Analyze - Investigate
Even if you completed a thorough review during the Validate phase, it's important to perform a deeper investigation and build a detailed timeline of the fraud event. This timeline will help you determine root cause and support completion of your final Root Cause Analysis (RCA) report.
Investigating fraud on the Twilio platform typically involves reviewing logs that capture administrative actions and unauthorized voice and messaging activity. As part of this process, look for abnormal or unexpected usage patterns and correlate activity across log sources to reconstruct the sequence of events. Common log sources used to investigate ATO, AIT, and smishing/vishing include Monitor Events, Programmable Messaging and Voice Logs, Error Logs, and Twilio Verify logs (if applicable).
The sections below describe how each log source can support your investigation and highlight specific fields that are most useful when building an event timeline.
Monitor Events provide a chronological log of administrative and resource changes across your entire Twilio account. Specifically, it tracks actions performed against the API using your Twilio Account SID, as well as actions made in the Twilio Console. This includes resource creation, modification, deletion, and user authentication events. Monitor Events is the most critical source for ATO investigation.
Fraud Relevance
ATO: Detects unauthorized API key creation, password changes, phone number configuration changes (like webhook URL updates for data exfiltration), and suspicious login locations.
| Field Name | Description | Investigation Relevance |
|---|---|---|
eventDate | The date and time in GMT when the event was recorded, specified in ISO 8601 format. | Establishes the timeline of the ATO. |
actorSid | The SID of the actor that caused the event, if available. Can be a User SID (US...) or an Account SID (AC...). Null if not available. | Identifies the SID of the Twilio account or user that made the call. See Important Notes on actorSid for more information. |
eventType | The event's type, typically in the form RESOURCE_TYPE.ACTION (e.g., phone-number.created). See Monitor Event Types for a full list. | The specific action performed by the threat actor (e.g., account-api-keys.created is a common post-ATO step). |
resourceSid | The SID of the resource that was affected. | Links the log to the resource that was modified and potentially used for fraud. |
source | The originating system or interface that caused the event. Can be: web for events caused by user action in the Twilio Console, api for events caused by a request to the API, or twilio for events caused by an automated or internal Twilio system. | Can indicate whether an ATO is due to username/password or Auth Token/API key disclosure. |
sourceIpAddress | The IP address of the source, if the source is outside the Twilio cloud. Null for events with a source of twilio. | Crucial for identifying logins or API calls from suspicious/unexpected geographic locations or VPNs. |
eventData | An object with additional data about the event. The contents depend on the event type. For RESOURCE.updated events, this value contains a resource_properties dictionary that describes the previous and updated properties of the resource. | Reveals the actual malicious change, such as a new malicious webhook URL added to a phone number. |
The following is an example Monitor Events log entry depicting a successful API Key creation, typically seen after an ATO:
1{2"accountSid": "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",3"actorSid": "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",4"actorType": "account",5"description": null,6"eventData": {7"resource_properties": {8"status": {9"updated": "Active",10"previous": null11},12"friendly_name": {13"updated": "new_evil_key_01",14"previous": null15},16"secret": {17"updated": "[REDACTED]",18"previous": null19},20"flags": {21"updated": "REST API, Signing",22"previous": null23}24}25},26"eventDate": "2025-10-13T19:25:35.000Z",27"eventType": "account-api-keys.created",28"resourceSid": "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",29"resourceType": "account-api-keys",30"sid": "AEzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz",31"source": "api",32"sourceIpAddress": "203.0.113.42",33"url": "https://monitor.twilio.com/v1/Events/AEzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz",34"links": {35"actor": "https://api.twilio.com/2010-04-01/Accounts/ACyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",36"resource": null37}38}
To access Monitor Events via the CLI, you must have the Twilio CLI installed and authenticated. To fetch a list of commands for interacting with these logs using the CLI, you can use the following:
twilio api:monitor:v1:events:list --help
--start-date yyyy-MM-dd'T'HH:mm:ss'Z'- Only include events on or after this date (UTC).--end-date yyyy-MM-dd'T'HH:mm:ss'Z'- Only include events on or before this date (UTC).--event-type <event_type>- Filter by a specific event type (e.g., account.updated).--actor-sid <USxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>- Filter by the actor SID (user or API credentials).--resource-sid <SID>- Filter by the resource SID (e.g., a phone number, account, etc.).--source-ip-address <IP>- Filter by the originating IP address.--page-size <number>- Number of results per page (default: 50, max: 1000).
Only one filter property (besides date) can be used at a time.
Example: The 20 most recent events in JSON
twilio api:monitor:v1:events:list -o=json --limit 20
Example: Events within the specific time range of the ATO
twilio api:monitor:v1:events:list --start-date 2025-10-05T19:00:35.000+0000 --end-date 2025-10-13T19:25:35.000+0000
Example: Events for API key creation
twilio api:monitor:v1:events:list --event-type account-api-keys.created
Note: Full logs of Monitor Events can't be accessed directly from the console, as some key fields such as
actorSidmay not be visible.
