Protecting Against The $6.7Bn SMS Pumping Fraud Scam

SMS pump fraud has exploded in recent years thanks to organised crime spotting and exploiting the inherent vulnerabilities of mobile devices. So, if you’re not already familiar with ‘SMS pumping’, it’s worth investigating because the targets are businesses, not end-users. 

Also known as ‘Toll Fraud’ and AIT (Artificially Inflated Traffic), this criminal activity takes advantage of businesses who use SMS One-Time Passwords (OTPs) as part of a two-factor authentication (2FA) process for users or employees. 

Criminals have been quick to exploit a previously unknown vulnerability in the online account sign-up process. They create hundreds of thousands of fake accounts and insert premium-rate phone numbers into account sign-up forms and send out SMS OTPs, often to remote destinations across the world. The premium rate charges are billed to the business and the fraudsters pocket all the money; the larger the organisation, the higher the traffic and so the harder it is for them to spot this fraudulent activity. 

SMS pump fraud is already big business involving a sophisticated network of participants. The Communications Fraud Control Association (CFCA) estimated that, in 2021, its cost was more than $6.7 billion across the world and it’s still growing.

X (Twitter) is one of very few companies to have gone public about this kind of fraud. In January 2023, Elon Musk claimed that Twitter had lost more than $60m to SMS pumping (not including North America) and implicated over 390 different telecoms firms in the fraud. 

The involvement of multiple parties highlights just how sophisticated a scam it is. Unscrupulous smaller or virtual mobile network operators are able inflate their traffic, and therefore revenue, on the back of SMS pumping through a revenue share model with the perpetrator. 

This kind of fraud is on the rise because legacy technology creates the vulnerabilities that criminals are quick to exploit. Email and SMS are the two most common mediums for identity verification today but they are both fundamentally messaging protocols.

SMS pumping is just another in the line of threats exploiting the shortcomings of a messaging protocol for security. 

Neither email and SMS have anything built-into them related to security and identity verification. While an SMS OTP is a convenient way to authenticate a user’s identity, it’s not the best way - the SIM card in our mobile device is a much safer way to do that.  

SIM-based verification operates on the basis of something called Silent Network Authentication (SNA). It verifies a mobile phone number directly with the network operator over an encrypted connection. This makes it a secure form of authentication and takes advantage of the ease of a mobile device without risking the vulnerabilities of SMS or email. It’s invisible to the end-user because it happens automatically in the background. 

Silent Network Authentication has proven its security credentials; it’s what allows us to make a call on our mobile phone or use it when we switch it on in the morning without needing to identify ourselves. Network carriers use this SIM-based authentication to conduct security checks without interrupting or asking anything of the end-user. Since SNA operates in the background, the vulnerability associated with passwords, pin codes and authenticator app passcodes - and malware - is removed; there’s no room for error and nothing to steal. It can also be used to detect SIM-swaps. 

However, SIM-based authentication isn’t the answer to SMS pumping in all situations - it’s ability to protect against this fraud is 100% only in a mobile-first set-up where mobile applications are at play. But in these cases, Silent Network Authentication not only completely removes the threat from scams like SMS pumping, it actually also improves the user experience since the user never leaves the app to be authenticated. And it’s a much cheaper and easier security solution than hardware biometrics.

By accelerating our shift to a ‘mobile-first’ approach we are all better placed to take advantage of newer, smarter approaches to authentication like SNA, helping us to move completely away from the need for passwords and SMS, and our security reliance on messaging protocols. This has an especially big upside in emerging markets like India and Mexico where being mobile-first is already widespread. 

While new measures to prevent scams like SMS pump fraud slowly get introduced across the global telecoms industry, Silent Network Authentication presents a simple, secure and quick solution using the existing and secure mobile network infrastructure to bring fraud like this to an end. 

This doesn’t mean businesses should be complacent - it’s critical that we scrutinise our network traffic immediately for anomalies and take appropriate action but there is an effective next step for prevention that we can take which is positive for our bottom line and brand. 
 
Paul McGuire is CEO of TruID                            Image: Andrey Metelev

You Might Also Read:  

Mobile Authentication: The Good, The Bad & The Ugly:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Beyond Traditional Security
Staying Ahead Of Cyberthreats »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Prolinx

Prolinx

Prolinx provide secure Data Centre hosting services and other fully managed security services for networks and information systems.

Northbridge Insurance

Northbridge Insurance

Northbridge is a leading Canadian business insurance provider. Services offered include Cyber Risk insurance.

Maritime Cybersecurity Center (MCC)

Maritime Cybersecurity Center (MCC)

Maritime Cybersecurity Center is a not-for-profit organization focused on regional cybersecurity excellence and readiness, with a special emphasis on the maritime community.

Cryptshare

Cryptshare

Cryptshare is a communication solution that enables you to share e-mails and files of any size securely.

ReliaQuest

ReliaQuest

ReliaQuest’s GreyMatter solution connects existing technology, people, and process – then equips security teams with unified, actionable insights across their entire environment.

Fortalice

Fortalice

Fortalice provide customizable consulting services built on proven methodology to strengthen your business cyber security defenses.

TechStak

TechStak

TechStak is the easiest way for businesses to find and connect with IT Pros and other technology solution providers in their area.

ARCON

ARCON

ARCON offers a proprietary unified governance framework, which addresses risk across various technology platforms.

OmniCyber Security

OmniCyber Security

Omni is a cyber security firm specialising in Penetration Testing, Managed Security and Compliance.

DoControl

DoControl

DoControl gives organizations the automated, self-service tools they need for SaaS applications data access monitoring, orchestration, and remediation.

Nemstar

Nemstar

Nemstar is a specialist in Information Security & Cyber Training with over 25 years' industry experience.

Ermes

Ermes

Ermes – Intelligent Web Protection provides companies with a solution that effectively secures them against web threats.

Apollo Secure

Apollo Secure

Apollo is an automated cybersecurity platform for startups and small businesses to achieve and maintain security compliance.

Closed Door Security

Closed Door Security

Closed Door Security is the only cybersecurity team in the north of Scotland offering everything from IASME Certification to CREST-Accredited penetration testing.

EGUARDIAN

EGUARDIAN

EGUARDIAN serves as a Value-Added Distributor and technology enabler in the APAC region with the aim of further expanding globally and cater to the needs of the demands with the emerging technology.

EK3 Technologies

EK3 Technologies

EK3 Technologies mission is to provide comprehensive cybersecurity and IT solutions that allow our clients to focus on sustaining their business.