SMS Pumping Fraud: How to Detect & Stop AIT (2026)
SMS Pumping Fraud: How to Detect and Stop AIT in 2026
Quick answer: SMS pumping — also called artificially inflated traffic (AIT) — is a fraud scheme in which attackers use bots to trigger thousands of SMS messages (usually one-time passcodes) toward phone number ranges they control. They collect a share of each message's termination fee, while your business pays the full sending cost. You stop it with OTP conversion monitoring, rate limiting, geographic controls, and bot detection.
Global SMS fraud losses are projected to reach $71 billion in 2026, and AIT is the fastest-growing category. One high-profile example: Twitter reported losing roughly $60 million per year to SMS pumping before it restricted SMS 2FA. If your product sends verification codes, you are a target.
What Is SMS Pumping?
SMS pumping is a form of International Revenue Share Fraud (IRSF) applied to application-to-person messaging. Fraudsters exploit any public form that triggers an SMS — signup verification, login 2FA, "text me the app" links — and automate requests to numbers in ranges where they receive a cut of termination revenue.
The economics are simple: an SMS to a high-cost destination can cost $0.10–$0.50. A bot can request thousands of codes per hour. Every message is real, billable traffic — it just serves no user.
How Does SMS Pumping Work?
The scheme follows four steps:
- Range acquisition. The fraudster partners with a rogue mobile operator or number range holder — usually in a country with high termination fees — and agrees to split per-message revenue.
- Target selection. They find businesses with public SMS triggers: registration forms, OTP login flows, password resets, referral invites.
- Automation. Bots submit thousands of phone numbers from the controlled range, often rotating IPs through residential proxies to evade basic blocking.
- Collection. Messages terminate into the controlled range. Nobody reads them. The operator bills upstream, and the fraudster collects their share.
Because each message is technically delivered, the traffic looks legitimate on invoices — until you check whether the codes were ever used.
What Are the Warning Signs of SMS Pumping?
Watch for these seven signals:
| Signal | Legitimate traffic | Pumping traffic |
|---|---|---|
| OTP conversion rate | 70–95% of codes verified | Under 20% verified |
| Volume pattern | Follows user activity curves | Sudden spikes, off-hours bursts |
| Destinations | Match your customer base | High-cost countries with no users |
| Number patterns | Random, distributed | Sequential or same-prefix blocks |
| Session behavior | Form filled at human speed | Sub-second submissions |
| Retry pattern | Occasional resend requests | Maximum resends on every number |
| IP diversity | Normal geographic mix | Proxy/datacenter concentration |
The single most reliable metric is verification conversion rate by destination country. Calculate it weekly: codes verified ÷ codes sent. Any country below 30% deserves investigation; below 10% is almost certainly fraud.
How Do You Prevent SMS Pumping? (9 Defenses)
- Rate limit aggressively. Cap OTP requests per phone number, per IP address, and per session — for example, 3 codes per number per hour and 10 per IP per day.
- Geo-permission your traffic. Maintain an allowlist of country codes where you actually operate. Reject everything else at the application layer.
- Monitor conversion by destination. Alert automatically when any country's verification rate drops below your threshold.
- Add bot friction before the send. Require a CAPTCHA, proof-of-work, or device attestation before triggering any SMS. Invisible challenges stop most automation without hurting real users.
- Use device fingerprinting. IPs rotate cheaply through residential proxies; device and browser fingerprints persist and expose botnets.
- Detect sequential-number attacks. Flag bursts of requests to adjacent numbers in the same range — a pattern real users never produce.
- Delay and batch suspicious traffic. Fraud bots need instant delivery to confirm the scheme works. A short delay on suspicious requests breaks their feedback loop at minimal UX cost.
- Offer alternative verification. Email links, authenticator apps, passkeys, and silent network authentication reduce your dependence on SMS OTP as the only channel.
- Negotiate fraud terms with your provider. Ask for real-time AIT detection, per-country spend caps, and automatic circuit breakers that pause traffic on anomaly detection.
What Should You Do During an Active Attack?
If you discover pumping in progress:
- Pause SMS delivery to the affected country codes immediately.
- Enable or tighten CAPTCHA on all SMS-triggering forms.
- Drop per-number and per-IP rate limits to minimum values.
- Export the affected traffic logs — numbers, timestamps, IPs — for your provider.
- Review the invoice window and ask your provider about AIT credits.
Most attacks stop within hours once messages stop terminating — the fraudster's revenue depends entirely on your continued sending.
How ViteMobile Protects Against AIT
ViteMobile monitors verification conversion rates per destination in real time, applies network-level velocity checks before messages reach carriers, and lets you set per-country spend caps that act as automatic circuit breakers. Suspicious traffic is flagged in your dashboard before it becomes an invoice surprise.
Key Takeaways
- SMS pumping (AIT) makes fraudsters money on every fake OTP your platform sends — global SMS fraud losses are projected at $71 billion in 2026.
- The clearest detection signal is OTP conversion rate by country: below 20% means investigate now.
- The strongest defenses are rate limiting, country allowlists, pre-send bot checks, and conversion monitoring — deployed together.
- Refunds are rare because the messages genuinely delivered. Prevention and contractual fraud protections are your real safety net.
Frequently Asked Questions
Q: What is SMS pumping fraud? A: SMS pumping (artificially inflated traffic, or AIT) is a scheme where fraudsters use bots to trigger large volumes of SMS — usually OTP codes — to number ranges they control, earning a share of each message's termination fee while your business pays the sending cost.
Q: How do I know if my business is affected? A: Check your OTP conversion rate by destination country. If fewer than 20–30% of codes sent to a country are ever verified, that traffic is likely artificial. Volume spikes without user growth and sequential-number request bursts confirm it.
Q: Who profits from SMS pumping? A: The fraudster and a complicit party in the delivery chain — typically a small operator or number range holder in a high-termination-cost country — split the per-message revenue your business pays.
Q: Does blocking countries stop SMS pumping? A: Geo-blocking is the fastest single fix and eliminates most losses if you have no users in high-risk destinations. Combine it with rate limiting and bot detection, because attacks can shift to permitted countries.
Q: Can I get a refund for pumped traffic? A: Usually no — the messages were delivered and are billable. Some enterprise contracts include AIT credits or caps; negotiate these protections before an incident, not after.