
How ID.me Fights IRSF: Anatomy, Detection, and Defense

International Revenue Share Fraud (IRSF), also called SMS pumping or toll fraud, is both a cyberattack and a financial scam. Unlike most threats, it requires no malware, credential theft, or successful login to succeed. Instead, it exploits international telecom pricing structures to siphon funds directly from organizations that send SMS-based one-time passwords (OTPs). As SMS-based IRSF overtakes voice-based attacks as the leading variant, the financial losses and recovery costs businesses face will grow with it.

This post draws on ID.me’s internal threat intelligence and operational incident response data to analyze how these attacks function, how they are identified, and the strategies used to neutralize them.

The IRSF Attack Path

IRSF follows a reliable sequence, each stage building on the last to convert an OTP form into a cash-generating mechanism — no login, no malware, no successful authentication required.

  1. Setup. Fraudsters exploit global interconnectivity by accessing International Premium Rate Numbers (IPRNs) or high-cost unallocated ranges. The profit mechanism runs through the inter-carrier value chain – range holders, transit carriers, and aggregators – none of whom necessarily act in bad faith. Each entity may simply be providing standard routing services while the attacker exploits revenue-sharing and termination arbitrage baked into the billing structure. Put simply, the attacker’s profit is structurally integrated into complex inter-carrier rates, not dependent on any single colluding carrier.
  2. Account creation at scale. Automated bots register large volumes of fake accounts using both commonly known and advanced tactics.
  3. OTP trigger. Each account submits a phone number the attacker controls to any SMS-triggering form – registration, password reset, or MFA enrollment. The platform’s SMS provider dispatches an OTP to that number.
  4. Revenue collection. The carrier routes the message to the premium-rate number and charges the sending organization at an elevated rate. A share of that charge flows back to the fraudster through the revenue-sharing arrangements built into inter-carrier settlement. No code is entered and no account is taken over; the profit is the message delivery itself.
  5. Reinvestment. Proceeds fund the next campaign. Attacks are frequently automated and self-sustaining: revenue from one wave pays for infrastructure, number registrations, and proxy services for the next.

How Attackers Evade Detection

IRSF is hard to stop because tactics evolve fast. Attackers don’t just rotate phone numbers; they also manipulate email addresses, rotate subdomains, and route through VPNs and proxies to mimic legitimate traffic.

The window between account creation and the surge in SMS volume is remarkably narrow. ID.me’s internal data reveals that 70% of IRSF-related activity commences within 20 minutes of account creation, with 25% beginning within the very first minute. This rapid execution is intentional, allowing attackers to extract maximum SMS volume before rate limits or detection mechanisms can intervene.

Email Address Manipulation

Because the attackers’ objective is volume, they exploit well-known email provider productivity tricks to register emails en masse while attempting to control them from a single mailbox. These methods include the Dot Trick, which exploits Gmail’s treatment of periods (e.g., shenanigans@gmail.com and s.h.e.nanigans@gmail.com resolve to the same inbox but may register as distinct accounts, yielding over 1,000 combinations from a single address), and the Plus Trick, where appending arbitrary strings after a plus sign (+) with some mail providers produces countless address variations that are trivial to automate at scale. Platforms that do not normalize these address patterns at account creation treat each variation as a unique identity, giving a single attacker thousands of apparent accounts from one inbox.

Network and Device Signals

Though adversaries frequently shift their infrastructure, they consistently emit identifiable indicators. Any one signal — automation signatures, infrastructure patterns, or behavioral mismatches — looks minor in isolation. Analyzed together, they expose the attack. The core challenge for attackers remains the same: it’s nearly impossible to flawlessly mimic human behavior across every metric when generating synthetic accounts at high volume.

Attack Origin Geography: Identity of the Requesters

Notably, source IP geolocation is distinct from the destination phone number prefix: attackers routinely direct SMS traffic to premium-rate numbers in countries entirely different from their operational base. While IRSF destination countries attract the attention, the source geography of registration traffic tells a story of its own. ID.me data covering more than 130,000 IRSF-attributed accounts across all of 2025 reveals a heavily concentrated regional pattern: a single region in South Asia accounts for more than a third of all attributed accounts, outpacing the next-largest source region by more than 2:1. That gap is likely even wider than it appears, because attackers often route traffic through residential proxy networks to blend with domestic traffic or otherwise hide the true source. Residential proxy access is cheap relative to fraud returns, making IP laundering a routine line item rather than a barrier to entry.

Source: ID.me Security Operations telemetry — IRSF-attributed accounts, full year 2025, aggregated by source region.

SMS Cost Distribution and Potential Exposure

Attackers are indifferent to where they land on the rate spectrum. High-rate premium numbers maximize per-message yield, while low-rate destinations enable expansive, lower-profile operations that are harder to detect through anomaly thresholds alone. Either way, the structural economics favor the attacker: the arbitrage margin is baked into how inter-carrier settlement works, not into any particular destination.

ID.me models organizational per-attack exposure by running carrier rate data (high, moderate, and low per-SMS cost) against scenarios of 100, 500, and 1,000 staged accounts. Even with rate limiting in place, one account that triggers up to 10 messages per 15-minute window can, if left unmitigated across an 8-hour period, generate up to 320 messages (32 windows of 10). Multiplied across a coordinated campaign, total message volume and the financial liability attached to it scale far beyond what the raw account count suggests.

Using this model, even at $0.0025 per message, a single campaign against 1,000 staged accounts (320,000 messages) generates $800 in direct losses. That figure may seem modest in isolation, but IRSF operations are rarely isolated events. The same campaign running once a week for a year quietly accumulates just over $40,000 in losses from low-rate traffic alone. At moderate rates, that same weekly cadence could scale to roughly $2.5 million annually. At high rates, it could reach over $8 million. Scale that to 10,000 accounts and the annual figures climb to approximately $400,000, $25 million, and $80 million respectively. Attackers don’t need to hit the maximum rate tier to make IRSF worthwhile, and they don’t need to run long campaigns to make the economics work in their favor.

The broader industry has learned this the hard way. In December 2022, Elon Musk publicly disclosed that Twitter was losing $60 million per year to SMS pumping, with 390 telcos implicated in routing fraudulent two-factor authentication traffic through bot accounts. The scale of that exposure, at a single platform, reflects what happens when detection and remediation lag behind a persistently low-cost, high-volume attack model.

The ID.me Defense Stack

Because ID.me sits inline across account registration and password reset flows, every OTP trigger passes through ID.me’s verification layer before an SMS is dispatched. That architecture has a direct financial consequence: ID.me bears the cost of all SMS traffic, fraudulent or otherwise. Customers using ID.me’s digital identity wallet typically avoid direct exposure from IRSF-related messaging costs, because ID.me has absorbed it.

That means ID.me has a direct financial stake in solving IRSF, not just detecting it. Every fraudulent message that reaches a carrier is a cost ID.me absorbs. Every attack blocked before dispatch is a cost avoided. This aligns incentives in a way that sets the ID.me model apart from platforms that pass SMS costs downstream. Our customers stay largely insulated from financial liability, and we’re motivated to keep it that way.

Stop Them at Registration

The highest-leverage intervention point is before the OTP is ever sent. Effective registration-layer defense combines real-time phone number and carrier-level filtering with risk scoring, geo-restrictions on high-risk country codes, and a regularly maintained carrier block list that keeps pace with emerging campaigns.

Email normalization is equally important and frequently overlooked. Collapsing dot-trick and plus-trick variants to their canonical form prevents a single inbox from anchoring thousands of synthetic accounts. Domain intelligence should layer several signals simultaneously: disposable domain detection, domain age, domain popularity ranking, and breach history.
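The following Python is an added example, not ID.me’s code, showing the registration-layer checks described in this section and the dot/plus tricks described under Email Address Manipulation: it collapses dot-trick, plus-trick and alias-domain variants to one canonical mailbox, counts how many dot spellings a local part admits, reduces a submitted phone number to E.164 digits, and refuses a registration whose number falls in a denied premium-rate prefix or outside the country codes the platform serves. The provider tables, the allowed country codes and the denied prefix list are assumptions constructed for the example; populate them from your own mail-provider and carrier intelligence.

```python
import re
from dataclasses import dataclass, field

# Provider behaviour tables. Assumptions for this example: extend them from your
# own mail-provider intelligence rather than treating them as complete.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}                       # periods in the local part are ignored
PLUS_ADDRESSING_DOMAINS = {"gmail.com", "outlook.com", "icloud.com", "proton.me"}  # "+tag" goes to the base mailbox
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}             # same mailbox, different domain spelling

# Constructed phone policy for the example: the platform serves two country codes,
# and ops maintains a deny list of premium-rate prefixes (+1-900 is the North
# American premium-rate range).
ALLOWED_COUNTRY_CODES = {"1", "44"}
DENIED_PREFIXES = {"1900"}

E164_DIGITS = re.compile(r"^[1-9]\d{6,14}$")  # E.164 allows at most 15 digits


def canonical_email(address: str) -> str:
    """Collapse dot-trick, plus-trick and alias-domain variants to the mailbox they deliver to."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_ADDRESSING_DOMAINS:
        local = local.split("+", 1)[0]      # drop everything after the first '+'
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")      # periods carry no meaning here
    return f"{local}@{domain}"


def dot_variant_count(local_part: str) -> int:
    """Number of distinct dot-trick spellings a dot-insensitive local part admits:
    each of the n-1 gaps between characters may or may not hold a period."""
    return 2 ** (len(local_part.replace(".", "")) - 1)


def canonical_phone(number: str) -> str:
    """Reduce a submitted number to bare E.164 digits (no '+', spaces or punctuation)."""
    digits = re.sub(r"[\s().-]", "", number.strip())
    if digits.startswith("+"):
        digits = digits[1:]
    if not E164_DIGITS.match(digits):
        raise ValueError(f"not an E.164 number: {number!r}")
    return digits


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)


def screen_registration(email: str, phone: str, registered: set[str]) -> Decision:
    """Registration-layer check run before any OTP is dispatched.
    `registered` holds the canonical emails already on file and is updated on allow."""
    reasons: list[str] = []
    try:
        mailbox = canonical_email(email)
    except ValueError as exc:
        return Decision(False, [str(exc)])
    if mailbox in registered:
        reasons.append(f"email collapses to already-registered mailbox {mailbox}")
    try:
        digits = canonical_phone(phone)
    except ValueError as exc:
        reasons.append(str(exc))
    else:
        # Deny list first: a denied prefix may sit inside an otherwise allowed country code.
        if any(digits.startswith(p) for p in DENIED_PREFIXES):
            reasons.append(f"phone +{digits} matches denied premium-rate prefix")
        elif not any(digits.startswith(cc) for cc in ALLOWED_COUNTRY_CODES):
            reasons.append(f"phone +{digits} is outside served country codes")
    if not reasons:
        registered.add(mailbox)  # store the canonical form, never the submitted spelling
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    on_file: set[str] = set()
    # Constructed registration attempts: three spellings of one Gmail inbox, then a
    # premium-rate destination and an unserved country code.
    attempts = [
        ("shenanigans@gmail.com", "+1 212 555 0100"),
        ("s.h.e.nanigans@gmail.com", "+1 212 555 0101"),
        ("Shenanigans+wave2@GoogleMail.com", "+1 212 555 0102"),
        ("new.user@gmail.com", "+1 (900) 555-0103"),
        ("first.last@example.org", "+49 30 123456"),
    ]
    print("dot-trick spellings of 'shenanigans':", dot_variant_count("shenanigans"))
    for email, phone in attempts:
        d = screen_registration(email, phone, on_file)
        print(f"{email:36} {phone:20} -> {'allow' if d.allow else 'deny'} {d.reasons}")
```

The check is deliberately provider-aware: `first.last+x@example.org` is left untouched because nothing on the page says example.org ignores dots or plus tags, and normalizing it would merge distinct users. Keep the provider tables, prefixes and country codes in configuration so the carrier block list can be updated at the pace of new campaigns.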

No single control is sufficient. The defense works because the signals are stacked.

Velocity Controls and Real-Time Behavioral Detection

When registration-layer controls are bypassed, the window to limit damage is short. The gap between account creation and peak SMS volume can be minutes. Structural rate limits on SMS volume, phone number changes, and failed authentication attempts buy time, but they aren’t enough on their own. Pair them with a real-time behavioral detection framework that flags abnormal patterns as they emerge and shuts down suspicious accounts before losses accumulate.

Speed of response is the variable that matters most at this stage. Batch or periodic review processes are not designed for this threat.
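As an added example (not ID.me’s detection framework), the Python below runs the behavioral rules this section describes over a constructed account event log: it measures the lag from account creation to the first OTP, counts OTPs per account in a sliding 15-minute window against the 10-message limit used in the exposure model above, and flags accounts that send OTPs to non-US destinations with no successful authentication. The log format, the sample accounts and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)        # structural rate-limit window
MAX_OTP_PER_WINDOW = 10               # messages allowed per account per window
FAST_TRIGGER = timedelta(minutes=1)   # a first OTP this soon after signup is a strong IRSF signal
HOME_COUNTRY = "US"                   # OTPs to any other destination get extra scrutiny


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str   # created | otp_sent | auth_success
    dest: str   # ISO country of the SMS destination for otp_sent, "-" otherwise


# Constructed sample log (not real telemetry): acct-001 is a staged IRSF account
# that starts pumping 20 seconds after creation, acct-002 is an ordinary user.
SAMPLE_LOG = """\
2025-03-01T11:00:00 acct-002 created -
2025-03-01T11:30:00 acct-002 otp_sent US
2025-03-01T11:30:45 acct-002 auth_success -
2025-03-01T12:00:00 acct-001 created -
2025-03-01T12:00:20 acct-001 otp_sent FR
2025-03-01T12:00:45 acct-001 otp_sent FR
2025-03-01T12:01:10 acct-001 otp_sent DE
2025-03-01T12:01:35 acct-001 otp_sent FR
2025-03-01T12:02:00 acct-001 otp_sent DE
2025-03-01T12:02:25 acct-001 otp_sent FR
2025-03-01T12:02:50 acct-001 otp_sent FR
2025-03-01T12:03:15 acct-001 otp_sent DE
2025-03-01T12:03:40 acct-001 otp_sent FR
2025-03-01T12:04:05 acct-001 otp_sent FR
2025-03-01T12:04:30 acct-001 otp_sent DE
2025-03-01T12:04:55 acct-001 otp_sent FR
"""


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated 'timestamp account kind dest' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, dest = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, kind, dest))
    return sorted(events, key=lambda e: e.ts)


def peak_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of timestamps falling inside any interval of length `window`."""
    peak, start = 0, 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def analyze(events: list[Event]) -> dict[str, list[str]]:
    """Return {account: [reasons]} for every account that trips at least one rule."""
    by_account: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    findings: dict[str, list[str]] = {}
    for account, evs in by_account.items():
        otps = [e for e in evs if e.kind == "otp_sent"]
        if not otps:
            continue
        reasons = []
        created = next((e.ts for e in evs if e.kind == "created"), None)
        if created is not None:
            lag = otps[0].ts - created
            if lag <= FAST_TRIGGER:
                reasons.append(f"first OTP {int(lag.total_seconds())}s after account creation")
        peak = peak_in_window([e.ts for e in otps], WINDOW)
        if peak > MAX_OTP_PER_WINDOW:
            reasons.append(f"{peak} OTPs in one {WINDOW.seconds // 60}-minute window (limit {MAX_OTP_PER_WINDOW})")
        foreign = sorted({e.dest for e in otps if e.dest != HOME_COUNTRY})
        if foreign and not any(e.kind == "auth_success" for e in evs):
            reasons.append(f"OTPs to non-{HOME_COUNTRY} destinations {foreign} with no successful authentication")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(account)
        for r in reasons:
            print("  -", r)
```

The rules are evaluated per event stream rather than in a nightly batch, which is the point of the section: the same logic wired to a streaming consumer can suspend acct-001 on its eleventh message, well before an eight-hour window fills. Tune `FAST_TRIGGER` and `MAX_OTP_PER_WINDOW` against your own legitimate-user distribution, and note that the first two rules fire regardless of destination rate, so low-rate, high-volume campaigns are caught as well.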

Reducing Reliance on SMS

The most effective defense is reducing the attack surface itself. By replacing SMS with phishing-resistant authenticators, such as passkeys and FIDO2/U2F hardware security keys, organizations can simultaneously mitigate IRSF exposure and broader account security risks.

ID.me is actively promoting the transition from passwords to passkeys through a strategy that combines rapid product innovation, proactive user education, and industry thought leadership. Every step toward binding authentication to a cryptographic credential, rather than a vulnerable phone number, significantly strengthens the overall security posture.

What Fraud and Security Teams Should Know

Registration and SMS pumping are often automated in parallel, which means the detection window is narrower than most teams plan for. Real-time detection is not optional.

Attackers do not consistently target high-rate premium numbers. Lower-rate, high-volume operations are the more common pattern precisely because they stay beneath detection thresholds longer. Anomaly rules calibrated only for high-value traffic will miss the majority of campaigns.

A coordinated campaign is rarely hitting one platform. A single threat actor may be running the same operation against dozens of companies simultaneously. Vendor and peer threat-sharing surfaces campaigns faster than any individual signal set can.

WAFs are not a sufficient standalone control. Modern bots bypass CAPTCHA at scale. Normalizing email variants removes one of the primary tools attackers use to manufacture synthetic identity volume. And if you are seeing large volumes of outbound SMS to non-US destinations with no corresponding authentication success, the attack is already in progress.

IRSF is a race condition. The attacker wins by generating revenue faster than defenses can close the vector. Every layer described here exists to make that race not worth running.