Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why do SMS OTP flows attract fraud even…
Governance, Ownership & Risk

Why do SMS OTP flows attract fraud even when accounts are not under attack?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Because the delivery event itself creates value. Fraudsters do not need the code or the account, only the application’s willingness to send a message that produces termination fees. If security teams measure only sends, they can miss the real signal, which is low verification success against rising message volume.

Why This Matters for Security Teams

SMS OTP abuse is often treated as a user authentication problem, but the fraud pattern is usually economic. The attacker is not always trying to take over the account; they may simply be exploiting the application’s willingness to send an SMS that generates cost, noise, and downstream alert fatigue. That shifts the control objective from “did the code match?” to “was this request legitimate enough to justify sending a message?”

This matters because message spend, customer friction, and fraud analytics can all drift in different directions. A healthy authentication queue can still hide a profitable abuse loop if every failed or abandoned attempt still triggers an outbound SMS. NHIMG’s Ultimate Guide to NHIs notes that 96% of organisations store secrets outside of secrets managers in vulnerable locations, which is a reminder that abuse often follows whatever system can be cheaply triggered at scale. Industry guidance also points to broader abuse patterns in identity workflows, as seen in the CISA cyber threat advisories.

In practice, many security teams discover SMS OTP fraud only after carrier bills rise, rather than through intentional detection design.

How It Works in Practice

Fraudsters look for flows where a request can force the platform to emit a paid message with minimal preconditions. The weak point is not always login; it can be password reset, account recovery, phone verification, or any step that reveals whether a number is enrolled. If the application sends an OTP before applying rate limits, device reputation, or risk scoring, the cost is already incurred.

Effective controls move the decision point earlier. That means treating the SMS send as a protected action, not a default outcome. A strong workflow typically combines:

  • risk scoring before message dispatch, using IP reputation, velocity, ASN, device fingerprint, and prior abuse signals;
  • hard throttles by phone number, account, device, and source network;
  • step-up checks for suspicious recovery requests, especially when the account is not yet authenticated;
  • out-of-band monitoring that compares send volume to verification completion and successful enrolment;
  • abuse review for repeated sends to the same destination across many accounts.

Because OTP delivery itself creates economic value for attackers, detection should watch for a low success rate paired with rising send counts. NHIMG’s 52 NHI Breaches Analysis shows how identity abuse often persists when systems expose a repeatable action with insufficient governance. For identity-side hardening, NIST control guidance such as NIST SP 800-53 Rev 5 Security and Privacy Controls is useful when mapping rate limiting, auditability, and anomaly detection to formal controls.

These controls tend to break down in high-volume consumer onboarding and recovery environments because legitimate traffic bursts make abuse harder to distinguish from real demand.

Common Variations and Edge Cases

Tighter SMS controls often increase user friction, requiring organisations to balance fraud reduction against conversion and support cost. That tradeoff becomes sharper in markets where SMS remains the default fallback and alternative factors are not widely adopted.

Best practice is evolving, but several patterns are clear. First, not every abusive flow is “login fraud.” A registration flood, number-enumeration attack, or recovery loop can be just as costly. Second, some environments need per-tenant or per-country thresholds because carrier costs, retry behavior, and fraud pressure vary materially by region. Third, if the application uses SMS as a fallback after stronger methods fail, the fallback path should still carry the same risk controls as the primary path.

For teams looking to reduce reliance on a fragile factor, NHI guidance in the Top 10 NHI Issues reinforces a broader principle: anything that can be triggered repeatedly with weak governance becomes an abuse surface. The practical answer is to monitor message economics, not just authentication outcomes, and to treat high-volume OTP dispatch as a fraud-control signal rather than a benign operational metric.

There is no universal standard for SMS OTP fraud thresholds yet, so organisations should tune controls to carrier cost, geography, and known attack volume.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Covers abuse from weak credential and flow governance in identity systems.
NIST CSF 2.0DE.CM-1Monitoring send-versus-success anomalies supports continuous security detection.
NIST AI RMFMAPRisk mapping helps identify where SMS OTP can be abused economically.
NIST Zero Trust (SP 800-207)PR.AC-4Least-privilege principles apply to gating message-sending actions at request time.
CSA MAESTROAgentic workflow governance is relevant when automated systems can trigger costly actions.

Instrument OTP flows for anomaly detection and alert on volume spikes with poor verification success.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org