Every time a digital marketplace sends a one-time passcode to verify a user's phone number, it's writing a check. Most of the time, that check goes to a legitimate user. But an increasingly sophisticated ecosystem of fraudsters has found a way to intercept that payment — without ever touching the user.
This is SMS pumping fraud. Also known as Artificially Inflated Traffic (AIT) or SMS toll fraud, it represents one of the most financially damaging and technically underappreciated threats facing identity and risk teams at consumer-facing platforms today.
Unlike traditional account takeover or credential stuffing attacks, SMS pumping doesn't require stolen credentials, social engineering, or any user interaction at all. Its victims — the platforms — often don't discover the attack until the telecom invoice arrives.
What Is SMS Pumping — and How Does It Work?
At its core, SMS pumping is a revenue-sharing scam that exploits the economics of the global SMS routing ecosystem. To understand it, you need to understand how SMS traffic and interconnection fees actually work.
When a platform sends an SMS — say, a one-time passcode to a phone number — that message doesn't travel directly from the platform's servers to the user's handset. It passes through a chain of intermediaries: the platform's SMS aggregator, international carriers, regional operators, and finally a terminating carrier that delivers the message to the end device. At each handoff, fees are negotiated and collected.
In many countries, particularly in Africa, Southeast Asia, Eastern Europe, and parts of Latin America, terminating carriers are permitted to set their own interconnect rates — the fees charged to route traffic to their numbers. And here's the vulnerability: the platform pays these fees regardless of whether a human ever reads the message.
Fraudsters exploit this by acquiring or colluding with small mobile operators (known as "premium range" or "grey route" operators) that control number ranges with elevated interconnect fees. They then systematically flood those number ranges with requests for SMS verification codes — triggering mass OTP sends — and collect a revenue share from the inflated traffic.
The fraudster controls the number range. The platform pays per SMS sent. The fraudster collects a cut of every message that arrives. No one needs to "receive" anything — the money flows the moment the message is sent.
The Infrastructure Behind an Attack
Modern SMS pumping operations are not one-person schemes. They involve layered infrastructure that spans multiple jurisdictions and technical layers:
Bot networks and automation frameworks programmatically trigger registration or login flows on target platforms, submitting fabricated or harvested phone numbers that map to attacker-controlled ranges. These bots mimic realistic user behavior: varying request cadence, rotating IP addresses through residential proxies, and cycling device fingerprints.
Phone number range acquisition is handled through a combination of legitimate MVNO registrations (which in some jurisdictions require minimal documentation) and partnerships with complicit terminating carriers. The fraudster needs only to control numbers in a range — not individual SIM cards.
Revenue distribution flows through opaque revenue-sharing agreements between the fraudster and the carrier. In many cases, the carrier itself may not be actively complicit — it's simply an unwitting beneficiary of inflated interconnect revenue from upstream resellers.
The Scale of the Problem
These numbers are difficult to pin down with precision — because SMS pumping is, by design, hard to detect. Platforms often mistake inflated SMS send volumes for organic growth signals. Fraud teams focused on account takeover or payment fraud are rarely calibrated to spot this kind of infrastructure-layer attack.
What's clear from the platforms that have investigated and disclosed attacks is that the damage accumulates fast. High-volume marketplaces with millions of registered users — the very platforms with the most active SMS-based verification flows — are the most lucrative targets. A platform sending 10 million OTPs per month and experiencing 15% fraudulent traffic is paying for 1.5 million phantom messages, often at international premium rates that can reach $0.08–$0.15 per message. That's $120,000–$225,000 per month, silently vanishing.
"The fraud doesn't show up in your fraud metrics. It shows up in your cloud bill — or more precisely, your SMS aggregator invoice."
The telecommunications industry body GSMA has formally designated SMS pumping as a category of "Artificial Inflation of Traffic" (AIT) and has issued guidance to carriers. But the financial incentives for complicit operators are significant, and the enforcement landscape is fragmented across jurisdictions.
