When Bots Pump Your OTPs (SMS Pumping)

My Take on SMS Pumping Fraud


A few years ago, I spent several months chasing a weird kind of fraud — the kind that doesn’t steal data, doesn’t hack users, but still burns real money.

It’s called SMS Pumping.

At first, it looked like just “spam traffic.” Then it became a full-time cat-and-mouse game between our defenses and whoever was behind it.
Here’s the story, what we tried, what failed, and what I’d recommend if you’re running authentication systems today.


💬 The World Still Runs on SMS

Even in 2025, SMS is still everywhere.
It’s used for:

  • verifying phone numbers,

  • logging in,

  • and two-factor authentication (2FA).

It’s not perfect, but it’s easy: no app to install, no setup friction, works on every device.
That simplicity is exactly what makes it popular — and exploitable.

If you haven’t met SMS Pumping, here’s the quick version:

Fraudsters abuse your “send me an OTP” endpoint to trigger thousands of messages to phone numbers they control. Those numbers sit on premium-rate or expensive international routes, and whoever controls the route gets a share of the termination fee for every message delivered, whether or not anyone reads it.
You pay the bill; they take the cut.

As Twilio explains, it’s a form of Artificially Inflated Traffic (AIT) or Toll Fraud — a telecom problem repackaged for web apps.
Or, as Datadome puts it:

Bots exploit OTP systems by injecting premium or international numbers into signup forms, creating massive artificial SMS volumes — and revenue for someone else.

No data breach, no ransomware, just your infrastructure quietly working for them.


🚨 The First Signs

It started subtly. SMS verifications were fine one day, then slightly up the next.
Soon, the metrics showed an order-of-magnitude increase in OTP requests.
Nothing else had changed — no marketing campaign, no new feature rollout, no real user growth.

The pattern was clear only when zoomed in:

  • Many numbers followed each other sequentially (like blocks).

  • Most of them never completed verification.

  • Traffic looked “normal enough” to pass basic filters.

It wasn’t always a single big spike. The requests were spread over time and blended into normal usage.
That’s what makes SMS Pumping tricky: the attacker’s goal is to stay under whatever threshold would get the traffic blocked, so the volume is tuned to look like growth rather than an attack.


🧱 What Didn’t Work

We tried every textbook mitigation. Some slowed the fraud down for a while, but none fixed it for good.

1. IP or ASN blocking
Attackers use proxies and mobile networks. The IPs rotate constantly — useless.

2. Per-number rate limits
They just change numbers. Automation makes that trivial.

3. GeoIP-blocking
Cutting off “risky” regions helped for a while, but traffic always found a detour.
Also, legitimate users in new regions occasionally got blocked — not fun.

4. Premium number filters
We used Google’s libphonenumber to reject numbers it classified as premium-rate ranges.
It worked in regulated markets, where numbering plans are published and the library’s metadata tracks them, and failed elsewhere, where the metadata was incomplete or outdated and the expensive routes were ordinary-looking mobile ranges.


🧰 What Actually Worked

After months of testing, we realized there’s no magic button.
The only winning move was layering multiple imperfect defenses.

✅ Captcha / bot challenges
We deployed reCAPTCHA Enterprise with SMS Fraud protection. We were among the first users to beta test the feature. It's not a perfect solution: false positives were mostly controlled, but still present sometimes. But it really helped stop fraud, as we were shifting from the "easy target" to the "target that requires effort". What ultimately drove the decision was mainly the cheap cost, and the fact that the competitor (the market leader) was also using it.
However, according to 2captcha.com, solving costs around $2 per thousand CAPTCHAs — and that's not enough to kill the fraudsters' business model.

✅ Prefix-based rate limiting
Instead of limiting individual numbers, we rate-limited on the prefix (the first N digits of the E.164 number).
Fraudsters often used contiguous blocks, so one counter trapped the whole batch even though every individual number was new.
You just have to tune N carefully: too short and a single counter covers an entire carrier, so a real burst of signups (say, during a marketing campaign) gets throttled; too long and each number lands in its own bucket and the pattern is missed.

✅ Geo-permissions on your SMS provider
Use your provider’s “geo-permissions” (Twilio, MessageBird, etc.) to disable delivery in markets where you don’t operate.
Every unnecessary region is free profit for someone else.
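The two controls above, the prefix-keyed rate limit and a country allowlist, can also be enforced in the application before the provider is ever called. The following is an added example, not the post's own code: a hypothetical `should_send_otp` gate that rejects numbers outside the markets you operate in (the application-side counterpart of the provider's geo-permissions, which remain the authoritative control) and then applies a sliding-window limit keyed on the first N digits. The calling-code table and the allowlist are constructed subsets for the demo, not a full numbering plan, and numbers are assumed to arrive already normalised to E.164.

```python
"""
Added example, not the post's production code. Application-side gate in front
of the SMS provider call: country allowlist + prefix-keyed sliding-window limit.
Assumes numbers arrive normalised to E.164 ('+' followed by digits only).
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple
import time

# Constructed example: only markets where the product operates may receive OTPs.
ALLOWED_COUNTRY_CODES = {"1", "33", "44", "49"}

# Calling codes are 1-3 digits and the longest match wins. Constructed subset.
KNOWN_CALLING_CODES = {"1", "7", "33", "44", "49", "62", "92", "234", "880"}


def calling_code(e164: str) -> Optional[str]:
    """Return the country calling code of an E.164 number, or None if unknown."""
    if not e164.startswith("+") or not e164[1:].isdigit():
        return None
    digits = e164[1:]
    for n in (3, 2, 1):
        if digits[:n] in KNOWN_CALLING_CODES:
            return digits[:n]
    return None


@dataclass
class PrefixRateLimiter:
    """Sliding-window limiter keyed on the first `prefix_len` digits of the number.

    A contiguous block such as +44790000000 ... +44790000500 shares one key, so the
    whole batch is throttled once `max_requests` sends fall inside `window_seconds`,
    even though every individual number is seen for the first time.
    """
    prefix_len: int = 7           # "N" in the post; tune per market
    max_requests: int = 20
    window_seconds: float = 600.0
    _buckets: Dict[str, Deque[float]] = field(default_factory=dict)

    def key_for(self, e164: str) -> str:
        return e164[1:1 + self.prefix_len]

    def allow(self, e164: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        bucket = self._buckets.setdefault(self.key_for(e164), deque())
        cutoff = now - self.window_seconds
        while bucket and bucket[0] <= cutoff:   # drop timestamps outside the window
            bucket.popleft()
        if len(bucket) >= self.max_requests:
            return False
        bucket.append(now)
        return True


def should_send_otp(e164: str, limiter: PrefixRateLimiter,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether to hand the number to the SMS provider. Returns (ok, reason)."""
    cc = calling_code(e164)
    if cc is None:
        return False, "unparseable"
    if cc not in ALLOWED_COUNTRY_CODES:
        return False, f"country +{cc} not enabled"
    if not limiter.allow(e164, now):
        return False, f"prefix {limiter.key_for(e164)} over limit"
    return True, "ok"


if __name__ == "__main__":
    limiter = PrefixRateLimiter(prefix_len=7, max_requests=5, window_seconds=600)
    # Constructed pumping batch: sequential UK numbers sharing a 7-digit prefix.
    for i in range(8):
        print(should_send_otp(f"+44790000{i:03d}", limiter, now=float(i)))
    # A market you never enabled is refused before any prefix accounting happens.
    print(should_send_otp("+2348012345678", limiter, now=10.0))
```

With `max_requests=5`, the sixth number in the batch is refused even though it has never been seen before, which is the point of keying on the prefix rather than the number. The same limiter keyed on `prefix_len=3` would throttle an entire country, which is the "too broad" failure mode described above.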

✅ Real-time monitoring and anomaly alerts
We built dashboards tracking:

  • OTPs requested vs. OTPs completed

  • cost per SMS provider

  • fraud risk scores from reCAPTCHA

  • SMS per region over time

It’s manual work — but without a baseline, you’re blind.
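The earliest signs described above (contiguous number blocks and OTPs that are requested but never completed) are exactly the signals a dashboard should surface. The block below is an added example, not the post's own tooling: it replays a constructed OTP event log and computes the requested-versus-verified ratio per prefix, flags prefixes whose completion rate collapses, and finds runs of consecutive numbers. The event format `(timestamp, event, e164_number)` and all sample numbers are assumptions made up for the demo.

```python
"""
Added detection example (not the post's own tooling). Replays a constructed OTP
event log and computes two of the signals the post describes: per-prefix
completion ratio (requested vs. verified) and runs of sequential numbers.
Assumed event format: (unix_ts, "requested" | "verified", E.164 number).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]

# Constructed sample: a few real-looking users mixed with a pumping batch.
SAMPLE_EVENTS: List[Event] = [
    (1700000000, "requested", "+33612345678"),
    (1700000030, "verified",  "+33612345678"),
    (1700000100, "requested", "+15551230001"),
    (1700000130, "verified",  "+15551230001"),
    (1700000200, "requested", "+15551230002"),   # a user who never finished
]
# Pumping batch: 12 contiguous numbers requested a few seconds apart, none verified.
SAMPLE_EVENTS += [(1700000300 + i * 5, "requested", f"+9230000{1000 + i}") for i in range(12)]


@dataclass
class PrefixStats:
    requested: int = 0
    verified: int = 0

    @property
    def completion_ratio(self) -> float:
        return self.verified / self.requested if self.requested else 0.0


def prefix_stats(events: List[Event], prefix_len: int = 7) -> Dict[str, PrefixStats]:
    """Count OTPs requested and verified per number prefix (first `prefix_len` digits)."""
    stats: Dict[str, PrefixStats] = defaultdict(PrefixStats)
    for _ts, kind, number in events:
        key = number[1:1 + prefix_len]
        if kind == "requested":
            stats[key].requested += 1
        elif kind == "verified":
            stats[key].verified += 1
    return dict(stats)


def suspicious_prefixes(events: List[Event], prefix_len: int = 7,
                        min_requests: int = 10, max_ratio: float = 0.2) -> List[str]:
    """Prefixes with enough volume to judge and a completion ratio below `max_ratio`."""
    return sorted(
        key for key, s in prefix_stats(events, prefix_len).items()
        if s.requested >= min_requests and s.completion_ratio < max_ratio
    )


def sequential_runs(events: List[Event], min_run: int = 5) -> List[Tuple[str, str, int]]:
    """Find runs of consecutive numbers (n, n+1, n+2, ...) among requested numbers.

    Returns (first, last, length) for every run of at least `min_run` numbers.
    Contiguous blocks are the "numbers followed each other sequentially" signal.
    """
    numbers = sorted({int(n[1:]) for _ts, kind, n in events if kind == "requested"})
    runs: List[Tuple[str, str, int]] = []
    start = prev = None
    for n in numbers:
        if prev is not None and n == prev + 1:
            prev = n
            continue
        if start is not None and prev - start + 1 >= min_run:
            runs.append((f"+{start}", f"+{prev}", prev - start + 1))
        start = prev = n
    if start is not None and prev - start + 1 >= min_run:
        runs.append((f"+{start}", f"+{prev}", prev - start + 1))
    return runs


if __name__ == "__main__":
    for key, s in sorted(prefix_stats(SAMPLE_EVENTS).items()):
        print(f"prefix {key}: requested={s.requested} verified={s.verified} "
              f"ratio={s.completion_ratio:.2f}")
    print("suspicious prefixes:", suspicious_prefixes(SAMPLE_EVENTS))
    print("sequential runs:", sequential_runs(SAMPLE_EVENTS))
```

The thresholds (`min_requests`, `max_ratio`, `min_run`) are the baseline the post talks about: set them from a week of your own traffic before the attack, not from the sample, and alert on the per-prefix ratio rather than on raw volume, because a distributed pumping run can stay under any volume threshold while its completion rate is near zero.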

✅ Alternative auth flows
Slowly push users toward non-SMS methods when possible: email links, push notifications, WebAuthn, you name it.
Every OTP you never send is one the fraudsters cannot bill you for; reducing exposure is the best mitigation you’ll ever have.


🧠 What I Learned

A few lessons stuck with me:

  • Fraudsters think in profit margins, not payloads.
    If your SMS endpoint lets them earn, they’ll never stop.

  • Security teams need visibility, not just filters.
    The hardest part wasn’t blocking — it was knowing when we were under attack.

  • Every control decays.
    Geo rules, blocklists, regexes — they rot the moment you stop updating them.

  • No tool beats common sense.
    Automation helps, but understanding your traffic helps more.


🔒 Why SMS Needs to Go

I get it — SMS is easy. But it’s also fragile.
Between SIM swaps, interception, and pumping fraud, it’s more of a tax than a feature.

Modern authentication standards like WebAuthn and passkeys exist for a reason.
They’re phishing-resistant, cost nothing per login, and don’t depend on telcos.

So, if your product still uses SMS 2FA and you have the choice, favor non-SMS methods whenever possible.
SMS should be a fallback, not your default.


🏁 Closing thoughts

SMS authentication isn’t going anywhere, but it’s time to stop pretending it’s secure. If you're still using it, at least make sure you’re not paying fraudsters for the privilege. When SMS is your only viable option, treat it as a security liability — not a solution.
Layer your defenses, monitor relentlessly, and plan your exit strategy. If you can move away from SMS, do it. You'll save money — and sleep.
