SMS has become a popular channel to engage customers, verify identities, and offer promotions. Unfortunately, this growing reliance on SMS services has attracted a new breed of automated threats: SMS fraud.

As a $10 billion fraud scheme, SMS fraud is taking its toll on businesses.

Let’s dive into the inner workings of SMS fraud along with key steps to stop these attacks.👇

The role bots play in SMS pumping and toll fraud

The perpetrators behind SMS fraud are part of highly organized criminal groups. Their goal is to generate as much revenue as possible without getting caught. As a result, pervasive forms of SMS fraud fly under the radar. Businesses don’t realize they are a target until it’s too late.

So how do fraudsters evade detection? With a little (or in this case, a lot of) help from bots.

We see two primary types of attacks in SMS verification and authentication flows: 1) SMS pumping and 2) toll fraud. While both exploit the premium rate system to inflate traffic for financial gain, SMS pumping and toll fraud differ in their attack methods.

  1. SMS pumping: Occurs when attackers target businesses with these SMS flows and flood SMS messages to controlled premium rate numbers. Traditionally attackers will share the inflated charges’ revenue with wireless carriers or mobile network operators. Targeted businesses end up footing the bill.
  2. Toll fraud: Involves tricking users into sending or receiving premium texts with exorbitant fees. The unsuspecting victims fall prey to these fraudulent premium services, while targeted businesses bear the cost.

A new evolution of SMS fraud

Due to recent awareness and subsequent cracking down on SMS pumping and toll fraud, fraudsters are discovering more creative ways to profit from SMS-related attacks. 

We’re seeing stealthy fraud schemes emerge, including: 

  • SMS API abuse: Hacking internal enterprise APIs to run their own SMS premium messaging campaign that generates revenue for the attackers without the enterprise company knowing.
  • SMS pumping without profit sharing: Cutting out the middlemen (wireless carriers or mobile network operators), enabling them to not only get all of the profits, but also as a means to ensure that they swiftly evade detection.

New schemes of SMS pumping and toll fraud

When these SMS fraud schemes are successful, threat actors will use bots to:

  • Rotate through phone numbers: Strategically changing the phone numbers for SMS requests across multiple accounts.
  • Repeat low and slow attacks: Targeting the same company to trigger the SMS verification or authentication at intermittent intervals to appear legitimate and continue to profit off of their scheme without getting caught.
  • Scale their campaigns to target other companies: Leveraging the same tactics that worked for other companies and quickly pivoting to the next victim on their list.

After seeing how much money companies spend on fake traffic to their SMS systems, you’ll want to ensure it’s not something you’re encountering.

The real impact of SMS fraud on your brand

SMS fraud is not a risk to be underestimated. 

Twitter was a victim of SMS fraud to the order of $60 million per year before they recognized it. 

A tweet from Elon musk saying "Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages"

Twitter’s response was to turn off two-factor authentication (2FA) that relied on SMS to verify someone’s identity, but that solution was not ideal and had security and user experience ramifications. (More info below on what you should do instead.)

SMS-related fraud poses significant risks for online businesses that use SMS services, including:

  • Financial Losses: Attackers generate fraudulent charges related to fake account creation, fraudulent SMS verification, artificially inflated SMS traffic, and other infrastructure-related fees that are ultimately billed back to the originating company, resulting in substantial financial losses.
  • Reputational Damage: SMS fraud can tarnish a company’s reputation – especially when the fraud directly affects the end-user – leading to a loss of customer trust and loyalty.
  • Operational Disruption: Dealing with the aftermath of SMS fraud attacks can disrupt normal operations as companies try to recoup losses and investigate the root cause, diverting valuable resources and time away from other business priorities.
  • Regulatory Compliance Issues: Failure to protect customer data and prevent fraudulent activities may lead to compliance violations and legal repercussions.

One of our customers was suffering financial losses due to SMS fraud. However, by eliminating bot traffic triggering SMS two-factor authentication with Kasada, they managed to save over $2 million.

Red flags and signs of potential SMS fraud

As brands contend with these evolving SMS fraud schemes, it’s crucial to identify early warning signs. Some red flags include:

  • Unusual spikes in web or API traffic
  • An abnormally high volume of account SMS signups
  • Text message traffic being sent to unusual countries
  • Text messages from phone numbers in numerical order
  • Numerous incomplete web forms

What SMS fraud can look like:

a graph showing all the bad bot requests Kasada stopped to protect a customer against SMS toll fraud

As you can see, the bad bot line rarely drops below 20,000 requests. That’s because fraudsters constantly rotate the SMS request premium phone numbers, making it very difficult to detect and stop.

How to combat SMS fraud in 2023

Several companies we’ve been talking to this year have been experiencing an “Oh sh!t” moment with SMS fraud, even with solid attempts to mitigate the problem. 

Almost every vendor recommends using a CAPTCHA to stop SMS fraud. However, even the most sophisticated CAPTCHAs can’t stop the evolving nature of SMS fraud or other bot-driven attacks. In addition, if you rely on a CAPTCHA, you need to implement it on each of your SMS flows, including forms – which don’t provide a great user experience.

Rate limiting and adding SMS restrictions are other common tactics. While these can help reduce SMS fraud, they won’t completely solve the problem. And as a result, it can still cost you millions of dollars if you don’t directly address the bots. 

You need to be able to accurately detect automation and quickly react with dynamic defenses that disrupt and deter bots. 

Strengthen your defenses and cut costs with Kasada

Kasada is purpose-built to protect your company from these costly automated attacks hitting your website, mobile apps, and APIs. We have deflected millions in SMS-related fraud for just one customer and much more across our customer base.

One of our Fortune 100 customers experienced bots driving up chargebacks, SMS verification fees, and infrastructure costs. After working with us to stop the bot traffic and fraud, they saved $5.6 million in SMS charges alone.

Kasada provides robust defense against automated threats, including fake account creation, API abuse, and more without friction:

  • Dynamic, real-time detection: Identifies and blocks suspicious SMS verifications, preventing fraudulent activities.
  • Anomaly detection: Flags unusual SMS verification traffic patterns, enabling proactive mitigation measures.
  • Actionable threat intelligence: Extensive threat intelligence database is continuously updated with the latest attack vectors.
  • Advanced bot detection and mitigation: Stops automated bot attacks responsible for large-scale fraud operations without the need for customization or tuning.
  • Randomized defense mechanisms: Frustrates attackers attempting to reverse engineer by constantly adapting and randomizing our defense mechanisms.

The stealthy tactics employed by organized fraudsters demand proactive protection beyond traditional anti-bot solutions, CAPTCHAs, and rate limiting. By partnering with Kasada for bot mitigation, companies have shielded themselves from financial losses, reputational damage, and operational disruptions caused by SMS fraud and malicious bot attacks.

Want to learn more about how to stay ahead of fraudsters and increase your ROI? Request a demo today.

Want to learn more?

  • The New Mandate for Bot Detection – Ensuring Data Authenticity

    Can the data collected by an anti-bot system be trusted? Kasada's latest platform enhancements include securing the authenticity of web traffic data.

  • The Future of Web Scraping

    If data is the new oil, then web scraping is the new oil rig. The potential impact of web scraping is escalating as the twin forces of alternative data and AI training both rapidly increase in size and complexity.

Beat the bots without bothering your customers — see how.