Why Digital Marketplaces Are Prime Targets
Not all platforms are equally exposed. Digital marketplaces — platforms like Uber, DoorDash, Instacart, Care.com, TaskRabbit, Thumbtack, and their international equivalents — are disproportionately vulnerable for structural reasons rooted in how they handle identity and trust.
High-Volume, Low-Friction Registration
Marketplace growth is measured in supply and demand — drivers, gig workers, caregivers, contractors on one side; riders, customers, and families on the other. To optimize funnel conversion, most marketplaces have deliberately minimized friction at registration. SMS OTP is positioned as the lightweight identity signal that unlocks access: send a code, confirm the number, done.
This creates a structural attack surface: any automated system that can submit phone numbers and complete the OTP loop can generate verified accounts — or simply drain SMS budget — at scale.
The Trust Signal Problem
Marketplaces use phone number verification for more than just account creation. Phone number ownership is often treated as a trust signal throughout the user lifecycle — for fraud risk scoring, for matching supply and demand participants, for dispute resolution. If the phone number verification layer is compromised, downstream trust decisions built on top of it are also compromised.
Consider a platform that uses phone number confirmation as part of its worker onboarding process. If attackers can flood that confirmation flow with synthetic numbers, they can create ghost worker accounts that collect sign-on bonuses, referral credits, or promotional incentives without ever performing a real job — while also generating SMS charges at the platform's expense.
Referral and Incentive Abuse
Most consumer marketplaces run referral programs. "Invite a friend, get $10 credit" is a standard growth mechanic. These programs typically require a new user to verify a phone number to claim an incentive. SMS pumping infrastructure can manufacture thousands of unique phone number verifications, each one claiming a referral bonus, at a cost to the attacker that is far below the value of the incentive — particularly if the SMS fees are themselves being recovered through the pumping scheme.
SMS pumping rarely operates in isolation. A single attack campaign can simultaneously generate SMS fraud costs, claim referral incentives, create synthetic account inventory for follow-on fraud, and corrupt the platform's phone number quality signals — all at once.
Global User Bases and International SMS Exposure
Marketplaces operating internationally face compounded exposure. International SMS routes are significantly more expensive than domestic ones, and the premium range operators that fraudsters work with are often concentrated in specific geographic corridors. A marketplace with users in Nigeria, Indonesia, Bangladesh, or Ukraine — countries that consistently appear on high-risk AIT destination lists — faces elevated per-message costs and higher baseline fraud rates.
Why OTP and SMS-Based 2FA Are Failing
SMS one-time passwords became the default mechanism for phone number verification and second-factor authentication because they solved a real problem elegantly: confirm that a person controls a specific phone number, using infrastructure (the mobile network) that is ubiquitous and independent of the platform.
But the threat model that made SMS OTP reasonable has changed dramatically. The failure is not that SMS OTP is weak in a single dimension — it's that it has become weak in multiple, intersecting dimensions simultaneously.
The Economics Have Inverted
When SMS OTP was designed into platform architectures, the underlying assumption was that sending a code to a phone number was sufficient to establish meaningful identity signal. The cost of the SMS was a rounding error in the overall cost of user acquisition.
SMS pumping breaks this assumption entirely. The act of sending the SMS is no longer a neutral infrastructure cost — it's a vector for financial extraction. The signal (phone number ownership) has been decoupled from the cost (SMS fee), and the cost can now be weaponized independently of the signal.
SIM Swapping Has Eroded the Authentication Value
Even when SMS OTP is functioning as intended — verifying a real person with a real phone — the security guarantee has degraded. SIM swapping attacks, in which fraudsters social-engineer mobile carriers into transferring a victim's number to an attacker-controlled SIM, have demonstrated that phone number control is not a durable proxy for user identity.
