defend against brute force and dictionary attacks that attempt to guess a username or password. It’s possible for malicious actors to hack these methods, but it becomes much harder for them to gain access to an application or account with 2FA in place.

The healthcare industry is particularly vulnerable to cyberattacks due to its sensitive patient information and data. Implementing 2FA can help healthcare facilities prevent data breaches and safeguard patients’ sensitive information. It can be combined with an existing password authentication system for added protection within healthcare organizations.

4. Text message fraud

Text message fraud is one of the most frequent types of identity theft. Criminals take advantage of unsuspecting victims by sending them personal information such as passwords, bank account numbers or Social Security numbers via text message.

Many scammers will send personalized messaging that appears to come from a company or person you know, but which actually isn’t. While these messages can be difficult to spot, you can check the sender’s phone number and inline URLs to determine whether it’s genuine.

If the message uses poor grammar, misspellings or awkward language, it could be a scam. Reputable businesses and organizations will always use proper grammar, spelling and punctuation when communicating with customers.

Another prevalent scam involves phony text messages claiming to be from your bank or government agency and asking you to click a link to verify account details. These scams often involve money theft and law enforcement officials are concerned about these messages.

In some cases, fraudulent texts will claim to be from a family member who is in trouble or has gone missing. You may feel compelled to send money directly to the supposed victim; however, always contact the individual first to confirm they really have gone missing or are ill before sending any money.

The latest variation of this scam involves a text message alerting you that a delivery service is having issues with a package. In such cases, you’ll be instructed to click a link and provide your account number and other personal data.

Cybercriminals have already stolen funds from hundreds of thousands of people through SMS pumping fraud attacks, which are estimated to be responsible for 6% of all SMS traffic and 10% of mobile network operators’ (MNO) total revenue.

Experts warn that text scams are on the rise and predicted to become even more common in the future. To stay ahead of scammers, it’s essential for consumers to recognize and report text scams as soon as possible.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
