Protecting Against The $6.7Bn SMS Pumping Fraud Scam

SMS pump fraud has exploded in recent years thanks to organised crime spotting and exploiting the inherent vulnerabilities of mobile devices. So, if you’re not already familiar with ‘SMS pumping’, it’s worth investigating because the targets are businesses, not end-users. 

Also known as ‘Toll Fraud’ and AIT (Artificially Inflated Traffic), this criminal activity takes advantage of businesses who use SMS One-Time Passwords (OTPs) as part of a two-factor authentication (2FA) process for users or employees. 

Criminals have been quick to exploit a previously unknown vulnerability in the online account sign-up process. They create hundreds of thousands of fake accounts and insert premium-rate phone numbers into account sign-up forms and send out SMS OTPs, often to remote destinations across the world. The premium rate charges are billed to the business and the fraudsters pocket all the money; the larger the organisation, the higher the traffic and so the harder it is for them to spot this fraudulent activity. 

SMS pump fraud is already big business involving a sophisticated network of participants. The Communications Fraud Control Association (CFCA) estimated that, in 2021, its cost was more than $6.7 billion across the world and it’s still growing.

X (Twitter) is one of very few companies to have gone public about this kind of fraud. In January 2023, Elon Musk claimed that Twitter had lost more than $60m to SMS pumping (not including North America) and implicated over 390 different telecoms firms in the fraud. 

The involvement of multiple parties highlights just how sophisticated a scam it is. Unscrupulous smaller or virtual mobile network operators are able inflate their traffic, and therefore revenue, on the back of SMS pumping through a revenue share model with the perpetrator. 

This kind of fraud is on the rise because legacy technology creates the vulnerabilities that criminals are quick to exploit. Email and SMS are the two most common mediums for identity verification today but they are both fundamentally messaging protocols.

SMS pumping is just another in the line of threats exploiting the shortcomings of a messaging protocol for security. 

Neither email and SMS have anything built-into them related to security and identity verification. While an SMS OTP is a convenient way to authenticate a user’s identity, it’s not the best way - the SIM card in our mobile device is a much safer way to do that.  

SIM-based verification operates on the basis of something called Silent Network Authentication (SNA). It verifies a mobile phone number directly with the network operator over an encrypted connection. This makes it a secure form of authentication and takes advantage of the ease of a mobile device without risking the vulnerabilities of SMS or email. It’s invisible to the end-user because it happens automatically in the background. 

Silent Network Authentication has proven its security credentials; it’s what allows us to make a call on our mobile phone or use it when we switch it on in the morning without needing to identify ourselves. Network carriers use this SIM-based authentication to conduct security checks without interrupting or asking anything of the end-user. Since SNA operates in the background, the vulnerability associated with passwords, pin codes and authenticator app passcodes - and malware - is removed; there’s no room for error and nothing to steal. It can also be used to detect SIM-swaps. 

However, SIM-based authentication isn’t the answer to SMS pumping in all situations - it’s ability to protect against this fraud is 100% only in a mobile-first set-up where mobile applications are at play. But in these cases, Silent Network Authentication not only completely removes the threat from scams like SMS pumping, it actually also improves the user experience since the user never leaves the app to be authenticated. And it’s a much cheaper and easier security solution than hardware biometrics.

By accelerating our shift to a ‘mobile-first’ approach we are all better placed to take advantage of newer, smarter approaches to authentication like SNA, helping us to move completely away from the need for passwords and SMS, and our security reliance on messaging protocols. This has an especially big upside in emerging markets like India and Mexico where being mobile-first is already widespread. 

While new measures to prevent scams like SMS pump fraud slowly get introduced across the global telecoms industry, Silent Network Authentication presents a simple, secure and quick solution using the existing and secure mobile network infrastructure to bring fraud like this to an end. 

This doesn’t mean businesses should be complacent - it’s critical that we scrutinise our network traffic immediately for anomalies and take appropriate action but there is an effective next step for prevention that we can take which is positive for our bottom line and brand. 
 
Paul McGuire is CEO of TruID                            Image: Andrey Metelev

You Might Also Read:  

Mobile Authentication: The Good, The Bad & The Ugly:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Beyond Traditional Security
Staying Ahead Of Cyberthreats »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

K&D Insurance Brokers

K&D Insurance Brokers

K&D provide insurance for all sectors of industry and commerce including cyber risk cover.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

AuthenTrend

AuthenTrend

AuthenTrend provide biometric authentication products to achieve high security with extreme ease-of-use for the user.

Datacom Systems

Datacom Systems

Datacom Systems is a leading manufacturer of network visibility solutions.

RevenueStream

RevenueStream

RevenueStream uses an innovative algorithmic approach to intercept and prevent payment fraud before it even happens.

TruSTAR Technology

TruSTAR Technology

TruSTAR is a threat intelligence exchange platform built to protect and incentivize information sharing.

Khipu Networks

Khipu Networks

Khipu Networks is an award winning Cyber Security Company delivering a wide range of network, wireless and security solutions, technologies and services across multiple sectors.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Robert Walters

Robert Walters

Robert Walters is one of the world's leading global specialist professional recruitment and recruitment process outsourcing consultancies.

Ironhack

Ironhack

Ironhack provide intensive training courses & bootcamps in Web Development, UX/UI Design, Data Analytics & Cybersecurity.

Condition Zebra

Condition Zebra

Condition Zebra has wide experience in providing IT Security Services, Training, and Certification in the field of cybersecurity.

NewAE Technology

NewAE Technology

NewAE Technology is revolutionizing the hardware security market by making every engineer and designer aware of side-channel power analysis and glitching as important attack vectors.

Forta

Forta

Forta is a real-time detection network for security & operational monitoring of blockchain activity.

Fibernet

Fibernet

Fibernet's innovative solutions in the fields of cybersecurity and fiber optics range from telecommunications infrastructure to small business cybersecurity.

Vector Choice Technologies

Vector Choice Technologies

Vector Choice Technology Solutions has a long standing reputation in cyber security consulting since 2008.

SecureLake

SecureLake

SecureLake (formerly Managni) is one of the most trusted US-based IT security and infrastructure companies.