The NIST Digital Identity Guidelines (SP 800-63B) deprecated SMS as a sole second factor for high-assurance authentication contexts in 2017 — citing precisely these concerns. The financial services industry took note. Consumer technology platforms, for the most part, did not.
The Verification Loop Can Be Gamed Without Human Presence
The fundamental promise of SMS OTP — that it proves a human controls a phone — depends on the assumption that the OTP actually reaches and is entered by a human. This assumption breaks down in several ways:
Attackers operating against platforms with predictable or numerically sequential OTP formats can conduct brute-force attacks against verification endpoints with insufficient rate limiting. Synthetic identity farms using SIM farms (banks of physical SIM cards controlled by automation) can complete the full receive-and-submit OTP loop without any human involvement. And SS7 protocol vulnerabilities (the signaling system underlying global SMS routing) allow sophisticated actors to intercept SMS messages in transit on specific network segments — a well-documented attack that has been used in targeted fraud against banking customers.
The Aggregator Layer Is an Opaque Black Box
Most platforms have no visibility into the downstream routing of their SMS traffic. They submit a message to their aggregator API, receive a delivery status callback, and pay the invoice. They cannot easily determine which messages went to which terminating carriers, which number ranges are associated with elevated fraud rates, or whether specific delivery patterns are consistent with pumping activity.
This opacity is not accidental — it reflects the genuine complexity of international SMS routing — but it means that platforms are flying blind at the layer where the fraud is actually occurring.
Technical Anatomy of an SMS Pumping Attack
Understanding the attack in granular technical detail is essential for designing effective countermeasures. What follows is a detailed breakdown of how a sophisticated SMS pumping campaign is orchestrated against a typical digital marketplace.
Phase 1: Target Reconnaissance
Attackers begin by mapping the target platform's SMS-triggering surfaces. This includes registration flows, login flows, phone number change flows, and any other endpoint that triggers an OTP send. They identify rate limits, cooldown periods, and whether the platform validates phone number format before sending.
The platform's SMS aggregator can often be fingerprinted by observing message timing, format, and sender ID — giving attackers information about which number ranges will be most profitable to target (since aggregator routing tables vary).
Phase 2: Number Range Selection
Fraudsters select target number ranges based on the revenue share economics of their carrier relationships. High-value ranges — those with the highest interconnect fees — are prioritized. These are often in countries with less-regulated telecommunications environments where grey-route operators can set artificially elevated termination rates.
Number ranges are typically selected to be superficially plausible: they pass basic E.164 format validation, they correspond to real country codes and plausible area codes, and they don't appear on publicly published blocklists. Sophisticated attackers rotate across ranges to avoid pattern detection.
Phase 3: Bot Deployment
The attack infrastructure typically includes residential proxy networks (to distribute request origins across diverse, legitimate-looking IP addresses), browser automation frameworks (Puppeteer, Playwright, or custom headless browser tooling capable of bypassing standard bot detection), and in some cases, CAPTCHA-solving services that employ human workers to complete challenges in near-real-time.
Phase 4: Traffic Shaping to Evade Detection
Naive implementations of SMS pumping are relatively easy to detect: sudden spikes in OTP sends to a specific country code or number prefix are obvious anomalies. Sophisticated operations use traffic shaping to blend fraudulent requests into the organic noise floor of the platform's activity.
This includes mimicking the platform's organic diurnal traffic patterns (more requests during business hours in a given timezone), targeting number ranges that overlap with geographic regions where the platform has legitimate users, and pacing attacks below the thresholds of any rate-limit monitoring the platform has deployed.
Phase 5: Avoiding Backlash Signals
Fraudsters track whether platforms are implementing countermeasures in real time. If a specific number range starts getting blocked, they rotate to a new one. If a country code starts getting flagged, they shift campaigns to a different corridor. The attack infrastructure is designed for rapid iteration, and the cost of pivoting is much lower for the attacker than the cost of responding is for the platform.
