SMS Pumping Fraud (AIT): What It Is and How to Stop It in 2026
What is SMS pumping fraud?
SMS pumping—also known as artificially inflated traffic (AIT) or SMS toll fraud—is a scheme in which attackers use bots to trigger massive volumes of text messages from your application to phone numbers they profit from. The typical target is your OTP or "text me the app link" form: it sends a message instantly, without authentication, to any number a visitor enters. Each delivered message generates termination revenue for a complicit carrier or number-range owner, who kicks a share back to the fraudster.
The economics are brutal for the victim. A pumping run can multiply your monthly SMS spend 5–50x within hours, and unless you're watching the right metrics, the first sign is the invoice. Industry estimates put AIT losses to businesses in the billions of dollars per year, and by 2026 the fraud has expanded beyond OTP into referral invites, download links, and survey forms—any public endpoint that sends an SMS.
How does an SMS pumping attack work?
- The attacker acquires a number range. They partner with a rogue mobile operator, MVNO, or reseller controlling premium or high-termination-fee number blocks—typically in countries with expensive inbound SMS rates.
- They find your trigger. Any unauthenticated form that sends a text: signup OTP, login 2FA, "send me the link," referral invite.
- Bots submit numbers at scale. Scripts iterate through the attacker's range—often sequentially—requesting thousands of messages per hour, frequently at night or over weekends.
- Revenue flows. Your gateway delivers the messages; the terminating operator collects fees; the fraudster gets a cut. Nobody ever enters a verification code.
- You get the bill. With per-message costs of $0.05–$0.30 in target corridors, 100,000 fake requests can burn five figures before Monday.
How do you detect SMS pumping?
Four metrics expose an attack early. Put all four on a dashboard with alerts—our deliverability monitoring guide covers the tooling:
| Signal | Healthy | Under attack |
|---|---|---|
| Send-to-verify ratio | 70–95% verified | Below 40%, often near 0% for affected corridors |
| Requests per country per hour | Stable, matches your user base | Sudden spikes to countries with no users |
| Unique numbers per IP / device | ~1 | Dozens to thousands |
| Cost per successful verification | Stable baseline | Climbing sharply with flat signups |
Additional near-certain indicators:
- Sequential number patterns: +263 71 000 0001, 0002, 0003…
- Verification rate of zero for an entire number range or carrier
- Latency-insensitive traffic: real users retry when codes are slow; bots don't
- Off-hours bursts that don't match your product's usage curve
How do you prevent SMS pumping?
No single control stops AIT; the goal is stacking cheap layers until the attacker's ROI dies. Work down this checklist:
- Geo-permissions (highest impact, lowest effort). Only allow SMS to countries where you actually have users. Most businesses can block 80% of the world's high-risk corridors with zero user impact. Review the allowed list quarterly.
- Rate-limit everything. Per phone number (max 3 codes / 15 min), per IP, per device fingerprint, and per session. Add exponential backoff to resend buttons.
- Bot detection before send. An invisible CAPTCHA or proof-of-work challenge on the OTP form filters scripted requests without adding friction for humans.
- Block high-risk number types. Reject premium-rate, VoIP, and known-abused ranges at request time using number-lookup data. Sequential-pattern detection catches range walking.
- Deferred and asymmetric flows. Small delays before sending (500–1500 ms), or requiring email verification first for suspicious signals, destroy bot throughput economics while being invisible to people.
- Spend alerts and circuit breakers. Cap hourly SMS spend per corridor and auto-pause any destination whose volume jumps, say, 500% above baseline. A circuit breaker that pauses Zimbabwe for review costs you minutes; the alternative costs thousands.
- Choose a gateway that fights AIT with you. Route-level fraud screening, per-corridor anomaly detection, and honest delivery data matter. Providers running carrier-matched routing can also spot when traffic terminates on ranges that never convert—shared low-cost aggregators often can't, and some quietly profit from the inflated volume.
What should you do during an active attack?
- Pause the affected corridors immediately—your gateway should let you block destination countries in one action.
- Preserve the evidence: request logs, IPs, number ranges, timestamps.
- Tighten rate limits and enable bot checks on the exposed endpoint.
- Contact your provider to dispute traffic where possible and confirm the ranges involved.
- Post-mortem the endpoint: every SMS-sending route in your product should carry the controls above before you re-open the corridor.
FAQ: SMS pumping fraud
What is SMS pumping fraud?
A scheme where attackers use bots to trigger large volumes of SMS—usually OTP codes—from your app to number ranges they profit from. It's also called artificially inflated traffic (AIT) or SMS toll fraud.
How do I detect SMS pumping?
Monitor send-to-verify ratio (below ~40% is suspicious), per-country request spikes, unique numbers per IP, and cost per successful verification. Sequential destination numbers are a near-certain giveaway.
How do I stop SMS pumping without blocking real users?
Stack low-friction layers: geo-permissions, per-number and per-IP rate limits, invisible bot detection, premium/VoIP range blocking, resend backoff, and spend circuit breakers.
Who profits from SMS pumping?
The fraudster and a complicit carrier or number-range owner who earns termination fees on every delivered message and shares the revenue.
Does SMS pumping only affect OTP endpoints?
No—any public form that triggers an SMS is a target, including app-download links, referral invites, and surveys.
Conclusion: make yourself unprofitable
SMS pumping persists because most victims make it easy: open endpoints, no geo-limits, no verify-rate monitoring, and a provider with no incentive to flag inflated volume. Every layer above raises the attacker's cost and cuts their yield; two or three together usually push them to a softer target. Combine endpoint controls with a gateway that gives you per-corridor analytics and honest delivery data—then check your OTP delivery setup so the legitimate traffic that remains actually converts.
Dach SMS Lab