
SMS toll fraud and verification abuse: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Topic starter  

TL;DR: SMS toll fraud is driving hidden losses for social media platforms that rely on SMS verification, with one company saving $3 million per month after blocking malicious bot traffic, according to Arkose Labs. The deeper issue is that verification channels built for trust can be turned into revenue leakage when bot activity scales faster than detection and rate controls.

NHIMG editorial — based on content published by Arkose Labs: SMS Toll Fraud Alert: Empowering Social Media Companies to Recover Millions in Stolen Revenue

Questions worth separating out

Q: How should security teams reduce SMS toll fraud in user verification flows?

A: Start by treating SMS verification as an abuse-prone workflow, not a trusted default.

Q: Why do SMS verification systems attract fraud and billing abuse?

A: Because the attacker does not need to steal credentials to create loss.

Q: What do organisations get wrong about SMS-based 2FA and fraud risk?

A: They often measure SMS verification as an identity feature rather than an economic exposure.

Practitioner guidance

  • Instrument SMS request velocity by user and device. Track request bursts across account, IP, device fingerprint, geography, and carrier so that abnormal verification volume is blocked before messages are sent.
  • Block premium-rate destinations at the verification layer. Validate phone numbers before dispatch and deny known premium-rate or unsupported international ranges in the SMS request workflow.
  • Move bot detection ahead of OTP issuance. Apply behavioural checks and challenge logic at registration and login touchpoints so suspicious sessions are stopped before an SMS is generated.

What's in the full article

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

  • A concrete breakdown of the bot patterns that trigger fraudulent SMS traffic in registration and OTP flows.
  • Specific countermeasures for premium-rate number screening, verification delays, and geographical restrictions.
  • The Snapchat example with the platform-specific mechanics that reduced fake registrations and SMS charges.
  • Practical guidance on where to apply bot management so it reduces fraud without breaking legitimate onboarding.

👉 Read Arkose Labs' analysis of SMS toll fraud and verification abuse →

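The three controls in the practitioner guidance above, plus the resend delay the source article mentions, combined into one pre-dispatch gate. This is an added example, not code from the original post, from NHIMG, or from Arkose Labs. It assumes a device fingerprint and a challenge result are computed upstream and passed in; the supported country codes, the premium-rate prefix list ("449" for UK 09x numbers, "1900" for NANP 900 services), the velocity thresholds, and all IPs and phone numbers are constructed for illustration, not authoritative data. The point it makes is ordering: every check runs before an OTP is generated or a message is handed to the provider, and denied attempts still count against velocity so a bot cannot probe for free.

```python
"""Pre-dispatch gate for SMS verification requests (added example, not
Arkose Labs' or NHIMG's code). Every decision is taken before an OTP exists
or a message reaches the SMS provider. Thresholds, prefix lists, IPs and
phone numbers are constructed for illustration."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed screening data (assumptions, not an authoritative list).
SUPPORTED_COUNTRY_CODES = ("1", "44", "49", "33")
DENIED_PREFIXES = ("449", "1900")  # UK 09x premium-rate; NANP 900 premium services
# scope -> (max attempts, window seconds); constructed thresholds.
LIMITS = {"account": (3, 600), "ip": (20, 600), "device": (5, 600), "phone": (3, 3600)}
RESEND_COOLDOWN_S = 60  # minimum gap between two OTPs to the same number


@dataclass(frozen=True)
class SmsRequest:
    account_id: str
    ip: str
    device_fp: str      # client fingerprint computed elsewhere (assumed)
    phone: str          # raw user input
    challenge_passed: bool
    session_age_s: int  # seconds since the form/session was created
    ts: float           # request time in seconds


class SmsGate:
    def __init__(self):
        self._events = defaultdict(deque)  # (scope, key) -> attempt timestamps
        self._last_sent = {}               # normalised number -> last OTP time

    @staticmethod
    def normalise(phone):
        """Return E.164 digits without '+', or None if not E.164-shaped."""
        digits = re.sub(r"\D", "", phone)
        if not phone.strip().startswith("+") or not 8 <= len(digits) <= 15:
            return None
        return digits

    def _over_limit(self, scope, key, now):
        """Sliding-window counter; the current attempt counts, sent or not."""
        limit, window = LIMITS[scope]
        q = self._events[(scope, key)]
        q.append(now)
        while q and q[0] <= now - window:
            q.popleft()
        return len(q) > limit

    def evaluate(self, req):
        """Return (decision, reason); only ("allow", ...) may trigger an SMS."""
        now = req.ts
        number = self.normalise(req.phone)
        if number is None:
            return ("deny", "malformed_number")
        # 1. Velocity by account, IP and device; denied attempts still count.
        for scope, key in (("account", req.account_id), ("ip", req.ip), ("device", req.device_fp)):
            if self._over_limit(scope, key, now):
                return ("deny", f"velocity_{scope}")
        # 2. Destination screening before any carrier cost is incurred.
        if not number.startswith(SUPPORTED_COUNTRY_CODES):
            return ("deny", "unsupported_country")
        if number.startswith(DENIED_PREFIXES):
            return ("deny", "premium_rate_destination")
        # 3. Bot signals ahead of OTP issuance: no challenge passed, or a form
        #    submitted faster than a human could fill it, gets a challenge, not an SMS.
        if not req.challenge_passed or req.session_age_s < 3:
            return ("challenge", "suspicious_session")
        # 4. Per-destination cooldown and velocity (resend abuse, number stuffing).
        last = self._last_sent.get(number)
        if last is not None and now - last < RESEND_COOLDOWN_S:
            return ("deny", "resend_cooldown")
        if self._over_limit("phone", number, now):
            return ("deny", "velocity_phone")
        self._last_sent[number] = now
        return ("allow", "dispatch_otp")


def simulate():
    """Constructed traffic: a signup and its early resend, two premium-rate
    probes, a bot that skipped the challenge, and a 25-request flood from one IP."""
    gate = SmsGate()
    ok = dict(challenge_passed=True, session_age_s=12)
    out = [
        gate.evaluate(SmsRequest("u1", "203.0.113.5", "fpA", "+44 7700 900123", ts=0.0, **ok)),
        gate.evaluate(SmsRequest("u1", "203.0.113.5", "fpA", "+44 7700 900123", ts=20.0, **ok)),
        gate.evaluate(SmsRequest("u2", "203.0.113.6", "fpB", "+44 909 879 0000", ts=30.0, **ok)),
        gate.evaluate(SmsRequest("u3", "203.0.113.7", "fpC", "+1 900 555 0199", ts=35.0, **ok)),
        gate.evaluate(SmsRequest("u4", "203.0.113.8", "fpD", "+1 415 555 0100", ts=40.0,
                                 challenge_passed=False, session_age_s=0)),
    ]
    for i in range(25):  # distinct accounts, devices and numbers behind one IP
        out.append(gate.evaluate(SmsRequest(f"bot{i}", "198.51.100.9", f"fp{i}",
                                            f"+1 212 555 {i:04d}", ts=50.0 + i, **ok)))
    return out
```

Calling simulate() returns one (decision, reason) pair per request: the first signup is allowed, its resend 20 seconds later is held by the cooldown, both premium-rate numbers are refused before any message is built, the challenge-less bot is sent back to the challenge, and the flood gets 20 sends from one IP before the rest are cut off by the IP window even though every account, device and number in it is distinct. In production the same decision would be keyed off shared state (a cache or rate-limit service) rather than an in-process deque, and the reason strings are what the fraud team needs logged to reconcile blocked traffic against the SMS bill.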

(@mr-nhi)
Member Moderator
 

SMS verification is not a neutral identity control when attackers can turn it into a billing engine. The article shows that the control path itself becomes the loss path when bots can repeatedly trigger outbound messages. This reframes SMS as an identity-adjacent fraud surface rather than a simple second factor, and practitioners should treat the request path as financially sensitive infrastructure.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who should own SMS toll fraud response when it happens?

A: Ownership should sit across fraud, IAM, and security operations because the failure spans identity assurance and financial loss. The right response is to contain the traffic source, block risky number ranges, and review whether SMS should remain a default verification method for the affected journey.

👉 Read our full editorial: SMS toll fraud is exposing a hidden IAM cost model
