A recent surge in telecommunications exploitation targets mobile accounts and corporate budgets. Criminal networks currently deploy two primary tactics draining funds: Click2SMS and SMS pumping. While these methods utilize different entry points, they share the objective of routing expensive international messages through premium-rate carriers generating illicit revenue.
The user-focused threat: Click2SMS exploitation
Click2SMS campaigns target individual smartphone users through social engineering. Victims browsing the mobile web encounter redirection to fraudulent human verification pages mimicking standard security checks.
Deceptive CAPTCHAs: Users encounter screens requiring a button press proving they are not bots.
Mechanism of Action: Clicking the button executes a background JavaScript file, often identified as makeTrackerDownload.php. This script communicates with a remote server to retrieve a list of premium-rate international numbers and a pre-composed message.
App Triggering: The script forces the mobile device to open its native SMS application with the recipient list and message already populated. While the interaction begins in the web browser background, the actual transmission usually requires the user to tap the "send" icon, which scammers mask using "continue" or "verify" prompts.
Immediate Impact: Because these messages originate from the device of the user, the charges appear directly on the next mobile statement, often exceeding $30.00 for a single interaction.
The business-focused threat: SMS pumping operations
SMS pumping, also referred to as Artificially Inflated Traffic (AIT), targets automated systems businesses use communicating with customers. This tactic exploits "send code" or "verify phone number" features found on modern websites.
Automated Bot Attacks: Fraudsters use bots filling out sign-up forms using thousands of premium-rate phone numbers.
System Manipulation: The server of the business sends a One-Time Password (OTP) or verification link to each number.
Corporate Loss: The company pays the carrier for every message sent. When performed at scale, these attacks cost a business thousands of dollars in a single hour.
The Profit Loop: Criminals partner with rogue telecommunications providers collecting a portion of the international fees paid by the victimized company.
Exploitation of age-gating mandates
The global push for mandatory age verification provides a fertile environment for both click2SMS as well as SMS Pumping. Criminals currently masquerade as compliance tools tricking users and exploiting corporate verification systems.
Australian Implementation: Australia enacted the Online Safety Amendment (Social Media Minimum Age) Act on December 10, 2025, enforcing a minimum age of 16 for social media access. This legislation led to a rise in platform impersonation scams. Fraudsters send messages or create fake landing pages claiming users must verify or lose access, leading directly to Click2SMS triggers.
Canadian Policy Debates: The Canadian government is considering a minimum age of 16 for social media access. As these discussions continue, Canadian users increasingly face targeting by pre-emptive age-check scams mimicking proposed government standards.
Systemic Vulnerabilities: Age-gating mandates require platforms implementing verification at scale. Attackers target these newly implemented verification endpoints for SMS pumping, knowing high traffic volumes associated with new compliance rules can hide fraudulent activity.
Identifying markers of SMS fraud
Recognizing signs of these operations remains essential for preventing financial loss. Both consumers and organizations must monitor for specific anomalies in digital activity.
Unexpected App Behaviour: A web browser suddenly opening the SMS messaging application without user initiation serves as a primary indicator of a Click2SMS attempt.
High-Cost Billing: Consumers must review mobile bills for international messages sent to regions they have not contacted.
Sign-up Spikes: Businesses must watch for sudden bursts of account creation requests originating from foreign IP addresses or targeting specific international country codes.
Verification Failures: A high volume of sent messages never resulting in a completed sign-up often signals an automated pumping attack.
Protective measures for consumers and enterprises
Mitigating the risk of SMS fraud requires combining vigilance and technical safeguards. Immediate actions securing telecommunications assets include the following:
Consumer Defense: Users must avoid interacting with verification or age-gate screens on unfamiliar websites. If the SMS app opens automatically, close the application immediately without tapping the send icon.
Corporate Defense: Businesses must implement rate-limiting on all SMS-enabled forms. Utilizing non-SMS alternatives for identity verification, such as email or authenticator applications, can eliminate the attack surface entirely.
Carrier Cooperation: Both parties should report fraudulent numbers to service providers facilitating the blocking of premium-rate destinations associated with known criminal affiliate networks.
- Log in to post comments