SMS Traffic Fraud Pumping: What It Is and How to Protect Your Brand Against It

​​With today’s digital landscape changing at rapid speed, it can be a challenge to balance growth while protecting your brand and your customers against fraudulent behavior and bad actors. One rising threat is SMS traffic pumping fraud, a scheme designed to exploit vulnerabilities and collect revenue at the expense of brands. If you’re an SMS marketer or looking to launch an SMS program, it’s important to know how SMS traffic pumping works and the safeguards you can put in place to prevent it.

To help brands address this problem, let’s take a look at the SMS ecosystem, what SMS traffic fraud pumping is, and safeguards you can put in place to help protect your brand.

The backstory: The SMS ecosystem and how SMS messages get delivered

In order to understand what SMS traffic pumping fraud is and how it works, it’s helpful to have some background on the SMS ecosystem and the parties involved in the delivery of SMS marketing messages.

For an SMS marketing message to go from a customer engagement platform (like Braze) to a consumer’s device, it goes through several steps:

• First, the SMS message is created and sent from an SMS marketing or customer engagement platform.
• After the marketer deploys the SMS message, it gets passed to an SMS aggregator, who acts as an intermediary between the customer engagement platform and the mobile carrier. The aggregator determines which mobile carrier a given message should be passed to based on a number of factors, including the country code of the consumer’s phone number (e.g. +1 for the US, +44 for the UK) and the carrier associated with the consumer’s phone number (e.g. Verizon or Vodafone).
• Once the SMS aggregator passes the SMS message to the appropriate mobile carrier, the mobile carrier (also known as a ‘carrier’ or ‘cellular network’) delivers the message to the consumer’s device. Each party in the SMS delivery chain charges a fee for the sending, processing, and delivery of SMS marketing messages.

It’s also important to note that before a marketer can send an SMS marketing message, they must collect the consumer’s phone number and get express consent to send marketing messaging. There are many ways to collect opt-ins. One popular way is through SMS sign-up forms that you can run on your website, landing pages, mobile app, or via QR code.

What is SMS traffic pumping fraud?

In order to kick off the SMS delivery chain, something needs to trigger sending the SMS. Sometimes that will be a proactive send from a brand and sometimes it'll be in response to a consumer request. For example, filling out a form to opt into a brand’s SMS messaging or a password reset. This is where the fraudsters look to jump in.SMS traffic pumping occurs when fraudsters find a way to trigger SMS message sends to phone numbers not associated with real customers in order to collect fraudulent revenue. How do they do this? First, they set up premium rate phone numbers—in other words, phone numbers with country codes where SMS messaging is more costly. Then, they exploit brands’ online forms, such as the SMS opt-in form that a brand has on their website or a one-time password form designed to trigger SMS for password resets or account logins. These bad actors direct the high volume of SMS messages to a local mobile carrier (who is responsible for the delivery of the messages) and then claim a revenue share from the local mobile carrier. This scheme generates fraudulent charges to the brand, effectively stealing from the company sending the messages in question. SMS traffic pumping can cost your brand tens of thousands of dollars in fraudulent SMS changes. It’s important to understand the measures you can take to protect yourself and find a reliable customer engagement platform that has built-in safeguards to mitigate this type of fraud.

What you can do to protect your brand

There are several measures you can take to help mitigate the risk of these types of scams:

1. Improve security for online phone number capture forms

If you are building a phone number capture on your website or in your app, we recommend setting rules to validate phone number length and format and ensuring forms are fully complete before collecting phone numbers. Additionally, consider using tools such as CAPTCHA to ensure the form is submitted by a human and not an automated process. A CAPTCHA requirement on SMS sign-up forms can help reduce the number of fraudulent sign-ups.2. Monitor your daily SMS sending volumes for spikes and abnormalities

Unusual spikes in sending of messages might indicate traffic pumping. We recommend setting up Campaign Limits and Alerts to cap and notify if an abnormally high number of SMS messages are sent. Another metric to keep an eye on in addition to sends is daily SMS opt-ins. An unusually high number of opt-ins in a short time frame, outside of intentional strategies to drive opt-ins, might indicate traffic pumping. Of course, monitoring will not prevent fraud, but it can help you catch an attack early to minimize the impact and cost.

3. Choose a customer engagement platform that has built-in safeguards to mitigate your risk Braze SMS sign-up form templates provide out-of-the box security measures, such as validating the phone number length and format. You can also set up these forms to only collect phone numbers with country codes that align to your target customer base. For example, if you only do business in the US and UK, you can customize the form to only collect numbers with a +1 and +44 country code.Additionally, Braze offers a configurable SMS Geographic Permission Allowlist feature, which allows brands to specify which countries they plan to send to and prevents SMS messages from sending to countries where they don’t do business. Braze also maintains a list for both US-embargoed countries, as well as for countries known to be high risk for traffic pumping, which can be referenced in our documentation. US-embargoed countries are automatically disabled on the allowlist feature and high-risk countries are flagged for awareness before enabling them.

Equip Your Brand to Protect Against SMS Pumping Fraud

While protecting against SMS traffic pumping fraud—and any time of fraud—can feel daunting, the right knowledge, practices, and technology partner can help brands better meet the challenge. If you have additional questions, please check out the FAQ in our documentation or reach out to your Customer Success Manager.