Notifications
Clear all
Topic starter
12/06/2026 9:53 pm
TL;DR: Artificially inflated traffic fraud exploits online forms and OTP flows to generate illegitimate SMS volume, with attackers profiting from traffic pumping and toll-fraud mechanics, according to Arkose Labs. The pattern shows that verification channels can become revenue targets when abuse controls are weak, even when the underlying identity system is not the primary asset.
NHIMG editorial — based on content published by Arkose Labs: Artificially Inflated Traffic Fraud and the nexus of SMS toll scams
By the numbers:
- Twitter reported losses of over $60 million in the previous year due to bot accounts and larger SMS pumping fraud.
- Arkose Labs says approximately 350 Mobile Network Operators globally had overburdened Twitter with excessive fees tied to AIT practices.
Questions worth separating out
Q: How should security teams reduce OTP abuse in high-volume signup flows?
A: Use layered abuse controls before the message is sent.
Q: Why do OTP-based verification flows attract traffic pumping fraud?
A: Because each request can create a billable SMS event, and attackers can generate that demand at scale with automation.
Q: What do teams get wrong about SMS fraud prevention?
A: They focus on message delivery and user experience while underweighting the trigger conditions that create volume.
Practitioner guidance
- Add abuse controls before OTP dispatch Throttle OTP sends by phone-number reputation, device fingerprint, IP velocity, and enrolment-stage risk so a request does not immediately become a paid message.
- Treat verification endpoints as fraud-sensitive controls Review forms, signup flows, and recovery journeys as revenue-exposed identity paths, then apply challenge logic where repeated requests are cheap to generate.
- Correlate messaging cost with identity telemetry Join SMS spend, OTP request volume, and behavioural anomalies in one monitoring view so traffic pumping is visible before charges escalate.
What's in the full article
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- How AIT and SMS pumping work across the message delivery chain, including where revenue is intercepted.
- Examples of abuse patterns involving OTP-triggered traffic spikes in consumer-facing flows.
- The vendor's own detection approach using behavioural biometrics, anomaly detection, and adaptive challenge logic.
- The business-impact framing for billing, reputation, and operational disruption that follows repeated SMS abuse.
👉 Read Arkose Labs' analysis of artificially inflated traffic fraud and SMS toll abuse →
SMS OTP abuse and traffic pumping: what IAM teams need to know?
Explore further
13/06/2026 12:16 am
AIT fraud is an identity abuse problem, not just a telecom billing problem. The article shows that the control failure starts at the verification trigger, where an identity workflow is exposed to automated abuse before any account is established. That makes this a governance issue spanning fraud, IAM, and communications ownership. Practitioners should treat OTP initiation as a privileged action path, not a neutral utility.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
A question worth separating out:
Q: Who is accountable when OTP abuse drives unexpected messaging costs?
A: Accountability usually spans identity, fraud, and communications ownership, because the event sits at the boundary between authentication, user onboarding, and carrier billing. The clearest model is to assign one team ownership of the trigger, one of anomaly response, and one of provider escalation so the gap is not left to chance.
👉 Read our full editorial: Artificially inflated traffic fraud exposes SMS OTP abuse
