
SMS Pumping Risk


SMS Pumping Risk allows you to get real-time risk assessment on a phone number's involvement in SMS pumping fraud. It uses a proprietary risk assessment model that leverages data across our network including signals from Verify Fraud Guard as well as other signals associated with risky carriers, anomalous SMS traffic patterns, and low conversion rates.

Coverage and Limitations: Worldwide support; no carrier information will be returned for Canadian phone numbers. We do not recommend using this product for US or Canadian numbers as they are generally not susceptible to this type of fraud.

Release Stage and Access: Public Beta. To request access, submit this form.

To make an SMS Pumping Risk request, add sms_pumping_risk to the optional query parameter Fields when making a standard Lookup request.

SMS Pumping Risk Lookup

Node.js

// Download the helper library from https://www.twilio.com/docs/node/install
// Find your Account SID and Auth Token at twilio.com/console
// and set the environment variables. See http://twil.io/secure
const accountSid = process.env.TWILIO_ACCOUNT_SID;
const authToken = process.env.TWILIO_AUTH_TOKEN;
const client = require('twilio')(accountSid, authToken);

client.lookups.v2.phoneNumbers('+447772000001')
  .fetch({fields: 'sms_pumping_risk'})
  .then(phone_number => console.log(phone_number.smsPumpingRisk));

Output

{
  "calling_country_code": "1",
  "country_code": "US",
  "phone_number": "+447772000001",
  "national_format": "(415) 992-9960",
  "valid": true,
  "validation_errors": [],
  "caller_name": null,
  "sim_swap": null,
  "call_forwarding": null,
  "line_status": null,
  "line_type_intelligence": null,
  "identity_match": null,
  "reassigned_number": null,
  "sms_pumping_risk": {
    "carrier_risk_category": "moderate",
    "number_blocked": false,
    "number_blocked_date": null,
    "number_blocked_last_3_months": null,
    "sms_pumping_risk_score": 61,
    "error_code": null
  },
  "phone_number_quality_score": null,
  "pre_fill": null,
  "url": "https://lookups.twilio.com/v2/PhoneNumbers/+14159929960"
}


Response properties


The following additional properties are returned for an SMS Pumping Risk request.

| Property | Description |
| --- | --- |
| CarrierRiskCategory | The risk category of a carrier based on its risk score. One of: high, moderate, mild, low. |
| NumberBlocked | A boolean that indicates if the phone number is currently blocked by Verify Fraud Guard for receiving malicious SMS pumping traffic. |
| NumberBlockedDate | The date that a phone number was most recently blocked by Verify Fraud Guard, or null if it has never been blocked or processed by Fraud Guard. |
| NumberBlockedLast3Months | A boolean that indicates if the phone number has been blocked by Verify Fraud Guard in the last three months. Returns null if the number has never been processed by Fraud Guard. |
| SmsPumpingRiskScore | The risk score of a phone number being associated with SMS pumping based on patterns in messaging traffic ranging from 0 (no risk) to 100 (risk). |
| ErrorCode | The error code, if any, associated with your request. |

Suggested implementation logic


How you implement this feature will depend on your own application structure and risk tolerance; however, we can provide some general suggestions. When a user enters their phone number to receive an OTP or other message from your system, you can query the SMS Pumping Risk Score feature to determine whether or not you should send that message.

The primary response property to key your integration off of is SmsPumpingRiskScore. You can use the following as general guidelines for how risky a phone number might be:

  • Low Risk: 0 - 60
  • Mild Risk: 60 - 75
  • Moderate Risk: 75 - 90
  • High Risk: 90 - 100

As the risk scores increase we recommend introducing additional friction, and finally at a certain point we would recommend not sending the message at all. For Risk Scores less than 60 you could generally consider the phone number to be safe enough to send as requested. If the Risk Score is between 60 and 75, you may want to ask the requester to re-submit the request, or add some other form of friction to validate the request prior to sending the message. For Scores greater than 75 we suggest you treat the request as suspicious, and for Risk Scores between 90 and 100 we would not recommend sending the message.

If you would like to also include blocks that are currently being applied on other customer accounts by our Fraud Guard solution on Verify, you can leverage the NumberBlocked parameter and block any messages which return True. Please note that this may result in higher false positive rates in high risk countries.

You can also use any combination of the response parameters to build out a fully customized set of conditions to trigger various workflows in your system based on your own risk tolerance levels.
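
The score guidelines above written as a decision function, as an added example that is not Twilio's own code; it takes the sms_pumping_risk object from a Lookup response. The action names, the honorNumberBlocked and failOpen options, and treating a score of exactly 90 as "do not send" are assumptions made for this example.

```javascript
// Added example, not Twilio code. Maps the sms_pumping_risk object of a
// Lookup response to an action using the score guidelines above.
// Assumptions: the action names, the honorNumberBlocked and failOpen
// options, and treating a score of exactly 90 as "do not send".
const ACTIONS = Object.freeze({
  SEND: 'send',
  FRICTION: 'add_friction',
  SUSPICIOUS: 'treat_as_suspicious',
  BLOCK: 'do_not_send',
});

function decideSmsAction(risk, opts = {}) {
  const { honorNumberBlocked = false, failOpen = false } = opts;
  // Without a usable score, add friction by default instead of sending blindly.
  const fallback = failOpen ? ACTIONS.SEND : ACTIONS.FRICTION;

  if (!risk || risk.error_code != null) {
    return { action: fallback, reason: 'no_risk_data' };
  }
  const score = risk.sms_pumping_risk_score;
  if (!Number.isFinite(score) || score < 0 || score > 100) {
    return { action: fallback, reason: 'invalid_score' };
  }
  // Optional: also honor blocks Verify Fraud Guard is applying
  // (can raise false positives in high-risk countries).
  if (honorNumberBlocked && risk.number_blocked === true) {
    return { action: ACTIONS.BLOCK, reason: 'number_blocked' };
  }
  if (score >= 90) return { action: ACTIONS.BLOCK, reason: 'score_high' };
  if (score > 75) return { action: ACTIONS.SUSPICIOUS, reason: 'score_moderate' };
  if (score >= 60) return { action: ACTIONS.FRICTION, reason: 'score_mild' };
  return { action: ACTIONS.SEND, reason: 'score_low' };
}

// The sms_pumping_risk object from the sample Output on this page.
const sample = {
  carrier_risk_category: 'moderate',
  number_blocked: false,
  number_blocked_date: null,
  number_blocked_last_3_months: null,
  sms_pumping_risk_score: 61,
  error_code: null,
};
console.log(decideSmsAction(sample)); // { action: 'add_friction', reason: 'score_mild' }
```

Call decideSmsAction before every user-generated OTP request and log the returned reason alongside the action so threshold changes can be reviewed later.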


How is the SMS Pumping Risk Score calculated?


We use several risk signals about the phone number that is being requested through the API and feed those signals into our proprietary algorithm. The algorithm also leverages your API call into the product as a signal that a message is being requested, so it's important for the algorithm to see all your traffic for a given user-generated OTP request flow for a given country.

We leverage the API call into Lookup as a signal because the product was initially developed so that even customers who do not use Twilio as their CPaaS provider for all their traffic would only need to use one fraud detection product to protect them against SMS Pumping fraud.

It's also important to note that the Pumping Risk Score you're seeing is specific to your Account SID. This means that 1) no other customer's traffic influences your Pumping Risk Scores, and 2) if you plan on calling the API from multiple Account SIDs, the Pumping Risk Scores on one Account SID will be independent of the other(s).

How should I design our POC or test the product?


The ideal design would be to query the Lookup API in a shadow mode on your production traffic.

Second best to that would be to run all of your traffic for a given country for a specific period of time through the API, in the time it was requested. What does this mean exactly?

This means that the time, or when, a message was requested is important. So if you take 30 days of traffic for a given country and feed that through the API in 3 minutes, the algorithm will assume all that traffic is being requested in 3 minutes. If you do this there is a (significant) risk that the scores will be artificially inflated and not reflect what they would be if you had been using the product on your production traffic.

If you're having an issue running a POC or testing the product effectively, please feel free to reach out to us - we can run backtests on your behalf.

Do I really need to send all my traffic for a country to the API?


Yes. In order for the solution to be effective you should make an API call for SMS Pumping Risk Score prior to every user-generated OTP request for a given country.

Can I cache the scores?


This is not recommended for this product, as the scores are highly dynamic and can change drastically in seconds, depending on the traffic the API is seeing on your account. Caching scores can negatively impact the efficacy of this product in two ways:

  1. If there was a false positive, you've now cached that false positive. These scores are very dynamic, so it's possible for the score to be high risk one day (e.g., if you were experiencing a fraud event) but low risk tomorrow (if that fraudster then stopped).
  2. When you cache scores it means you won't hit the API when you receive another request for that same number. Fraudsters typically recycle phone numbers, but if the fraudster started very slowly ramping up traffic, and the algorithm hadn't caught onto their traffic pattern yet, you've now potentially given a free pass for thousands of phone numbers to continue to receive messages. This means the algorithm will not see that traffic, therefore it won't know you're receiving additional requests, thereby reducing the precision of the algorithm.

Are there any countries you recommend or not recommend?


Yes!

Recommended: Given that SMS Pumping has become such a large problem, we'd recommend using the Pumping Risk Score in every country outside the US and Canada, including the small Caribbean islands that use a +1 country code.

Not Recommended: There currently isn't much of a need to check SMS Pumping Risk for US and Canada numbers because the incentives for this type of fraud aren't present in these markets. The algorithm was also not designed for US or Canadian traffic, so aside from the problem not being present in those countries, the algorithm won't work as effectively.

