How Glide stopped a 282,000- session bot attack on a credit union's account opening

AI is making fraud cheaper, faster, and harder to spot. The same tooling that helps a developer move faster helps a fraudster move faster, and account opening is one of the first doors they test. In June 2026, a campaign hit USC Credit Union's online account opening flow and tried to push through more than 282,000 fake applications. USC never broke stride. No fraudulent account got through, no real application slowed down, and it cost the credit union nothing. Glide caught the attack and shut it down end to end.

This is a preview of what is coming for every community financial institution.

The attack: SMS pumping at scale

The technique is called SMS pumping, or OTP toll fraud, and it has nothing to do with stealing member money.

Account opening flows send a one-time passcode by SMS to verify a phone number. Fraudsters run bots that start thousands of applications using numbers they control in high-payout international markets. Each bot does just enough to fire one SMS, then walks away, and the fraudster takes a cut of the termination fee on every message. At hundreds of thousands of messages, it adds up.

The bots hitting USC were scripted clients running through a distributed proxy network, pointing traffic at numbers in the Philippines, Trinidad and Tobago, Jamaica, Morocco, Kazakhstan, Honduras, and a dozen other high-payout markets. One detail gave them away: the originating IP country never matched the phone number country. That is the signature of a botnet, not a room full of real applicants.

The funnel told the story. Normally about 85% of applicants who start verification pass it. During the attack that fell to 0.27% across 282,508 sessions, because almost every session was a bot that never meant to finish. The few that passed were real USC applicants, opening accounts without noticing anything wrong.

What didn't happen

No fraudulent member got through. The campaign never reached document capture, selfie, or KYC. The bots were after SMS fees, not membership, and they got neither.

Real members never felt it. Applicants kept opening accounts in a few minutes from their phones, exactly as before, while the bot flood took nothing offline.

And USC carried none of the weight. No war room, no paused onboarding, no check to write. Glide absorbed the whole incident, from first alert to fix, and the credit union's first full picture of the attack was the report explaining how it had already been stopped.

How Glide caught it and shut it down

Glide's monitoring watches for exactly this: spikes in session volume, collapsing pass rates, abnormal traffic per institution. As the campaign escalated in early June, those triggers fired.

From there it was forensic. We pulled live session data and production logs, traced the traffic to the single onboarding step the bots were abusing, and confirmed the signature: scripted, non-browser clients hammering one endpoint from a global proxy pool, every session dying within seconds of triggering one SMS.

Containment was fast because the defense was already there. Glide protects account opening in layers, with bot detection at the network edge, in front of the application. Once we had the signature, we tuned those edge controls to the campaign. Every request gets fingerprinted before it can reach the backend or trigger a verification call, so automated clients are blocked at the door while real browsers pass through untouched.

New fraudulent sessions stopped within minutes. The edge defense kept blocking thousands of bot requests an hour while the attacker kept trying. The attack was still running. It was no longer working.

Where this is heading

Automated fraud is cheap, fast, and global. A campaign that once took real infrastructure now runs as a script and scales to a quarter million attempts in weeks. SMS pumping is one flavor; synthetic identity fraud, credential stuffing, and AI-generated document fraud are on the same curve.

The old defenses aren't keeping up. Modern bots clear CAPTCHA routinely, through AI solvers or cheap human farms, so a challenge screen no longer separates a real applicant from a script. Stopping today's bots takes detection that reads how a request behaves, not a puzzle the bot already knows how to pass.

Community financial institutions are right in the blast radius. They're opening accounts online, competing on speed, and the same front door that lets a member join in three minutes is the one a botnet probes at 3am. Most don't have a 24/7 fraud operations center, and they shouldn't need one. The ones who handle this well will run on a platform that treats fraud defense as part of the product: watching the traffic, catching the anomaly, and shutting the attack down before anyone calls a meeting.

That's the bet behind how Glide is built. Account opening isn't a form. It's a live system under constant pressure, and defending it is our job, not our customers'.

USC faced one of the largest automated attacks we've seen against a community financial institution. They found out by reading how it had already been stopped. That's the standard.

If you run digital account opening at a credit union or community bank and want to know how your front door holds up against automated fraud, let's talk.