Protecting Against SMS Fraud

In this section, you can learn more about the fraudulent SMS scheme known as SMS Pumping and the best practices to avoid it.

  • SMS pumping
  • Best practices on the customer side to avoid SMS fraud
  • Geographic permissions (an upcoming feature of Unifonic)

SMS pumping

  1. SMS Traffic Pumping Fraud happens when fraudsters take advantage of a phone number input field to receive a one-time passcode (OTP) or a download link via SMS.
  2. The attackers can inflate traffic and exploit your app in case there are no adequate controls.
  3. The fraudsters send SMS to a range of numbers controlled by a specific mobile network operator (MNO) and receive a share of the generated revenue.
  4. This type of attack doesn't aim to compromise or steal your credentials such as AppSid but it would inflate traffic from a customer's Unifonic account to a distant destination country and eventually drain the account balance.
  5. As a result, the customer might be seeing a drastic drop in available balance and messages to unknown destinations in their Message Logs.

Geographic permissions (a feature of Unifonic)

Customer participation is essential to efficiently fight against this type of fraud.

Geo-permissions is a customized feature, available at the customer's request.

  • In case you want to limit the countries where you intend to send messages to a specific list, please notify the Unifonic Customer Support team. They would eventually block those SMS without deducting them from your balance.
  • They would configure your Unifonic account for white-listing traffic to specific countries to enable the countries where you perform business operations and would need SMS messaging in them.

Alternatively, you can also implement white-listing on your backend by only allowing OTP requests to specific countries based on the country code.


Country Codes

For a complete list of country codes see Wikipedia article on country codes or use a library like Google Libphonenumber for a more extensive phone number analysis.

Best practices on the customer side

Apply basic rate-limiting
Make sure your application is not sending more than X messages to the same number range within a limited amount of time (a few seconds) - this will help to mitigate the impact from SMS pumping if it happens. Your account balance will still be damaged but at a slower pace and this might make the whole attack not viable for the fraudster. CDN operators like Akamai and Cloudflare have basic rate-limiting capabilities.

CAPTCHA does affect user experience adding small additional friction to your users' journey but might significantly reduce or deter bot traffic where OTP is requested with the help of automation.

Exponential retry delays
Similar to the basic rate limits, implementing exponential delays between OTP requests to the same phone number is a way to prevent rapid sending and reduce the speed of damage to your account balance.

Monitor OTP conversion
One way to quickly detect the ongoing fraudulent SMS pumping attack is to create internal monitors for a conversion rate of verifications (i.e number of OTPs validated by end users divided by the number of OTPs sent to end users). If you notice this rate starting to drop, especially in an unexpected country, trigger an alert for review.