Industry experts warn of increasing risks to corporate profits from so-called SMS pumping scams, which exploit one-time password (OTP) generation to make money for cybercriminals.
The scale of the threat was highlighted by Elon Musk last month when he claimed Twitter is scammed out of $60 million a year with fake two-factor authentication (2FA) SMS messages.
Henry Cazalet, director of TheSMSWorks, says the cybersecurity industry has taken note of his response to withdraw text message-based OTPs for non-subscribers, but the real question remains unresolved.
“Small businesses and start-ups are particularly vulnerable to SMS pumping scams. They are unlikely to have the necessary resources to make their web forms more secure,” he said.
“To keep speed and costs down, they are often ready to cut corners, making their services vulnerable to ambushes by fraudsters.”
To run SMS pumping campaigns, scammers typically sign up for services or accounts that send users 2FA codes, OTPs or links for security or authentication. If no safeguards are in place, attackers can enter premium-rate numbers, so that every message sent generates revenue for the attackers and their associated mobile network operators (MNOs).
In some cases the MNO is a party to the fraud; in others the fraud is committed without its knowledge. Bots are usually used to generate the volume of requests that makes the scam profitable.
Also known as “artificially generated traffic” (AGT) or “SMS OTP fraud,” this scam accounts for 6% of all SMS traffic and 10% of revenue, according to Lanck Telecom.
According to the company’s research, 30-60% of all mobile traffic can be AGT, depending on the brand, and as high as 80% on some networks.
TheSMSWorks says there are some telltale signs that web forms are being abused by scammers.
- Exponential growth in web traffic and auto-generated SMS messages
- Large volumes of texts being sent to unusual countries
- Texts triggered to batches of numbers in numerical order
- Web forms left only partially filled in, as bots tend to submit them
“There are some relatively simple measures that organizations can take to mitigate risk,” advises Cazalet.
“Disable SMS OTP from countries we don’t operate in. Set rate limits on the number of SMS that can be sent to any range of mobile numbers to detect and deter bots. Also, SMS OTP traffic levels to identify and monitor spikes in
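As an added example (not code from the article or from TheSMSWorks), the following Python gate applies these measures to an OTP request endpoint: it refuses numbers outside the countries served, rate-limits per number range rather than per number, and blocks the sequential-number pattern listed among the telltale signs. The country codes, prefix length, limits and sample traffic are assumed values constructed for the demonstration.

```python
from collections import defaultdict, deque

ALLOWED_COUNTRY_CODES = {"1", "44"}  # countries the business serves (assumed)
PREFIX_LEN = 7        # "+447700" = a number range rather than a single number
PREFIX_LIMIT = 5      # OTP sends allowed per range per window
WINDOW_SECONDS = 600
SEQUENTIAL_RUN = 3    # this many consecutive numbers in one range = bot pattern

def country_code(phone):
    """Return the allowed country code an E.164 number starts with, else None."""
    digits = phone.lstrip("+")
    for cc in sorted(ALLOWED_COUNTRY_CODES, key=len, reverse=True):
        if digits.startswith(cc):
            return cc
    return None

class OtpGate:
    def __init__(self):
        # number range -> deque of (timestamp, number) requests within the window
        self.recent = defaultdict(deque)

    def check(self, phone, now):
        """Decide whether to send the OTP SMS; returns (allowed, reason)."""
        if not phone.startswith("+") or not phone[1:].isdigit():
            return False, "malformed"
        if country_code(phone) is None:
            return False, "country_not_served"      # geo-block, as Cazalet advises
        q = self.recent[phone[:PREFIX_LEN]]
        while q and now - q[0][0] > WINDOW_SECONDS:  # drop entries outside the window
            q.popleft()
        q.append((now, phone))                       # blocked attempts count too
        if len(q) > PREFIX_LIMIT:
            return False, "range_rate_limited"
        nums = [int(p[1:]) for _, p in list(q)[-SEQUENTIAL_RUN:]]
        if len(nums) == SEQUENTIAL_RUN and all(b - a == 1 for a, b in zip(nums, nums[1:])):
            return False, "sequential_numbers"
        return True, "ok"

# Constructed sample traffic: two real users, an unsupported country, then a bot
# walking up a UK range one number at a time.
SAMPLE_REQUESTS = [
    (0.0, "+447700900100"), (1.0, "+12025550123"), (2.0, "+33612345678"),
    (3.0, "+447700900101"), (4.0, "+447700900102"), (5.0, "+447700900103"),
    (6.0, "+447700900104"), (7.0, "+447700900105"),
]

def audit(requests=SAMPLE_REQUESTS):
    """Run a request log through one gate; return the decision reasons in order."""
    gate = OtpGate()
    return [gate.check(phone, ts)[1] for ts, phone in requests]
```

The reasons returned by `audit()` are what a monitoring pipeline would count per range and per country to spot the traffic spikes the article describes.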