SMS pumping is a fraud attack where fraudsters inflate traffic by exploiting phone number input fields to receive one-time passcodes or other SMS content. This results in fake traffic to your app with the goal of financial gain. Plivo helps protect you from such attacks through various tools and features.
By default, SMS Pumping Protection is enabled for all Plivo accounts. This feature uses automatic fraud detection to identify and block messages flagged as suspicious due to SMS pumping fraud. It analyzes both current and historical SMS traffic to detect unusual patterns. When traffic fluctuations or known malicious behavior are detected, the system automatically blocks messages sent to phone numbers associated with the suspected fraud.
Other Recommendations to Prevent SMS Pumping Attacks
- Use Geo Permissions and Messaging Thresholds
Geo Permissions restrict SMS traffic to specific countries. Setting Messaging Thresholds limits messages sent to a country, blocking excess traffic and preventing fraud. This also helps you avoid unwanted charges for fraudulent messages.
- Use Plivo Verify with Fraud Shield
For authentication, use Plivo Verify with Fraud Shield enabled. It protects your traffic by analyzing conversion patterns and detecting fraud attempts. Both are free, with only messaging charges applied.
- Detect Bots and Add CAPTCHA
Adding CAPTCHA to your forms can prevent bot-driven attacks. A small friction point like email verification helps block bots without impacting legitimate users.
- Implement Exponential Delays Between Retries
Prevent automated retry scripts by adding exponential delays between SMS retry attempts. This slows down fraud attempts and reduces the likelihood of a successful attack.
- Set Rate Limits
Rate limits by user, IP, or device can slow down fraudsters, discouraging them from continuing the attack. This strategy adds a layer of protection against large-scale abuses.
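One way to combine the last two recommendations, exponential delays between retries and rate limits, in front of the code that sends the SMS. This is an added example, not Plivo code; the class name, the limit values, and the sample phone number and IP address are assumptions.

```python
import math
import time
from collections import defaultdict, deque


class OtpSendThrottle:
    """Gate for an OTP 'send SMS' endpoint. All limits are assumed values."""

    def __init__(self, base_delay=30, max_delay=3600, ip_limit=5,
                 ip_window=600, clock=time.monotonic):
        self.base_delay = base_delay  # wait after the first send (seconds)
        self.max_delay = max_delay    # cap on the doubled delay
        self.ip_limit = ip_limit      # sends allowed per IP per window
        self.ip_window = ip_window    # sliding window length (seconds)
        self.clock = clock            # injectable so tests can control time
        self._sends = defaultdict(int)      # phone -> sends since last reset
        self._next_ok = {}                  # phone -> earliest next send time
        self._ip_hits = defaultdict(deque)  # ip -> times of allowed sends

    def check(self, phone, ip):
        """Return (allowed, retry_after_seconds); records the send if allowed."""
        now = self.clock()
        hits = self._ip_hits[ip]
        while hits and now - hits[0] >= self.ip_window:
            hits.popleft()  # drop sends that have left the window
        if len(hits) >= self.ip_limit:
            return False, math.ceil(hits[0] + self.ip_window - now)
        wait = self._next_ok.get(phone, now) - now
        if wait > 0:
            return False, math.ceil(wait)
        hits.append(now)
        n = self._sends[phone]
        self._sends[phone] = n + 1
        # Delay doubles with each send: base, 2*base, 4*base, ... up to the cap.
        self._next_ok[phone] = now + min(self.base_delay * 2 ** n, self.max_delay)
        return True, 0

    def reset(self, phone):
        """Call after the user enters a correct code."""
        self._sends.pop(phone, None)
        self._next_ok.pop(phone, None)


if __name__ == "__main__":
    fake_now = [0]  # constructed clock and sample values, for demonstration only
    gate = OtpSendThrottle(clock=lambda: fake_now[0])
    for t in (0, 10, 30, 60, 90):
        fake_now[0] = t
        print(t, gate.check("+12025550101", "203.0.113.7"))
```

State is kept in process memory here; a deployment with several app servers would keep the same counters in a shared store.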
With SMS Pumping Protection enabled and the measures above in place, you’ll effectively reduce the risk of SMS pumping attacks. For help with configuration or more information, reach out to our support team.