Subscribe to the Non-Human & AI Identity Journal

How should security teams reduce SMS pumping without hurting signup conversion?

Start by moving channel selection into runtime rules so SMS is only used when risk and coverage justify it. Use passkeys for returning users, route higher-risk destinations to non-SMS channels, and keep SMS as a fallback for first-time verification and recovery. That reduces exposure while preserving completion rates for legitimate users.

Why This Matters for Security Teams

sms pumping is not just a fraud cost problem. It is a control design problem that shows up when verification is tied too rigidly to one expensive channel. Security teams often default to SMS because it is familiar and easy to complete, but that can turn signups into a subsidy for attackers while still failing to improve assurance. NIST SP 800-53 Rev 5 Security and Privacy Controls frames this as an access and verification governance issue, not only a messaging issue.

The practical risk is that high-volume abuse can hide inside apparently healthy conversion metrics. If SMS remains the universal path, attackers can exploit rate limits, regional pricing differences, or automated signup flows to drive cost without needing to defeat strong authentication. The better question is when SMS is actually the right channel, not whether it should exist at all. Current guidance suggests the answer should be context-aware and risk-based, especially for new accounts, high-risk geographies, and recovery flows. For broader NHI and secrets exposure patterns, the Ultimate Guide to NHIs is useful background on why static controls tend to fail at scale. In practice, many security teams discover SMS pumping only after cost spikes and abuse reports, rather than through intentional control testing.

How It Works in Practice

The most effective pattern is to make channel choice a runtime decision. Instead of hard-coding SMS into every signup, evaluate risk signals at the moment of verification and route users to the lowest-friction channel that still meets assurance requirements. That means SMS can remain available, but only as one option in a broader decision tree.

For returning users, passkeys and device-bound authentication can remove the need for repeated SMS verification. For first-time signups, SMS may still be acceptable if the risk score is low and the destination is not known for pumping abuse. For higher-risk destinations, suspicious IP ranges, or unusual signup velocity, route to non-SMS channels such as email, push, or authenticator-based verification. This aligns with the broader move from static rules to policy decisions evaluated in context, which is also reflected in NIST SP 800-53 Rev 5 Security and Privacy Controls.

  • Use step-up rules only when the risk score exceeds a threshold.
  • Throttle by destination, carrier, ASN, device reputation, and signup velocity.
  • Shorten SMS reliance for recovery, then migrate users to stronger channels.
  • Track completion rates separately from abuse rates so fraud does not hide in conversion reporting.

For teams building broader identity governance, the Ultimate Guide to NHIs reinforces a useful lesson: controls that are too static eventually become attack surface. These controls tend to break down when a product operates globally with uneven telco costs and no real-time fraud scoring because attackers can concentrate volume where SMS is cheapest to abuse.

Common Variations and Edge Cases

Tighter channel controls often increase friction, requiring organisations to balance abuse reduction against legitimate user completion. That tradeoff is especially visible in markets where SMS is still the most reliable option for first-time verification or where passkey adoption remains low.

Best practice is evolving on how aggressively to suppress SMS. There is no universal standard for this yet, but current guidance suggests avoiding blanket bans. Some organisations will need SMS as a fallback for accessibility, account recovery, or low-connectivity environments. Others can reduce exposure faster by shifting returning users to passkeys and limiting SMS to exceptional cases. The key is to preserve a clear recovery path while preventing SMS from becoming the default for high-risk traffic.

For operational reporting, separate fraud mitigation metrics from growth metrics. A signup funnel can look healthy while still being heavily abused if the control only measures completion. Security teams should also watch for false positives that block legitimate users in mobile-first regions. The Ultimate Guide to NHIs highlights how long-lived, overexposed identity paths become persistent risk, and the same logic applies to overused verification channels. In practice, the hardest cases are consumer services with global traffic, because a single verification policy rarely fits all telco markets or fraud patterns.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Access verification should adapt to context and risk, not one fixed channel.
NIST AI RMF Runtime channel selection is a governance and measurement problem for adaptive systems.
OWASP Non-Human Identity Top 10 NHI-03 Overexposed verification paths mirror the risks of long-lived, reusable identity material.
OWASP Agentic AI Top 10 A2 Dynamic authorization principles apply to runtime decisions about whether SMS is appropriate.
CSA MAESTRO GOV-2 Adaptive channel governance helps prevent abuse while preserving legitimate completion.

Define risk thresholds, monitor outcomes, and adjust verification policy based on observed abuse.