SMS Pumping Fraud Prevention: How to Detect and Stop Artificially Inflated Traffic

SMS pumping fraud is the silent line item draining your verification budget while your real signups stay flat. Bots flood your OTP endpoint, your provider delivers real messages to attacker-controlled premium-rate numbers, and you pay the bill. Whether you call it artificially inflated traffic (AIT), SMS toll fraud, or International Revenue Share Fraud (IRSF), the attack pattern is the same — and it cost brands $1.16 billion in 2023, according to Enea and Mobilesquared.

This guide gives you the detection signals, runnable code patterns, and carrier-level defenses to stop SMS pumping fraud before it reaches your invoice.

What Is SMS Pumping Fraud?

SMS pumping fraud — also called artificially inflated traffic (AIT) or SMS toll fraud — is a scheme where attackers exploit OTP and verification endpoints to generate massive volumes of fake SMS messages. Those messages route to premium-rate phone numbers the attacker controls. Every message you send earns them revenue through carrier termination fees.

The terminology varies by context, but the attack is identical:

| Term | Context |
| --- | --- |
| SMS pumping | Industry-standard name for the attack pattern |
| Artificially Inflated Traffic (AIT) | Carrier and regulatory term |
| SMS toll fraud | Telecom billing perspective |
| IRSF (International Revenue Share Fraud) | When routing crosses international borders |
| SMS traffic pumping | Variant used in carrier fraud reports |

The scale is staggering. Between 19.8 billion and 35.7 billion fraudulent AIT messages were sent in 2023, representing 4.8% of global A2P messaging traffic.

The most public case: as reported by Plivo, citing Elon Musk’s disclosure and LANCK Telecom’s analysis, Twitter (now X) lost approximately $60 million annually to SMS pumping fraud, involving over 390 telecom operators worldwide. Twitter’s response was to cut off SMS-based two-factor authentication entirely.

How Does SMS Pumping Work?

Every SMS pumping attack follows the same chain. Understanding it is the first step to breaking it.

Step 1: Reconnaissance

The attacker identifies an unprotected OTP or verification endpoint — a signup form, password reset, or phone verification flow that sends an SMS without meaningful bot protection. Public-facing forms without CAPTCHA or rate limiting are the primary targets.

Step 2: Bot-Driven OTP Requests

Automated scripts submit phone numbers in bulk to the target endpoint. The numbers belong to premium-rate ranges or international destinations where the attacker has revenue-share agreements with the terminating carrier.

A single bot campaign can generate thousands of requests per minute. Each request triggers a real SMS delivery — and a real charge on your account.

Step 3: Message Routing and Revenue Collection

Your SMS provider delivers the messages through standard carrier routes. The terminating carrier collects a delivery fee for each message. A portion of that fee flows back to the attacker through their revenue-share arrangement.

In Africa, these routes often hop through multiple intermediary operators before reaching the destination — each hop a potential collusion point.

Step 4: Scale and Repeat

The attacker scales the campaign across multiple endpoints and rotates phone number ranges to avoid detection. Sophisticated operations time their bursts around legitimate traffic peaks — payday cycles, holiday weekends — to mask the artificial volume inside real spikes.

Without detection controls, a pumping campaign can run for weeks before the invoice reveals the damage.

How to Detect SMS Pumping Attacks

Detection starts in your logs. These five signals, monitored together, catch the vast majority of pumping campaigns within minutes of onset.

| Signal | What to Measure | Suspicious Threshold | Confidence |
| --- | --- | --- | --- |
| Burst rate | OTP requests per minute per endpoint | >10x your 7-day rolling baseline | High |
| Verify-to-send ratio | OTP verifications ÷ OTP sends (rolling 1-hour window) | Below 30% (healthy: 60–85%) | Very high |
| Country-code anomaly | OTP sends to country codes outside your top 5 | Any sudden spike to an unused country code | High |
| IP/device clustering | Unique phone numbers per IP per hour | >5 numbers from one IP in 60 minutes | High |
| First-message-fail rate | OTPs returning operator-side delivery failures | Sudden rise alongside cost spike | Medium |

The verify-to-send ratio is the most reliable single metric. Legitimate users verify. Bots do not. A drop from 70% to 25% over an hour is artificially inflated traffic — full stop.
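
The first four signals in the table can be computed from the same OTP event log. The following is an added example, not code from the original article: the event fields, the operating-market prefixes and the sample events are constructed for illustration, and the thresholds are the ones listed in the table.

```javascript
// Added example: evaluate the detection signals over an OTP event log.
// Event shape { ts, type, phone, ip } and all sample data are constructed.
const THRESHOLDS = { minVerifyRatio: 0.30, maxPhonesPerIp: 5, burstFactor: 10 };
const EXPECTED_PREFIXES = ['+233', '+234', '+27']; // assumed operating markets

// Events with a timestamp (seconds) inside the trailing window ending at `now`.
function inWindow(events, now, seconds) {
  return events.filter(e => e.ts > now - seconds && e.ts <= now);
}

function evaluateSignals(events, now, baselinePerMinute) {
  const hour = inWindow(events, now, 3600);
  const sends = hour.filter(e => e.type === 'send');
  const verifies = hour.filter(e => e.type === 'verify');

  // Verify-to-send ratio over the rolling 1-hour window.
  const verifyRatio = sends.length ? verifies.length / sends.length : 1;

  // IP clustering: distinct phone numbers requested per IP in 60 minutes.
  const phonesByIp = new Map();
  for (const e of sends) {
    if (!phonesByIp.has(e.ip)) phonesByIp.set(e.ip, new Set());
    phonesByIp.get(e.ip).add(e.phone);
  }
  const clusteredIps = [...phonesByIp]
    .filter(([, phones]) => phones.size > THRESHOLDS.maxPhonesPerIp)
    .map(([ip]) => ip);

  // Country-code anomaly: sends to prefixes outside the operating markets.
  const offMarketSends = sends.filter(
    e => !EXPECTED_PREFIXES.some(p => e.phone.startsWith(p))).length;

  // Burst rate: sends in the last minute against the rolling baseline.
  const lastMinute = inWindow(sends, now, 60).length;

  const alerts = [];
  if (verifyRatio < THRESHOLDS.minVerifyRatio) alerts.push('verify_ratio');
  if (clusteredIps.length > 0) alerts.push('ip_clustering');
  if (offMarketSends > 0) alerts.push('country_anomaly');
  if (lastMinute > THRESHOLDS.burstFactor * baselinePerMinute) alerts.push('burst_rate');
  return { verifyRatio, clusteredIps, offMarketSends, lastMinute, alerts };
}

// Constructed sample: one hour of normal signups plus a 30-second burst.
function buildSampleEvents() {
  const events = [];
  // Normal traffic: 10 sends from distinct IPs, 7 of them verified.
  for (let i = 0; i < 10; i++) {
    const ts = 100 + i * 300;
    const phone = `+23324000000${i}`;
    const ip = `198.51.100.${i + 1}`;
    events.push({ ts, type: 'send', phone, ip });
    if (i < 7) events.push({ ts: ts + 30, type: 'verify', phone, ip });
  }
  // Burst: 30 sends to an unused country code from two IPs, none verified.
  for (let i = 0; i < 30; i++) {
    events.push({
      ts: 3570 + i,
      type: 'send',
      phone: `+9607${String(i).padStart(6, '0')}`,
      ip: i % 2 === 0 ? '203.0.113.8' : '203.0.113.7',
    });
  }
  return events;
}

console.log(evaluateSignals(buildSampleEvents(), 3600, 1));
```

The normal traffic in the sample, taken alone, has a 70% ratio and raises no alert; adding the burst drags the hourly ratio to 17.5% even though the legitimate users behaved the same.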

Burst-Detection Pseudocode

The core logic fits any language. Track request counts per identifier (phone, IP, device) in a sliding window, and block when thresholds are exceeded.

FUNCTION check_otp_rate_limit(identifier_type, identifier_value):
    key = "otp_limit:" + identifier_type + ":" + identifier_value
    current_count = INCREMENT(key)
    IF current_count == 1:
        SET_EXPIRY(key, window_seconds)
    RETURN current_count <= max_allowed

FUNCTION handle_otp_request(phone, ip, device_id):
    IF NOT check_otp_rate_limit("phone", phone): BLOCK
    IF NOT check_otp_rate_limit("ip", ip): BLOCK
    IF NOT check_otp_rate_limit("device", device_id): BLOCK
    send_otp(phone)

Node.js Implementation with Redis

For production, use Redis for distributed rate-limit counters tied into your OTP send path.

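const Redis = require('ioredis');

const redis = new Redis();

// Per-identifier limits: maximum OTP requests allowed inside each window.
const OTP_LIMITS = {
  phone: { max: 5, windowSeconds: 3600 },
  ip: { max: 10, windowSeconds: 3600 },
  device: { max: 5, windowSeconds: 3600 }
};

// Increment the counter for this identifier; the first hit starts the window.
// INCR and EXPIRE are separate commands here: if the process dies between
// them the key never expires, so wrap both in MULTI or a Lua script if you
// need the pair to be atomic.
async function checkRateLimit(type, identifier) {
  const key = `otp_limit:${type}:${identifier}`;
  const current = await redis.incr(key);
  if (current === 1) {
    await redis.expire(key, OTP_LIMITS[type].windowSeconds);
  }
  return current <= OTP_LIMITS[type].max;
}

// Express-style handler (expects a parsed JSON body).
// sendOtp() is your SMS provider call and is not defined here.
async function handleOtpRequest(req, res) {
  const { phoneNumber } = req.body || {};
  if (typeof phoneNumber !== 'string' || phoneNumber.length === 0) {
    return res.status(400).json({ error: 'phoneNumber is required.' });
  }
  const clientIp = req.ip;
  // Client-supplied header: requests without it all share the 'unknown' bucket.
  const deviceId = req.headers['x-device-id'] || 'unknown';

  const checks = await Promise.all([
    checkRateLimit('phone', phoneNumber),
    checkRateLimit('ip', clientIp),
    checkRateLimit('device', deviceId)
  ]);

  if (checks.some(allowed => !allowed)) {
    return res.status(429).json({
      error: 'Too many OTP requests. Try again later.'
    });
  }

  await sendOtp(phoneNumber);
  return res.json({ success: true, message: 'OTP sent.' });
}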

Python (Flask + Redis) Equivalent

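import redis
from flask import Flask, request, jsonify

app = Flask(__name__)
r = redis.Redis()

# Per-identifier limits: maximum OTP requests allowed inside each window (seconds).
OTP_LIMITS = {
    "phone": {"max": 5, "window": 3600},
    "ip": {"max": 10, "window": 3600},
    "device": {"max": 5, "window": 3600},
}


def check_rate_limit(limit_type, identifier):
    """Increment the counter for this identifier; the first hit starts the window."""
    key = f"otp_limit:{limit_type}:{identifier}"
    current = r.incr(key)
    if current == 1:
        r.expire(key, OTP_LIMITS[limit_type]["window"])
    return current <= OTP_LIMITS[limit_type]["max"]


@app.route("/api/otp/send", methods=["POST"])
def send_otp_endpoint():
    # Reject missing or non-JSON bodies instead of raising inside the handler.
    payload = request.get_json(silent=True) or {}
    phone_number = payload.get("phone_number")
    if not isinstance(phone_number, str) or not phone_number:
        return jsonify({"error": "phone_number is required."}), 400
    client_ip = request.remote_addr
    # Client-supplied header: requests without it all share the "unknown" bucket.
    device_id = request.headers.get("X-Device-Id", "unknown")

    if not all([
        check_rate_limit("phone", phone_number),
        check_rate_limit("ip", client_ip),
        check_rate_limit("device", device_id),
    ]):
        return jsonify({"error": "Too many OTP requests."}), 429

    # send_otp() is your SMS provider call and is not defined here.
    send_otp(phone_number)
    return jsonify({"success": True, "message": "OTP sent."})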
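
The counters above open a window on the first request and reset when the key expires, which makes them fixed-window counters rather than sliding ones. This added example (not code from the original article; the class names, phone number and request timeline are constructed) replays one request pattern through both designs, using the 5-per-hour phone limit, to show what each lets through at the window boundary.

```javascript
// Added example: fixed-window vs sliding-window OTP counting.
// Class names and the request timeline are constructed for illustration.

// Fixed window, as INCR + EXPIRE behaves: the first request opens the window,
// every request increments, and the count resets when the key expires.
class FixedWindowLimiter {
  constructor(max, windowSeconds) {
    this.max = max;
    this.windowSeconds = windowSeconds;
    this.buckets = new Map(); // key -> { count, expiresAt }
  }
  allow(key, now) {
    let bucket = this.buckets.get(key);
    if (!bucket || now >= bucket.expiresAt) {
      bucket = { count: 0, expiresAt: now + this.windowSeconds };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    return bucket.count <= this.max;
  }
}

// Sliding window log: remember when each accepted request happened and
// count only those inside the trailing window ending at `now`.
class SlidingWindowLimiter {
  constructor(max, windowSeconds) {
    this.max = max;
    this.windowSeconds = windowSeconds;
    this.logs = new Map(); // key -> accepted timestamps
  }
  allow(key, now) {
    const cutoff = now - this.windowSeconds;
    const recent = (this.logs.get(key) || []).filter(t => t > cutoff);
    const allowed = recent.length < this.max;
    if (allowed) recent.push(now);
    this.logs.set(key, recent);
    return allowed;
  }
}

// Constructed timeline (seconds) for one phone number: one request opens the
// window, four arrive just before it expires, five more right after.
const TIMELINE = [0, 3596, 3597, 3598, 3599, 3600, 3601, 3602, 3603, 3604];

// Replay the timeline and return the timestamps that were allowed through.
function replay(limiter, timeline, key = 'phone:+233240000000') {
  return timeline.filter(t => limiter.allow(key, t));
}

// Largest number of accepted sends inside any trailing window.
function peakInWindow(accepted, windowSeconds) {
  return Math.max(0, ...accepted.map(
    end => accepted.filter(t => t > end - windowSeconds && t <= end).length));
}

const fixedAccepted = replay(new FixedWindowLimiter(5, 3600), TIMELINE);
const slidingAccepted = replay(new SlidingWindowLimiter(5, 3600), TIMELINE);
console.log('fixed window:  ', fixedAccepted.length, 'sent, peak per hour',
  peakInWindow(fixedAccepted, 3600));
console.log('sliding window:', slidingAccepted.length, 'sent, peak per hour',
  peakInWindow(slidingAccepted, 3600));
```

With Redis, a sliding log of this kind is commonly kept in one sorted set per identifier, scored by timestamp.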

Rate-Limit Configuration Pattern

Tune these thresholds to your traffic. Start conservative, then relax based on false-positive rates:

| Dimension | Starting Limit | Window | Escalation |
| --- | --- | --- | --- |
| Per phone number | 5 OTPs | 1 hour | Block + flag for review |
| Per IP address | 10 OTPs | 1 hour | Block + alert ops team |
| Per device fingerprint | 5 OTPs | 1 hour | Block + require CAPTCHA |
| Global endpoint | 200% of baseline | 5 minutes | Throttle all traffic + alert |

For deeper guidance on rate-limit windows and OTP expiration timing, see our guide on OTP rate limiting and expiration best practices.

Warning Signs Your OTP Endpoint Is Being Pumped

Not every anomaly is an attack, but these patterns together indicate SMS pumping fraud with high confidence.

Traffic Volume Spikes

OTP request volume jumps 5–10x above your normal baseline with no corresponding product launch, marketing push, or seasonal event. The spike concentrates in a narrow time window — minutes, not hours.

Unusual Geographic Distribution

OTP requests suddenly target country codes where you have no users. A Lagos-based fintech receiving a burst of requests for Maldives or Tonga numbers is not organic growth.

Low Verification Completion Rates

Your verify-to-send ratio drops below 30%. Real users complete verification. Bots trigger the send and move on.

Concentrated Request Patterns

Multiple phone numbers arrive from a single IP, a narrow IP range, or the same device fingerprint. Legitimate signups distribute across diverse IPs and devices.

SMS Cost Anomalies

Your SMS invoice spikes without a matching increase in verified users or completed transactions. The gap between “messages sent” and “users verified” is the financial footprint of artificially inflated traffic.

How to Prevent SMS Pumping Fraud: 7 Defenses

No single technique stops SMS pumping. Attackers adapt. Effective SMS pumping fraud prevention layers multiple controls so that bypassing one still triggers another.

1. Per-Number and Per-IP Rate Limiting

Cap OTP requests per phone number and per IP address within a sliding time window. This is your first line of defense — it limits the volume a single attacker source can generate.

The code examples above implement this pattern. Start with 5 OTPs per phone per hour and 10 per IP per hour, then adjust based on your legitimate traffic patterns.

2. Country Prefix Allow-Listing (Geo-Fencing)

If your application serves users in Ghana, Nigeria, and South Africa, block OTP delivery to every other country code.

const ALLOWED_COUNTRY_CODES = [
  '+233', // Ghana
  '+234', // Nigeria
  '+27',  // South Africa
  '+254', // Kenya
  '+225', // Cote d'Ivoire
];

function isAllowedCountry(phoneNumber) {
  return ALLOWED_COUNTRY_CODES.some(
    code => phoneNumber.startsWith(code)
  );
}

Update the allowlist as you expand to new markets. Default to deny — every unblocked country code is an open door for SMS pumping attacks.

3. CAPTCHA on Verification Endpoints

Place a CAPTCHA challenge before the OTP request — not after. If the bot can trigger the SMS without solving a challenge, the CAPTCHA is useless.

Google reCAPTCHA v3, hCaptcha, and Cloudflare Turnstile all work as invisible challenges that add minimal friction for real users while blocking automated scripts.

The key: the CAPTCHA must gate the API call that triggers SMS delivery. Placing it on the frontend form but not validating server-side leaves the OTP endpoint exposed to direct API calls.
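
One way to enforce that ordering on the server, as an added example that is not code from the original article: the handler shape, the `captchaToken` field and the injected `deps` object are assumptions, and Cloudflare Turnstile's siteverify endpoint is used as the verifier. A request that arrives without a valid token never reaches the SMS send.

```javascript
// Added example: the CAPTCHA check runs server-side, before any SMS is sent.
// gatedOtpHandler, captchaToken and deps are hypothetical names for this sketch.
const SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

// Ask the CAPTCHA provider whether the token is valid. Any missing token,
// transport error or non-success answer counts as a failed challenge.
async function verifyCaptcha(token, remoteIp, secret, fetchImpl) {
  if (typeof token !== 'string' || token.length === 0) return false;
  try {
    const res = await fetchImpl(SITEVERIFY_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ secret, response: token, remoteip: remoteIp }),
    });
    if (!res.ok) return false;
    const data = await res.json();
    return data.success === true;
  } catch {
    return false; // fail closed: no verification, no SMS
  }
}

// deps = { secret, fetchImpl, sendOtp }: injected so the gate can be tested
// without network access. In production fetchImpl is the global fetch and
// sendOtp is your SMS provider call.
async function gatedOtpHandler(body, remoteIp, deps) {
  const passed = await verifyCaptcha(
    body.captchaToken, remoteIp, deps.secret, deps.fetchImpl);
  if (!passed) {
    return { status: 403, sent: false };
  }
  await deps.sendOtp(body.phoneNumber);
  return { status: 200, sent: true };
}
```
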

4. Device Fingerprinting

Collect a device fingerprint (browser hash, screen resolution, installed fonts, timezone) and rate-limit per fingerprint. This catches bot farms rotating IP addresses but reusing the same browser automation framework.

Device fingerprinting is most effective as a secondary signal alongside IP-based rate limiting — not as a standalone defense.

5. Carrier-Level Fraud Protection

Providers with direct carrier connections can validate phone numbers before sending. Number-type checks distinguish consumer mobile numbers from premium-rate ranges, VoIP lines, and disposable numbers — blocking the destinations that exist solely to collect termination fees.

Direct network connections also remove the intermediary routing hops where revenue-share fraud arrangements typically operate. For teams in African markets, this matters: OTP routes across MTN, Vodafone, and AirtelTigo networks can traverse multiple intermediaries, and each hop is a potential collusion point.

Arkesel’s Phone Number Verification validates number type, carrier, and line status before delivery — with direct connections into African mobile networks.

6. Per-Success Billing Models

Some providers charge per message sent. Others charge per successful verification. Per-success billing shifts the financial risk of pumping from you to the provider — if a bot triggers 1,000 OTP sends but none verify, you pay nothing.

When evaluating providers, ask specifically about their billing model for unverified OTPs. For a detailed comparison, see our OTP API provider comparison for 2026.

7. Real-Time Anomaly Detection and Alerting

Configure spending limits and automated alerts. A monthly cap that triggers a warning at 80% and pauses delivery at 100% prevents runaway costs during an active attack.

Combine cost alerts with verify-to-send ratio monitoring. A sudden cost spike paired with a ratio drop below 30% is a high-confidence SMS pumping signal that should trigger automatic throttling.

SMS Pumping in Africa: Mobile Money and Fintech Scenarios

Global guides treat artificially inflated traffic as a US/EU problem. Developers shipping across MTN, Vodafone, and AirtelTigo footprints see a different threat surface.

Cross-Border Pumping via Inter-Operator Routes

African telecom routes hop across multiple operators before terminating. An OTP sent from a Lagos signup form can transit two or three intermediaries before reaching the destination handset. Each hop is a potential collusion point — and a fraud route that doesn’t show up on standard country-code allowlists.

The defense: prefer providers with direct connections into the destination networks. Direct termination removes the intermediary leg where pumping arrangements typically live.

Premium-Rate Number Ranges on Local Carriers

MTN, Vodafone, and AirtelTigo each maintain premium-rate number ranges for legitimate revenue-share services. Attackers acquire or spoof numbers in these ranges and point your OTP endpoint at them. Because the numbers are technically valid mobile numbers on real local carriers, naive carrier-lookup checks let them through.

The defense: number-type validation that distinguishes consumer mobile ranges from premium-rate ranges within the same carrier. This requires a provider with carrier-level intelligence, not just country-code logic.

Mobile Money Verification Fraud

Fintech platforms in Ghana, Nigeria, Kenya, South Africa, and Tanzania face a specific variant: pumping attacks targeting mobile money signup and transaction verification OTPs. The attacker profits from the SMS termination fees while the platform’s OTP budget absorbs the cost.

For regulated fintech workloads, the OTP layer needs both SMS pumping protection and transaction-grade reliability. Our guide on OTP for fintech and banking covers the compliance and audit-log requirements that sit alongside these defenses.

Bursty Patterns on Local-Holiday Schedules

Pumping campaigns targeting African endpoints frequently spike around local payday cycles and public holidays, when legitimate signup volume is also elevated — masking the artificial burst inside a real spike. The verify-to-send ratio is the only signal that survives this overlap.

How to Respond When SMS Pumping Is Detected

When your monitoring flags an active pumping attack, move through this sequence:

  1. Block suspicious country prefixes immediately. If the attack targets country codes outside your operating regions, add them to your deny list within minutes. This stops the bleeding.
  2. Throttle the verification endpoint. Reduce allowed request rates across all identifiers — phone, IP, and device. Legitimate users experience a brief delay; the attacker’s throughput collapses.
  3. Review carrier invoices for anomalous charges. Compare “messages sent” against “verifications completed” for the attack window. The gap is your exposure.
  4. Report to your carrier and request a fraud investigation. Carriers have fraud teams and revenue-share audit trails. Reporting builds a case for refunds and gives the carrier grounds to block the premium-rate numbers involved.
  5. Implement permanent prevention controls. Use the attack as the forcing function to deploy the layered defenses above — rate limiting, geo-fencing, CAPTCHA, and carrier-level validation. A complete SMS pumping fraud prevention strategy combines all seven defenses from this guide.

Choosing an OTP Provider with Built-In Fraud Protection

Not every OTP provider treats SMS pumping prevention as a first-class concern. When evaluating providers, prioritize these capabilities:

  • Built-in rate limiting at the platform level, not just documentation telling you to build your own
  • Phone number intelligence — number-type validation, carrier lookup, premium-rate detection before delivery
  • Direct carrier connections in your operating markets, removing intermediary routing hops
  • Real-time delivery analytics that surface verify-to-send ratio, geographic distribution, and cost anomalies
  • Geographic controls configurable from a dashboard without API changes
  • Per-success or hybrid billing that limits your exposure to unverified OTP sends

Arkesel’s Phone Number Verification delivers these capabilities with direct connections into MTN, Vodafone, and AirtelTigo networks across Ghana, Nigeria, Kenya, South Africa, and Tanzania. The Arkesel SMS Platform adds delivery analytics, anomaly detection, and geographic controls at the infrastructure level.

For a head-to-head comparison of fraud protection across providers, see our OTP API provider comparison for 2026.

The Regulatory Landscape: Industry Response to AIT

The industry is fighting back. As reported by Infosecurity Magazine, citing Juniper Research, global subscriber losses from SMS fraud will decline from $80 billion in 2025 to $71 billion in 2026, an 11% decrease — driven by stronger carrier-side fraud detection and regulatory action.

Key regulatory developments:

  • Carrier-side AIT filtering. Major carriers now deploy machine learning to flag abnormal traffic patterns before message delivery, automatically blocking suspected pumping campaigns.
  • Revenue-share audits. Regulators in multiple markets require carriers to audit their revenue-share partners, making it harder for fraudsters to establish the termination agreements that fund pumping operations.
  • Industry collaboration. Organizations like the MEF (Mobile Ecosystem Forum) and the GSMA publish anti-fraud best practices and maintain shared databases of known premium-rate fraud numbers.

Regulation reduces the total attack surface, but it does not eliminate your responsibility. The SMS pumping fraud prevention defenses in this guide protect your endpoints regardless of how effective carrier-side filtering becomes.

Implementation Checklist

Use this checklist to audit your current SMS pumping protection and identify gaps:

  • Rate limiting active — per phone number, per IP, and per device fingerprint with sliding time windows
  • Country code allowlist enforced — OTP delivery restricted to your operating markets only
  • CAPTCHA gates the OTP trigger — server-side validation, not just frontend
  • Verify-to-send ratio monitored — alerting threshold set at 30%
  • Spending caps configured — monthly budget with 80% warning and 100% pause
  • Phone number validation active — number type, carrier, and premium-rate checks before delivery
  • Geographic anomaly alerts configured — notification on OTP sends to unexpected country codes
  • Incident response plan documented — team knows the block → throttle → review → report sequence
  • Provider fraud capabilities evaluated — direct carrier connections, per-success billing, real-time analytics

For teams building OTP systems from scratch, the OTP API integration guide covers the full implementation path with built-in fraud controls.

Frequently Asked Questions

What is SMS pumping fraud?

SMS pumping fraud — also called artificially inflated traffic (AIT) or SMS toll fraud — is an attack where bots flood an OTP or verification endpoint, sending real SMS messages to premium-rate numbers the attacker controls. The attacker earns a share of the termination fee on every message sent.

How do you detect SMS pumping in your logs?

Monitor five signals together: burst rate per IP (>10x baseline), verify-to-send ratio (below 30% is suspicious), country-code anomaly (sudden volume to an unused country code), unique phone numbers per IP per hour (>5 from one IP), and first-message-fail rate. The verify-to-send ratio is the single most reliable signal — real users verify, bots don’t.

What is the difference between SMS pumping and smishing?

SMS pumping generates fraudulent outbound traffic through your endpoints to earn carrier revenue. Smishing sends inbound phishing messages to your users to steal credentials. Pumping costs you money directly through inflated SMS bills. Smishing targets your users’ data. Different attack vectors, different defenses.

How much does SMS pumping cost businesses annually?

AIT fraud cost brands $1.16 billion in 2023. Individual company losses vary widely — Twitter reported $60 million per year before eliminating SMS-based 2FA. For your platform, the cost depends on your OTP volume, your rate limiting, and how quickly you detect the attack.

What is artificially inflated traffic (AIT)?

AIT is the industry and regulatory term for SMS pumping — artificially generated message volume designed to inflate carrier termination revenue. The terms are interchangeable. AIT appears more frequently in carrier billing disputes and regulatory filings.

How can African businesses defend against SMS pumping?

Layer three controls: geo-fence OTP delivery to your operating country codes (Ghana +233, Nigeria +234, South Africa +27, Kenya +254, Tanzania +255), validate phone numbers against carrier premium-rate ranges before sending, and use a provider with direct connections into African mobile networks. Direct network connections eliminate the intermediary routing hops where pumping fraud arrangements operate. See our guide on OTP security best practices for the full security framework.

Protect Your OTP Endpoints from SMS Pumping

SMS pumping fraud is a solvable problem. Rate limiting, geo-fencing, phone number validation, and carrier-level protection — layered together — stop the vast majority of attacks before they reach your invoice.

Arkesel delivers fraud-resistant OTP delivery with direct carrier connections across Africa’s major networks. Talk to Arkesel about fraud-resistant OTP delivery on direct carrier connections, or create a free account to test the OTP flow in your staging environment.
