SMS pumping (also called toll fraud or AIT — artificially inflated traffic) is one of the fastest ways a Twilio bill explodes. Attackers abuse an unprotected phone-verification flow to trigger huge volumes of SMS to premium-rate numbers in specific countries, collecting a share of the carrier revenue. You pay for every message.
The cost signature
SMS pumping has a recognizable shape:
- A sudden spike in Verify or SMS volume to a narrow set of destination countries you don't normally serve.
- Low conversion — the codes are never used, because there's no real user.
- Often off-hours, and concentrated on a single endpoint (your signup or verification form).
Because it scales in hours, by the time it shows on a monthly bill the damage is done.
How to catch it
- Watch message and Verify volume by destination country against your baseline — a spike to unusual destinations with low conversion is the tell.
- Add fraud guards: geo-permissions to restrict destinations, rate limiting on verification, and CAPTCHA on signup.
- Most importantly, get a same-day alert on abnormal volume so you can shut it down in hours, not discover it in weeks.
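The check described in the list above (volume by destination country against a baseline, combined with conversion), as an added example that is not Twilio's or StackSpend's code. The record layout, the placeholder country codes `XX` and `YY`, and the thresholds are assumptions to tune against your own traffic.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed sample: (day, destination_country, code_was_verified)."""
    rows = []
    for day in ("d1", "d2", "d3"):                      # baseline days
        rows += [(day, "US", True)] * 80 + [(day, "US", False)] * 20
        rows += [(day, "GB", True)] * 8 + [(day, "GB", False)] * 2
    rows += [("d4", "US", True)] * 85 + [("d4", "US", False)] * 25
    rows += [("d4", "GB", True)] * 9 + [("d4", "GB", False)] * 1
    # Pumping-shaped traffic: unusual destination, codes almost never used.
    rows += [("d4", "XX", False)] * 400 + [("d4", "XX", True)] * 2
    rows += [("d4", "YY", True)] * 3                     # new country, tiny volume
    return rows

def flag_pumping(rows, today, spike_factor=3.0, min_volume=50, max_conversion=0.2):
    """Return {country: (sent_today, baseline_daily_avg, conversion)} for
    destinations whose volume spiked above baseline while conversion stayed low."""
    sent = defaultdict(Counter)      # day -> country -> messages sent
    verified = Counter()             # country -> codes verified today
    for day, country, ok in rows:
        sent[day][country] += 1
        if day == today and ok:
            verified[country] += 1
    base_days = [d for d in sent if d != today]
    flagged = {}
    for country, n in sent[today].items():
        # A country never seen before has a baseline of 0, so any volume
        # above min_volume counts as a spike.
        baseline = sum(sent[d][country] for d in base_days) / max(len(base_days), 1)
        conversion = verified[country] / n
        spiking = n >= min_volume and n > spike_factor * baseline
        if spiking and conversion <= max_conversion:
            flagged[country] = (n, baseline, round(conversion, 3))
    return flagged

if __name__ == "__main__":
    for country, (n, base, conv) in flag_pumping(build_sample(), "d4").items():
        print(f"ALERT {country}: {n} sent today, baseline {base:.1f}/day, conversion {conv:.1%}")
```

Requiring both conditions keeps a legitimate launch (high volume, normal conversion) from alerting, and running it hourly rather than daily shortens the window before shutdown.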
StackSpend's Twilio cost monitoring tracks usage by category and destination and fires an anomaly alert the day verification or SMS volume spikes — turning an SMS-pumping attack into an immediate notification instead of an invoice surprise.
If your Twilio bill already jumped, start with "Why is my Twilio bill so high".