- Log in to the Twilio Console.
- Navigate to Monitor > Insights > Audit > Audit Events Log.
- If you have advanced insights with custom filters, filter the logs by Date/Time Range and look for sensitive EventType values:
user-session.created(Look for foreign/unexpected SourceIpAddress).account-api-keys.createdoraccount-api-keys.updated.phone_number.updated(Check the Properties for unauthorized TwiML or webhook URL changes).
The logs for programmable messaging record the details of all sent and received SMS/MMS messages processed by your Twilio Messaging Service or phone numbers, which can help with tracking down direct evidence for SMS pumping and smishing.
Fraud Relevance
SMS Pumping: Shows a massive, rapid increase in outbound-api messages to high-cost international destinations.
Smishing: Identifies outbound messages containing malicious URLs or social engineering text.
| Field Name | Description | Fraud Investigation Value |
|---|---|---|
dateSent | The RFC 2822 timestamp (in GMT) of when the message was sent. For an outgoing message, this is when Twilio sent the message. For an incoming message, this is when Twilio sent the HTTP request to your incoming message webhook URL. | Pinpoints the start of a mass-sending event. |
to | The recipient's phone number (in E.164 format) or channel address. | Identifies the targets of the fraudulent campaign, often to premium-rate numbers internationally. |
from | The sender's phone number (in E.164 format), alphanumeric sender ID, Wireless SIM, short code, or channel address. For incoming messages, this is the number or channel address of the sender. For outgoing messages, this is a Twilio phone number, alphanumeric sender ID, short code, or channel address from which the message is sent. | The compromised resource used for sending. |
body | The text content of the message. | Contains the smishing link or scam text. |
direction | The direction of the message. Can be: inbound for incoming messages, outbound-api for messages created by the REST API, outbound-call for messages created during a call, or outbound-reply for messages created in response to an incoming message. | Toll Fraud/ATO: Look for sudden spikes in outbound-api traffic. The threat actor could be hitting a web form or API endpoint on your server (e.g., "Click-to-Call" or "Send 2FA"). |
status | The status of the message. Possible values: accepted, scheduled, canceled, queued, sending, sent, failed, delivered, undelivered, receiving, received, or read (WhatsApp only). | High failure rates (with specific error codes) can indicate bulk-sending that is being blocked by carriers. |
A single conceptual log entry showing an outbound smishing message:
1{2"body": "Twilio ALERT: Your account has been compromised. Log in now at twillio-support.com/reset to avoid suspension.",3"numSegments": "1",4"direction": "outbound-api",5"from": "+19876543210",6"to": "+15551234567",7"dateUpdated": "2025-05-19T22:56:35.000Z",8"price": "-0.00830",9"errorMessage": null,10"uri": "/2010-04-01/Accounts/ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Messages/SM9e64f73150f598b433bb87c015cdd6b2.json",11"accountSid": "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",12"numMedia": "0",13"status": "delivered",14"messagingServiceSid": null,15"sid": "SMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",16"dateSent": "2025-05-19T22:56:34.000Z",17"dateCreated": "2025-05-19T22:56:34.000Z",18"errorCode": null,19"priceUnit": "USD",20"apiVersion": "2010-04-01",21"subresourceUris": {22"feedback": "/2010-04-01/Accounts/ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Messages/SMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Feedback.json",23"media": "/2010-04-01/Accounts/ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Messages/SMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Media.json"24}25}
To access Programmable Messaging logs via the CLI, you must have the Twilio CLI installed and authenticated. To fetch a list of commands for interacting with these logs using the CLI, you can use the following:
twilio api:core:messages:list --help
--date-sent-after YYYY-MM-DD --date-sent-before YYYY-MM-DD- Filter by a date range.--from +number / --to +number- Filter by specific senders and/or recipient phone numbers.--limit N- Set the maximum number of records that are returned.--properties sid,status,to,from,errorCode,dateSent- Select the specific fields you would like returned.
Example: Export the last 500 messages into a portable format for offline analysis
twilio api:core:messages:list --limit 500 -o=json > messages.json
Example: Messages between a specific date range, starting with the beginning of the incident
twilio api:core:messages:list --date-sent-after 2025-10-01 --date-sent-before 2025-10-15
Example: Messages sent after a specific date to any number beginning with a specific high-risk country prefix
twilio api:core:messages:list --to "+7958*" --date-sent-after $(date +%Y-%m-%d)
Note: Though relevant fields for programmable messaging logs can be accessed directly from the Console, some key fields such as
bodymay not be filterable.
- Log in to the Twilio Console.
- Navigate to Monitor > Logs > Messaging.
- Filter by a suspicious Date/Time Range or use the search bar to filter on specific message SIDs.
