By NHI Mgmt Group Editorial Team
Published 2026-05-11
Domain: Governance & Risk
Source: Arkose Labs

TL;DR: Artificially inflated traffic fraud exploits online forms and OTP flows to generate illegitimate SMS volume, with attackers profiting from traffic pumping and toll-fraud mechanics, according to Arkose Labs. The pattern shows that verification channels can become revenue targets when abuse controls are weak, even when the underlying identity system is not the primary asset.


At a glance

What this is: Artificially inflated traffic fraud is an abuse pattern where bots manipulate OTP and SMS flows to generate illegitimate traffic and revenue.

Why it matters: It matters because IAM, fraud, and platform teams need controls that protect verification pathways, not just account creation or login journeys, across human and machine-driven abuse.

By the numbers:



Context

Artificially inflated traffic fraud, or AIT, is an abuse pattern that turns verification systems into a monetisation channel. Instead of stealing credentials directly, attackers exploit forms and phone-number fields to trigger OTP messages at scale, then benefit from the SMS delivery chain and the charges it creates.

For IAM and identity teams, the issue is not just fraud loss. It shows that identity verification flows can be gamed before an account is even established, which means anti-abuse controls, SMS routing visibility, and step-up checks need to sit alongside traditional authentication and enrolment governance.


Key questions

Q: How should security teams reduce OTP abuse in high-volume signup flows?

A: Use layered abuse controls before the message is sent. Rate-limit OTP requests, score device and number reputation, and require stronger checks when the same identity path is exercised repeatedly. The goal is to make fraud expensive and noisy before a paid SMS is triggered, not after the billing event has already happened.

Q: Why do OTP-based verification flows attract traffic pumping fraud?

A: Because each request can create a billable SMS event, and attackers can generate that demand at scale with automation. The weakness is the business logic that converts a simple form submission into a paid identity action. When that trigger is weakly governed, the verification path becomes a monetisation channel.

Q: What do teams get wrong about SMS fraud prevention?

A: They focus on message delivery and user experience while underweighting the trigger conditions that create volume. Fraud prevention has to start with the request, the account state, and the behavioural pattern that precedes dispatch. If those signals are not joined up, cost abuse looks like ordinary usage until the bill arrives.

Q: Who is accountable when OTP abuse drives unexpected messaging costs?

A: Accountability usually spans identity, fraud, and communications ownership, because the event sits at the boundary between authentication, user onboarding, and carrier billing. The clearest model is to assign one team ownership of the trigger, one of anomaly response, and one of provider escalation so the gap is not left to chance.


Technical breakdown

How OTP-trigger abuse turns verification into revenue

AIT fraud uses high-volume form submissions, automated phone-number manipulation, and repeated OTP requests to create legitimate-looking message traffic. The attack does not need to break authentication itself. It only needs to exploit the business logic that sends SMS codes on demand. Because each message can generate fees across multiple intermediaries, the attacker can monetise scale while staying one step removed from the final bill. The real weakness is not the OTP mechanism alone, but the lack of abuse throttling around the trigger that creates it.

Practical implication: rate-limit OTP issuance, bind verification to stronger abuse signals, and monitor request bursts by identity, device, and number reputation.
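The following Python gate is an added example written for this summary, not code from Arkose Labs or NHI Mgmt Group. It shows the pre-dispatch control the preceding paragraphs describe: every OTP request is scored on phone, IP and device velocity plus a number-reputation check before any SMS is handed to a provider, and a refused attempt still counts toward velocity so retries are not free. The field names, the thresholds, and the `+999` prefix standing in for a reputation feed are all assumptions.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class OtpRequest:
    """One 'send me a code' attempt as seen at the API edge.
    Field names are illustrative assumptions, not a real schema."""
    phone: str       # destination number in E.164 form
    ip: str          # client IP address
    device_id: str   # opaque client device fingerprint
    ts: float        # unix time of the request


@dataclass
class Decision:
    outcome: str                              # "allow" | "challenge" | "deny"
    reasons: list = field(default_factory=list)


class OtpDispatchGate:
    """Evaluates an OTP request BEFORE any SMS is dispatched.

    Sliding-window counters keyed by phone, IP and device approximate the
    velocity checks; a prefix list stands in for a number-reputation feed.
    Thresholds are illustrative defaults, not tuned production values.
    """

    def __init__(self, window_s=600, per_phone=3, per_ip=10, per_device=5,
                 risky_prefixes=()):
        self.window_s = window_s
        self.per_phone = per_phone
        self.per_ip = per_ip
        self.per_device = per_device
        self.risky_prefixes = tuple(risky_prefixes)  # constructed reputation list
        self.by_phone = defaultdict(deque)
        self.by_ip = defaultdict(deque)
        self.by_device = defaultdict(deque)

    def _recent(self, dq, now):
        # Drop timestamps that fell out of the window; return what remains.
        while dq and now - dq[0] > self.window_s:
            dq.popleft()
        return len(dq)

    def evaluate(self, req: OtpRequest) -> Decision:
        reasons = []
        phone_n = self._recent(self.by_phone[req.phone], req.ts)
        ip_n = self._recent(self.by_ip[req.ip], req.ts)
        dev_n = self._recent(self.by_device[req.device_id], req.ts)

        # Record the attempt whatever the outcome: refused attempts are
        # still velocity signal, otherwise a bot could retry at no cost.
        self.by_phone[req.phone].append(req.ts)
        self.by_ip[req.ip].append(req.ts)
        self.by_device[req.device_id].append(req.ts)

        if phone_n >= self.per_phone:
            reasons.append("phone_velocity")
        if ip_n >= self.per_ip:
            reasons.append("ip_velocity")
        if dev_n >= self.per_device:
            reasons.append("device_velocity")
        if req.phone.startswith(self.risky_prefixes):
            reasons.append("number_reputation")

        # Same number hammered repeatedly, or several independent signals:
        # no SMS at all. One weaker signal: step-up challenge first, and
        # dispatch only if the challenge is passed.
        if "phone_velocity" in reasons or len(reasons) >= 2:
            return Decision("deny", reasons)
        if reasons:
            return Decision("challenge", reasons)
        return Decision("allow", reasons)


def simulate_burst(gate, ip, device, phones, start_ts, gap_s=1.0):
    """Replay a constructed burst of requests, one per second by default,
    and return the outcome strings in request order."""
    outcomes = []
    for i, phone in enumerate(phones):
        decision = gate.evaluate(OtpRequest(phone, ip, device, start_ts + i * gap_s))
        outcomes.append(decision.outcome)
    return outcomes


if __name__ == "__main__":
    gate = OtpDispatchGate(risky_prefixes=("+999",))
    # Constructed sample: one client re-requesting a code for the same number.
    print(simulate_burst(gate, "203.0.113.5", "dev-a", ["+15551230001"] * 5, time.time()))
```

Because the counters are in-process, a real deployment would back them with a shared store so the limits hold across API replicas; the decision logic itself is unchanged.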

SMS traffic pumping and toll fraud as an identity-adjacent abuse path

SMS traffic pumping relies on artificially increasing the volume of outbound messages so that revenue is siphoned through the telecom chain. Toll fraud extends that pattern by exploiting toll-free or shared revenue arrangements. In identity programmes, this matters because verification journeys and account recovery flows can become indirect billing targets. The control problem sits between authentication and communications governance: the organisation may own the identity workflow, but the abuse monetisation happens in the messaging layer and its provider relationships.

Practical implication: map OTP and recovery flows to telecom cost controls, abuse detection, and contractual escalation paths with messaging providers.

Why behavioural detection matters when the attack stays below the auth layer

AIT attacks often look like normal user friction at first glance, which is why static rules alone miss them. Effective detection depends on recognising request cadence, number reuse, device patterns, and velocity anomalies across the enrolment path. The article also points to AI-driven anomaly detection and behavioural biometrics as defensive patterns, but the core technical point is simpler: abuse can be distributed across many low-signal actions that only become visible when correlated. That makes telemetry quality a governance issue, not just a tooling issue.

Practical implication: correlate form telemetry, OTP request volume, and behavioural anomalies before messages are dispatched.
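As an added example of the correlation the paragraph above calls for (written for this summary; not Arkose Labs' or NHI Mgmt Group's code), the Python below runs four detectors over OTP request and verification events: request cadence per source, fan-out to many distinct numbers, runs of sequential phone numbers, and a low verification completion rate. The `key=value` log format, the field names and the thresholds are assumptions, and the sample events are constructed in the code.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def constructed_sample():
    """Constructed log: one legitimate user, then one source cycling through
    twelve consecutive numbers in 22 seconds with no verification."""
    lines = [
        "2026-05-01T10:00:00Z event=otp_request phone=+15557000001 ip=198.51.100.7 device=fp-legit",
        "2026-05-01T10:00:31Z event=otp_verified phone=+15557000001 ip=198.51.100.7 device=fp-legit",
    ]
    base = datetime(2026, 5, 1, 10, 5, tzinfo=timezone.utc)
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} event=otp_request phone=+1555123{i + 1:04d} ip=203.0.113.5 device=fp-bot")
    return "\n".join(lines)


def parse_line(line):
    """'<iso-ts> k=v k=v ...' -> dict with a parsed 'ts' datetime."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return rec


def max_in_window(timestamps, window):
    """Largest number of events falling inside any sliding window."""
    ts = sorted(timestamps)
    best = j = 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def longest_consecutive_run(numbers):
    """Length of the longest run of integers that increase by exactly one.
    Sequential destination numbers are a classic sign of generated input."""
    nums = sorted(set(numbers))
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    return best


def analyse(log_text, burst_n=8, burst_window=timedelta(seconds=60),
            fanout_n=6, seq_n=5, min_for_rate=10, min_rate=0.2):
    """Return (ip, signal, value) findings, sorted by IP. Thresholds are
    illustrative; tune them against your own baseline traffic."""
    per_ip = defaultdict(lambda: {"requests": [], "phones": [], "verified": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        state = per_ip[rec["ip"]]
        if rec["event"] == "otp_request":
            state["requests"].append(rec["ts"])
            state["phones"].append(rec["phone"])
        elif rec["event"] == "otp_verified":
            state["verified"] += 1

    findings = []
    for ip, s in sorted(per_ip.items()):
        n = len(s["requests"])
        burst = max_in_window(s["requests"], burst_window)
        if burst >= burst_n:
            findings.append((ip, "request_burst", burst))
        fanout = len(set(s["phones"]))
        if fanout >= fanout_n:
            findings.append((ip, "number_fanout", fanout))
        run = longest_consecutive_run(int(p.lstrip("+")) for p in s["phones"])
        if run >= seq_n:
            findings.append((ip, "sequential_numbers", run))
        if n >= min_for_rate and s["verified"] / n < min_rate:
            findings.append((ip, "low_completion", round(s["verified"] / n, 2)))
    return findings


if __name__ == "__main__":
    for finding in analyse(constructed_sample()):
        print(finding)
```

Each signal on its own is weak (a family sharing one IP produces some fan-out, a bad network produces some re-requests); the point of the paragraph, and of the example, is that the same source tripping several of them at once is what separates pumping from ordinary friction.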


Threat narrative

Attacker objective: The attacker aims to generate illegitimate revenue by forcing high-cost SMS traffic through verification and messaging workflows.

  1. Entry occurs when attackers target public forms or interfaces that accept phone numbers and initiate OTP delivery.
  2. Escalation happens as automation drives repeated OTP requests and inflated message volume across the SMS delivery chain.
  3. Impact is financial and operational, with businesses absorbing messaging charges while fraudsters monetise the pumping path.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

AIT fraud is an identity abuse problem, not just a telecom billing problem. The article shows that the control failure starts at the verification trigger, where an identity workflow is exposed to automated abuse before any account is established. That makes this a governance issue spanning fraud, IAM, and communications ownership. Practitioners should treat OTP initiation as a privileged action path, not a neutral utility.

Verification journeys need abuse controls that sit before message dispatch. The system is not being broken open in the traditional sense. Instead, attackers exploit the business logic that converts a request into a paid SMS event, which means downstream controls are always late. That pattern aligns with NIST CSF Detect and Protect thinking, but it also exposes a specific identity design flaw: the request itself is trusted too early.

SMS pumping shows how identity assurance can be monetised when the organisation loses sight of the delivery chain. A phone number field may look like a minor interface detail, but at scale it becomes an abuse surface with direct financial impact. The article illustrates identity-triggered billing exposure: a governance gap where identity verification actions carry external cost consequences that are not visible in standard IAM controls. Practitioners need to govern the trigger, the threshold, and the provider relationship together.

Machine-driven abuse collapses the assumption that verification volume reflects legitimate demand. Once automation can create repeated OTP requests cheaply, the old assumption that traffic spikes indicate real user intent no longer holds. That changes how identity programmes should interpret demand signals, especially in consumer-facing enrolment and recovery flows. The implication is that fraud governance must become part of identity architecture, not a separate afterthought.

This pattern broadens NHI thinking because the abused system is often a service workflow, not a human login. The attacker does not need a stolen credential if the organisation allows unauthenticated or weakly challenged requests to create paid identity events. That is relevant to workload identity and service-to-service design as well, because any automated trigger that causes external cost or downstream trust can be gamed. Practitioners should redesign the initiation layer with the same seriousness they apply to privileged access.

From our research:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
  • That same research line shows how fast exposed identity material becomes operationally exploitable, which is why teams should study 52 NHI Breaches Analysis for recurring abuse patterns and control failures.

What this signals

Identity-triggered billing exposure: AIT shows that identity flows can create external cost before any account is trusted, which means fraud controls need to sit inside the enrolment path rather than around the perimeter. For practitioners, that shifts ownership from a narrow authentication team to a broader identity and revenue-protection model.

The practical signal is that OTP volume, carrier cost, and behavioural anomalies should be monitored together, because the attack surface is now the request path itself. Teams that can link identity telemetry to governance patterns of the kind catalogued in the Top 10 NHI Issues will spot abuse earlier.

As message-based verification becomes a monetised abuse channel, service workflows need to be designed with the same scepticism applied to privileged access. The operating assumption should be that any high-frequency identity trigger will be targeted, and controls must make automated abuse uneconomic before delivery occurs.


For practitioners

  • Add abuse controls before OTP dispatch: Throttle OTP sends by phone-number reputation, device fingerprint, IP velocity, and enrolment-stage risk so a request does not immediately become a paid message.
  • Treat verification endpoints as fraud-sensitive controls: Review forms, signup flows, and recovery journeys as revenue-exposed identity paths, then apply challenge logic where repeated requests are cheap to generate.
  • Correlate messaging cost with identity telemetry: Join SMS spend, OTP request volume, and behavioural anomalies in one monitoring view so traffic pumping is visible before charges escalate.
  • Pressure-test provider and carrier dependencies: Map which intermediaries receive value from OTP delivery and build escalation paths for abnormal volume, disputes, and suspected pumping campaigns.
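The third step above, joining SMS spend to OTP telemetry, is the one most teams have no tooling for, so here is an added Python example (written for this summary; not code from Arkose Labs or NHI Mgmt Group). It joins a provider billing export to internal OTP counts by day and destination prefix, then flags prefixes that carry a large share of spend while very few of the codes sent there are ever verified. The CSV column names, the `+999` destination and all figures are constructed, and the thresholds are assumptions.

```python
import csv
import io
from statistics import median

# Constructed provider billing export (column names are assumptions).
BILLING_CSV = """date,destination_prefix,messages,cost_usd
2026-05-01,+1,4000,32.00
2026-05-01,+44,900,27.00
2026-05-01,+999,3500,1400.00
"""

# Constructed internal OTP telemetry aggregated the same way.
TELEMETRY_CSV = """date,destination_prefix,otp_requests,otp_verified
2026-05-01,+1,4100,3600
2026-05-01,+44,920,800
2026-05-01,+999,3500,12
"""


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def join_cost_and_telemetry(billing_csv, telemetry_csv):
    """Left-join billing onto telemetry by (date, prefix). Spend with no
    matching telemetry is kept, with zero requests: unexplained cost is
    itself a finding rather than something to drop silently."""
    telemetry = {(r["date"], r["destination_prefix"]): r for r in load_rows(telemetry_csv)}
    joined = []
    for b in load_rows(billing_csv):
        t = telemetry.get((b["date"], b["destination_prefix"]))
        requests = int(t["otp_requests"]) if t else 0
        verified = int(t["otp_verified"]) if t else 0
        cost = float(b["cost_usd"])
        joined.append({
            "date": b["date"],
            "prefix": b["destination_prefix"],
            "messages": int(b["messages"]),
            "cost_usd": cost,
            "otp_requests": requests,
            "otp_verified": verified,
            "verify_rate": verified / requests if requests else 0.0,
            "cost_per_verified": cost / verified if verified else float("inf"),
        })
    return joined


def flag_pumping(rows, min_cost_share=0.10, max_verify_rate=0.30, cost_multiple=5.0):
    """Flag (date, prefix, cost_share, reasons) where a prefix is at least
    min_cost_share of spend AND codes sent there are rarely verified or
    cost far more per verified code than the median prefix."""
    total = sum(r["cost_usd"] for r in rows)
    baseline = [r["cost_per_verified"] for r in rows if r["otp_verified"]]
    ref = median(baseline) if baseline else 0.0
    flagged = []
    for r in rows:
        share = r["cost_usd"] / total if total else 0.0
        reasons = []
        if r["verify_rate"] < max_verify_rate:
            reasons.append("low_verify_rate")
        if r["cost_per_verified"] > cost_multiple * ref:
            reasons.append("cost_per_verified")
        if share >= min_cost_share and reasons:
            flagged.append((r["date"], r["prefix"], round(share, 2), reasons))
    return flagged


if __name__ == "__main__":
    rows = join_cost_and_telemetry(BILLING_CSV, TELEMETRY_CSV)
    for hit in flag_pumping(rows):
        print(hit)
```

The verification rate is the key joined metric: legitimate destinations convert most sent codes, whereas a pumped destination converts almost none, so cost per verified code rises sharply even when raw message counts look plausible. Run it against the daily export rather than the monthly invoice, since by the time the invoice arrives the conversion has already happened.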

Key takeaways

  • AIT fraud turns OTP and SMS workflows into a direct monetisation channel, which means identity verification and fraud prevention can no longer be governed separately.
  • The article's evidence shows that bot-driven abuse can create severe cost exposure, with some organisations absorbing millions in avoidable messaging losses.
  • The most effective control point is the request trigger itself, because once the SMS is dispatched the attacker has already converted identity traffic into revenue.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is needed to detect OTP abuse patterns and cost anomalies.
NIST CSF 2.0 | PR.AC-4 | Least-privilege access principles apply to the trigger path that initiates paid identity actions.
OWASP Non-Human Identity Top 10 | NHI-03 | Credential and secret abuse patterns map to the wider NHI governance problem of exposed trust paths.

Correlate identity triggers, spend, and behavioural telemetry to spot abuse before message dispatch.


Key terms

  • Artificially Inflated Traffic: A fraud pattern where attackers generate large volumes of seemingly legitimate requests to create revenue, cost, or abuse opportunities. In identity flows, the target is often the trigger that sends OTPs or other paid messages, not the authenticated account itself.
  • SMS Traffic Pumping: An abuse technique that forces excessive SMS delivery volume so that fees are generated across the messaging chain. The attacker profits indirectly by creating demand, while the affected organisation absorbs cost, disputes, and operational noise.
  • Toll Fraud: Unauthorized exploitation of communication services that produces financial loss through manipulated routing or billing relationships. In identity-adjacent abuse, toll fraud often rides on verification or recovery flows that were never designed to resist high-volume automation.
  • OTP Trigger Abuse: The repeated misuse of a one-time password request path to force delivery events, generate cost, or overwhelm a service. The weakness is usually the initiation logic, which treats every request as equally trustworthy until defensive controls are added.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Arkose Labs: Artificially Inflated Traffic Fraud and the nexus of SMS toll scams. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org