TL;DR: SMS pumping is a revenue-sharing fraud that inflates OTP traffic and verification costs on digital marketplaces, with large-scale campaigns causing phantom sends, referral abuse, and trust-signal corruption, according to Prove Identity. The real control shift is away from sending more codes and toward stopping fraudulent requests before any SMS is triggered.
NHIMG editorial — based on content published by Prove Identity: The Silent Drain: How SMS Pumping Is Bleeding Digital Marketplaces Dry
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams stop SMS pumping before OTP messages are sent?
A: They should move risk scoring in front of message dispatch.
Q: Why is SMS OTP no longer enough for marketplace identity verification?
A: SMS OTP is no longer enough because it confuses delivery of a message with proof of trustworthy identity.
Q: What breaks when phone verification is used as a trust signal everywhere?
A: What breaks is governance consistency.
Practitioner guidance
- Move fraud decisioning before OTP dispatch Block or challenge high-risk verification requests before any SMS is sent, especially where traffic patterns, device fingerprints, or number ranges diverge from normal onboarding behaviour.
- Score number ranges and carrier routes Use carrier intelligence, destination reputation, and premium-route detection to distinguish legitimate user verification from traffic patterns associated with SMS pumping.
- Reassess SMS as a primary trust signal Stop using SMS verification as the default proof of user quality for referrals, incentives, and worker onboarding when the same channel can be monetised by attackers.
What's in the full article
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- The request-level mechanics of SMS pumping across registration, login, and phone-change flows.
- The carrier and routing patterns that make premium-range abuse financially attractive.
- The practical role of phone intelligence and passive verification in reducing OTP-triggered fraud.
- The article's cost examples and marketplace-specific abuse scenarios for teams building a business case.
👉 Read Prove Identity's analysis of SMS pumping in digital marketplaces →
SMS pumping in marketplaces: what IAM and fraud teams need to know?
Explore further
SMS pumping is a trust-signal attack before it is a fraud attack. The platform is not merely paying for wasted messages, it is letting a verification control become a revenue target and a source of downstream identity distortion. Once phone ownership is treated as a standing trust signal, referral logic, onboarding gating, and fraud scoring can all be manipulated from the same weak point. Practitioners should treat the verification send itself as part of the attack surface.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who is accountable when SMS pumping drives fraud losses in a marketplace?
A: Accountability sits across IAM, fraud, and platform teams because the failure spans identity assurance, verification economics, and abuse prevention. The control owner must be whoever governs the verification workflow end to end, including when a request is challenged, blocked, or allowed to trigger an SMS.
👉 Read our full editorial: SMS pumping is exposing marketplace OTP costs and trust gaps