What is SMS traffic pumping fraud?
SMS traffic pumping (also known as Artificially Inflated Traffic (AIT), SMS toll fraud or SMS 2FA Premium Rate Fraud) happens when fraudsters inflate SMS traffic in order to get a share of the revenue.
This can happen, for example, when fraudsters use a phone number input field to request one-time passwords (OTPs) via SMS. If the system has no limits in place to prevent this and keeps responding to the requests, the attackers can have messages sent to a huge range of numbers at a complicit mobile network operator (MNO), with which they have agreed to receive a share of the revenue generated.
How to tell if this fraud has happened to your account
With this type of fraud, your recent account activity will likely show a large number of messages sent to adjacent numbers, or to numbers connected by another pattern, e.g. that they are all remote destinations. Those who use an SMS gateway to send OTPs might also see that the verification cycles for the requested OTPs are incomplete, meaning that the “users” who requested the OTP never entered it in the signup/login flow.
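The two signals described above (adjacent destination numbers and incomplete verification cycles) can be checked together over your own send log. The following is an added example, not GatewayAPI code; the log format, the thresholds and the function name are assumptions, and the phone numbers are constructed under a placeholder +999 prefix.

```python
from collections import defaultdict

# Constructed sample log: (destination number, was the OTP later verified?)
SAMPLE_LOG = (
    [(f"+99900012{n}", n == 343) for n in range(340, 348)]  # sequential, 1 of 8 verified
    + [("+99900012341", False)]                             # repeat request, same number
    + [(f"+9997770001{n}", True) for n in range(5)]         # sequential, all verified
    + [("+99955510012", True), ("+99955528477", True), ("+99955531906", False)]
)

def find_pumping_clusters(log, drop_digits=2, min_numbers=5,
                          min_adjacency=0.6, max_completion=0.2):
    """Flag number blocks that look like traffic pumping.

    A block is every number sharing all but the last `drop_digits` digits.
    It is flagged only when it holds many distinct numbers, most of them are
    consecutive, and few OTPs were completed. Thresholds are assumed values
    to tune against your own traffic.
    """
    blocks = defaultdict(dict)  # block prefix -> {number: verified at least once}
    for msisdn, verified in log:
        digits = "".join(ch for ch in msisdn if ch.isdigit())
        seen = blocks[digits[:-drop_digits]]
        seen[digits] = seen.get(digits, False) or verified

    findings = []
    for block, numbers in blocks.items():
        if len(numbers) < max(min_numbers, 2):
            continue
        ordered = sorted(int(n) for n in numbers)
        # Share of neighbouring pairs that differ by exactly one.
        pairs = list(zip(ordered, ordered[1:]))
        adjacency = sum(1 for a, b in pairs if b - a == 1) / len(pairs)
        # Share of distinct numbers that finished the verification cycle.
        completion = sum(numbers.values()) / len(numbers)
        if adjacency >= min_adjacency and completion <= max_completion:
            findings.append({"block": block, "numbers": len(numbers),
                             "adjacency": adjacency, "completion": completion})
    return findings

if __name__ == "__main__":
    for finding in find_pumping_clusters(SAMPLE_LOG):
        print(finding)
```

A sequential block where users complete verification (such as one company's number range) is not flagged, because both signals must be present.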
How can SMS traffic pumping be avoided?
To help minimize the risk of SMS traffic pumping happening, here are some preventive measures:
- Use our geo permissions feature so that your account can only send SMS messages to enabled countries.
- Set up IP whitelisting so only approved IP addresses can send SMS messages from your account.
- When using systems connected to your GatewayAPI account, set a rate limit so that only a certain number of SMS messages can be sent per minute.
- Add more security to your signup/login flows, e.g. a limit on the number of times a user can request 2FA codes.
What to do if you suspect your account has been misused
We are always here to help and give advice, so please reach out to our Support team via our chat.