Prevent SMS pumping fraud

SMS pumping is a type of digital exploit in which attackers send numerous One-Time Password (OTP) requests or verification links, forcing the targeted platform to pay for SMS authentication that does not come from real user requests.

To commit SMS pumping, fraudsters use bots and automated scripts that generate a massive number of requests with little effort. Whether or not these messages are ever used to complete an OTP or follow a sent link, each message costs the platform a fee. The attackers thereby generate revenue for a complicit telecom partner, which then shares that income with them.

How to recognize SMS pumping fraud

The main sign of an SMS pumping attack is a high volume of SMS authentication requests per applicant, specifically more than three SMS requests per profile.

There are two main types of SMS messages used in these attacks:

  • OTP requests triggered during the Phone verification step
  • Verification links sent from the WebSDK that direct users to continue the process on a mobile phone

Modify your verification scenarios to prevent SMS pumping fraud

If you notice signs of SMS pumping fraud, you need to identify which type of SMS is being used in the attacks and take appropriate action.

Note

By default, Sumsub creates an additional layer of security by reducing the number of allowed SMS to 5 per telephone number. However, to strengthen your verification flows further, you can take the extra measures described in the steps below.
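The recognition criterion above (more than three SMS requests per applicant profile) and the default allowance of 5 SMS per phone number are both simple counting rules. The following Python script, added here as an illustration and not part of Sumsub's product or documentation, runs those two checks over a constructed log of SMS requests. The log format (`timestamp applicant_id phone sms_type`) and the `otp` / `mobile_link` type labels are assumptions made for the example; the per-type breakdown it reports is what tells you whether OTPs (Step 2) or continue-on-mobile links (Step 3) are the vector being abused.

```python
"""Flag applicant profiles whose SMS request volume looks like SMS pumping.

Added example, not Sumsub code. It assumes a constructed log format of
"<timestamp> <applicant_id> <phone> <sms_type>" per line, where sms_type
is "otp" (Phone verification step) or "mobile_link" (WebSDK continue-on-mobile).
"""
from collections import defaultdict

# Thresholds taken from the page: more than 3 SMS requests per applicant
# profile is the main sign of an attack; the default platform-side
# allowance is 5 SMS per telephone number.
PER_APPLICANT_ALERT = 3
PER_PHONE_CAP = 5

# Constructed sample log lines (not real data); one malformed line is
# included to show that the parser skips it.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z app-001 +15550000001 otp
2024-05-01T10:00:05Z app-002 +15550000002 otp
2024-05-01T10:00:06Z app-002 +15550000002 otp
2024-05-01T10:00:07Z app-003 +15550000003 mobile_link
2024-05-01T10:00:08Z app-003 +15550000003 mobile_link
2024-05-01T10:00:09Z app-003 +15550000003 mobile_link
2024-05-01T10:00:10Z app-003 +15550000003 mobile_link
2024-05-01T10:00:11Z app-003 +15550000003 mobile_link
2024-05-01T10:00:12Z app-003 +15550000003 mobile_link
2024-05-01T10:00:13Z app-004 +15550000004 otp
2024-05-01T10:00:14Z app-004 +15550000004 otp
2024-05-01T10:00:15Z app-004 +15550000004 otp
2024-05-01T10:00:16Z app-004 +15550000004 otp
malformed line
"""


def parse_log(text):
    """Yield (applicant_id, phone, sms_type) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("otp", "mobile_link"):
            continue
        _ts, applicant, phone, sms_type = parts
        yield applicant, phone, sms_type


def count_requests(text):
    """Return (per-applicant counts by SMS type, per-phone totals)."""
    per_applicant = defaultdict(lambda: {"otp": 0, "mobile_link": 0})
    per_phone = defaultdict(int)
    for applicant, phone, sms_type in parse_log(text):
        per_applicant[applicant][sms_type] += 1
        per_phone[phone] += 1
    return dict(per_applicant), dict(per_phone)


def flag_pumping(text, alert_threshold=PER_APPLICANT_ALERT):
    """Return {applicant_id: dominant_sms_type} for profiles over the threshold.

    The dominant type points at the control to apply: "otp" at the Phone
    verification levels, "mobile_link" at the WebSDK continue-on-mobile option.
    """
    per_applicant, _ = count_requests(text)
    flagged = {}
    for applicant, counts in per_applicant.items():
        if counts["otp"] + counts["mobile_link"] > alert_threshold:
            flagged[applicant] = max(counts, key=counts.get)
    return flagged


def at_phone_cap(text, cap=PER_PHONE_CAP):
    """Return phone numbers that have already used the default SMS allowance."""
    _, per_phone = count_requests(text)
    return sorted(phone for phone, n in per_phone.items() if n >= cap)


if __name__ == "__main__":
    for applicant, sms_type in flag_pumping(SAMPLE_LOG).items():
        print(f"{applicant}: {sms_type} requests exceed {PER_APPLICANT_ALERT}")
    print("phones at default cap:", at_phone_cap(SAMPLE_LOG))
```

On the constructed sample, `app-003` is flagged for `mobile_link` and `app-004` for `otp`, while `app-002` (two requests) stays under the threshold; only `app-003`'s number has reached the 5-SMS allowance. In practice the same counting would be run against your own SMS dispatch logs, with the applicant identifier rather than the phone number as the primary key, since a single profile can cycle through many numbers.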

Step 1: Identify SMS type

Determine which type of SMS is being used to send the requests. Based on this information, you can choose the best option to secure your verification flows: configuring Phone verification levels, disabling the option to continue on mobile, or implementing both.

To identify SMS pumping, no action is required on your part. Your customer success manager will contact you to inform you of any detected or potential threats.

Step 2: Configure Phone verification levels

To prevent SMS pumping fraud within verification levels that use Phone verification, you can add extra verification steps (such as Liveness or Identity document) that must be completed before the Phone verification step.

Set up the Phone verification levels:

  1. In the Dashboard, open the Individual levels page and find a required level in the list.
  2. Go to the level settings, scroll down to Verification steps.
  3. Click Add new step and select the suitable step type from the list.
  4. Configure the step and place it before the Phone verification step by using drag-and-drop.
  5. Save the changes.
  6. Repeat these steps for each verification level that could be affected.

Note

See the dedicated article for more detailed instructions on verification levels configuration.

Step 3: Disable continuing on mobile

You can turn off the option to send a verification link for continuing the process on a phone for any verification level. This prevents fraudsters from using this method to send SMS.

Create a WebSDK customization:

  1. In the Dashboard, go to Integrations → Customizations.
  2. Click Create customization and select Create WebSDK customization.
  3. In the General tab, scroll down to Additional tweaks and select the Disable continuing on mobile checkbox.
  4. Apply the created customization to a verification level:
    1. Go to the Individual levels page and find the required level in the list.
    2. Navigate to the level settings.
    3. In the General section, locate the Customization settings.
    4. From the WebSDK drop-down list, select the customization you created earlier.
    5. Save the changes.