TL;DR: SMS toll fraud turns authentication traffic into a cost-extraction channel: attackers combine automated account creation with premium-rate destination numbers to trigger large volumes of one-time-code messages that the victim pays for. Arkose Labs cites global losses of more than $6.7 billion in 2021, which shows how an identity verification workflow becomes a financial liability when bot pressure is not controlled. The real issue is not the delivery of one-time codes, but unmanaged trust in SMS-based verification paths.
NHIMG editorial — based on content published by Arkose Labs: SMS toll fraud and automated verification abuse
By the numbers:
- SMS pumping fraud caused global losses worth more than $6.7 billion in 2021.
Questions worth separating out
Q: How should security teams stop SMS toll fraud without disrupting real users?
A: Apply risk-based controls before the message is sent. Score each verification request on device, network and velocity signals, let low-risk users through without friction, step up only the suspicious requests, and block at the point of OTP generation rather than after delivery, so that fraudulent traffic never reaches the carrier bill.
Q: Why do SMS-based verification flows create fraud and cost risk?
A: Because each verification message has a direct delivery cost, attackers can turn authentication into a billing attack by forcing large numbers of messages to premium-rate destinations.
Q: What do teams get wrong about CAPTCHA in SMS fraud prevention?
A: They often treat CAPTCHA as a sufficient bot filter, but advanced automation can adapt to simple challenges and timing checks.
Practitioner guidance
- Instrument SMS initiation for abuse signals. Track message volume, number prefixes, session velocity, and repeated verification attempts from the same device or network range.
- Move bot controls upstream of message delivery. Apply bot detection at account creation and before OTP generation so fraudulent traffic is interrupted before the telecom bill starts to accumulate.
- Review reliance on SMS for high-risk verification. Map where SMS still carries critical authentication or account recovery flows, then decide whether those journeys need stronger step-up options for high-value transactions and onboarding.
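The first two points above (instrument the initiation path, then gate before OTP generation) can be combined into a single pre-send risk gate. The following Python is an added example written for this editorial; it is not Arkose Labs' code and not part of their product. It keeps sliding-window counters per destination prefix, per client /24 and per device, and decides "send", "challenge" or "block" before any message is generated. It goes one step beyond the bullets by also flagging runs of consecutive destination numbers, a well-known SMS pumping signature. All thresholds, field names and the sample log are assumptions constructed for the example.

```python
"""Pre-send OTP risk gate: added example, not Arkose Labs' or NHIMG's code."""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class OtpRequest:
    ts: float        # epoch seconds
    msisdn: str      # destination in E.164 form, e.g. "+447700900123"
    client_ip: str
    device_id: str


# Thresholds are assumptions for the example; tune them against real baseline traffic.
WINDOW_S = 300        # sliding window applied to every counter
PREFIX_DIGITS = 6     # country code plus operator/area block, e.g. "447700"
MAX_PER_PREFIX = 20   # distinct destinations per prefix per window
MAX_PER_NET = 10      # requests per client /24 per window
MAX_PER_DEVICE = 3    # requests per device per window (real retries are few)
SEQ_RUN = 5           # consecutive destination numbers: classic pumping signature


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive integers in a set (0 if empty)."""
    longest = 0
    for n in numbers:
        if n - 1 in numbers:
            continue                      # only count from the start of a run
        length = 1
        while n + length in numbers:
            length += 1
        longest = max(longest, length)
    return longest


class OtpRiskGate:
    """Counters consulted before an OTP is generated or handed to the SMS provider."""

    def __init__(self):
        # each deque holds (ts, value) pairs, oldest first
        self._by_prefix = defaultdict(deque)   # prefix -> (ts, destination as int)
        self._by_net = defaultdict(deque)      # /24 -> (ts, None)
        self._by_device = defaultdict(deque)   # device_id -> (ts, None)

    @staticmethod
    def _prune(dq, now):
        while dq and now - dq[0][0] > WINDOW_S:
            dq.popleft()

    def decide(self, req):
        """Return (action, reasons); action is 'send', 'challenge' or 'block'."""
        digits = req.msisdn.lstrip("+")
        prefix = digits[:PREFIX_DIGITS]
        number = int(digits)
        net = str(ipaddress.ip_network(f"{req.client_ip}/24", strict=False))
        now = req.ts

        # record first so the current request counts toward its own window
        for dq, value in ((self._by_prefix[prefix], number),
                          (self._by_net[net], None),
                          (self._by_device[req.device_id], None)):
            dq.append((now, value))
            self._prune(dq, now)

        reasons = []
        distinct = {v for _, v in self._by_prefix[prefix]}
        if len(distinct) > MAX_PER_PREFIX:
            reasons.append(f"prefix_velocity:{prefix}:{len(distinct)}")
        if len(self._by_net[net]) > MAX_PER_NET:
            reasons.append(f"net_velocity:{net}:{len(self._by_net[net])}")
        if len(self._by_device[req.device_id]) > MAX_PER_DEVICE:
            reasons.append(f"device_repeat:{req.device_id}")
        run = longest_sequential_run(distinct)
        if run >= SEQ_RUN:
            reasons.append(f"sequential_destinations:{prefix}:{run}")

        # sequential destinations, or two independent signals, are a billing attack: block
        if len(reasons) >= 2 or any(r.startswith("sequential") for r in reasons):
            return "block", reasons
        if reasons:
            return "challenge", reasons   # one weak signal: step up, don't send yet
        return "send", reasons


def replay(requests):
    """Run a request sequence through one gate and return the action per request."""
    gate = OtpRiskGate()
    return [gate.decide(r)[0] for r in requests]


def sample_traffic():
    """Constructed log: two real users (one retry), then a 25-request pumping burst."""
    legit = [
        OtpRequest(1000.0, "+447700900123", "203.0.113.10", "dev-a"),
        OtpRequest(1030.0, "+447700900123", "203.0.113.10", "dev-a"),  # user retried
        OtpRequest(1100.0, "+14155550101", "198.51.100.7", "dev-b"),
    ]
    # sequential destinations in one prefix, same /24, fresh device id per request
    burst = [
        OtpRequest(2000.0 + i, f"+23490{600000 + i:06d}", f"192.0.2.{i % 50}", f"bot-{i}")
        for i in range(25)
    ]
    return legit + burst


if __name__ == "__main__":
    for req, action in zip(sample_traffic(), replay(sample_traffic())):
        print(action, req.msisdn, req.client_ip)
```

In the constructed replay the three legitimate requests, including the retry, are sent, and the burst is blocked from its fifth request onward once the sequential-destination run reaches five; the network and prefix velocity counters then add further reasons as the burst continues. The point of recording before deciding is that the counters see the request that tips them over, so the gate fails closed on the first message past the limit rather than one message late. A legitimate batch of consecutive numbers (a corporate block being onboarded) would trip the sequential rule, which is why the decision is logged with its reasons and should feed a review queue rather than a silent drop.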
What's in the full article
Arkose Labs' full research covers the operational detail this post intentionally leaves for the source:
- Examples of the bot-driven SMS pumping patterns the vendor observed in the field
- The adaptive challenge and risk scoring approach behind the anti-fraud workflow
- Warranty, SOC support, and detection signal details for teams evaluating implementation options
- The vendor's discussion of how premium-rate abuse changes response expectations for financial institutions
👉 Read Arkose Labs' analysis of SMS toll fraud and automated verification abuse →
SMS toll fraud and MFA abuse: what IAM teams need to act on
Explore further
SMS toll fraud is a governance failure, not just a fraud event. The attack succeeds because organisations treat outbound SMS as a benign verification utility rather than a monetisable attack surface. That assumption breaks once bots can trigger messages at scale and external carriers can profit from the traffic. The implication is that identity governance must account for message economics, not only authentication success rates.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37%, according to the same research.
A question worth separating out:
Q: Who is accountable when SMS fraud drives regulatory penalties or service disruption?
A: Accountability usually sits across IAM, fraud operations, security, and customer onboarding teams, because the control failure spans identity design, abuse detection, and telecom cost governance. Financial institutions also need a named owner for third-party carrier exposure and compliance reporting, since the harm extends beyond direct fraud losses into operational disruption and regulatory impact.
👉 Read our full editorial: SMS toll fraud exposes the governance gap in MFA delivery