The Silent Drain: How SMS Pumping Is Bleeding Digital Marketplaces Dry
SMS pumping fraud is silently increasing verification costs for digital marketplaces by exploiting OTP workflows. Explore how these attacks operate, why traditional SMS authentication is failing, and how proactive phone intelligence can prevent fraud before an SMS is sent.



Key takeaways
This is SMS pumping fraud. Also known as Artificially Inflated Traffic (AIT) or SMS toll fraud, it represents one of the most financially damaging and technically underappreciated threats facing identity and risk teams at consumer-facing platforms today.
Unlike traditional account takeover or credential stuffing attacks, SMS pumping doesn't require stolen credentials, social engineering, or any user interaction at all. Its victims, marketplace platforms, often don't discover the attack until the telecom invoice arrives.
What Is SMS Pumping and How Does It Work?
SMS pumping is a revenue-sharing scam that exploits the economics of the global SMS routing ecosystem. To understand it, you need to understand how SMS traffic and interconnection fees actually work.
When a platform sends an SMS, like a one-time passcode, to a phone number, that message doesn't travel directly from the platform's servers to the user's handset. It passes through a chain of intermediaries: the platform's SMS aggregator, international carriers, regional operators, and finally a terminating carrier that delivers the message to the end device. At each handoff, fees are negotiated and collected.

In many countries, particularly in Africa, Southeast Asia, Eastern Europe, and parts of Latin America, terminating carriers are permitted to set their own interconnect rates, which are the fees charged to route traffic to their numbers. And here's the vulnerability: the platform pays these fees regardless of whether a human ever reads the message.
Fraudsters exploit this by acquiring or colluding with small mobile operators (known as "premium range" or "grey route" operators) that control number ranges with elevated interconnect fees. They then systematically flood those number ranges with requests for SMS verification codes, triggering mass OTP sends, and collect a revenue share from the inflated traffic.
The Infrastructure Behind an Attack
Modern SMS pumping operations are not one-person schemes. They involve layered infrastructure that spans multiple jurisdictions and technical layers:
Bot networks and automation frameworks programmatically trigger registration or login flows on target platforms, submitting fabricated or harvested phone numbers that map to attacker-controlled ranges. These bots mimic realistic user behavior: varying request cadence, rotating IP addresses through residential proxies, and cycling device fingerprints.
Phone number range acquisition is handled through a combination of legitimate MVNO registrations (which in some jurisdictions require minimal documentation) and partnerships with complicit terminating carriers. The fraudster needs only to control numbers in a range, not individual SIM cards.
Revenue distribution flows through opaque revenue-sharing agreements between the fraudster and the carrier. In many cases, the carrier itself may not be actively complicit; it is simply an unwitting beneficiary of inflated interconnect revenue from upstream resellers.
These numbers are difficult to pin down with precision because SMS pumping is, by design, hard to detect. Platforms often mistake inflated SMS send volumes for organic growth signals. Fraud teams focused on account takeover or payment fraud are rarely calibrated to spot this kind of infrastructure-layer attack.
What's clear from the platforms that have investigated and disclosed attacks is that the damage accumulates fast. High-volume marketplaces with millions of registered users (the very platforms with the most active SMS-based verification flows) are the most lucrative targets. A platform sending 10 million OTPs per month and experiencing 15% fraudulent traffic is paying for 1.5 million phantom messages, often at international premium rates that can reach $0.08–$0.15 per message. That's $120,000–$225,000 per month, silently vanishing.
Why Digital Marketplaces Are Prime Targets
Not all platforms are equally exposed. Digital marketplace platforms are disproportionately vulnerable for structural reasons rooted in how they handle identity and trust.
High-Volume, Low-Friction Registration
Marketplace growth is measured in supply and demand: drivers, gig workers, caregivers, contractors on one side; riders, customers, and families on the other. To optimize funnel conversion, most marketplaces have deliberately minimized friction at registration. SMS OTP is positioned as the lightweight identity signal that unlocks access: send a code, confirm the number, done.
This creates a structural attack surface: any automated system that can submit phone numbers and complete the OTP loop can generate verified accounts, or simply drain SMS budget, at scale.
The Trust Signal Problem
Marketplaces use phone number verification for more than just account creation. Phone number ownership is often treated as a trust signal throughout the user lifecycle, for things like fraud risk scoring, matching supply and demand participants, and dispute resolution. If the phone number verification layer is compromised, downstream trust decisions built on top of it are also compromised.
Consider a platform that uses phone number confirmation as part of its worker onboarding process. If attackers can flood that confirmation flow with synthetic numbers, they can create ghost worker accounts that collect sign-on bonuses, referral credits, or promotional incentives without ever performing a real job, while also generating SMS charges at the platform's expense.
Referral and Incentive Abuse
Most consumer marketplaces run referral programs. "Invite a friend, get $10 credit" is a standard growth mechanic. These programs typically require a new user to verify a phone number to claim an incentive. SMS pumping infrastructure can manufacture thousands of unique phone number verifications, each one claiming a referral bonus, at a cost to the attacker that is far below the value of the incentive, particularly if the SMS fees are themselves being recovered through the pumping scheme.
Global User Bases and International SMS Exposure
Marketplaces operating internationally face compounded exposure. International SMS routes are significantly more expensive than domestic ones, and the premium range operators that fraudsters work with are often concentrated in specific geographic corridors. A marketplace with users in countries that consistently appear on high-risk AIT destination lists, like Nigeria, Indonesia, Bangladesh, or Ukraine, faces elevated per-message costs and higher baseline fraud rates.
Why OTP and SMS-Based 2FA Are Failing
SMS one-time passwords became the default mechanism for phone number verification and second-factor authentication because they solved a real problem elegantly: confirm that a person controls a specific phone number, using infrastructure (the mobile network) that is ubiquitous and independent of the platform.
But the threat model that made SMS OTP reasonable has changed dramatically. The failure is not that SMS OTP is weak in a single dimension; it's that it has become weak in multiple, intersecting dimensions simultaneously.
The Economics Have Inverted
When SMS OTP was designed into platform architectures, the underlying assumption was that sending a code to a phone number was sufficient to establish a meaningful identity signal. The cost of the SMS was a rounding error in the overall cost of user acquisition.
SMS pumping breaks this assumption entirely. The act of sending the SMS is no longer a neutral infrastructure cost. Now, it's a vector for financial extraction. The signal (phone number ownership) has been decoupled from the cost (SMS fee), and the cost can now be weaponized independently of the signal.
SIM Swapping Has Eroded the Authentication Value
Even when SMS OTP is functioning as intended, the security guarantee has degraded. SIM swapping attacks, in which fraudsters social-engineer mobile carriers into transferring a victim's number to an attacker-controlled SIM, have demonstrated that phone number control is not a durable proxy for user identity.
The NIST Digital Identity Guidelines (SP 800-63B) deprecated SMS as a sole second factor for high-assurance authentication contexts in 2017. Their reasons cited precisely these concerns. The financial services industry took note. Consumer technology platforms, for the most part, did not.
The Verification Loop Can Be Gamed Without Human Presence
The fundamental promise of SMS OTP (that it proves a human controls a phone) depends on the assumption that the OTP actually reaches and is entered by a human. This assumption breaks down in several ways.
For example, attackers operating against platforms with predictable or numerically sequential OTP formats can conduct brute-force attacks against verification endpoints with insufficient rate limiting. Synthetic identity farms using SIM farms (banks of physical SIM cards controlled by automation) can complete the full receive-and-submit OTP loop without any human involvement. And SS7 protocol vulnerabilities (the signaling system underlying global SMS routing) allow sophisticated actors to intercept SMS messages in transit on specific network segments, a well-documented attack that has been used in targeted fraud against banking customers.
The Aggregator Layer Is an Opaque Black Box
Most platforms have no visibility into the downstream routing of their SMS traffic. They submit a message to their aggregator API, receive a delivery status callback, and pay the invoice. They cannot easily determine which messages went to which terminating carriers, which number ranges are associated with elevated fraud rates, or whether specific delivery patterns are consistent with pumping activity.
This opacity is not accidental. It reflects the genuine complexity of international SMS routing, but it means that platforms are flying blind at the layer where the fraud is actually occurring.

Technical Anatomy of an SMS Pumping Attack
Understanding the attack in granular technical detail is essential for designing effective countermeasures. What follows is a detailed breakdown of how a sophisticated SMS pumping campaign is orchestrated against a typical digital marketplace.
Phase 1: Target Reconnaissance
Attackers begin by mapping the target platform's SMS-triggering surfaces. This includes registration flows, login flows, phone number change flows, and any other endpoint that triggers an OTP send. They identify rate limits, cooldown periods, and whether the platform validates phone number format before sending.
The platform's SMS aggregator can often be fingerprinted by observing message timing, format, and sender ID, which gives attackers information about which number ranges will be most profitable to target (since aggregator routing tables vary).
Phase 2: Number Range Selection
Fraudsters select target number ranges based on the revenue share economics of their carrier relationships. High-value ranges, like those with the highest interconnect fees, are prioritized. These are often in countries with less-regulated telecommunications environments where grey-route operators can set artificially elevated termination rates.
Number ranges are typically selected to be superficially plausible: they pass basic E.164 format validation, they correspond to real country codes and plausible area codes, and they don't appear on publicly published blocklists. Sophisticated attackers rotate across ranges to avoid pattern detection.
Phase 3: Bot Deployment
The attack infrastructure typically includes residential proxy networks (to distribute request origins across diverse, legitimate-looking IP addresses), browser automation frameworks (Puppeteer, Playwright, or custom headless browser tooling capable of bypassing standard bot detection), and in some cases, CAPTCHA-solving services that employ human workers to complete challenges in near-real-time.
Phase 4: Traffic Shaping to Evade Detection
Naive implementations of SMS pumping are relatively easy to detect: sudden spikes in OTP sends to a specific country code or number prefix are obvious anomalies. Sophisticated operations use traffic shaping to blend fraudulent requests into the organic noise floor of the platform's activity.
This includes mimicking the platform's organic diurnal traffic patterns (more requests during business hours in a given timezone), targeting number ranges that overlap with geographic regions where the platform has legitimate users, and pacing attacks below the thresholds of any rate-limit monitoring the platform has deployed.
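An added example (not from the original article, and not Prove's implementation): a per-prefix monitor over OTP send and verify events that flags the volume spike of a naive campaign and, through the verified-to-sent ratio, a paced campaign that stays under the volume threshold. The event format, the thresholds, the 6-digit prefix grouping, the baseline figures and the numbers themselves (an unassigned +999 range and fictional 555-01xx numbers) are assumptions constructed for illustration, as is the premise that pumped sends are rarely verified.

```python
from collections import defaultdict

PREFIX_LEN = 7         # assumed grouping: "+" plus the first 6 digits
MIN_SENDS = 20         # assumed: skip prefixes with too little traffic to judge
SPIKE_FACTOR = 5.0     # assumed: sends above 5x the prefix baseline are a spike
MIN_COMPLETION = 0.20  # assumed floor for the verified/sent ratio

def build_sample():
    """Constructed events: (minute, number, 'send' | 'verify')."""
    events = []
    for i in range(40):    # organic users, fictional +1 202 555 01xx numbers
        number = f"+120255501{i:02d}"
        events.append((i, number, "send"))
        if i % 5:          # 32 of 40 codes are entered
            events.append((i + 1, number, "verify"))
    for i in range(300):   # naive burst into one unassigned (+999) range
        events.append((i // 10, f"+999001{i:04d}", "send"))
    for i in range(30):    # paced campaign sized to match the baseline
        events.append((i * 2, f"+999002{i:04d}", "send"))
    events.append((61, "+9990020007", "verify"))  # a single stray completion
    return events

def prefix_stats(events):
    """Count OTP sends and successful verifications per number prefix."""
    stats = defaultdict(lambda: {"sent": 0, "verified": 0})
    for _minute, number, kind in events:
        key = "sent" if kind == "send" else "verified"
        stats[number[:PREFIX_LEN]][key] += 1
    return dict(stats)

def flag_prefixes(events, baseline):
    """Return {prefix: [reasons]} for prefixes that look like pumped traffic."""
    flagged = {}
    for prefix, s in prefix_stats(events).items():
        if s["sent"] < MIN_SENDS:
            continue
        reasons = []
        if s["sent"] > SPIKE_FACTOR * baseline.get(prefix, MIN_SENDS):
            reasons.append("volume_spike")
        if s["verified"] / s["sent"] < MIN_COMPLETION:
            reasons.append("low_completion")
        if reasons:
            flagged[prefix] = reasons
    return flagged

def allow_send(number, flagged):
    """Pre-send gate: refuse an OTP SMS to a number in a flagged prefix."""
    return number[:PREFIX_LEN] not in flagged

SAMPLE_EVENTS = build_sample()
BASELINE = {"+120255": 40, "+999001": 10, "+999002": 30}  # constructed norms

if __name__ == "__main__":
    print(flag_prefixes(SAMPLE_EVENTS, BASELINE))
```

In a live flow the counters would be kept over a sliding time window and `allow_send` consulted before each dispatch, so that a flagged range stops generating charges rather than only showing up in a report.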
Phase 5: Avoiding Backlash Signals
Fraudsters track whether platforms are implementing countermeasures in real time. If a specific number range starts getting blocked, they rotate to a new one. If a country code starts getting flagged, they shift campaigns to a different corridor. The attack infrastructure is designed for rapid iteration, and the cost of pivoting is much lower for the attacker than the cost of responding is for the platform.

How the Prove Identity Platform Fights Back
The Prove Identity Platform is built around a foundational insight: phone numbers are not just a delivery channel for verification codes; they are themselves identity artifacts with rich, verifiable histories. Prove's approach shifts the verification model from "send a code and wait" to "assess the phone number before the first byte of traffic is sent."
This pre-send intelligence, combined with carrier-grade network data that most platforms cannot access directly, is what enables Prove to detect and block SMS pumping attempts before they generate a single fraudulent SMS charge.
Phone Number Intelligence at the Source
Stopping the Attack Before the Invoice Arrives
The practical implication of Prove's architecture for identity and risk teams is a fundamental shift in where the fraud boundary sits. Instead of detecting SMS pumping retrospectively, after the charges have been incurred, after the analytics team flags an anomaly in the aggregator dashboard, Prove enables platforms to evaluate and block fraudulent requests at the point of submission.
This matters because the economics of SMS pumping are entirely front-loaded for the attacker. If the SMS is blocked before it's sent, the attacker receives nothing. If it's detected after the fact, the platform can block future requests from the same number range, but the charges for the messages that already went out are not recoverable.
Reducing Dependency on the OTP Loop
For platforms that want to structurally reduce their exposure to SMS-based fraud rather than simply improving their detection of it, Prove's passive verification capabilities provide an alternative path. By leveraging network-level device-to-number binding, Prove can confirm phone number ownership without triggering an OTP send at all in many cases.
This isn't just a fraud prevention benefit. It also reduces friction for legitimate users, eliminates SMS costs for verifications that don't need them, and moves the platform toward a verification model that is fundamentally more resistant to the class of attacks that SMS OTP was never designed to withstand.
Operational Integration for Risk Teams
Prove's platform is designed to integrate into existing identity and risk stacks via API, with risk signals surfaced as structured scores and decision outputs that can be consumed by existing fraud decisioning systems. For risk teams working with orchestration layers, Prove signals slot into challenge/friction/block decision trees without requiring architectural changes to the verification flow itself.
Prove also provides observability tooling that gives risk teams visibility into the carrier-level signals that are normally opaque, including which number ranges are generating elevated risk scores, which geographic corridors are seeing elevated AIT activity, and how the platform's verification traffic patterns are evolving over time.
The Path Forward
SMS pumping is not a problem that will be solved by carrier enforcement alone, nor by any single platform improving its rate limiting. The incentive structures that sustain it, like elevated interconnect fees, opaque revenue-sharing arrangements, and fragmented international regulatory oversight, are deeply embedded in the telecommunications ecosystem.
What platforms can control is the quality and completeness of the identity signals they use for verification and whether they continue to treat the SMS OTP loop as a sufficient identity check in an environment where it demonstrably is not.
The platforms most exposed to SMS pumping share a common characteristic: they made phone number verification a commodity infrastructure decision, delegated to whoever offered the cheapest per-message rate. The platforms that are closing their exposure are the ones treating phone number intelligence as a first-class identity signal with the data infrastructure to match.
The fraud is sophisticated. The defenses need to be too.