SMS toll fraud in travel bookings: what IAM teams need to act on


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Bot-driven SMS toll fraud is inflating telecom bills for travel and hospitality companies by abusing SMS verification workflows, with attackers using fake account creation and premium-rate numbers to generate fraudulent charges, according to Arkose Labs. The underlying issue is not just fraud detection, but the weakness of identity verification paths that trust SMS traffic too readily.

NHIMG editorial — based on content published by Arkose Labs: Attackers are using bots to scale up SMS toll fraud in travel and hospitality

Questions worth separating out

Q: How should security teams stop bots from abusing SMS verification flows?

A: Put bot detection, rate limiting, and number intelligence in front of SMS initiation, not after it.

Q: Why does SMS verification create fraud risk in high-volume consumer journeys?

A: SMS verification becomes risky when the business assumes every account creator is legitimate and every delivery is low-cost.

Q: What do teams get wrong about SMS toll fraud detection?

A: They often focus on finding bad accounts after the fraud has already generated charges.

Practitioner guidance

  • Move SMS verification behind bot-adaptive controls: Require bot detection or challenge logic before any workflow can trigger outbound verification traffic.
  • Monitor premium-rate destination patterns: Flag repeated verification requests that resolve to unusual carriers, regions, or number ranges.
  • Separate customer onboarding from message initiation logic: Design the account-creation path so that a verified signup is not automatically allowed to trigger unlimited SMS sends.

What's in the full article

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

  • Examples of how premium-rate SMS pumping works across travel and hospitality booking flows
  • The article's explanation of how bots and click-farms scale message initiation during peak booking periods
  • Vendor-specific details on bot management, challenge flows, and the claimed warranty against automated SMS toll fraud
  • The operational framing Arkose Labs uses to position SMS toll fraud as a real-time abuse problem

👉 Read Arkose Labs' analysis of SMS toll fraud in travel and hospitality →




   
Quote
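One way to put the three controls from the practitioner guidance above in front of SMS initiation, as an added example that is not part of the original posts or of Arkose Labs' article. The `SmsGate` class, its thresholds, the `challenge_passed` flag (standing in for whatever bot check runs upstream) and the sample numbers are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class SmsGate:
    """Runs before any outbound verification SMS is initiated."""

    def __init__(self, window_s=600, per_account=3, per_prefix=5, prefix_len=8):
        # Thresholds are illustrative assumptions, not values from the article.
        self.window_s, self.prefix_len = window_s, prefix_len
        self.per_account, self.per_prefix = per_account, per_prefix
        self._by_account = defaultdict(deque)  # account id -> send timestamps
        self._by_prefix = defaultdict(deque)   # number range -> send timestamps

    def _recent(self, q, now):
        # Expire timestamps outside the sliding window; return sends still in it.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return len(q)

    def check(self, account_id, e164_number, challenge_passed, now):
        """Return (allowed, reason); only allowed requests count as sends."""
        if not challenge_passed:  # verdict from an upstream bot check (assumed)
            return False, "bot_check_required"
        acct_q = self._by_account[account_id]
        range_q = self._by_prefix[e164_number[: self.prefix_len]]
        if self._recent(acct_q, now) >= self.per_account:
            return False, "account_send_budget_exceeded"
        if self._recent(range_q, now) >= self.per_prefix:
            return False, "number_range_velocity"  # flag for fraud review
        acct_q.append(now)
        range_q.append(now)
        return True, "ok"

def replay(gate, events):
    """Feed (account, number, challenge_passed, t_seconds) events to the gate."""
    return [gate.check(*event)[1] for event in events]

# Constructed traffic: throwaway accounts hitting sequential numbers in one
# range, then an unrelated user and a request with no bot-check verdict.
# All numbers are made up.
SAMPLE = [(f"acct-{i}", f"+9990001{i:04d}", True, 10 * i) for i in range(7)]
SAMPLE += [("acct-legit", "+15550100123", True, 75),
           ("acct-x", "+15550100999", False, 80)]

if __name__ == "__main__":
    for event, reason in zip(SAMPLE, replay(SmsGate(), SAMPLE)):
        print(event[0], event[1], reason)
```

Because the range check keys on the destination prefix rather than the account, it still trips when every request comes from a different freshly created account.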
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

SMS toll fraud is really a billing-path identity abuse problem. The article shows that attackers are not trying to steal customer credentials first. They are abusing the trust placed in SMS verification to convert fake sign-ups into recurring telecom charges. That makes the control failure one of identity path validation, not just fraud scoring. Practitioners should treat SMS initiation as a governed identity event, not a neutral delivery channel.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams still struggle to inventory machine access before abuse spreads.

A question worth separating out:

Q: Who should own the response when SMS fraud drives telecom losses?

A: Ownership should sit across IAM, fraud operations, and telecom or customer communications teams, because the problem crosses identity, billing, and customer delivery. If only one group owns it, response will miss part of the attack path. Shared accountability is the only way to manage a loss pattern that looks like fraud to one team and spend leakage to another.

👉 Read our full editorial: SMS toll fraud is exposing travel and hospitality identity flows



   