Protecting Against The $6.7Bn SMS Pumping Fraud Scam

SMS pump fraud has exploded in recent years thanks to organised crime spotting and exploiting the inherent vulnerabilities of mobile devices. So, if you’re not already familiar with ‘SMS pumping’, it’s worth investigating because the targets are businesses, not end-users. 

Also known as ‘Toll Fraud’ and AIT (Artificially Inflated Traffic), this criminal activity takes advantage of businesses who use SMS One-Time Passwords (OTPs) as part of a two-factor authentication (2FA) process for users or employees. 

Criminals have been quick to exploit a previously unknown vulnerability in the online account sign-up process. They create hundreds of thousands of fake accounts and insert premium-rate phone numbers into account sign-up forms and send out SMS OTPs, often to remote destinations across the world. The premium rate charges are billed to the business and the fraudsters pocket all the money; the larger the organisation, the higher the traffic and so the harder it is for them to spot this fraudulent activity. 

SMS pump fraud is already big business involving a sophisticated network of participants. The Communications Fraud Control Association (CFCA) estimated that, in 2021, its cost was more than $6.7 billion across the world and it’s still growing.

X (Twitter) is one of very few companies to have gone public about this kind of fraud. In January 2023, Elon Musk claimed that Twitter had lost more than $60m to SMS pumping (not including North America) and implicated over 390 different telecoms firms in the fraud. 

The involvement of multiple parties highlights just how sophisticated a scam it is. Unscrupulous smaller or virtual mobile network operators are able inflate their traffic, and therefore revenue, on the back of SMS pumping through a revenue share model with the perpetrator. 

This kind of fraud is on the rise because legacy technology creates the vulnerabilities that criminals are quick to exploit. Email and SMS are the two most common mediums for identity verification today but they are both fundamentally messaging protocols.

SMS pumping is just another in the line of threats exploiting the shortcomings of a messaging protocol for security. 

Neither email and SMS have anything built-into them related to security and identity verification. While an SMS OTP is a convenient way to authenticate a user’s identity, it’s not the best way - the SIM card in our mobile device is a much safer way to do that.  

SIM-based verification operates on the basis of something called Silent Network Authentication (SNA). It verifies a mobile phone number directly with the network operator over an encrypted connection. This makes it a secure form of authentication and takes advantage of the ease of a mobile device without risking the vulnerabilities of SMS or email. It’s invisible to the end-user because it happens automatically in the background. 

Silent Network Authentication has proven its security credentials; it’s what allows us to make a call on our mobile phone or use it when we switch it on in the morning without needing to identify ourselves. Network carriers use this SIM-based authentication to conduct security checks without interrupting or asking anything of the end-user. Since SNA operates in the background, the vulnerability associated with passwords, pin codes and authenticator app passcodes - and malware - is removed; there’s no room for error and nothing to steal. It can also be used to detect SIM-swaps. 

However, SIM-based authentication isn’t the answer to SMS pumping in all situations - it’s ability to protect against this fraud is 100% only in a mobile-first set-up where mobile applications are at play. But in these cases, Silent Network Authentication not only completely removes the threat from scams like SMS pumping, it actually also improves the user experience since the user never leaves the app to be authenticated. And it’s a much cheaper and easier security solution than hardware biometrics.

By accelerating our shift to a ‘mobile-first’ approach we are all better placed to take advantage of newer, smarter approaches to authentication like SNA, helping us to move completely away from the need for passwords and SMS, and our security reliance on messaging protocols. This has an especially big upside in emerging markets like India and Mexico where being mobile-first is already widespread. 

While new measures to prevent scams like SMS pump fraud slowly get introduced across the global telecoms industry, Silent Network Authentication presents a simple, secure and quick solution using the existing and secure mobile network infrastructure to bring fraud like this to an end. 

This doesn’t mean businesses should be complacent - it’s critical that we scrutinise our network traffic immediately for anomalies and take appropriate action but there is an effective next step for prevention that we can take which is positive for our bottom line and brand. 
 
Paul McGuire is CEO of TruID                            Image: Andrey Metelev

You Might Also Read:  

Mobile Authentication: The Good, The Bad & The Ugly:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Beyond Traditional Security
Staying Ahead Of Cyberthreats »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

Zimperium

Zimperium

Zimperium offers enterprise class protection for mobile devices against the next generation of advanced mobile attacks.

Huntsman Security

Huntsman Security

Huntsman Security provides technology to enable real-time security monitoring and immediate visibility of advanced threats and compliance issues.

Secret Double Octopus

Secret Double Octopus

Secret Double Octopus offers the world’s only keyless multi-shield authentication technology for users and things.

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.

Inter-American Cooperation Portal on Cyber-Crime

Inter-American Cooperation Portal on Cyber-Crime

The Inter-American Cooperation Portal on Cyber-Crime was created to facilitate and streamline cooperation and information exchange among government experts from OAS member states.

ClearBlade

ClearBlade

ClearBlade is the Edge Computing software company enabling enterprises to rapidly engineer and run secure, real-time, scalable IoT applications.

Applied Science and Technology Research Institute Company Limited (ASTRI)

Applied Science and Technology Research Institute Company Limited (ASTRI)

ASTRI's mission is to enhance Hong Kong’s competitiveness in technology-based industries through applied research in areas including Security & Data Sciences which encompasses cybersecurity.

ResponSight

ResponSight

ResponSight is a data science company focusing specifically on the challenge of measuring risk and identifying changes in enterprise/corporate networks using behavioural analytics.

Intuity

Intuity

The Intuity suite of services provides companies with a complete awareness of their security status and helps them in an efficient, efficient and sustainable improvement process.

Tech-Recycle

Tech-Recycle

Tech-Recycle was formed to help companies and individuals securely, ethically and easily recycle their IT and office equipment. We destroy all data passed to us safely and securely.

ThreatSwitch

ThreatSwitch

ThreatSwitch a software platform for cleared federal contractors to get and stay compliant with NISPOM and Conforming Change 2.

Etonwood

Etonwood

Etonwood specialises in infrastructure and vendor technology recruitment in areas including cloud platforms, cyber security and service management.

Third Point Ventures

Third Point Ventures

Third Point brings deep technical expertise, a strong network of relationships, and decades of investing experience to add value to our partners throughout their journey from idea to IPO and beyond.

Qevlar AI

Qevlar AI

Qevlar AI empowers SOC teams, to eliminate redundant tasks and refocus on what truly matters - making the most of every employee within the SecOps team.

Systems Engineering

Systems Engineering

Systems Engineering is a SOC 2, Type 2-certified IT strategy and managed technology services provider.