SMS toll fraud in gig platforms: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: Gig economy platforms are being targeted by bot-driven SMS toll fraud, with attackers using fake signups and premium-rate numbers to trigger irreversible message charges and drain telecom budgets, according to Arkose Labs. The pattern shows that SMS abuse is now a fraud control problem, not just a messaging problem.

NHIMG editorial — based on content published by Arkose Labs: LLMjacking: How Attackers Hijack AI Using Compromised NHIs

By the numbers:

Questions worth separating out

Q: How should security teams stop SMS toll fraud in high-volume platforms?

A: Security teams should place bot detection and risk scoring before any outbound SMS is triggered.

Q: Why do SMS verification flows attract fraud at scale?

A: SMS verification attracts fraud because it is immediate, widely trusted, and tied to a chargeable delivery channel.

Q: What do teams get wrong about CAPTCHA and bot defence?

A: Teams often assume CAPTCHA alone can separate real users from automation.

Practitioner guidance

  • Block outbound SMS until request legitimacy is scored. Add pre-send risk checks for new signups, OTP requests, and high-velocity retries so the platform does not pay for suspicious traffic before it can be challenged.
  • Separate identity assurance from delivery assurance. Do not treat successful SMS dispatch as proof of a valid user.
  • Instrument premium-rate number abuse monitoring. Flag phone-number patterns, carrier anomalies, and rapid abandon rates so telecom fraud can be detected before monthly spend spikes.

What's in the full article

Arkose Labs' full research covers the operational detail this post intentionally leaves for the source:

  • Attack flow examples showing how bots trigger SMS outflow through signup and OTP abuse.
  • The vendor's discussion of how premium-rate phone numbers and colluding actors monetise the fraud.
  • Product-level mitigation detail for bot detection and user challenge workflows.
  • Operational examples of how suspicious traffic is identified before outbound messaging occurs.

👉 Read Arkose Labs' analysis of bot-driven SMS toll fraud in gig platforms →
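One way to implement the pre-send check described in the practitioner guidance above, as an added example written for this thread and not code from the original post or from Arkose Labs. The gate scores each SMS request on per-IP, per-number and per-number-block velocity, on premium-rate destination prefixes, and on the abandon rate of OTPs already dispatched into that number block, and only an "allow" verdict hands the message to the aggregator. The prefix list, weights, thresholds, the `number_range` heuristic and the sample traffic are constructed assumptions for the demo, not real data.

```python
"""Pre-send risk gate for outbound SMS (signup and OTP verification).

Added illustration, not code from the original post or from Arkose Labs.
Weights, thresholds, the premium-rate prefix list and the sample traffic are
constructed for the demo and would be tuned against real platform data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import re

E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Constructed example prefixes; real premium-rate / high-cost ranges come
# from the aggregator or carrier and change over time.
PREMIUM_RATE_PREFIXES = ("+1900", "+44909", "+44871")


@dataclass(frozen=True)
class SmsRequest:
    ts: float      # epoch seconds
    ip: str        # client address the request came from
    phone: str     # destination number, E.164
    purpose: str   # "signup", "otp" or "resend"


class SmsRiskGate:
    """Scores each request before it is handed to the SMS aggregator.

    Only "allow" dispatches (and therefore pays for) a message; "challenge"
    routes the client to a bot challenge first; "block" drops the request.
    Attempts count towards velocity whether or not they were allowed.
    """

    WEIGHTS = {"premium_rate_prefix": 60, "ip_velocity": 30,
               "phone_velocity": 20, "number_range_burst": 25,
               "range_abandon_rate": 30}

    def __init__(self, window=60.0, otp_ttl=120.0, max_per_ip=5,
                 max_per_phone=3, max_per_range=8, abandon_min=5,
                 abandon_threshold=0.8):
        self.window, self.otp_ttl = window, otp_ttl
        self.max_per_ip, self.max_per_phone = max_per_ip, max_per_phone
        self.max_per_range, self.abandon_min = max_per_range, abandon_min
        self.abandon_threshold = abandon_threshold
        self._by_ip = defaultdict(deque)      # ip -> (ts, phone) attempts
        self._by_phone = defaultdict(deque)   # phone -> (ts, phone) attempts
        self._by_range = defaultdict(deque)   # number block -> attempts
        self._pending = defaultdict(dict)     # number block -> {phone: sent ts}
        self._verified = defaultdict(int)     # number block -> completed OTPs

    @staticmethod
    def number_range(phone):
        # Country code plus the first national digits: a crude stand-in for a
        # carrier number block, enough to spot batch-allocated numbers (assumed).
        return phone[:7]

    def _recent(self, dq, now):
        while dq and now - dq[0][0] > self.window:
            dq.popleft()
        return dq

    def _abandon_rate(self, rng, now):
        # OTPs dispatched into this block whose TTL passed with no verification.
        expired = sum(1 for t in self._pending[rng].values()
                      if now - t > self.otp_ttl)
        total = expired + self._verified[rng]
        return expired / total if total >= self.abandon_min else 0.0

    def score(self, req):
        if not E164.match(req.phone):
            return 100, ["malformed_number"]
        reasons, rng = [], self.number_range(req.phone)
        if req.phone.startswith(PREMIUM_RATE_PREFIXES):
            reasons.append("premium_rate_prefix")
        if len(self._recent(self._by_ip[req.ip], req.ts)) >= self.max_per_ip:
            reasons.append("ip_velocity")
        if len(self._recent(self._by_phone[req.phone], req.ts)) >= self.max_per_phone:
            reasons.append("phone_velocity")
        distinct = {p for _, p in self._recent(self._by_range[rng], req.ts)}
        if len(distinct) >= self.max_per_range:
            reasons.append("number_range_burst")
        if self._abandon_rate(rng, req.ts) >= self.abandon_threshold:
            reasons.append("range_abandon_rate")
        return min(100, sum(self.WEIGHTS[r] for r in reasons)), reasons

    def decide(self, req):
        score, reasons = self.score(req)
        rng = self.number_range(req.phone)
        for dq in (self._by_ip[req.ip], self._by_phone[req.phone], self._by_range[rng]):
            dq.append((req.ts, req.phone))
        if score >= 50:
            verdict = "block"
        elif score >= 30:
            verdict = "challenge"
        else:
            verdict = "allow"
            self._pending[rng][req.phone] = req.ts   # dispatched, awaiting OTP
        return verdict, score, reasons

    def record_verified(self, phone):
        rng = self.number_range(phone)
        if self._pending[rng].pop(phone, None) is not None:
            self._verified[rng] += 1


def run_demo():
    """Constructed traffic: a real user, a bot burst of sequential numbers
    from one IP, a premium-rate destination, and a second wave from a
    rotated IP into the same number block five minutes later."""
    gate, out = SmsRiskGate(), {}
    legit = SmsRequest(0.0, "203.0.113.10", "+12125550123", "signup")
    out["legit_signup"] = gate.decide(legit)[0]
    gate.record_verified(legit.phone)           # the real user completed the OTP
    out["bot_wave"] = [gate.decide(SmsRequest(10.0 + i, "198.51.100.7",
                                              f"+1415555{200 + i:04d}", "otp"))[0]
                       for i in range(16)]
    out["premium_rate"] = gate.decide(
        SmsRequest(40.0, "203.0.113.55", "+19005550100", "signup"))[0]
    out["rotated_ip_same_range"] = gate.decide(
        SmsRequest(300.0, "198.51.100.8", "+14155550300", "otp"))[0]
    return out


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(label, verdict)
```

The point of keying the abandon-rate signal on the number block rather than the client IP is that a bot which rotates addresses and never completes an OTP still leaves a trail in the block it is burning through, so the second wave is challenged before a single message is paid for. In production the prefix heuristic would be replaced by the aggregator's own range and carrier data, and the counters would live in a shared store so every API node sees the same velocity.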

(@mr-nhi)

SMS fraud is an identity assurance failure before it is a messaging problem. The article shows that platforms are paying for outbound verification before they know the request came from a real user. That means the control gap sits at the trust boundary, where account creation, phone validation, and OTP issuance are treated as routine instead of adversarial. Practitioners should read this as a signal that SMS has become a monetised abuse path, not just a delivery channel.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs, Why NHI Security Matters Now.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why hidden machine identities often become the easiest abuse path.

A question worth separating out:

Q: Who should own SMS fraud risk when it affects identity and spend?

A: Ownership should sit across fraud, IAM, and platform teams because the abuse touches onboarding, verification, and telecom cost. If one team only sees user access while another only sees billing, the attack can scale unnoticed. Joint governance is the only practical way to close the loop.

👉 Read our full editorial: Bot-driven SMS toll fraud is exploiting gig platform growth
