SMS Pumping Protection for Programmable Messaging is in Public Beta and available to all Programmable Messaging customers with an additional fee above and beyond monthly limits.
Currently only the SMS channel is supported.
This feature helps prevent SMS-related fraud on the Twilio Programmable Messaging product by monitoring your current and historical SMS traffic. When there are unusual fluctuations in SMS traffic patterns in a specific location or system-known malicious activity, this feature will automatically block attempts by phone numbers associated with the suspected fraud.
This feature detects SMS pumping fraud. SMS pumping happens when fraudsters take advantage of a phone number input field to receive something via SMS. If the form does not have enough controls, attackers can inflate traffic and exploit your app. This feature does not detect VoIP, burner phones, or anything voice fraud related.
It blocks SMS transmissions to any destination deemed fraudulent, saving you potential charges to your account.
You can find the SMS Pumping Protection settings under Messaging > Settings > General in the Twilio Console. Use the toggle control to choose between
Disabled as shown below.
No, but if you desire more customizable protection, consider Verify Fraud Guard.
Verify Fraud Guard Protection Modes let you adjust your protection level on Fraud Guard. There are currently 3 protection modes: Basic, Standard, and Max. These modes are designed to protect your business and customers from fraud and help you tailor the level of protection to your specific needs.
- Basic: offers a foundational level of fraud protection with cautious blocking. It provides a good balance between blocking fraudulent activities and minimizing false positives. We recommend using this if you largely have a domestic presence in North America, which comprises low-risk countries.
- Standard: the default protection mode for any new service onboarded on Fraud Guard, with moderate blocking. It provides an increased degree of fraud blocking. While the degree of fraud blocking increases, it is important to note that false positives may also slightly increase (<1%). We recommend using this mode if you have high-value signups coming in from users all over the globe and would like to balance protection against maximizing user conversion with minimum friction.
- Max: represents the highest level of protection with aggressive blocking. It is essential to consider that, with the highest level of protection, false positives may occur occasionally (<2%). However, our team is dedicated to continually optimizing the system to maintain a high level of accuracy. We recommend using this if you have a global presence, to better protect yourself in countries with high fraud risk.
We understand the importance of balancing security and the customer experience, and our team is committed to refining our algorithms to provide the best possible protection without compromising your customer experience.
Twilio uses a baseline of expected verification data to find outliers in behavior-based traffic patterns. We combine behavioral data with known explicit fraud schemes to filter out bad behavior.
Our model is always changing and uses multiple parameters to determine fraud. Examples of things we may temporarily block could include:
- Verifications to a specific region, country or locale we know is engaging in SMS pumping
- Verifications in a country your Account has never sent SMS to previously
- Verifications with parameters and characteristics that would suggest non-human behavior
Like any fraud prevention feature, there's a small chance our models may flag legitimate users as suspicious. We're constantly monitoring our results and adapting the fraud detection model to keep false positives extremely low.
You can mark known phone numbers using the Safe List feature so they are never blocked. This provides an additional safety net against false positives, so the numbers are never erroneously blocked by SMS Pumping Protection or Geo permissions. Add known phone numbers to the Safe List by using the Global Safe List API.
Alternatively, you can use the optional RiskCheck parameter when creating a Message with the Programmable Messaging API. To prevent a known/legitimate message from getting blocked by SMS Pumping Protection, include the RiskCheck parameter with value disable when creating the new Message resource.
You can also take these actions if you suspect false positives:
Once the feature is enabled on your account, no further actions are needed on your part. This feature is automated and will keep you updated with email notifications that include the status of any potential fraud instances and a link to view more in your Twilio logs.
Error Log 30450 will show in the Twilio error logs when an SMS delivery is blocked by SMS Pumping Protection.
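The following is an added example, not code from Twilio or from this page. It builds the Message creation request with RiskCheck set to disable only for destinations your application already trusts, and lists trusted destinations that still appear with error 30450 in exported log records. The trusted set, the record fields (to, error_code), the account SID placeholder and all phone numbers are constructed assumptions.

```python
import re
from urllib.parse import urlencode

API_BASE = "https://api.twilio.com/2010-04-01"
PUMPING_BLOCK_ERROR = 30450  # error code this page gives for a blocked SMS

def normalize_e164(number):
    """Strip common separators and require +<8-15 digits> so lookups are exact."""
    cleaned = re.sub(r"[\s().-]", "", number)
    if not re.fullmatch(r"\+[1-9]\d{7,14}", cleaned):
        raise ValueError(f"not an E.164 number: {number!r}")
    return cleaned

def build_message_request(account_sid, to, from_, body, trusted):
    """Return (url, form_body) for creating a Message; nothing is sent.

    RiskCheck=disable is added only when the destination is in `trusted`,
    so numbers typed into a public form still pass through the protection.
    """
    to = normalize_e164(to)
    params = {"To": to, "From": from_, "Body": body}
    if to in trusted:
        params["RiskCheck"] = "disable"
    url = f"{API_BASE}/Accounts/{account_sid}/Messages.json"
    return url, urlencode(params)

def false_positive_candidates(records, trusted):
    """Trusted destinations that still show error 30450 in log records."""
    hits = set()
    for rec in records:
        if int(rec.get("error_code") or 0) != PUMPING_BLOCK_ERROR:
            continue
        try:
            number = normalize_e164(rec["to"])
        except (KeyError, ValueError):
            continue  # malformed record: nothing to compare
        if number in trusted:
            hits.add(number)
    return sorted(hits)

# Constructed sample data (hypothetical record shape, fictional numbers).
TRUSTED = {"+14155550100"}
SAMPLE_LOG = [
    {"to": "+14155550100", "error_code": "30450"},  # trusted but blocked
    {"to": "+99955501234", "error_code": 30450},    # blocked, not trusted
    {"to": "+14155550101", "error_code": 30003},    # unrelated error
    {"to": "+14155550102", "error_code": None},     # delivered
]

if __name__ == "__main__":
    print(build_message_request("ACXXXXXXXX", "+1 (415) 555-0100",
                                "+14155550199", "Your code is 123456", TRUSTED))
    print(false_positive_candidates(SAMPLE_LOG, TRUSTED))
```

Numbers returned by false_positive_candidates are the ones to send with RiskCheck or add to the Safe List.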