By NHI Mgmt Group Editorial Team | Published 2026-05-11 | Domain: General NHI | Source: Arkose Labs

TL;DR: Gig economy platforms are being targeted by bot-driven SMS toll fraud, with attackers using fake signups and premium-rate numbers to trigger irreversible message charges and drain telecom budgets, according to Arkose Labs. The pattern shows that SMS abuse is now a fraud control problem, not just a messaging problem.


At a glance

What this is: This is an analysis of how bot-driven SMS toll fraud exploits gig economy platforms by abusing SMS verification and outbound message flows.

Why it matters: It matters because identity, fraud, and access teams need to treat SMS-based onboarding and verification as an abuse surface, not only a user experience channel.

By the numbers:

👉 Read Arkose Labs' analysis of bot-driven SMS toll fraud in gig platforms


Context

Bot-driven SMS toll fraud turns a routine verification channel into a direct cost sink. In gig economy platforms, SMS is used for MFA, job alerts, support, and reminders, which gives attackers multiple places to inject fake demand and trigger outbound charges.

The identity governance issue is not just that bots exist. It is that SMS workflows often assume the recipient is a legitimate user, so the platform pays the cost before it can prove the session, account, or phone number is real.


Key questions

Q: How should security teams stop SMS toll fraud in high-volume platforms?

A: Security teams should place bot detection and risk scoring before any outbound SMS is triggered. The goal is to prevent fake signups, premium-rate number abuse, and mass OTP requests from ever reaching the billing step. If the platform only reacts after delivery, the financial loss is already locked in.

Q: Why do SMS verification flows attract fraud at scale?

A: SMS verification attracts fraud because it is immediate, widely trusted, and tied to a chargeable delivery channel. Attackers can automate fake account creation, trigger OTP messages, and abandon the flow after the message is sent. That makes SMS both an identity control and a monetisable abuse surface.

Q: What do teams get wrong about CAPTCHA and bot defence?

A: Teams often assume CAPTCHA alone can separate real users from automation. Modern bots can distribute requests, mimic human timing, and route through large pools of infrastructure, so legacy friction is not enough. Effective defence needs behavioural and contextual checks before the SMS request is accepted.

Q: Who should own SMS fraud risk when it affects identity and spend?

A: Ownership should sit across fraud, IAM, and platform teams because the abuse touches onboarding, verification, and telecom cost. If one team only sees user access while another only sees billing, the attack can scale unnoticed. Joint governance is the only practical way to close the loop.


Technical breakdown

How SMS toll fraud works in gig platforms

SMS toll fraud, also called SMS pumping or IRSF, uses automation to create fake accounts or request one-time passcodes through legitimate flows. The attacker supplies premium-rate numbers, causes the platform to send the message, then abandons the flow once verification fires. The abuse works because SMS delivery is irreversible and billing is tied to message initiation, not user legitimacy. In high-volume consumer platforms, that makes outbound SMS an economically exploitable resource rather than just an authentication control.

Practical implication: move SMS behind risk checks that evaluate signup and request legitimacy before any message is sent.

Why CAPTCHAs and legacy friction are not enough

Legacy CAPTCHA-style controls were built for simpler automation and are weak against modern bot farms that rotate infrastructure, mimic human pacing, and distribute requests across many sessions. In this model, the platform is not trying to block every bot after the fact. It needs to distinguish legitimate users from malicious automation before the SMS request is generated. That shifts the control point from post-event detection to pre-send decisioning, which is where fraud costs can still be stopped.

Practical implication: place bot mitigation at the request layer, not only at login or after message delivery.

Why SMS verification is a financial abuse channel

SMS is widely used because it is familiar, immediate, and mobile-native, but those same traits make it attractive for abuse. Attackers can combine fake signups, deceptive job offers, malicious links, and OTP requests to push traffic into paid SMS paths. Because the messages cannot be recalled, the cost lands on the platform even when the recipient is fake. In operational terms, SMS verification becomes a spend control problem tied to identity assurance quality.

Practical implication: treat high-volume SMS activity as a financial risk signal and monitor for abnormal initiation patterns.


Threat narrative

Attacker objective: The attacker seeks to convert automated SMS requests into direct revenue through premium-rate billing and platform expense loss.

  1. Entry occurs when bots create fake accounts through online forms or request OTPs through apps and websites tied to SMS systems.
  2. Escalation happens when attackers use premium-rate phone numbers and scale the requests across many automated sessions.
  3. Impact is irreversible SMS spend, telecom expense inflation, and reputational damage when platform controls fail to stop the abuse early.



NHI Mgmt Group analysis

SMS fraud is an identity assurance failure before it is a messaging problem. The article shows that platforms are paying for outbound verification before they know the request came from a real user. That means the control gap sits at the trust boundary, where account creation, phone validation, and OTP issuance are treated as routine instead of adversarial. Practitioners should read this as a signal that SMS has become a monetised abuse path, not just a delivery channel.

SMS-based onboarding creates a cost-bearing trust gap. Gig platforms often assume that any request reaching the SMS step has already passed enough legitimacy checks. Bot-driven toll fraud breaks that assumption because the attacker’s goal is not account access, but cost extraction through message initiation. The implication is that identity teams and fraud teams must jointly govern message-triggering logic, because spend is now part of the identity risk surface.

Bot detection belongs before the platform commits to outbound messaging. Once the SMS is sent, the economic loss cannot be reversed. That makes pre-send risk scoring, device and session analysis, and behavioural filtering more important than downstream remediation. The practitioner conclusion is straightforward: if a control only reacts after the message exists, it is already too late for this abuse pattern.

SMS toll fraud should be treated as a fraud operations issue with IAM dependencies. The article connects mobile identity, MFA, and sign-up flows to direct financial abuse, which means fraud prevention cannot be isolated from identity governance. The strongest programmes will align access, onboarding, and bot mitigation so that verification channels are protected as business assets, not just authentication utilities.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs, Why NHI Security Matters Now.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why hidden machine identities often become the easiest abuse path.
  • For the broader control model, see NHI Lifecycle Management Guide for lifecycle, revocation, and offboarding practices that reduce standing exposure.

What this signals

SMS abuse is a reminder that identity controls now have direct cost semantics. When attackers can convert verification traffic into paid delivery, the platform’s fraud exposure becomes a governance issue, not just an ops metric. Teams that already manage machine identity and lifecycle risk should extend the same discipline to outbound messaging paths and account creation funnels.

The next step for practitioners is to treat message-triggering workflows like any other privileged action path. If a request can create financial loss before legitimacy is established, it needs pre-authorisation controls, behavioural filtering, and clear ownership across IAM, fraud, and platform operations.


For practitioners

  • Block outbound SMS until request legitimacy is scored: Add pre-send risk checks for new signups, OTP requests, and high-velocity retries so the platform does not pay for suspicious traffic before it can be challenged.
  • Separate identity assurance from delivery assurance: Do not treat successful SMS dispatch as proof of a valid user. Measure request origin, device reputation, and session behaviour before the message is generated.
  • Instrument premium-rate number abuse monitoring: Flag phone-number patterns, carrier anomalies, and rapid abandon rates so telecom fraud can be detected before monthly spend spikes.
  • Align fraud and IAM decision points: Make onboarding, MFA, and account recovery share the same abuse signals so identity controls can stop bot traffic before it reaches the SMS gateway.
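The pre-send decisioning described in the technical breakdown and in the practitioner list above, as an added example that is not part of Arkose Labs' analysis or any platform's code: a gate that scores an OTP request on source velocity, number fan-out within a block, and the block's verified-to-sent ratio, and only then lets the gateway be called. The thresholds, the seven-character prefix granularity, the reason codes and the sample numbers are assumptions chosen for illustration.

```python
# Added example, not Arkose Labs' or any platform's code: a pre-send risk gate that
# scores an OTP request before the SMS gateway is called. Thresholds and the
# prefix granularity are assumptions chosen for illustration.
from collections import defaultdict, deque

class SmsGate:
    def __init__(self, window_s=600, max_per_ip=5, max_fanout=8,
                 min_completion=0.2, min_samples=10):
        self.window_s = window_s              # sliding window for velocity counts
        self.max_per_ip = max_per_ip          # sends one IP may trigger per window
        self.max_fanout = max_fanout          # distinct numbers in one block from one IP
        self.min_completion = min_completion  # verified/sent ratio below which a block is suspect
        self.min_samples = min_samples        # sends needed before that ratio is trusted
        self.by_ip = defaultdict(deque)       # ip -> timestamps of sends
        self.fanout = defaultdict(set)        # (ip, prefix) -> distinct numbers requested
        self.sent = defaultdict(int)          # prefix -> messages actually sent
        self.verified = defaultdict(int)      # prefix -> OTPs later completed

    @staticmethod
    def prefix(e164):
        # Assumed granularity: country code plus the next digits of an E.164 string.
        return e164[:7]

    def decide(self, ip, phone, now):
        """Return ('send', []) or ('challenge', reasons) before any SMS is initiated."""
        p = self.prefix(phone)
        dq = self.by_ip[ip]
        while dq and now - dq[0] > self.window_s:   # drop sends outside the window
            dq.popleft()
        self.fanout[(ip, p)].add(phone)
        reasons = []
        if len(dq) >= self.max_per_ip:
            reasons.append("ip_velocity")
        if len(self.fanout[(ip, p)]) > self.max_fanout:
            reasons.append("number_fanout")          # near-identical numbers from one source
        s, v = self.sent[p], self.verified[p]
        if s >= self.min_samples and v / s < self.min_completion:
            reasons.append("prefix_abandon_rate")    # block is messaged but rarely verified
        if reasons:
            return "challenge", reasons              # step-up or deny; gateway never called
        dq.append(now)
        self.sent[p] += 1
        return "send", reasons

    def record_verified(self, phone):
        self.verified[self.prefix(phone)] += 1       # close the loop when the OTP is entered
```

Because the decision is taken before the gateway call, a "challenge" outcome costs nothing in telecom spend, which is the point of moving the control in front of message initiation.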

Key takeaways

  • Bot-driven SMS toll fraud turns verification flows into a direct financial abuse channel, not just a nuisance traffic problem.
  • The scale matters because the gig economy is growing fast, SMS abuse is already material, and irreversible message costs make recovery impossible.
  • The practical answer is to stop suspicious requests before outbound SMS is sent and to align fraud and IAM governance around the same decision point.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access and verification flows can be abused to trigger fraudulent SMS delivery.
OWASP Non-Human Identity Top 10 | NHI-01 | Bots abusing SMS flows mirror unmanaged non-human request patterns.
NIST Zero Trust (SP 800-207) | | Zero trust requires decisions before trust is extended to a request.

Treat automated sign-up and OTP paths as NHI-adjacent trust boundaries that need pre-send controls.


Key terms

  • SMS toll fraud: SMS toll fraud is the abuse of outbound text messaging to generate unauthorized telecom charges or revenue share payouts. Attackers automate signups or OTP requests, route traffic to premium-rate numbers, and abandon the flow once the message is sent.
  • Premium-rate number: A premium-rate number is a phone number that charges a higher fee for incoming or outgoing message activity. In toll fraud, attackers use these numbers so each platform-generated SMS converts into direct financial loss for the victim organisation.
  • Bot mitigation: Bot mitigation is the use of behavioural, device, and session signals to distinguish automated traffic from legitimate users. In fraud-sensitive workflows, it is a pre-action control that must decide whether a request is allowed to reach a chargeable or privileged step.
  • Outbound verification flow: An outbound verification flow is any process where the platform sends a code, alert, or message to prove identity or trigger engagement. These flows become security-sensitive when the message itself has cost, privilege, or reputational impact.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Arkose Labs: LLMjacking: How Attackers Hijack AI Using Compromised NHIs. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org