By NHI Mgmt Group Editorial TeamPublished 2026-06-26Domain: Governance & RiskSource: Prove Identity

TL;DR: SMS pumping is a revenue-sharing fraud that inflates OTP traffic and verification costs on digital marketplaces, with large-scale campaigns causing phantom sends, referral abuse, and trust-signal corruption, according to Prove Identity. The real control shift is away from sending more codes and toward stopping fraudulent requests before any SMS is triggered.


At a glance

What this is: SMS pumping is a fraud pattern that exploits OTP workflows to generate fake verification traffic and extract SMS costs from digital marketplaces.

Why it matters: It matters because marketplace identity teams often treat phone verification as a low-friction trust signal, yet the same workflow can be weaponised for fraud, cost leakage, and downstream account integrity issues.

By the numbers:

👉 Read Prove Identity's analysis of SMS pumping in digital marketplaces


Context

SMS pumping fraud is an identity and fraud-control problem, not just a telecom billing anomaly. It works by exploiting the economics of OTP delivery, where a platform pays for each verification message whether or not a genuine user ever receives or uses it.

For digital marketplaces, SMS OTP often sits inside onboarding, login, referral, and phone-verification flows that were designed for convenience. That makes the verification path both a trust signal and a monetisation target, which is why phone-intelligence controls now matter to IAM and fraud teams together.

The article frames a familiar failure mode in consumer identity: a control that was acceptable when SMS volume was an overhead cost becomes unsafe when the send event itself can be monetised by attackers. That starting position is typical for marketplaces with high-volume, low-friction onboarding.


Key questions

Q: How should security teams stop SMS pumping before OTP messages are sent?

A: They should move risk scoring in front of message dispatch. That means evaluating device reputation, request velocity, phone-number ranges, and carrier-route risk before any OTP is generated. If the platform only reacts after delivery or billing, the attacker has already converted the verification loop into a cost and fraud channel.

Q: Why is SMS OTP no longer enough for marketplace identity verification?

A: SMS OTP is no longer enough because it confuses delivery of a message with proof of trustworthy identity. Fraudsters can automate requests, exploit premium routes, or abuse SIM-based weaknesses without needing to compromise the legitimate user. Teams need layered checks that assess the request, the route, and the behaviour around the verification event.

Q: What breaks when phone verification is used as a trust signal everywhere?

A: What breaks is governance consistency. Once a phone number is treated as proof of legitimacy for onboarding, referrals, dispute resolution, or worker access, attackers can inflate trust with synthetic numbers and repeatedly cash in on the same weak signal. The result is fraud amplification, not just authentication noise.

Q: Who is accountable when SMS pumping drives fraud losses in a marketplace?

A: Accountability sits across IAM, fraud, and platform teams because the failure spans identity assurance, verification economics, and abuse prevention. The control owner must be whoever governs the verification workflow end to end, including when a request is challenged, blocked, or allowed to trigger an SMS.


Technical breakdown

How SMS pumping exploits OTP verification economics

SMS pumping takes advantage of the fact that OTP systems couple an identity signal with a payable event. The platform asks the telecom ecosystem to deliver a message, but it has limited visibility into whether the delivery path is legitimate, whether the number range is risky, or whether the request came from an automated fraud source. Fraudsters use that gap to drive up message volume against premium routes and extract revenue share from the traffic. The result is not account compromise first, but cost inflation and signal corruption at the verification layer.

Practical implication: move decisioning before message dispatch so the platform can block fraudulent verification requests before SMS is sent.

Why SMS OTP fails as a standalone authentication factor

SMS OTP can still confirm that a phone number exists, but it no longer proves much about the user behind it. SIM swapping, number recycling, and carrier-routing opacity all weaken the assurance value of the channel. NIST SP 800-63B has already deprecated SMS as a sole high-assurance factor because the channel is vulnerable to interception, redirection, and social-engineering abuse. For marketplace IAM, that means phone verification should be treated as one signal among many, not as an identity foundation.

Practical implication: treat SMS as a weak assurance signal and layer it with device, carrier, and behavioural checks.

How carrier-level phone intelligence changes the control model

Phone intelligence shifts the control point from post-send reconciliation to pre-send risk evaluation. Instead of waiting for delivery callbacks and invoice analysis, the platform can use carrier data, number-range reputation, and routing intelligence to identify high-risk requests before initiating an OTP. That matters because SMS pumping is often invisible at the application layer and only obvious after cost has accumulated. The control is therefore less about stronger MFA and more about preventing fraudulent traffic from entering the verification loop.

Practical implication: integrate carrier intelligence into registration and login decisioning, especially for high-cost international routes.


Threat narrative

Attacker objective: The attacker’s objective is to generate revenue from fraudulent SMS traffic while simultaneously abusing the verification workflow for incentives and synthetic account creation.

  1. Entry occurs when bots or automated scripts submit fabricated or harvested phone numbers into registration or login flows that trigger OTP sends.
  2. Escalation occurs when attackers concentrate traffic on premium number ranges or grey routes, multiplying verification volume and monetising each send through carrier revenue-sharing.
  3. Impact is realised through inflated SMS spend, referral abuse, synthetic account creation, and corrupted phone-number trust signals across the marketplace.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SMS pumping is a trust-signal attack before it is a fraud attack. The platform is not merely paying for wasted messages, it is letting a verification control become a revenue target and a source of downstream identity distortion. Once phone ownership is treated as a standing trust signal, referral logic, onboarding gating, and fraud scoring can all be manipulated from the same weak point. Practitioners should treat the verification send itself as part of the attack surface.

