Protecting Against SMS Fraud

In this section, you can learn more about the fraudulent SMS scheme known as SMS Pumping and the best practices to avoid it.

  • SMS pumping
  • Geographic permissions (feature of Unifonic)
  • Best practices on the customer side to avoid SMS fraud

SMS pumping

  1. SMS Traffic Pumping Fraud happens when fraudsters take advantage of a phone number input field to receive a one-time passcode (OTP) or a download link via SMS. This is also known as OTP Flood attack.
  2. The attackers can inflate traffic and exploit your app in case there are no adequate controls.
  3. The fraudsters send SMS to a range of numbers controlled by a specific mobile network operator (MNO) and receive a share of the generated revenue.
  4. This type of attack doesn't aim to compromise or steal your credentials such as AppSid, but it would inflate traffic from a customer's Unifonic account to a distant destination country and eventually drain the account balance.
  5. As a result, the customer might be seeing a drastic drop in available balance and messages to unknown destinations in their Message Logs.

Geographic permissions (a feature of Unifonic)

Customer participation is essential to efficiently fight against this type of fraud.

Geo-permissions is a customized feature, available at the customer's request.

  • In case you want to limit the countries where you intend to send messages to a specific list, please notify the Unifonic Customer Support team. They would eventually block those SMS without deducting them from your balance.
  • They would configure your Unifonic account for white-listing traffic to specific countries to enable the countries where you perform business operations and would need SMS messaging in them.

Alternatively, you can also implement white-listing on your backend by only allowing OTP requests to specific countries based on the country code. While there are valid reasons why a user might register with a phone number from a different country, this behavior can also be associated with fraudulent activities. For example, fraudsters might use foreign phone numbers to conceal their actual identity and location, making it difficult to track or investigate their activities.

Best practices on the customer side

Validate phone number input

International telephone input validation libraries (e.g. Google Libphonenumber) are an essential tool for providing users with a seamless and user-friendly experience, especially when dealing with diverse phone number formats from various regions around the world. Also, separating the country code from the phone number input enables users to input their phone numbers in their respective country's format, which can be transformed into the globally recognized E.164 format, which makes sure all numbers are unique across the globe.


Country Codes

For a complete list of country codes see Wikipedia article on country codes or use a library like Google Libphonenumber for a more extensive phone number analysis.

Apply basic rate-limiting
Make sure your application is not sending more than a certain amount of messages to the same number within a limited time lapse - this will help to mitigate the impact from SMS pumping in case it happens. Your account balance will still be damaged but at a slower pace and this might make the whole attack not viable for the fraudster. CDN operators like Akamai and Cloudflare have basic rate-limiting capabilities for API requests.

CAPTCHA does affect user experience adding small additional friction to your users' journey but might significantly reduce or deter bot traffic where OTP is requested with the help of automation.

Exponential retry delays
Similar to the basic rate limits, implementing exponential delays between OTP requests to the same phone number at the mobile or web app is a way to prevent rapid sending and reduce the speed of damage to your account balance. Retry buffers might be set to 30 seconds or 1 minute as a good practice meaning that a user will only be able to request OTP again after this timer expires.

Monitor OTP conversion
One way to quickly detect the ongoing fraudulent SMS pumping attack is to create internal monitors for a conversion rate of verifications (i.e number of OTPs validated by end users divided by the number of OTPs sent to end users). If you notice this rate starting to drop, especially in an unexpected country, trigger an alert for review.