SMS Pumping is a form of messaging fraud that can lead to unexpected SMS charges and service disruption. This guide explains how these attacks work, who is most at risk, and the steps you can take to protect your ClickSend account.
What is SMS Pumping?
SMS pumping occurs when bad actors exploit vulnerable online forms on your website or app such as sign-up pages, password resets, or OTP (One-Time Password) requests. They use automated bots to trigger a massive volume of SMS messages to premium-rate phone numbers they control. This drains your account balance and leaves you with unexpected and significant charges.
How to protect your ClickSend Account?
ClickSend provides features to help reduce the risk of SMS Pumping and other messaging abuse, but securing your application is a shared responsibility.
If you're sending One-Time Passwords (OTP) or verification codes, we recommend implementing safeguards such as rate limiting, request delays, traffic monitoring, and usage thresholds. You can also restrict outbound messaging to approved destinations using Global Sending to minimise your exposure.
For implementation guidance and security best practices, see our article Preventing OTP risks with ClickSend's API.
Who Is Most at Risk?
SMS Pumping primarily affects developers and businesses that have not implemented appropriate safeguards to detect and prevent fraudulent messaging activity. Applications that allow users to trigger SMS messages without effective rate limiting, verification, monitoring, or abuse detection are particularly vulnerable.
While developers are responsible for building secure messaging workflows, the businesses operating these applications are often the ones that bear the financial impact through unexpected messaging charges and operational disruption. Implementing preventative controls is the most effective way to reduce the risk of SMS Pumping attacks.
Who benefits?
Bad actors often use SMS Pumping / Toll Fraud for financial gain by generating large volumes of fraudulent SMS traffic. In many cases, these messages are sent to high-risk or premium destinations where the attackers may profit from carrier fees or receive a share of the messaging revenue through fraudulent arrangements.
While many SMS Pumping attacks are financially motivated, some are intended primarily to disrupt business operations, abuse messaging infrastructure or cause operational disruption rather than generate direct financial gain.
These attacks can result in unexpected messaging costs for both your business and ClickSend.
