What SMS pumping (AIT) actually is
SMS pumping — also called artificially inflated traffic (AIT) — is a fraud where attackers use bots to trigger a business's own OTP or verification flow thousands of times, forcing it to pay for messages sent to number ranges the fraudsters control or profit from.
The attack has moved well beyond login OTPs. Fraud teams now report inflated traffic through app-download links, feedback surveys, and promotional-campaign endpoints. Anywhere a public form can make your backend send a paid SMS is a target.
Industry estimates put AIT losses to brands at roughly $1.16 billion in 2023 (Enea, cited via Sinch, 2024). This figure represents total SMS spend lost to fraud, including OTP pumping and all other AIT types, calculated from carrier and brand revenue data.
The signals that expose it
Pumping traffic does not look like human traffic. Four signals catch most of it:
| Signal | Legitimate traffic | Pumping traffic |
|---|---|---|
| Verification / conversion rate | 60-90% of OTPs get entered | Sudden drop to 20% or below |
| Number distribution | Naturally spread across ranges | Consecutive numbers in a narrow block |
| Requests per session | 1-2 sends, occasional resend | 3+ OTP requests in 60 seconds, same token |
| Destination geography | Matches where your users are | Spikes to countries you do not serve |
The controls that stop it
- Rate-limit per phone and per IP — a defensible baseline is max 5 OTPs per number per hour and 10 per day; cap sends per IP and per session token as well.
- Add a bot barrier at the form — CAPTCHA or invisible bot-detection before the send fires stops automated submissions from ever costing you a message.
- Validate numbers before you send — an HLR lookup or number-validation check rejects invalid, unallocated, and high-risk ranges up front, which is where pumping numbers cluster.
- Geo-fence your destinations — disable delivery to countries you do not operate in; most pumping targets routes brands never intended to use.
- Treat every OTP request as untrusted — the emerging 2026 standard is a zero-trust posture: prove a request is human and in-region before spending on it.
SMSRoute pairs naturally with this: built-in HLR lookup for pre-send validation, per-number send caps, and per-country routing so you can hard-limit delivery to the markets you actually serve. SMSRoute's published route pages list direc
A minimal defense you can ship today
- Cap sends before generating a codeCheck a per-number and per-IP counter in Redis before you ever call the send API. If the number is over 5/hour or the IP over a sane threshold, refuse without sending.
- Validate the numberRun an HLR / format check. Reject non-E.164, unallocated, and premium/high-risk ranges.
- Gate the formRequire a CAPTCHA or bot score above a threshold before the endpoint will send.
- Watch the verification rateAlert when the OTP entry rate for any route drops sharply hour-over-hour — that is your early-warning system.
FAQ
What is the difference between SMS pumping and AIT?
How do I know if I am being hit right now?
Does a no-KYC provider make pumping worse?
What is a safe OTP rate limit?
A safe OTP rate limit is typically 3–5 attempts per phone number per hour, with a daily cap of 10–15 attempts. SMSRoute’s adaptive routing and real-time DLR webhooks help you monitor delivery and detect anomalies, while automatic failover ensures legitimate OTPs reach users reliably. Combined with SMSRoute’s fraud-detection tools, these limits prevent abuse without blocking genuine traffic.
Send your first SMS in 5 minutes
No KYC. Pay with BTC, ETH, USDT, XMR, LTC, and SOL. Live routes to 149 countries.
Get an API key →