By NHI Mgmt Group Editorial Team
Published 2026-05-11
Domain: Governance & Risk
Source: Arkose Labs

TL;DR: SMS toll fraud turns authentication traffic into a cost-extraction channel, and attackers use automated account creation plus premium-rate numbers to trigger large volumes of SMS messages. Arkose Labs cites global losses of more than $6.7 billion in 2021, showing that identity verification workflows can become a financial liability when bot pressure is not controlled. The real issue is not code delivery, but unmanaged trust in SMS-based verification paths.


At a glance

What this is: This analysis shows how SMS toll fraud abuses authentication workflows to generate premium-rate messaging costs at scale.

Why it matters: It matters because identity teams that still rely on SMS for verification, fraud control, or step-up auth need to treat messaging flows as a governance surface, not just a delivery mechanism.



Context

SMS toll fraud, also called SMS pumping, is a fraud pattern that turns legitimate authentication messaging into a revenue leak. The attacker does not need to steal accounts first. Instead, they use automation to trigger SMS messages to premium-rate numbers, leaving the business to pay the bill while the fraudster shares the proceeds with a colluding carrier.

For IAM and fraud teams, the core issue is that SMS-based verification was designed for user validation, not adversarial volume testing. Once bots can create accounts at scale and influence who receives the message, the identity control becomes part of the attack path. That makes the problem relevant to MFA design, bot management, and operational resilience across customer identity programmes.


Key questions

Q: How should security teams stop SMS toll fraud without disrupting real users?

A: Focus on risk-based controls before the message is sent. Use behavioural signals from account creation, device reputation, velocity, and number quality to block automated traffic early. Keep the user journey as light as possible for genuine users, but do not rely on CAPTCHA alone, because modern bots can bypass basic challenge-response checks.

Q: Why do SMS-based verification flows create fraud and cost risk?

A: Because each verification message has a direct delivery cost, attackers can turn authentication into a billing attack by forcing large numbers of messages to premium-rate destinations. The risk grows when organisations assume SMS is only a security control. In practice, it is also a financial exposure channel that can be weaponised at scale.

Q: What do teams get wrong about CAPTCHA in SMS fraud prevention?

A: They often treat CAPTCHA as a sufficient bot filter, but advanced automation can adapt to simple challenges and timing checks. That creates a false sense of control. The better approach is layered detection that combines behaviour analysis, rate intelligence, and number screening before verification traffic is initiated.

Q: Who is accountable when SMS fraud drives regulatory penalties or service disruption?

A: Accountability usually sits across IAM, fraud operations, security, and customer onboarding teams because the control failure spans identity design, abuse detection, and telecom cost governance. Financial institutions also need clear ownership for third-party carrier exposure and compliance reporting, since the harm can extend beyond fraud losses into operational and regulatory impact.


Technical breakdown

How SMS toll fraud converts verification into a billing attack

SMS toll fraud works by abusing workflows that send OTPs or verification codes to phone numbers controlled by attackers or their partners. The business thinks it is verifying a user, but the real transaction is a message sent to a premium-rate destination. The attacker benefits from scale, not depth. When the flow is automated, the same trigger can be repeated thousands of times, turning a low-cost verification action into a high-cost communications event. This is why SMS pumping is less about credential theft and more about trust exploitation in message routing.

Practical implication: treat outbound SMS verification as a metered exposure path and monitor for abnormal message initiation patterns.

Why bots defeat conventional CAPTCHA and rate controls

The article describes a common failure mode in fraud defence: legacy CAPTCHA and coarse rate limiting do not reliably separate genuine users from modern bot traffic. Advanced bots can adapt timing, volume, and interaction patterns to look human enough to pass simple controls. Because the attack happens before the message is sent, detection that waits for downstream fraud signals arrives too late. The control problem is therefore upstream classification, not just post-event investigation. Effective defence depends on recognising malicious automation before the OTP leaves the organisation.

Practical implication: move fraud controls to account creation and message initiation, not only to downstream reconciliation.

Why premium-rate carrier collusion changes the threat model

SMS toll fraud is not just a bot problem. It can involve colluding mobile network operators or other intermediaries that share the message revenue. That raises the operational risk because the fraud appears to follow normal telecom routes while silently monetising each verification event. Traditional user-facing controls cannot see that commercial layer. The result is a blended threat that combines automation, telecom abuse, and financial leakage. For practitioners, the important distinction is that the attacker does not need to compromise identity state if they can weaponise the delivery channel itself.

Practical implication: include carrier routing, premium-rate exposure, and fraud economics in your control review.


Threat narrative

Attacker objective: The attacker aims to generate revenue from premium-rate SMS traffic while shifting the cost and operational burden onto the victim organisation.

  1. Entry occurs when attackers use automated bots to create fake accounts and feed premium-rate phone numbers into SMS verification workflows.
  2. Escalation happens as the automation adapts timing and frequency to trigger more messages while avoiding simple rate limits and outdated CAPTCHA checks.
  3. Impact follows when the organisation absorbs a large telecom bill, suffers operational disruption, and faces fraud, regulatory, and reputational consequences.



NHI Mgmt Group analysis

SMS toll fraud is a governance failure, not just a fraud event. The attack succeeds because organisations treat outbound SMS as a benign verification utility rather than a monetisable attack surface. That assumption breaks once bots can trigger messages at scale and external carriers can profit from the traffic. The implication is that identity governance must account for message economics, not only authentication success rates.

Legacy SMS-based MFA creates a cost-bearing trust path. SMS was built as a convenience channel for human verification, but the article shows how easily that path can be bent into a billing attack. When verification depends on the organisation paying per message, abuse becomes financially self-funding. Practitioners should recognise that the weakness is structural, not merely operational.

Bot management now belongs in identity assurance, not just fraud operations. The article ties automated account creation directly to SMS abuse, which means the point of failure sits before the verification message is even sent. That makes bot detection part of identity control design, especially for customer onboarding and MFA flows. Teams should treat upstream traffic quality as part of assurance architecture.

Smart containment beats post-incident recovery in SMS pumping. Once the message has traversed the telecom network, the cost is already incurred and recovery is limited. This is why controls that identify malicious initiation early are more effective than clean-up after the bill arrives. Practitioners should align prevention with the point where fraud becomes economically irreversible.

Verification channels need blast-radius thinking. SMS pumping shows how a single identity channel can create outsized financial and regulatory exposure when abused at volume. The named concept here is verification-channel blast radius: the amount of cost, disruption, and compliance risk generated when a message-based trust path is weaponised. Security teams should use that lens when reviewing any flow that charges per transaction.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37%, according to the same research.
  • For a broader breach lens, review The 52 NHI breaches Report to compare recurring identity failure patterns with this attack path.

What this signals

The lesson for practitioners is that verification channels behave like governed assets, not neutral plumbing. When SMS is used in onboarding or step-up flows, teams should measure abuse in terms of initiation volume, destination quality, and fraud economics, then connect those signals to IAM and fraud ownership rather than leaving them in separate operational silos.

Verification-channel blast radius: organisations need a way to estimate how much cost and compliance exposure a single abused identity channel can generate before the incident becomes visible. That concept belongs alongside bot controls, carrier oversight, and identity assurance reviews because the business impact is often larger than the technical event itself.


For practitioners

  • Instrument SMS initiation for abuse signals: Track message volume, number prefixes, session velocity, and repeated verification attempts from the same device or network range. Build alerts around abnormal initiation patterns rather than waiting for chargeback data or user complaints.
  • Move bot controls upstream of message delivery: Apply bot detection at account creation and before OTP generation so fraudulent traffic is interrupted before the telecom bill starts to accumulate. Use risk-based checks that evaluate behaviour, not just form submission.
  • Review reliance on SMS for high-risk verification: Map where SMS still carries critical authentication or account recovery flows, then decide whether those journeys need stronger step-up options for high-value transactions and onboarding. Prioritise the paths that create the largest billing exposure.
  • Add carrier and premium-rate oversight to fraud reviews: Include telecom routing, premium-rate destinations, and third-party carrier relationships in control testing. A technically valid SMS journey can still be economically abusive if the receiving number and commercial terms are not governed.
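A concrete form of the pre-send gate described in the "Practical implication" notes of the technical breakdown and in the first two bullets above, written as an added example that is not code from the Arkose Labs article or NHI Mgmt Group. The blocked-prefix list, the thresholds, and the traffic sample are constructed placeholders; a production gate would draw them from the tenant's numbering-plan data and observed baselines.

```python
# Added example, not from the Arkose Labs article or NHI Mgmt Group: a pre-send risk gate
# for SMS OTP initiation. Prefix list, thresholds and sample events are constructed.
from collections import defaultdict
from dataclasses import dataclass

BLOCKED_PREFIXES = ("+882", "+979")  # constructed placeholder list of high-risk ranges
MAX_PER_NUMBER = 3     # OTP sends to one destination per window
MAX_PER_SOURCE = 5     # sends per client IP / device fingerprint per window
MAX_PER_PREFIX = 10    # sends into one number range per window
WINDOW_SECONDS = 600

@dataclass
class SendRequest:
    ts: int       # epoch seconds
    source: str   # client IP or device fingerprint
    number: str   # destination in E.164 form

class OtpGate:
    """Decides before hand-off to the carrier; every attempt is counted, sent or not."""
    def __init__(self):
        self.by_number, self.by_source, self.by_prefix = (defaultdict(list) for _ in range(3))
        self.alerts = []   # abnormal-initiation events for the fraud / IAM queue
    def _count(self, bucket, key, now):
        # Drop timestamps outside the window, add this attempt, return the window count.
        bucket[key] = [t for t in bucket[key] if now - t < WINDOW_SECONDS] + [now]
        return len(bucket[key])
    def _block(self, req, reason):
        self.alerts.append(f"{req.ts} {reason} {req.number} from {req.source}")
        return f"block:{reason}"
    def decide(self, req):
        """Return 'send' or 'block:<reason>' for one OTP initiation request."""
        prefix = req.number[:4]  # crude range key: country code plus first digit
        checks = ((self._count(self.by_number, req.number, req.ts), MAX_PER_NUMBER, "number_velocity"),
                  (self._count(self.by_source, req.source, req.ts), MAX_PER_SOURCE, "source_velocity"),
                  (self._count(self.by_prefix, prefix, req.ts), MAX_PER_PREFIX, "prefix_velocity"))
        if req.number.startswith(BLOCKED_PREFIXES):
            return self._block(req, "premium_prefix")
        for count, limit, reason in checks:
            if count > limit:
                return self._block(req, reason)
        return "send"

def run_sample():
    """Constructed traffic: one genuine user, a bot on a blocked range, the same bot cycling numbers, distributed retries on one number."""
    gate = OtpGate()
    events = [SendRequest(1000, "198.51.100.7", "+447700900123")]
    events += [SendRequest(1000 + i, "203.0.113.9", f"+8821500{i:04d}") for i in range(4)]
    events += [SendRequest(1100 + i, "203.0.113.9", f"+3319900{i:04d}") for i in range(8)]
    events += [SendRequest(1200 + i, f"10.0.0.{i}", "+447700900555") for i in range(5)]
    return [gate.decide(e) for e in events], gate.alerts
```

The gate counts blocked attempts too, so a bot that keeps retrying after a prefix block still trips the per-source limit instead of resetting its own baseline.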

Key takeaways

  • SMS toll fraud turns identity verification into a monetised attack path, which means the control problem sits in both IAM and fraud operations.
  • The article's evidence shows that automated abuse can scale fast enough to create material financial losses before traditional detection catches up.
  • Teams should treat outbound verification channels as governed exposures and shift controls upstream, where the fraud is still preventable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | SMS verification abuse shows why access controls need abuse-aware enforcement.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Continuous verification fails if SMS becomes a cost-bearing attack channel.
NIST SP 800-63 | | The article centers on authentication delivery choices and their security tradeoffs.

Reassess SMS as an authenticator for high-risk journeys and prefer stronger phishing-resistant options where possible.


Key terms

  • SMS Toll Fraud: A fraud pattern where attackers trigger large volumes of verification SMS messages to premium-rate destinations so the victim pays the telecom charges. The abuse often starts with automated account creation or fake registrations and can create both financial loss and regulatory exposure before detection catches up.
  • Premium-Rate Destination: A phone number or routing path that generates revenue for the receiver or carrier when messages are sent to it. In fraud scenarios, attackers exploit these destinations to convert normal verification traffic into a billing attack that looks legitimate from the sender's side.
  • Verification-Channel Blast Radius: The amount of cost, operational disruption, and compliance exposure that a single abused verification path can create. The term helps teams judge whether an authentication channel is safe enough for high-volume use, especially when each message has a direct financial cost.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Arkose Labs: SMS toll fraud and automated verification abuse. Read the original.
