The challenge
The client is a mid-market fashion retailer with a European customer base. Customers log in with their phone number and receive a one-time code by SMS — there is no password; the OTP is the authentication. Normal SMS volume ran around 50,000 messages per month. Predictable cost.
At 3am on a Tuesday, the login flow stopped working. Their SMS gateway had suspended the account for unusual traffic. The attack had been running four hours.
SMS pumping: bots had been hitting the /send-otp endpoint continuously since shortly after midnight. Each request triggered a real SMS. The attackers paid nothing. The retailer paid per message. In four hours the attack generated roughly 240,000 fraudulent SMS dispatches — more than four times the normal monthly volume.
Every request was valid — correct endpoint, correct payload, real phone numbers that just didn’t belong to real customers trying to log in. Nothing to reject on structure alone. The attack came from hundreds of residential proxies, so IP-based rate limiting would have caught none of it.
The team restored service by mid-morning after working with the gateway to reinstate the account. The incident cost €18,000 in excess charges. The more pressing problem: nothing had been done to stop it happening again.
The approach
We were brought in with a 72-hour window. The SMS provider had issued a usage warning and threatened account suspension if the traffic pattern continued.
Endpoint exposure
We mapped how the OTP endpoint was actually accessible: which paths triggered SMS dispatch, what validation existed on the phone number field, whether any session context was required. The endpoint needed no prior session authentication. Any HTTP client could fire an SMS with a valid phone number and a CSRF token grabbed from a public page.
Bot Manager Premier
We deployed Akamai Bot Manager Premier on the endpoint in observation mode to build a behavioural baseline. The difference between real and attack traffic was obvious within hours. Legitimate users reach the OTP step after navigating the login page and entering their phone number — there’s a session, a page sequence, human timing. The attack traffic arrived cold: direct endpoint calls with no prior session at all.
Bot Manager Premier’s device fingerprinting and behavioural scoring classified and blocked the attack traffic completely. We moved to active mitigation 36 hours in. Suspicious sessions got a silent challenge; only requests that failed it received an error. Real users coming through a genuine login session passed without friction.
Phone number validation
We also added server-side rejection of phone number prefixes from the highest-abuse country codes. On its own this would be too blunt — it would block real customers in those regions. Behind Bot Manager it added a secondary filter without touching the behavioural detection logic.
The results
Within 48 hours of Bot Manager Premier going active, fraudulent SMS triggers stopped entirely. The SMS provider’s abuse flag cleared the same week.
The first incident had cost €18,000. With Bot Manager in place, no repeat incident occurred. The engagement paid for itself against the cost of a single attack.
Login completion recovered too. During the attack, real users were hitting OTP delivery delays from the volume spike and login completion fell 9%. That recovered once the fraudulent load was gone.
Real customers weren’t affected. The login funnel showed no increase in OTP failures or authentication drop-off after deployment.
What made it work
SMS pumping is unusual because the site stays up. Availability looks fine, error rates are normal, the login flow keeps running. The damage is financial and invisible until the gateway suspends your account or a billing cycle closes. Most teams aren’t watching SMS dispatch volume — they’re watching server metrics and error rates.
We could move from observation to active mitigation quickly because the attack traffic was behaviourally distinct. Cold requests with no session context are easy to classify. When legitimate bot-like traffic is present (mobile apps, partner integrations), the tuning window is longer. Here, the pattern was clean enough to move fast.
The country-code filtering was kept as a defence-in-depth measure rather than the primary control. Bot Manager Premier handles the volume completely; the prefix filtering adds a secondary layer without touching the behavioural detection logic.
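As an added illustration of the three controls discussed in the Bot Manager Premier and Phone number validation sections and again above (example code written for this page, not Akamai's or the client's): a session-context check that separates cold requests from genuine login sequences, a prefix filter applied only behind that check, and an hourly dispatch alert derived from the 50,000-per-month baseline. The request log, the prefix list and the 10x alert multiplier are constructed assumptions; the per-IP count shows why address-based rate limiting would have missed a proxy-distributed burst.

```python
"""Constructed example: classify /send-otp requests by session context and
alert on SMS dispatch volume against the monthly baseline."""
from collections import Counter

MONTHLY_BASELINE = 50_000                        # normal volume from the case
HOURLY_BASELINE = MONTHLY_BASELINE / (30 * 24)   # about 69 dispatches per hour
ALERT_MULTIPLIER = 10                            # assumed alert threshold
HIGH_ABUSE_PREFIXES = ("+000",)                  # placeholder, not the client's list


def is_cold(session_id, prior_pages):
    """Attack traffic arrived with no session and never rendered the login page."""
    return not session_id or "/login" not in prior_pages


def decide(session_id, prior_pages, phone):
    """Same order as the deployed stack: behavioural check first, prefix filter second."""
    if is_cold(session_id, prior_pages):
        return "challenge"        # silent challenge; only failures receive an error
    if phone.startswith(HIGH_ABUSE_PREFIXES):
        return "reject_prefix"    # blunt on its own: this also hits genuine sessions
    return "send"


def sample_requests():
    """Constructed log: (timestamp, session, pages seen before /send-otp, ip, phone)."""
    genuine = [
        ("2024-03-05T00:04:10", "sess-a1", ["/", "/login"], "203.0.113.7", "+33612345678"),
        ("2024-03-05T00:09:42", "sess-b2", ["/login"], "203.0.113.9", "+49151234567"),
        ("2024-03-05T00:11:03", "sess-c3", ["/login"], "203.0.113.12", "+0001234567"),
    ]
    # 800 cold requests spread over 200 proxy addresses within one hour
    burst = [
        (f"2024-03-05T00:{i // 60:02d}:{i % 60:02d}", "", [],
         f"198.51.100.{i % 200 + 1}", f"+3361{i:07d}")
        for i in range(800)
    ]
    return genuine + burst


def analyse(requests):
    """Per-request verdicts, hourly volume alerts, and the busiest single IP."""
    verdicts = Counter(decide(r[1], r[2], r[4]) for r in requests)
    per_hour = Counter(r[0][:13] for r in requests)
    alerts = {h: n for h, n in per_hour.items() if n > HOURLY_BASELINE * ALERT_MULTIPLIER}
    max_per_ip = max(Counter(r[3] for r in requests).values())
    return {"verdicts": dict(verdicts), "volume_alerts": alerts, "max_per_ip": max_per_ip}


if __name__ == "__main__":
    print(analyse(sample_requests()))
```

The hourly alert fires on total dispatch count, which is the signal server metrics and error rates never show; the low per-IP maximum is the reason the session-context check, not address counting, carries the detection.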