What is SMS toll fraud aka SMS pumping?
SMS toll fraud, sometimes known as SMS pumping, is a form of fraud where bad actors partner with complicit telecom providers to send large amounts of traffic to unprotected SMS endpoints.
While the fraud mechanism itself is complex, the implications are fairly simple: if you choose to use SMS One-Time Passcodes (OTPs) as an authentication method for your app, you should take precautions to ensure that your SMS endpoints are protected from abuse. While Stytch has some built-in precautions in place to help prevent this, you are ultimately responsible for the SMS or WhatsApp costs that your Stytch Project uses which can in cases of large attacks cost thousands of dollars.
In this guide, we’ll provide additional context on how toll fraud works, explain what protections Stytch has in place, and offer suggestions for how to prevent it for your own app.
How Toll Fraud Works
For toll fraud, the end goal is to generate revenue for the telecom operators that SMS vendors, like Twilio and MessageBird, pay to deliver SMS to end users. In SMS pumping attacks, fraudsters collude with telecom Mobile Network Operators (MNOs) in exchange for a share of the profits that MNOs receive from charging SMS vendors to deliver SMS messages to the MNO’s users.
For fraudsters, the attack playbook for SMS pumping is as follows:
- Find apps that expose a way to send SMS messages.
- Use bots to send SMS messages to tens of thousands of phone numbers, often spoofing simple characteristics like IP address and User-Agent to avoid detection.
- The fraudsters running the bots take a percentage of the inflated revenue received by MNOs who deliver the messages locally for third parties like Twilio.
This is a classic example of the game theory of application security in action: anytime an internet resource (such as SMS endpoints) that provides enough monetization potential is exposed, fraudsters will find a way to exploit it. It’s the same reason compute platforms are commonly abused by crypto miners to receive free computation resources.
Early warning indicators of SMS toll fraud
If you’re experiencing a toll fraud / SMS pumping attack, you may notice one or many of the following factors:
A sudden increase in SMS message quantity or velocity
- Since the fraud is usually performed with bots, you’ll notice a large number of messages being sent over a short period of time.
Messages sent to consecutive phone numbers or a single geography
- Often during toll fraud attacks, attackers will use ‘blocks’ of numbers that are consecutive or have similar prefixes, e.g. the first seven digits match. This also means that toll fraud tends to be concentrated in a single geography.
- These similar numbers are likely all managed by the same mobile network operator, which is a telltale sign of SMS toll fraud.
A low SMS send to authentication ratio
- Since the intent of the attacker is not to takeover a user’s account or create new accounts, only to send SMS messages, there will be no attempt to authenticate any of the OTP codes that are sent.
- As a result, if a low percentage of SMS OTP users are actually authenticating, this may be an indicator of toll fraud.
- This could also indicate true messaging downtime, i.e. messages aren’t making it to end users, check out our guide on how to troubleshoot SMS and WhatsApp messages.
How Stytch helps mitigate toll fraud across our platform
We take several steps to help prevent toll fraud on our platform above and beyond what our messaging providers offer.
- Since attacks tend to have common patterns like those mentioned above, we have several layers of rate limiting in place to mitigate the size and scope of toll fraud attacks across our platform.
- Because toll fraud and real user traffic can sometimes look similar, e.g. a big launch to a new geo-locale, we balance their sensitivity to ensure that we won’t ever block real user traffic.
Smart country selection
- By default, Stytch disables a number of high risk countries. You can find the full list on our unsupported countries reference.
- For customers who used Stytch SMS OTP before October 2023, we allow SMS to be sent to any supported international country by default. However, we also let you restrict that list to just USA and Canada; just reach out to email@example.com and we can help you do so.
- For customers who did not use SMS prior to October 2023, SMS to phone numbers outside of the US and Canada is disabled by default (if you're interested in sending international SMS, please reach out to firstname.lastname@example.org, and we can enable it for you).
Alerting and monitoring
- Our on-call team has robust alerting and monitoring in place across several factors to ensure that we’re aware of and able to help mitigate manually if attackers have compromised your app.
While these protections are able to lower the impact of a toll fraud attack, they typically will not fully prevent them. We want to ensure that the balance tips in the favor of protecting your uptime and not preventing real users from logging into your app.
We usually see these built-in protections lower the impact of the attack by 75-90%. However, we still strongly recommend taking additional precautions to limit your risk as large attacks may generate thousands of dollars in SMS costs. Note, the SMS send attempts still occur from your app but Stytch will prevent them from being sent and thus you incurring the cost of sending an SMS.