TL;DR: SMS toll fraud is driving hidden losses for social media platforms that rely on SMS verification, with one company saving $3 million per month after blocking malicious bot traffic, according to Arkose Labs. The deeper issue is that verification channels built for trust can be turned into revenue leakage when bot activity scales faster than detection and rate controls.
At a glance
What this is: This is an analysis of SMS toll fraud, where attackers use bot-driven verification abuse to force costly SMS traffic and drain platform revenue.
Why it matters: It matters to IAM practitioners because identity verification flows, especially SMS-based ones, can become fraud and cost-exposure points when they are not defended as part of the broader identity lifecycle.
👉 Read Arkose Labs' analysis of SMS toll fraud and verification abuse
Context
SMS toll fraud is a fraud and identity abuse problem, not just a telecom billing issue. Attackers exploit verification flows by creating fake accounts or triggering OTP requests at scale, then routing messages to premium-rate numbers that generate revenue for the attacker or an accomplice.
For IAM teams, the lesson is that authentication channels have economic attack surfaces as well as security ones. When SMS remains a high-volume verification path, the organisation inherits both abuse risk and silent cost leakage unless bot pressure, rate limits, and number validation are part of the control model.
This is a classic case of identity-adjacent fraud where the control failure is upstream of account compromise. The starting position is typical for consumer platforms that still depend heavily on SMS verification.
Key questions
Q: How should security teams reduce SMS toll fraud in user verification flows?
A: Start by treating SMS verification as an abuse-prone workflow, not a trusted default. Put bot detection, rate limiting, premium-rate screening, and geographic controls in front of message issuance. Then measure cost leakage alongside authentication success so fraud, IAM, and security teams can see whether verification traffic is being gamed.
Q: Why do SMS verification systems attract fraud and billing abuse?
A: Because the attacker does not need to steal credentials to create loss. They only need to trigger enough outbound messages to expensive destinations. When identity workflows can be driven by automation at scale, the organisation pays for every successful request, even if no account is ever created.
Q: What do organisations get wrong about SMS-based 2FA and fraud risk?
A: They often measure SMS verification as an identity feature rather than an economic exposure. That misses the fact that bot traffic can exploit the channel to generate direct charges, suppress legitimate onboarding, and hide in normal-looking registration activity until billing reveals the damage.
Q: Who should own SMS toll fraud response when it happens?
A: Ownership should sit across fraud, IAM, and security operations because the failure spans identity assurance and financial loss. The right response is to contain the traffic source, block risky number ranges, and review whether SMS should remain a default verification method for the affected journey.
Technical breakdown
How SMS toll fraud converts verification into revenue leakage
SMS toll fraud works by abusing user verification workflows at scale. Bots submit registrations or OTP requests, often with premium-rate numbers, then abandon the session after triggering outbound messages. Because the business cannot recall sent SMS traffic, every successful request creates immediate cost. The technical issue is not credential theft but forced message generation through automated abuse of a trusted workflow. Premium-rate routing and international numbering make the charge amplification worse, especially when detection only happens after volume spikes.
Practical implication: treat SMS verification as a metered resource and instrument it for abuse, not just authentication success.
Bot-driven registration abuse and verification bypass
Attackers rarely need to defeat the identity system itself. They instead industrialise fake sign-ups, form fills, and OTP retries until the platform’s own workflow produces the expensive action. Human-like automation can mimic normal registration patterns just enough to avoid superficial checks. The result is a verification pipeline that is technically functioning but economically compromised. Once attackers can generate volume faster than defenders can distinguish genuine users from bots, the organisation is paying for the attack as it occurs.
Practical implication: add bot detection and behavioural gating at registration and login touchpoints before the SMS request is issued.
Premium-rate number screening and rate control
The strongest technical controls in this pattern are preventive filters on the request path. Premium-rate number detection blocks the highest-risk destinations, geographical restrictions stop requests to unsupported regions, and rate limiting caps the number of SMS messages per account, IP, device, or time window. Verification delays make retries less useful, reducing the attacker’s ability to rapidly iterate. These controls work because the attack depends on scale and speed, not persistence or stealth inside the account.
Practical implication: enforce destination validation, velocity limits, and retry throttling before SMS is dispatched.
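The three preventive filters above, as an added example in Python (not code from the Arkose Labs article or this post): destination validation, per-account/IP/device velocity caps over a sliding window, and exponential retry back-off, all evaluated before any SMS is dispatched. The premium-rate prefixes, supported country codes and limits are constructed placeholders.

```python
"""Pre-dispatch gate for SMS verification requests (added example, not code from
the Arkose Labs article or this post). Prefixes, country codes and limits are
constructed placeholders, not a production deny-list."""
from collections import defaultdict, deque

PREMIUM_RATE_PREFIXES = ("+1900", "+44906", "+44909")   # constructed placeholders
ALLOWED_COUNTRY_CODES = ("+1", "+44", "+49")            # constructed placeholders
WINDOW_SECONDS = 3600                                    # sliding velocity window
LIMITS = {"account": 3, "ip": 10, "device": 5}          # max dispatches per key/window
BASE_BACKOFF_SECONDS = 30                                # doubles on every retry


class SmsGate:
    def __init__(self):
        self._hits = defaultdict(deque)  # "kind:value" -> dispatch timestamps
        self._retries = {}               # account -> (last_dispatch_ts, retry_count)

    def _count(self, key, now):
        """Drop timestamps outside the window and return the remaining count."""
        q = self._hits[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def check(self, account, ip, device, phone, now):
        """Return (allowed, reason). A request is recorded only when it dispatches,
        so blocked traffic does not consume the caller's quota."""
        # 1. Destination validation: cheapest check first, before any SMS cost.
        if phone.startswith(PREMIUM_RATE_PREFIXES):
            return False, "premium_rate"
        if not phone.startswith(ALLOWED_COUNTRY_CODES):
            return False, "unsupported_destination"
        # 2. Velocity limits across the identifiers a bot farm must vary.
        keys = (("account", account), ("ip", ip), ("device", device))
        for kind, value in keys:
            if self._count(f"{kind}:{value}", now) >= LIMITS[kind]:
                return False, f"rate_limit_{kind}"
        # 3. Retry back-off: the gap between OTP re-sends doubles each time.
        last, n = self._retries.get(account, (None, 0))
        if last is not None and now - last < BASE_BACKOFF_SECONDS * 2 ** (n - 1):
            return False, "retry_backoff"
        for kind, value in keys:
            self._hits[f"{kind}:{value}"].append(now)
        self._retries[account] = (now, n + 1)
        return True, "dispatch"
```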
Threat narrative
Attacker objective: convert a platform’s verification traffic into direct financial loss while suppressing legitimate user access.
- Entry begins when bots create fake accounts or submit repeated OTP requests through registration and login forms tied to SMS verification.
- Escalation occurs when the attacker uses premium-rate or international numbers at high volume, turning each verification event into a cost-bearing outbound message.
- Impact lands as inflated telecom charges, blocked legitimate sign-ups, and revenue leakage that only becomes visible after billing reconciliation.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SMS verification is not a neutral identity control when attackers can turn it into a billing engine. The article shows that the control path itself becomes the loss path when bots can repeatedly trigger outbound messages. This reframes SMS as an identity-adjacent fraud surface rather than a simple second factor, and practitioners should treat the request path as financially sensitive infrastructure.
Bot suppression is the governance boundary, not a downstream optimisation. The platform did not lose money because authentication failed in the traditional sense. It lost money because automated traffic was allowed to reach the message dispatch stage at scale, which means the real governance problem is abuse containment before verification is invoked.
Premium-rate number exposure creates a hidden identity cost model that most IAM programmes do not measure. Traditional IAM metrics track access success, failure, and enrolment, but they rarely track the unit economics of verification abuse. That leaves security and fraud teams operating with blind spots, and the practitioner conclusion is to measure the cost of identity events, not only their security outcomes.
SMS toll fraud illustrates the overlap between fraud operations and IAM governance. The same verification flow can be legitimate onboarding, bot abuse, or account enumeration depending on behaviour and destination patterns. That makes fraud controls part of identity assurance, and teams that separate them too cleanly will miss the attack until the invoice arrives.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- For teams building stronger identity controls, Top 10 NHI Issues frames the governance patterns that let machine and workflow identities become abuse paths.
What this signals
Verification abuse will keep shifting from a pure fraud problem to an identity governance problem. As platforms automate more onboarding and recovery flows, the security team needs controls that inspect behaviour before a message is sent, not only after accounts are created. That means tighter joining-point controls, better destination screening, and clearer ownership between IAM and fraud teams.
The operational signal to watch is simple: if SMS costs rise faster than legitimate sign-ups, verification is being gamed. Platforms should pair that metric with blocked request volume, retry suppression, and challenge pass rates so the control plane reflects abuse pressure rather than only user success.
Identity programmes that ignore economics will miss this class of abuse. Even when authentication works, the organisation can still lose money, brand trust, and conversion volume through the same workflow. That is why identity assurance now needs cost telemetry, not just access telemetry.
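The operational signal described above (and the cost-metric item under "For practitioners"), as an added Python example that is not the article's or this post's code: a telemetry pass over constructed event lines that aggregates SMS spend, completed sign-ups and blocked requests per hour, then flags hours where spend per completed sign-up exceeds twice the baseline hour. The event format, prices and threshold are assumptions.

```python
"""Verification cost telemetry (added example, not from the Arkose Labs article or
this post); event format, prices and threshold are constructed for illustration."""
from collections import defaultdict

# Constructed events, "hour,event,cost_usd": hour 1 is normal traffic, hour 2 is
# bot-driven volume to costly destinations with one completion, hour 3 is normal.
SAMPLE_EVENTS = """\
1,sms_sent,0.02
1,signup_completed,0
1,sms_sent,0.02
1,signup_completed,0
2,sms_sent,0.35
2,sms_sent,0.35
2,sms_sent,0.35
2,sms_sent,0.02
2,signup_completed,0
2,sms_blocked,0
2,sms_blocked,0
3,sms_sent,0.02
3,signup_completed,0
"""

def summarise(lines):
    """Aggregate SMS count, spend, completed sign-ups and blocked requests per hour."""
    hours = defaultdict(lambda: {"sms": 0, "cost": 0.0, "signups": 0, "blocked": 0})
    for line in lines.strip().splitlines():
        hour, event, cost = line.split(",")
        h = hours[int(hour)]
        if event == "sms_sent":
            h["sms"] += 1
            h["cost"] += float(cost)
        elif event == "signup_completed":
            h["signups"] += 1
        elif event == "sms_blocked":
            h["blocked"] += 1
    return dict(hours)

def flag_abuse(hours, baseline_hour, max_ratio=2.0):
    """Flag hours whose spend per completed sign-up exceeds the baseline hour by
    more than max_ratio; any spend with zero sign-ups is flagged as well."""
    base = hours[baseline_hour]
    base_cps = base["cost"] / base["signups"]  # baseline hour must have sign-ups
    flagged = []
    for hour in sorted(hours):
        cur = hours[hour]
        cps = cur["cost"] / cur["signups"] if cur["signups"] else float("inf")
        if hour != baseline_hour and cur["cost"] > 0 and cps > base_cps * max_ratio:
            flagged.append({"hour": hour, "cost_per_signup": round(cps, 2),
                            "sms": cur["sms"], "blocked": cur["blocked"]})
    return flagged
```

Reporting the flagged hours next to blocked-request counts gives fraud, security and IAM teams the shared view the post calls for: spend that outruns completions is the abuse signal, and blocked volume shows whether the controls are absorbing it.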
For practitioners
- Instrument SMS request velocity by user and device: track request bursts across account, IP, device fingerprint, geography, and carrier so that abnormal verification volume is blocked before messages are sent.
- Block premium-rate destinations at the verification layer: validate phone numbers before dispatch and deny known premium-rate or unsupported international ranges in the SMS request workflow.
- Move bot detection ahead of OTP issuance: apply behavioural checks and challenge logic at registration and login touchpoints so suspicious sessions are stopped before an SMS is generated.
- Set hard caps and retry delays on verification traffic: limit message volume per time window and introduce back-off between retries to reduce the economic viability of automated abuse.
- Measure identity fraud as a cost metric: report SMS fraud charges, blocked verification attempts, and false-registration rates together so fraud, security, and IAM teams share one operating picture.
Key takeaways
- SMS toll fraud turns identity verification into a direct financial attack surface, especially where bots can trigger messages at scale.
- The reported $3 million monthly savings show that blocking malicious verification traffic can have immediate economic impact, not just security value.
- Teams should put bot detection, destination screening, rate limits, and retry controls in front of SMS issuance to reduce abuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Verification abuse exploits access and authentication workflows. |
| NIST SP 800-63 | | SMS is a weaker authenticator and should not be the only control for risky journeys. |
| NIST Zero Trust (SP 800-207) | | Zero trust requires continuous evaluation of requests, not blind trust in verification volume. |
Treat SMS verification as a controlled access path and add abuse telemetry before message dispatch.
Key terms
- SMS Toll Fraud: SMS toll fraud is the abuse of verification or messaging workflows to force outbound texts to premium-rate or otherwise costly numbers. The goal is not account takeover, but financial gain through message volume that the business pays for while attackers or accomplices capture the revenue.
- Premium-Rate Number: A premium-rate number is a telephone destination that charges above normal rates for connected calls or messages. In fraud scenarios, attackers use these destinations to inflate a victim organisation's telecom costs by routing verification traffic to numbers that generate higher fees.
- Bot Management: Bot management is the set of controls used to distinguish automated traffic from human users and restrict abuse before it scales. In identity workflows, it protects registration, login, and verification paths from high-volume automation that can create cost, fraud, or account integrity problems.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Arkose Labs: SMS Toll Fraud Alert: Empowering Social Media Companies to Recover Millions in Stolen Revenue. Read the original.
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org