What is SMS Pumping?
SMS Pumping occurs when a fraudster pretends to be a user and causes your company to send SMS messages to premium rate numbers. Your company is charged by your telephony provider (Twilio, Vonage, Plivo, Telnyx, etc.) for delivery to premium rate numbers. The telephony provider then pays a premium to the mobile network operator (MNO) that owns that number. The MNO then shares that revenue with the fraudster.
The most common forms of SMS Pumping occur when a fraudster exploits an API (or phone number input field) to receive an app download link, a one-time password, 2fa code, QR Code or similar message via SMS.
How expensive is SMS Pumping?
According to a study published by the Communications Fraud Control Association (CFCA), fraud resulted in global losses amounting to $39.89 billion in 2021. This amounts to 2.22% of the total revenue of the global telecommunications sector. The primary contributor to these losses was SMS Pumping, which alone was responsible for $4.54 billion.
If you’re reading this, your company has likely been impacted by SMS Pumping. What percentage of your outbound SMS messages did not result in the expected conversion? How much of that loss was due to SMS Pumping?
How we fight SMS Pumping
We’ve created an API that crowd-sources real-time intelligence across all of our customers. We proactively identify phone numbers, adjacent phone numbers, IP addresses, and adjacent IP addresses controlled and exploited by fraudsters. We do this by monitoring the entire authentication cycle which allows us to provide reputation scores on IP addresses and phone numbers.
Authentication Cycle (Unprotected):
- A user attempts to sign in to your app or is sent a download link or QR code by providing their phone number.
- Your API sends the user an SMS.
-
- If the user is real, they will complete the next step (login to the app, tap a link, etc.)
- If the user is a fraudster, they will instruct your API to send additional SMSs to other premium rate numbers.
Authentication Cycle (Protected by the SMS Guard API):
- A user attempts to sign in to your app or request a link by providing their phone number.
- Your API requests a reputation score from the SMS Guard API for the phone number and the IP address in question.
- Our API responds with reputation scores for the phone number, adjacent phone numbers, IP address, and adjacent IP addresses.
-
- If the reputation scores are healthy, your API will send the user an SMS.
- If the reputation scores are suspicious, your API will require the user to complete a captcha before sending the SMS. Alternatively, your API could drop the request.
- Your API will inform the SMS Guard API that you have just sent an SMS to a specific phone number and IP address.
- When the user authenticates (or performs the next action), your API will inform the SMS Guard API.
Closing the loop
By matching phone numbers and IP addresses from steps 5 and 6, we can track which phone numbers and IP addresses successfully authenticate (or convert). The ratio of successful vs. unsuccessful authentications allows us to create reputation scores.
Reputation Scores
Crowdsourcing Intelligence
Fraudsters will indiscriminately target any API that will send an SMS to a premium rate number. We crowdsource signal from a variety of customers. This enables us to more accurately SMS Guard for all of our customers. SMS Guard continuously adds new customers so we can increase the accuracy of our service for all of our customers.
Adjacent Phone Numbers
Premium Rate Numbers are sold in contiguous blocks. This means that the reputation scores of adjacent phone numbers provide an actionable signal.
IP Addresses and Networks
Fraudsters will often send malicious API requests from VPNs, Proxies, and Tor. They have access to a wide variety of IP addresses. Some Internet Service Providers / Hosting Providers, which control networks of IP addresses, do their best to be good Internet citizens. Accordingly, they’ll attempt to detect and block malicious outbound traffic. Sometimes they succeed. Sometimes they do not. Other ISPs / Hosting Providers do not attempt to be good Internet citizens and provide hosting services to scammers, spammers, fraudsters, bot networks, etc.
Regardless of whether or not an ISP or Hosting Provider attempts to block outbound malicious traffic, we maintain reputation scores of individual IPs and networks of adjacent IPs.
Why our approach is better
A few telephony providers offer fraud prevention tools. However, they aren’t very effective, and you’ll still waste alarming amounts of money sending SMSs to premium rate numbers controlled by fraudsters. Telephony providers merely pay lip service to reduce SMS Pumping. Their incentives are not aligned with yours.
We crowdsource intelligence across a variety of customers, regardless of which telephony provider you use. This allows us to provide the most effective service for blocking SMS Pumping and SMS pumping.
Schedule a call
Please schedule a call with us or send us an e-mail.