SMS Pumping Protection for Programmable Messaging
SMS Pumping Protection for Programmable Messaging is in Public Beta and available to all Programmable Messaging customers with an additional fee above and beyond monthly limits.
Currently only the SMS channel is supported.
What is SMS Pumping Protection?
This feature helps prevent SMS-related fraud on the Twilio Programmable Messaging product by monitoring your current and historical SMS traffic. When there are unusual fluctuations in SMS traffic patterns in a specific location, or activity the system knows to be malicious, this feature will automatically block attempts by phone numbers associated with the suspected fraud.
What type of fraud does it detect?
This feature detects SMS pumping fraud. SMS pumping happens when fraudsters take advantage of a phone number input field to receive something via SMS. If the form does not have enough controls, attackers can inflate traffic and exploit your app. This feature does not detect VoIP, burner phones, or anything related to voice fraud.
How does it protect my account?
It blocks SMS transmissions to any destination deemed fraudulent, saving you potential charges to your account.
How do I enable/disable SMS Pumping Protection?
You can find the SMS Pumping Protection settings under Messaging > Settings > General in the Twilio Console. Use the toggle control to choose between Enabled and Disabled.
Can I adjust the protection level for SMS Pumping Protection?
No, but if you desire more customizable protection, consider Verify Fraud Guard.
Verify Fraud Guard Protection Modes lets you adjust your protection level on Fraud Guard. There are currently three protection modes: Basic, Standard, and Max. These modes are designed to protect your business and customers from fraud and help you tailor the level of protection based on your specific needs.
- Basic: offers a foundational level of fraud protection with cautious blocking. It provides a good balance between blocking fraudulent activities and minimizing false positives. We recommend using this if you largely have a domestic presence in North America, which comprises low-risk countries.
- Standard: is the default protection mode for any new service onboarded on Fraud Guard, with moderate blocking. It provides an increased degree of fraud blocking. While the degree of fraud blocking increases, it is important to note that false positives may also slightly increase (<1%). We recommend using this mode if you have high-value signups coming in from users all over the globe and would like to strike a balance while maximizing user conversion with minimum friction.
- Max: represents the highest level of protection with aggressive blocking. It is essential to consider that, with the highest level of protection, false positives may occur occasionally (<2%). However, our team is dedicated to continually optimizing the system to maintain a high level of accuracy. We recommend using this if you have a global presence, to better protect yourself in countries with high fraud risk.
We understand the importance of balancing security and the customer experience, and our team is committed to refining our algorithms to provide the best possible protection without compromising your customer experience.
What parameters does Twilio use to detect fraud?
Twilio uses a baseline of expected verification data to find outliers in behavior-based traffic patterns. We combine behavioral data with known explicit fraud schemes to filter out bad behavior.
Our model is always changing and uses multiple parameters to determine fraud. Examples of things we may temporarily block could include:
- Verifications to a specific region, country or locale we know is engaging in SMS pumping
- Verifications in a country your Account has never sent SMS to previously
- Verifications with parameters and characteristics that would suggest non-human behavior
How can I prevent false positives and mark known phone numbers as safe?
Like any fraud prevention feature, there's a small chance our models may flag legitimate users as suspicious. We're constantly monitoring our results and adapting the fraud detection model to keep false positives extremely low.
You can mark known phone numbers using the Safe List feature so they are never blocked. This provides an additional safety net against false positives, so the numbers are never erroneously blocked by SMS Pumping Protection or Geo permissions. Add known phone numbers to the Safe List by using the Global Safe List API.
Alternatively, you can use the optional RiskCheck parameter when creating a Message with the Programmable Messaging API. To prevent a known/legitimate message from getting blocked by SMS Pumping Protection, include the RiskCheck parameter with value disable when creating the new Message resource.
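The following added example (not Twilio's own code) builds the Message-creation request and sets RiskCheck to disable only when the destination exactly matches a number in a server-side list of already-verified customers, so the bypass can never be switched on by user-supplied form input. The function names, the `known_customers` set, the credentials and the phone numbers are assumptions constructed for illustration; the request is built but not sent.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

# Destination numbers must be E.164 so that list lookups are exact matches.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")
MESSAGES_URL = "https://api.twilio.com/2010-04-01/Accounts/{sid}/Messages.json"


def build_message_request(account_sid, auth_token, to, from_, body, known_customers):
    """Return an unsent POST request that creates a Message resource.

    known_customers is a hypothetical set of E.164 numbers your own systems
    have already verified. Only those destinations skip the risk check.
    """
    if not E164.fullmatch(to):
        raise ValueError("destination is not in E.164 format")

    params = {"To": to, "From": from_, "Body": body}
    if to in known_customers:
        # Parameter name and value as given on this page.
        params["RiskCheck"] = "disable"

    # HTTP Basic auth with the caller-supplied account SID and auth token.
    token = base64.b64encode(f"{account_sid}:{auth_token}".encode()).decode()
    return Request(
        MESSAGES_URL.format(sid=account_sid),
        data=urlencode(params).encode(),
        headers={"Authorization": f"Basic {token}"},
        method="POST",
    )


def form_fields(request):
    """Decode the form body of a built request for inspection or logging."""
    return {k: v[0] for k, v in parse_qs(request.data.decode()).items()}
```

Keep the verified-customer list small and auditable: every number on it is a destination that SMS Pumping Protection will no longer screen.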
You can also take these actions if you suspect false positives:
- Fall back to a different verification method like WhatsApp or Email
- Create a separate subaccount for your legitimate users which has SMS Pumping Protection disabled
- Reach out to your Solutions Architect or contact Twilio Support through the Console or Help Center.
What action(s) do I need to take?
Once the feature is enabled on your account, no further actions are needed on your part. This feature is automated and will keep you updated with email notifications that include the status of any potential fraud instances and a link to view more in your Twilio logs.
How much does this feature cost?
Please contact Sales for pricing information. If you want to lower your costs but remain protected, please migrate to Verify where Fraud Guard is included at no charge.
What is the error message in the logs?
Error Log 30450 will show in the Twilio error logs when an SMS delivery is blocked by SMS Pumping Protection.
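To review what the feature is blocking, the added example below (not Twilio's code) scans message records for error code 30450 and separates blocked destinations you recognise as customers, which are false-positive candidates for the Safe List, from unrecognised ones. The records are constructed sample data using the Message resource fields `sid`, `to` and `error_code`; the function names and the `known_customers` set are assumptions.

```python
import json
from collections import Counter

PUMPING_BLOCK = 30450  # error code this page gives for a blocked SMS

# Constructed sample records; SIDs and phone numbers are made up.
SAMPLE_MESSAGES = json.loads("""
[
  {"sid": "SM-example-1", "to": "+12025550123", "error_code": 30450},
  {"sid": "SM-example-2", "to": "+12025550123", "error_code": 30450},
  {"sid": "SM-example-3", "to": "+447700900001", "error_code": null},
  {"sid": "SM-example-4", "to": "+447700900002", "error_code": 30450},
  {"sid": "SM-example-5", "to": "+447700900003", "error_code": "30450"},
  {"sid": "SM-example-6", "to": "+12025550199", "error_code": 30003}
]
""")


def is_pumping_block(message):
    """True when the record carries error 30450 (as an int or a string)."""
    code = message.get("error_code")
    try:
        return code is not None and int(code) == PUMPING_BLOCK
    except (TypeError, ValueError):
        return False


def triage_blocks(messages, known_customers):
    """Summarise 30450 blocks and split them by whether you know the number."""
    blocked = Counter(m["to"] for m in messages if is_pumping_block(m))
    candidates = {to: n for to, n in blocked.items() if to in known_customers}
    return {
        "blocked_total": sum(blocked.values()),
        # Known customers that were blocked: review, then add to the Safe List.
        "false_positive_candidates": candidates,
        # Everything else: blocks that are probably working as intended.
        "unrecognised_destinations": sorted(set(blocked) - set(candidates)),
    }
```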