Published on July 02, 2026/Last edited on July 02, 2026/11 min read


TL;DR
To address the growing challenge of SMS traffic pumping fraud for brands around the world, the Braze customer engagement platform provides a number of built-in tools and best practices that can be leveraged to reduce risk without impacting overall customer engagement success.
Key takeaways
Imagine this: One morning, you log on and find your SMS bill is 10X higher than it should be. Somehow your brand sent thousands of messages to phone numbers in countries you don't even do business in, and all of it was triggered through your SMS opt-in flow on your website. And when you dig into the issue, you find that no real customers received the messages, but you still had to pay for all of them.
This upsetting situation is known as SMS traffic pumping fraud, and it's becoming an increasingly common threat for brands running SMS programs. Attacks like this can cost companies thousands (or even hundreds of thousands) of dollars in a matter of hours, but with the right protections in place, you can reduce the likelihood of being targeted so that your SMS program can continue to run smoothly, maintaining its role as a high-performing, direct channel for connecting with your real customers.
In this post, we’ll give you the full rundown on what SMS traffic pumping fraud is, how these schemes work, which brands are most at risk, and, most importantly, how you can take steps to protect your SMS program from this increasingly common attack.
SMS traffic pumping fraud, also known as Artificially Inflated Traffic (AIT), is a scheme where bad actors exploit a brand’s public-facing forms, authentication flows, or API endpoints in order to trigger SMS, MMS, or RCS sends. Think “sign up for SMS alerts” pop-ups, one-time password (OTP) flows, or any other mechanism that causes your system to fire off a text message when a phone number is submitted.
Fraudsters submit phone numbers with specific country codes to flood complicit or exploited carriers with traffic. These carriers then give a share of messaging revenue back to the fraudster. That means every message your brand sends puts money in the fraudster’s pocket and leaves you with an inflated SMS bill for sends that never reached real customers.
Here’s how the scheme typically plays out:
The financial exposure can be significant and, in some cases, brands can see SMS bills spike dramatically within hours of a vulnerability being identified.
Brands are most at risk when they have public-facing web or app forms, authentication flows, or API endpoints that trigger SMS, MMS, or RCS sends, and do not have adequate controls in place to prevent fraud. Common targets include:
Put simply: If anyone on the internet can submit a phone number and cause your system to send an SMS message, a fraudster can automate that at a massive scale. The vulnerability isn’t in the SMS channel itself; it’s in the unsecured doorways that lead to it.
There are two common attack vectors to be aware of. The first is double opt-in abuse. When a brand uses a double opt-in flow, it sends a confirmation SMS to each number that's submitted, usually something like "To receive SMS messages from [Brand], reply Y." Fraudsters exploit unprotected web forms or API endpoints to submit large volumes of phone numbers at scale (or sometimes, the same number repeatedly). Because the flow sends a confirmation message to every number submitted, regardless of whether that number is legitimate, every fraudulent submission equals a send, and every send generates revenue for the fraudster via their carrier revenue-sharing arrangement.
The second attack vector is direct API send pumping. In this scenario, fraudsters trigger high volumes of sends through compromised API credentials or action-triggered campaigns, often to the same number or range of numbers within a short time window. This generates a large volume of fraudulent traffic without ever touching your opt-in flow. Both attack types exploit the same fundamental vulnerability: An unsecured path between a phone number input and an outgoing message.
Not all countries carry the same level of fraud risk. Some markets are significantly more attractive to fraudsters based on a few key factors:
To help marketers make informed decisions and weigh risk, Braze maintains a list of high fraud risk countries and flags them directly within the dashboard during country allowlist setup. More on that below!
The Braze platform has a layered set of built-in protections that can help brands defend against traffic pumping attacks.
1. Never worry about sending to embargoed destinations
Braze does not do business with certain countries and regions, and blocks all SMS send attempts to the following destinations entirely: Cuba, Iran, North Korea, Syria, Sudan, and South Sudan. These blocks are in place platform-wide and cannot be overridden, preventing bad actors from directing fraudulent traffic to these embargoed countries.
2. Control which markets can receive your messages
One of the most powerful tools available to brands is the country allowlist, which can be found under "Geographic Permissions" in the Braze dashboard. Configured at the subscription group level, this feature allows brands to control which countries SMS, MMS, and RCS messages can be sent to. Once configured, Braze will only send SMS/MMS/RCS messages to phone numbers with country codes (AKA prefixes) that the marketer has selected, and any attempted send to a number that does not start with one of the selected country codes will be blocked. Braze also logs those aborted sends so brands can proactively monitor attempted sends for unusual patterns. Because the country allowlist works based on country codes (e.g. +1 for the US), it allows brands to reach their customers even if they are traveling.
When marketers add countries to their alllowlist, Braze automatically flags countries designated as "High Fraud Risk" and will prompt brands to confirm their selections before proceeding. (Allowlist configuration is completed during onboarding for new Braze customers, to ensure protection is in place from day one.) Remember, if you only do business in certain regions, there's no reason to include markets where you have no customers; you can always update your country mix later. Limiting your allowlist to countries you actively market to is one of the most effective steps you can take to reduce your exposure to SMS traffic pumping.
3. Spot signs of fraud early
Beyond the country allowlist, Braze maintains a layered internal alerting system with over a dozen monitors that score and flag anomalous send patterns in near real time. These alerts span several categories, such as:
4. Add extra layers of protection
Beyond dedicated SMS traffic pumping protections, Braze offers several other platform features that can help prevent these fraudulent attacks. Here are some additional safeguards and best practices to consider implementing:
Braze also works closely with communications platform as a service (CPaaS) providers Twilio and Infobip to cross-reference traffic patterns and catch anything that may surface at the carrier level. When suspicious activity is identified, Braze can block traffic to the affected destination in near real time.
Behind all of these built-in monitors and alerts is a dedicated team experienced in dealing with SMS traffic pumping fraud. That includes Staff Security Engineers who bring an offensive security background, understand exactly how these attacks are constructed, and most importantly, how to stop them.
While the Braze platform’s built-in protections are a strong foundation, the most important thing brands can do is secure any public-facing form or API endpoint that triggers SMS, MMS, or RCS sends. Industry best practices include:
For a deeper dive, check out our full documentation on understanding and preventing SMS, MMS, and RCS traffic pumping fraud.
SMS traffic pumping is a serious threat to marketers and can cause significant pain if it isn’t handled effectively. At the same time, it’s also a challenge that’s very manageable with the right knowledge and guardrails in place. Here are the key takeaways to keep top of mind:
With the right guardrails, monitoring and alerting, and technology in place, you can send SMS with confidence, reducing the risk of your messages reaching fraudsters instead of your real customers. Connect with Sales or reach out to your Braze account team to learn more about how Braze helps protect your SMS program.





