Fraud that exploits SMS delivery or verification flows to generate artificial message volume and cost. In identity programmes, the issue is not only billing abuse but also the overreliance on SMS as a trust channel for login, recovery, or step-up verification.
Expanded Definition
SMS pumping is a fraud pattern that exploits application-triggered text messaging to inflate delivery counts, create direct carrier or aggregator charges, or exhaust messaging quotas. In identity and access management, it becomes especially dangerous when SMS is treated as a primary trust signal for login, recovery, or step-up verification rather than as a high-friction fallback. That distinction matters because the attack is both financially abusive and assurance-degrading: the same unguarded trigger that runs up the bill is the one an attacker can use to probe OTP handling.
Definitions vary across vendors on whether SMS pumping includes only revenue-driven abuse, or also low-volume enumeration and OTP abuse that tests the resilience of verification flows. NHI Management Group treats it as a control failure around message-trigger governance, channel trust, and exception handling, not merely a telecom billing event. This maps well to the broader risk posture described in the Ultimate Guide to NHIs, where weak identity controls often coexist with overexposed secrets and brittle recovery paths. For standards context, the NIST Cybersecurity Framework 2.0 reinforces the need to govern protective measures around identity-related service delivery.
The most common misapplication is treating every spike in SMS traffic as ordinary user growth, which occurs when teams monitor volume but do not correlate verification requests, geographic anomalies, and repeated destination patterns.
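Correlating the three signals named above is more useful than watching raw volume. The following is an added example, not code from the original page or from NHI Management Group: it runs trailing-window counters over constructed OTP-send log lines keyed on source IP, destination number, destination number block, and destination country, so that a pump surfaces as several agreeing findings rather than one ambiguous spike. The log layout, the thresholds, the baseline country set, and every number and IP in the sample are assumptions made for the example.

```python
"""Added example (not from the original page): correlate OTP-send events to
tell an SMS-pumping burst apart from ordinary user growth.

All log lines are constructed for this example; the line layout
(timestamp, source IP, E.164 destination, country) and the thresholds are
assumptions, not any vendor's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MAX_SENDS_PER_SOURCE = 10          # sends from one source IP inside WINDOW
MAX_RETRIES_PER_DEST = 3           # OTPs to the same number inside WINDOW
MAX_DISTINCT_PER_PREFIX = 5        # distinct numbers sharing a PREFIX_LEN-digit block
PREFIX_LEN = 9                     # +1202555010x -> block "120255501"
BASELINE_COUNTRIES = {"US", "GB"}  # assumed: where this app's users normally are
MAX_OFF_BASELINE = 2               # sends to non-baseline countries inside WINDOW

# Constructed sample: one source walks a contiguous number block (pumping),
# one number is hammered with retries, three sends go to an unexpected
# country, and one ordinary signup send is included as a control.
SAMPLE_LINES = (
    [f"2024-05-01T10:00:{n:02d}Z 203.0.113.7 +120255501{n:02d} US" for n in range(1, 13)]
    + [f"2024-05-01T10:01:{s * 10:02d}Z 192.0.2.10 +447911123456 GB" for s in range(6)]
    + [f"2024-05-01T10:02:0{n}Z 198.51.100.5 +6125550100{n} AU" for n in range(1, 4)]
    + ["2024-05-01T10:03:00Z 192.0.2.11 +12125550199 US"]
)


def parse(lines):
    """Turn 'ts src_ip dest country' lines into event dicts."""
    events = []
    for line in lines:
        ts, src_ip, dest, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": src_ip, "dest": dest, "country": country,
        })
    return events


def _trim(dq, now, window):
    """Drop entries that fell out of the trailing window."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def find_pumping(events, window=WINDOW):
    """Return {(signal, key): peak_count} for every signal that crossed its limit.

    Each signal is a trailing-window counter keyed on a different field, so a
    pump shows up as several correlated findings rather than one volume spike.
    """
    checks = {
        "source_burst": (lambda e: e["src_ip"], MAX_SENDS_PER_SOURCE),
        "destination_retry": (lambda e: e["dest"], MAX_RETRIES_PER_DEST),
        "destination_cluster": (lambda e: e["dest"].lstrip("+")[:PREFIX_LEN], MAX_DISTINCT_PER_PREFIX),
        "country_anomaly": (lambda e: None if e["country"] in BASELINE_COUNTRIES else e["country"], MAX_OFF_BASELINE),
    }
    recent = {signal: defaultdict(deque) for signal in checks}
    findings = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for signal, (key_of, limit) in checks.items():
            key = key_of(e)
            if key is None:
                continue
            dq = recent[signal][key]
            dq.append((e["ts"], e["dest"]))
            _trim(dq, e["ts"], window)
            # The cluster signal counts distinct numbers in a block; the rest count sends.
            count = len({d for _, d in dq}) if signal == "destination_cluster" else len(dq)
            if count > limit:
                findings[(signal, key)] = max(count, findings.get((signal, key), 0))
    return findings


if __name__ == "__main__":
    for (signal, key), peak in sorted(find_pumping(parse(SAMPLE_LINES)).items()):
        print(f"{signal:20} {key:16} peak={peak}")
```

On the sample, the pumping source is reported twice (a source burst and a destination cluster on the same number block), while the six retries to one GB number and the control send from 192.0.2.11 are reported differently or not at all. That separation is the point: a team that only watches the total would see one spike and attribute it to growth.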
Examples and Use Cases
Implementing SMS controls rigorously often introduces user experience friction and support overhead, requiring organisations to weigh fraud reduction against recovery speed and reachability.
- A bot repeatedly requests one-time passcodes against a signup or password-reset endpoint, generating outbound message costs and signaling a weak rate-limit policy.
- An attacker targets a free-trial or referral flow that sends confirmation texts, forcing the business to absorb high-volume delivery charges without creating legitimate accounts.
- Fraud actors use disposable numbers to trigger verification loops, then abandon the flow after the platform pays for the messages.
- A help desk relies on SMS for account recovery, but attackers exploit SIM swap exposure and message interception to take over accounts after the initial pump activity.
- An identity team discovers that message spikes align with missed secret rotation and inconsistent service account governance, a pattern consistent with the risk themes in the Ultimate Guide to NHIs and the access governance emphasis in the NIST Cybersecurity Framework 2.0.
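The first three cases in the list above share one control gap: the application sends whenever asked. The following is an added example, not code from the original page or from NHI Management Group, of a gate placed in front of every OTP send. It enforces a resend cooldown and per-number cap (the bot hammering reset), a per-source cap and a per-number-block cap (a bot walking a contiguous range from rotating proxies), a country allow-list (disposable or out-of-market numbers), and an hourly spend ceiling that trips a circuit breaker rather than silently continuing. The limits, the country policy, the 5-cent message cost, and all sample traffic are assumptions made for the example.

```python
"""Added example (not from the original page): gate every application-triggered
OTP send so a pumping run hits a small, observable budget instead of the bill.

The thresholds, the country allow-list, the cost per message and the sample
traffic are assumptions made for this example, not figures from the page or
from any provider.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SmsTriggerGate:
    """Per-send decision for an OTP flow. Every counter is a trailing one-hour window."""

    WINDOW = timedelta(hours=1)

    def __init__(self, allowed_countries, hourly_budget, per_message_cost,
                 resend_cooldown=timedelta(seconds=60),
                 max_per_dest=3, max_per_source=5, max_per_prefix=5, prefix_len=9):
        self.allowed_countries = set(allowed_countries)
        self.hourly_budget = hourly_budget        # integer cents, to avoid float drift
        self.per_message_cost = per_message_cost  # integer cents
        self.resend_cooldown = resend_cooldown
        self.max_per_dest = max_per_dest          # OTPs to one number per window
        self.max_per_source = max_per_source      # OTPs triggered from one source IP
        self.max_per_prefix = max_per_prefix      # distinct numbers in one number block
        self.prefix_len = prefix_len              # digits that define a "block"
        self._sends = defaultdict(deque)          # ("dest"|"src", key) -> [(ts, dest)]
        self._blocks = defaultdict(deque)         # prefix -> [(ts, dest)]
        self._spend = deque()                     # [(ts, cents)]
        self.tripped = False                      # circuit breaker; cleared by a human

    def _recent(self, dq, now):
        """Expire entries older than WINDOW and return the live deque."""
        while dq and now - dq[0][0] > self.WINDOW:
            dq.popleft()
        return dq

    def decide(self, now, src_ip, dest, country):
        """Return (allowed, reason); the send is recorded only when allowed."""
        if self.tripped:
            return False, "breaker_tripped"
        if country not in self.allowed_countries:
            return False, "country_blocked"
        dest_sends = self._recent(self._sends[("dest", dest)], now)
        if dest_sends and now - dest_sends[-1][0] < self.resend_cooldown:
            return False, "resend_cooldown"
        if len(dest_sends) >= self.max_per_dest:
            return False, "dest_limit"
        if len(self._recent(self._sends[("src", src_ip)], now)) >= self.max_per_source:
            return False, "source_limit"
        prefix = dest.lstrip("+")[: self.prefix_len]
        block_dests = {d for _, d in self._recent(self._blocks[prefix], now)}
        if dest not in block_dests and len(block_dests) >= self.max_per_prefix:
            return False, "prefix_limit"      # someone is walking a contiguous number range
        spent = sum(c for _, c in self._recent(self._spend, now))
        if spent + self.per_message_cost > self.hourly_budget:
            self.tripped = True               # stop the bleed; sends stay off until reviewed
            return False, "budget_exhausted"
        for dq in (self._sends[("dest", dest)], self._sends[("src", src_ip)], self._blocks[prefix]):
            dq.append((now, dest))
        self._spend.append((now, self.per_message_cost))
        return True, "ok"


T0 = datetime(2024, 5, 1, 10, 0, 0)


def new_gate():
    """Assumed policy: US/GB users, 100 cents of OTP spend per hour at 5 cents a message."""
    return SmsTriggerGate(allowed_countries={"US", "GB"}, hourly_budget=100, per_message_cost=5)


def run_scenarios():
    """Constructed traffic: one real user, two pumping styles, one out-of-policy destination."""
    results = {}
    # A real user: request, an impatient resend, then three spaced resends.
    gate = new_gate()
    results["legit_user"] = [
        gate.decide(T0 + timedelta(seconds=s), "192.0.2.10", "+447911123456", "GB")[1]
        for s in (0, 10, 70, 140, 210)]
    # Pump from rotating proxies that walks one number block; the per-source
    # limit never fires, the per-prefix limit does.
    gate = new_gate()
    results["block_walk"] = [
        gate.decide(T0 + timedelta(seconds=n), f"203.0.113.{n + 1}", f"+120255501{n:02d}", "US")[1]
        for n in range(12)]
    # Pump spread across sources and blocks; only the spend ceiling stops it.
    gate = new_gate()
    results["distributed"] = [
        gate.decide(T0 + timedelta(seconds=n), f"198.51.100.{n + 1}", f"+1{n:03d}5550100", "US")[1]
        for n in range(25)]
    results["blocked_country"] = new_gate().decide(T0, "198.51.100.9", "+61255501001", "AU")[1]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} {outcome}")
```

The distributed scenario is the one to note: once an attacker rotates both source and number block, every per-key limit is satisfied and only the spend ceiling stops the run, so the budget and its breaker are the control that must exist regardless of how clever the rate limits are. Tripping the breaker deliberately halts legitimate sends too; that is the exception-handling decision the page refers to, and it should page a human rather than auto-reset.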
Why It Matters in NHI Security
SMS pumping is more than a cost anomaly because it exposes whether an organisation has coupled identity assurance to a channel that was never designed for strong trust. When SMS is used for verification, recovery, or step-up access, abuse of the message flow can become a path to credential theft, account takeover, and service degradation. The operational impact is often broader than the direct telecom bill: response teams must investigate fraud, platform abuse, and downstream identity risk at the same time.
The NHI problem becomes more visible when brittle recovery design intersects with poor secret hygiene and weak lifecycle controls. NHI Management Group data shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations, and 79% have experienced secrets leaks, with 77% of those incidents causing tangible damage, as described in the Ultimate Guide to NHIs. That same governance gap often leaves verification systems under-protected, under-monitored, and slow to adapt when abuse begins. Practitioners should also interpret this through identity governance and risk management guidance in the NIST Cybersecurity Framework 2.0.
Organisations typically encounter the full significance of SMS pumping only after the messaging bill spikes or account takeover reports surge, at which point the weakness of SMS as a trust channel becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | SMS pumping often follows poor secret and flow governance around NHI-backed verification paths. |
| NIST CSF 2.0 | PR.AA-03 | Authentication guidance (the PR.AC-x identifiers belong to CSF 1.1; in 2.0 identity and access control sits under PR.AA) supports limiting trust in SMS-based recovery and step-up verification. |
| NIST CSF 2.0 | DE.CM-01, DE.CM-09 | Continuous monitoring of network services and of application runtime data helps identify abnormal SMS volume, retries, and destination clustering. |
Restrict verification triggers, monitor abuse patterns, and harden secret-backed identity workflows.
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org