
SMS Pumping: The multi-billion dollar fraud
Learn more about SMS Pumping fraud, and how you can protect your SMS generating endpoints against this threat.
Published Apr 13, 2025
Note: This article represents my personal opinion and has not been vetted by AWS peers.
During my 2024 conversations with customers in the Middle East about security topics, I've observed a sharp rise in a specific type of cyber attack called SMS Pumping. The consequence is typically an unpleasant surprise: a significant bill corresponding to abnormally high outbound SMS volume.
Many companies send SMS messages to their customers for various reasons, notably in authorization and authentication workflows. For example, when you sign up for a new service online, your mobile number is verified using an SMS one-time password (OTP). These workflows present a significant opportunity for fraudsters looking to monetize your OTP-generating endpoints.
In its simplest form, fraudsters send automated traffic to your OTP-generating endpoint to trigger SMS messages to premium-rate numbers they own, allowing them to collect money from these messages. Such premium-rate numbers are typically used for subscription services, voting, and charity donations. This basic technique is relatively easy to detect and block because the destination phone numbers have distinctive patterns. However, it is just a fraction of the fraud activities. To fully understand SMS pumping, we need to examine the Application-to-Person (A2P) SMS ecosystem.
The main actors in the A2P SMS ecosystem:
- Your Application sends SMS via an API provided by an SMS sending service (like AWS End User Messaging)
- SMS Sending Services connect to SMS Aggregators
- SMS Aggregators buy bulk SMS traffic from mobile operators globally and may use other aggregators for certain routes
- Mobile Operators deliver the SMS to end users' devices
Fraud mainly occurs at the aggregator level.
SMS Trashing: A fraudulent SMS aggregator might simply not deliver (or "trash") a percentage of SMS messages to destination mobile operators while still returning fake delivery receipts. For example, if you're sending discount codes to customers, the aggregator might trash 10% of messages but charge you as if they were delivered, effectively inflating their margins by reducing payments to mobile operators.
Artificially Inflated Traffic (AIT): More sophisticated fraudsters don't wait for organic traffic. They create artificially inflated traffic by using automated bots to trigger SMS-generating endpoints, sending messages to destinations that route through their network, and then potentially trashing these messages. Sometimes they deliver the messages to meet minimum volume commitments with mobile operators, which helps them maintain aggressive pricing and win contracts.

This advanced fraud is harder to detect because the messages are sent to legitimate phone numbers.
According to Fortune Business Insights, the A2P SMS market was valued at USD 50.99 billion in 2023, and is projected to grow to USD 76.18 billion by 2032. Juniper Research reports that Artificially Inflated Traffic accounted for 18% of all A2P SMS traffic in 2023.
Simple math reveals that SMS Pumping represents a multi-billion dollar fraud opportunity.
SMS pumping fraudsters follow the path of least resistance, targeting systems with inadequate protections. When you strengthen your defenses, they typically move to the next easier target.
They aim to maximize profits by sending SMS to high-cost destinations while maintaining volumes that stay under the radar. Applications in countries with large populations and high SMS sending costs are particularly vulnerable. The Asia-Pacific region generally, and the Middle East specifically, are prime targets.
You can protect your SMS-generating endpoints in two ways:
- Modify the OTP flow: Make it harder for fraudsters to abuse your OTP-generating endpoints by introducing preliminary steps before sending an SMS, such as solving a CAPTCHA or verifying an email address first.
- Implement detection and mitigation techniques: You can either use available managed services from the market or build your own using AWS services. I've created an example repository demonstrating some of the protection techniques using AWS services: https://github.com/achrafsouk/sms-pumping
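As an added illustration of the detection side (example code written for this article, not taken from the linked repository), the Python below applies sliding-window velocity limits to an OTP endpoint per source IP, per destination number and per destination prefix, so that a distributed burst towards one country prefix is cut off even when every request comes from a different IP. Thresholds, prefixes and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class OtpGuard:
    """Velocity checks run before an OTP SMS is handed to the sending API."""
    window_s: int = 600        # sliding window length in seconds (assumed)
    max_per_ip: int = 5        # OTP sends allowed per source IP per window
    max_per_number: int = 3    # resends allowed per destination number per window
    max_per_prefix: int = 50   # sends allowed per country/operator prefix per window
    prefix_len: int = 5        # "+9665" style prefix, sign plus four digits
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def _count(self, key, now):
        q = self._seen[key]
        while q and now - q[0] > self.window_s:   # expire old sends
            q.popleft()
        return len(q)

    def check(self, now, ip, number):
        """Return None if sending is allowed, else the name of the tripped limit."""
        number = number.replace(" ", "")
        if not number.startswith("+") or not number[1:].isdigit():
            return "invalid_number"
        keys = {"ip": ("ip", ip), "number": ("num", number),
                "prefix": ("pfx", number[:self.prefix_len])}
        limits = {"ip": self.max_per_ip, "number": self.max_per_number,
                  "prefix": self.max_per_prefix}
        for name, key in keys.items():
            if self._count(key, now) >= limits[name]:
                return f"{name}_limit"
        for key in keys.values():              # record only sends that actually go out
            self._seen[key].append(now)
        return None


def simulate():
    """Constructed traffic: a distributed burst to one prefix, one IP hitting many
    numbers, and a user legitimately re-requesting the same OTP. Returns counts."""
    guard, outcomes, t = OtpGuard(), defaultdict(int), 1_700_000_000
    for i in range(60):   # 60 distinct IPs -> 60 distinct +9665 numbers in 5 minutes
        outcomes[guard.check(t + i * 5, f"203.0.113.{i}", f"+96650000{i:04d}")] += 1
    for i in range(7):    # one IP requests OTPs for 7 different +4477 numbers
        outcomes[guard.check(t + 300 + i, "198.51.100.7", f"+44770000{i:04d}")] += 1
    for i in range(4):    # one user re-requests the same OTP four times
        outcomes[guard.check(t + 400 + i * 30, "192.0.2.9", "+15550100123")] += 1
    return dict(outcomes)
```

In the simulated traffic 58 sends go out, 10 are stopped by the prefix limit, 2 by the per-IP limit and 1 by the per-number limit; in production the tripped limit name is what you alert on, and per-prefix counters are where AIT bursts show up first.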

If you're interested in learning more about these techniques or would like to try implementing some of these protections, please reach out to me.