Protecting Against The $6.7Bn SMS Pumping Fraud Scam

SMS pump fraud has exploded in recent years thanks to organised crime spotting and exploiting the inherent vulnerabilities of mobile devices. So, if you’re not already familiar with ‘SMS pumping’, it’s worth investigating because the targets are businesses, not end-users. 

Also known as ‘Toll Fraud’ and AIT (Artificially Inflated Traffic), this criminal activity takes advantage of businesses who use SMS One-Time Passwords (OTPs) as part of a two-factor authentication (2FA) process for users or employees. 

Criminals have been quick to exploit a previously unknown vulnerability in the online account sign-up process. They create hundreds of thousands of fake accounts and insert premium-rate phone numbers into account sign-up forms and send out SMS OTPs, often to remote destinations across the world. The premium rate charges are billed to the business and the fraudsters pocket all the money; the larger the organisation, the higher the traffic and so the harder it is for them to spot this fraudulent activity. 

SMS pump fraud is already big business involving a sophisticated network of participants. The Communications Fraud Control Association (CFCA) estimated that, in 2021, its cost was more than $6.7 billion across the world and it’s still growing.

X (Twitter) is one of very few companies to have gone public about this kind of fraud. In January 2023, Elon Musk claimed that Twitter had lost more than $60m to SMS pumping (not including North America) and implicated over 390 different telecoms firms in the fraud. 

The involvement of multiple parties highlights just how sophisticated a scam it is. Unscrupulous smaller or virtual mobile network operators are able inflate their traffic, and therefore revenue, on the back of SMS pumping through a revenue share model with the perpetrator. 

This kind of fraud is on the rise because legacy technology creates the vulnerabilities that criminals are quick to exploit. Email and SMS are the two most common mediums for identity verification today but they are both fundamentally messaging protocols.

SMS pumping is just another in the line of threats exploiting the shortcomings of a messaging protocol for security. 

Neither email and SMS have anything built-into them related to security and identity verification. While an SMS OTP is a convenient way to authenticate a user’s identity, it’s not the best way - the SIM card in our mobile device is a much safer way to do that.  

SIM-based verification operates on the basis of something called Silent Network Authentication (SNA). It verifies a mobile phone number directly with the network operator over an encrypted connection. This makes it a secure form of authentication and takes advantage of the ease of a mobile device without risking the vulnerabilities of SMS or email. It’s invisible to the end-user because it happens automatically in the background. 

Silent Network Authentication has proven its security credentials; it’s what allows us to make a call on our mobile phone or use it when we switch it on in the morning without needing to identify ourselves. Network carriers use this SIM-based authentication to conduct security checks without interrupting or asking anything of the end-user. Since SNA operates in the background, the vulnerability associated with passwords, pin codes and authenticator app passcodes - and malware - is removed; there’s no room for error and nothing to steal. It can also be used to detect SIM-swaps. 

However, SIM-based authentication isn’t the answer to SMS pumping in all situations - it’s ability to protect against this fraud is 100% only in a mobile-first set-up where mobile applications are at play. But in these cases, Silent Network Authentication not only completely removes the threat from scams like SMS pumping, it actually also improves the user experience since the user never leaves the app to be authenticated. And it’s a much cheaper and easier security solution than hardware biometrics.

By accelerating our shift to a ‘mobile-first’ approach we are all better placed to take advantage of newer, smarter approaches to authentication like SNA, helping us to move completely away from the need for passwords and SMS, and our security reliance on messaging protocols. This has an especially big upside in emerging markets like India and Mexico where being mobile-first is already widespread. 

While new measures to prevent scams like SMS pump fraud slowly get introduced across the global telecoms industry, Silent Network Authentication presents a simple, secure and quick solution using the existing and secure mobile network infrastructure to bring fraud like this to an end. 

This doesn’t mean businesses should be complacent - it’s critical that we scrutinise our network traffic immediately for anomalies and take appropriate action but there is an effective next step for prevention that we can take which is positive for our bottom line and brand. 
 
Paul McGuire is CEO of TruID                            Image: Andrey Metelev

You Might Also Read:  

Mobile Authentication: The Good, The Bad & The Ugly:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Beyond Traditional Security
Staying Ahead Of Cyberthreats »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

BSI Group

BSI Group

BSI is the business standards company that equips businesses with the necessary solutions to turn standards of best practice into habits of excellence

Dubex

Dubex

Dubex is Denmark's leading business-oriented IT security specialist.

SecurityScorecard

SecurityScorecard

SecurityScorecard provides the most accurate security ratings & continuous risk monitoring for vendor and third party risk management.

SEPPmail

SEPPmail

SEPPmail is a patented e-mail encryption solution to secure your electronic communication.

Safetica

Safetica

Safetica Technologies is a Czech software company that delivers data protection solutions for businesses of all types and sizes.

Elliptic

Elliptic

Elliptic solve the crucial problem of identity in cryptocurrencies, with the sole purpose of combating suspicious and criminal activity.

Morphus Information Security

Morphus Information Security

Morphus is an information security company providing Red Team, Blue Team and GRC services as well as conducting research in cybersecurity and threat analysis.

Intel Capital

Intel Capital

Intel Capital, Intel's strategic investment organization, backs innovative technology startups and companies worldwide. We invest in a broad range of hardware, software, and services.

East Midlands Cyber Resilience Centre (EMCRC)

East Midlands Cyber Resilience Centre (EMCRC)

The East Midlands Cyber Resilience Centre is set up to support and help protect businesses across the region against cyber crime.

TekSynap

TekSynap

TekSynap is a full spectrum Information Technology services provider to federal government agencies.

HLB Mann Judd (Fiji)

HLB Mann Judd (Fiji)

HLB Mann Judd (Fiji) (formerly known as HLB Crosbie & Associates) is a well-established firm of accountants and business advisers in Fiji.

Protexxa

Protexxa

Protexxa is a B2B SaaS cybersecurity platform that leverages Artificial Intelligence to rapidly identify, evaluate, predict, and resolve cyber issues for employees.

Custodia Continuity

Custodia Continuity

Custodia Continuity manage your Security, Backup, Continuity and Compliance. You get on with your business.

Zyber 365

Zyber 365

Zyber 365 are providing a robust, decentralized, and cyber-secured operating system which adheres to the fundamental principles of environmental sustainability.

Spec

Spec

Spec is the only no-code orchestration platform that protects enterprise fraud defenses from being blocked, bypassed, and manipulated by modern attack tactics.

Security Awareness Special Interest Group (SASIG)

Security Awareness Special Interest Group (SASIG)

The Security Awareness Special Interest Group (SASIG) addresses the human aspects of security and fraud prevention in an initiative to improve trust and confidence in the online environment.