SMS OTP has moved from weak assurance to actively exploitable infrastructure. The channel was designed for broad reach, not for resisting industrialised abuse across bot traffic, grey routes, and premium carrier economics. NIST SP 800-63B’s deprecation of SMS as a sole factor reflects that shift, but many marketplace programmes still behave as though SMS cost and SMS trust can be analysed separately. They cannot.

Number-range reputation is the missing governance layer in consumer identity. A verification flow that sees only the phone number and not the route, carrier, or historical abuse pattern is blind to the actual fraud economy. That blindness is structural, not accidental, because the monetisation opportunity sits in the telecom layer outside the application’s default field of view. Teams should recognise phone intelligence as an identity control, not a fraud add-on.

SMS pumping exposes a marketplace-specific version of identity blast radius. One abused verification flow can create fake users, consume referral incentives, and degrade the reliability of phone-based trust decisions at the same time. The wider lesson is that consumer identity controls cannot be judged only by authentication success rates; they must be judged by what they enable at scale when adversaries turn the channel into a business model.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • The 2026 Ultimate Guide to NHIs helps teams map where trust assumptions fail across identity lifecycles and control boundaries.

What this signals

SMS pumping is a signal-quality problem as much as a fraud problem. Once a verification path can be monetised, security teams need to watch cost per verification, destination routing patterns, and incentive abuse as first-class identity metrics. That aligns with broader IAM practice where the control outcome matters more than the nominal success of the check.

Phone intelligence belongs in the identity stack, not only in the fraud stack. Marketplace teams that separate the two usually discover abuse only after invoices or incentive losses arrive. A better operating model is to treat carrier reputation, number-range behaviour, and verification friction as part of the same governance surface.

Teams that want a wider governance baseline should pair this topic with the Top 10 NHI Issues and the Ultimate Guide to NHIs , Why NHI Security Matters Now, because both explain why identity controls fail when signal quality and control ownership are fragmented.


For practitioners

  • Move fraud decisioning before OTP dispatch Block or challenge high-risk verification requests before any SMS is sent, especially where traffic patterns, device fingerprints, or number ranges diverge from normal onboarding behaviour.
  • Score number ranges and carrier routes Use carrier intelligence, destination reputation, and premium-route detection to distinguish legitimate user verification from traffic patterns associated with SMS pumping.
  • Reassess SMS as a primary trust signal Stop using SMS verification as the default proof of user quality for referrals, incentives, and worker onboarding when the same channel can be monetised by attackers.
  • Limit incentive exposure on phone verification Require additional checks before issuing referral credits, sign-up bonuses, or other rewards that can be farmed through automated verification loops.
  • Instrument verification-cost monitoring Track per-route send volume, cost per verified user, and anomaly spikes so finance and security can detect pumping before monthly invoices reveal the damage.

Key takeaways

  • SMS pumping turns an identity verification step into a monetised fraud surface, which is why marketplaces need pre-send controls instead of better post-send reporting.
  • The scale problem is economic as much as technical, because fake verification traffic can drain budget, distort trust signals, and fund referral abuse at the same time.
  • Teams should treat carrier intelligence, route reputation, and verification-cost telemetry as part of the identity control plane, not as optional fraud tooling.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BSMS OTP deprecation is central to this article's authentication critique.
NIST CSF 2.0PR.AC-7The article is about limiting trust decisions based on weak identity assurance.
NIST SP 800-53 Rev 5IA-5Authenticator management is relevant where OTP channels are abused or over-relied upon.
NIST Zero Trust (SP 800-207)The article challenges the assumption that a single verification event establishes trust.

Re-evaluate trust decisions that rely on one-time verification rather than continuous risk assessment.


Key terms

  • SMS Pumping: SMS pumping is a fraud scheme that generates artificial verification traffic to force a platform to send messages that the attacker can monetise indirectly. In identity terms, it turns a verification control into a cost and abuse channel, especially where the platform pays per message and cannot see the downstream route clearly.
  • Phone Intelligence: Phone intelligence is the use of carrier, routing, and number-quality data to assess whether a phone number is likely to represent a legitimate user. In practice, it helps teams decide whether to send, challenge, or block an OTP before the message becomes a fraud event.
  • OTP Workflow: An OTP workflow is the end-to-end process that generates, delivers, and validates a one-time passcode for verification or authentication. For consumer identity programmes, it is not just an authentication feature, but also a fraud surface that can be targeted for cost inflation, automation abuse, and trust manipulation.
  • Trust Signal: A trust signal is any identity indicator a system uses to infer legitimacy, risk, or entitlement. Phone verification is a common example, but when a signal is easy to automate or monetise, it should be treated as one input among several rather than as proof of user trustworthiness.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • The request-level mechanics of SMS pumping across registration, login, and phone-change flows.
  • The carrier and routing patterns that make premium-range abuse financially attractive.
  • The practical role of phone intelligence and passive verification in reducing OTP-triggered fraud.
  • The article's cost examples and marketplace-specific abuse scenarios for teams building a business case.

👉 The full Prove Identity post covers the attack mechanics, fraud economics, and phone-intelligence controls in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org