Protecting Against SMS Fraud

In this section, you can learn more about the fraudulent SMS scheme known as SMS Pumping and the best practices to avoid it.

  • SMS pumping
  • Geographic permissions (feature of Unifonic)
  • Best practices on the customer side to avoid SMS fraud

SMS pumping

  1. SMS Traffic Pumping fraud, also known as OTP Flood, happens when fraudsters take advantage of a phone number input field that triggers a one-time passcode (OTP) or a download link sent via SMS.
  2. If there are no adequate controls, the attackers can inflate traffic and exploit your app.
  3. The fraudsters send SMS to a range of numbers controlled by a specific mobile network operator (MNO) and receive a share of the revenue generated by those messages.
  4. This type of attack does not aim to compromise or steal your credentials such as the AppSid; instead it inflates traffic from your account to a distant destination country and eventually drains the account balance.
  5. As a result, you might see a drastic drop in available balance and a spike in messages to unknown destinations in the Message Logs.

Geographic permissions (feature of Unifonic)

Customer participation is essential to efficiently fight against this type of fraud.

Geo-permissions is a customized feature, available at the customer's request.

  • If you want to limit the countries you send messages to, notify the Unifonic Customer Support team with the list of countries. Messages to any other country would then be blocked without being deducted from your balance.
  • Customer Support would configure your Unifonic account to white-list traffic to those specific countries, i.e. the countries where you perform business operations and need SMS messaging.

Alternatively, you can also implement white-listing on your backend by only allowing OTP requests to specific countries, based on the country code of the submitted phone number.

Country Codes

For a complete list of country codes, see the Wikipedia article on country codes, or use a library like Google's libphonenumber for a more extensive phone number analysis.

Best practices on the customer side

Apply basic rate-limiting
Make sure your application is not sending more than X messages to the same number range within a limited amount of time (a few seconds). This will help to mitigate the impact of SMS pumping if it happens: your account balance will still be damaged, but at a slower pace, which might make the whole attack not viable for the fraudster. CDN operators like Akamai and Cloudflare have basic rate-limiting capabilities.

Use CAPTCHA
CAPTCHA does affect the user experience by adding a small amount of friction to your users' journey, but it might significantly reduce or deter bot traffic where OTPs are requested with the help of automation.

Exponential retry delays
Similar to basic rate limits, implementing exponential delays between OTP requests to the same phone number prevents rapid sending and reduces the speed at which your account balance is drained.

Monitor OTP conversion
One way to quickly detect an ongoing SMS pumping attack is to create internal monitors for the conversion rate of verifications (i.e. the number of OTPs validated by end users divided by the number of OTPs sent to end users). If you notice this rate starting to drop, especially in an unexpected country, trigger an alert for review.
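The backend-side controls above (country white-listing by dialing code, a per-number-range rate limit, exponential retry delays and the OTP conversion rate) combined into one request gate, as an added example that is not Unifonic's own code. The dialing codes, the 7-digit "number range" prefix, the limits and the timestamps are constructed values for illustration; E.164-formatted input is assumed.

```python
import re
from collections import defaultdict, deque

# Constructed policy values for this example; tune them to your own traffic.
ALLOWED_DIAL_CODES = {"966", "971"}  # country dialing codes you do business in
RANGE_PREFIX_DIGITS = 7              # "number range" = first 7 digits of the E.164 number (assumed)
RANGE_LIMIT = 5                      # max OTPs to one number range per window
RANGE_WINDOW_SEC = 10                # window length in seconds
BASE_DELAY_SEC = 30                  # first retry delay for the same number; doubles each retry


class OtpGate:
    def __init__(self):
        self.range_sends = defaultdict(deque)  # range prefix -> timestamps of recent sends
        self.number_attempts = {}              # number -> (send_count, last_send_ts)

    def allow(self, e164_number, now):
        """Return (allowed, reason). `now` is a Unix timestamp, injected for testability."""
        if not re.fullmatch(r"\+[1-9]\d{6,14}", e164_number):
            return False, "malformed number"
        digits = e164_number[1:]
        # Country white-list: the number must start with an allowed dialing code.
        if not any(digits.startswith(code) for code in ALLOWED_DIAL_CODES):
            return False, "country not allowed"
        # Exponential delay per number: 30s after the 1st send, 60s after the 2nd, 120s after the 3rd...
        attempts, last = self.number_attempts.get(e164_number, (0, None))
        if last is not None and now - last < BASE_DELAY_SEC * (2 ** (attempts - 1)):
            return False, "retry too soon"
        # Per-range rate limit: discard sends older than the window, then count what is left.
        rng = digits[:RANGE_PREFIX_DIGITS]
        recent = self.range_sends[rng]
        while recent and now - recent[0] >= RANGE_WINDOW_SEC:
            recent.popleft()
        if len(recent) >= RANGE_LIMIT:
            return False, "number range rate-limited"
        recent.append(now)
        self.number_attempts[e164_number] = (attempts + 1, now)
        return True, "ok"


def conversion_rate(sent, validated):
    """OTP conversion rate = validated / sent, or None when nothing was sent."""
    return None if sent == 0 else validated / sent


def needs_review(sent, validated, min_rate=0.5):
    """True when the conversion rate for a country drops below the expected floor."""
    rate = conversion_rate(sent, validated)
    return rate is not None and rate < min_rate
```

Run `conversion_rate` per destination country over a sliding window so a drop in one unexpected country is not masked by healthy traffic elsewhere.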