- Export the logs via CSV for useful high-volume analysis such as calculating number counts by country/prefix or filtering on specific smishing-related keywords in message bodies.
- Navigate to Monitor > Insights > Messages for graphic visualizations of trends over time such as outgoing messages volume, top destination countries, and top 20 involved subaccounts.
The logs for programmable voice calls track all voice calls and are the primary source for investigating general toll fraud and traffic pumping over voice channels. They are a detailed record of all inbound and outbound calls made through your Twilio numbers, including duration, direction, and whether a call was answered, completed, busy, etc.
Fraud Relevance
Voice Toll Fraud: Detects unusual call volume, long call durations to high-cost destinations, or high-frequency calls to premium-rate numbers globally (Traffic Pumping).
Vishing: Identifies outbound calls used in voice-based social engineering attacks.
| Field Name | Description | Fraud Investigation Value |
|---|---|---|
sid | The unique string that Twilio created to identify this Call resource. | Used to inspect the full details of the call, including call legs and TwiML used. |
dateCreated | The date and time in UTC that this resource was created, specified in RFC 2822 format. | Helps establish the pattern of fraudulent calling. |
to | The phone number, SIP address, Client identifier, or SIM SID that received this call. Phone numbers are in E.164 format (e.g., +16175551212). | CRITICAL: Identifying high-cost or unexpected international prefixes is key to finding toll fraud. |
duration | The length of the call in seconds. This value is empty for busy, failed, unanswered, or ongoing calls. | Toll fraud calls often have long durations (e.g., >30 seconds) to maximize revenue share. |
direction | A string describing the direction of the call. Can be: inbound for inbound calls, outbound-api for calls initiated via the REST API, or outbound-dial for calls initiated by a <Dial> verb. | Toll Fraud/ATO: Look for unexpected surges in outbound-api calls. |
status | The status of this call. Can be: queued, ringing, in-progress, canceled, completed, failed, busy, or no-answer. | Helps analyze the success rate of the attempted fraud. |
A single call to a high-cost destination with a longer duration:
1{2"sid": "CAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",3"dateCreated": "2025-10-07T19:00:00Z",4"dateUpdated": "2025-10-07T23:18:05.000Z",5"parentCallSid": null,6"accountSid": "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",7"to": "+88213xxxxxxxxxxx",8"toFormatted": "(213) xxx-xxxx",9"from": "+19876543210",10"fromFormatted": "(555) 555-5555",11"phoneNumberSid": "PNxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",12"status": "completed",13"startTime": "2025-02-05T23:17:54.000Z",14"endTime": "2025-02-05T23:19:54.000Z",15"duration": "180",16"price": "-0.55000",17"priceUnit": "USD",18"direction": "outbound-api",19"answeredBy": null,20"apiVersion": "2010-04-01",21"forwardedFrom": "+1213xxxxxxx",22"groupSid": null,23"callerName": null,24"queueTime": "0",25"trunkSid": "",26"uri": "/2010-04-01/Accounts/ACa240dbc3740b513706fb92166de463ad/Calls/CA472ba55b04f872d9c088cd4a7bda6826.json",27"subresourceUris": {}28}
To access Programmable Voice logs via the CLI, you must have the Twilio CLI installed and authenticated. To fetch a list of commands for interacting with these logs using the CLI, you can use the following:
twilio api:core:calls:list --help
--date-sent-after YYYY-MM-DD --date-sent-before YYYY-MM-DD- Filter by a date range.--from +number / --to +number- Filter by specific senders and/or recipient phone numbers.--limit N- Set the maximum number of records that are returned.--properties sid,status,to,from,errorCode,dateSent- Select the specific fields you would like returned.
Example: High volume of outbound calls from one of your owned numbers
twilio api:core:calls:list --from "+15551234567" --start-time "2025-11-04" --limit 200
Example: Longer calls and return specific properties
1twilio api:core:calls:list --duration > "3600" \2--properties "sid,to,from,startTime,duration,price"
Example: Calls that cost a minimum price of $1.00
twilio api:core:calls:list --price > "1.00"
- Log in to the Twilio Console.
- Navigate to Monitor > Logs > Calls.
- Filter by Date & Time Range. For toll fraud, include a specific From number to quickly spot unusual activity from a specific number that you own.
- Examine the To numbers for international prefixes that you do not normally interact with.
- Navigate to Insights > Voice > Calls for graphic visualizations of trends over time such as total calls, average call length, and connection rate.
Error logs track error codes and warnings that can signal a malicious action being blocked by Twilio's internal security checks. They record API request errors, TwiML errors, and warnings, including those generated by security features such as Geo Permissions. Errors imply that the request could not be processed, whereas warnings mean we encountered an issue with the request but it could still be processed.
Fraud Relevance
Toll Fraud: A high volume of alerts with specific error codes could indicate a threat actor is attempting to send traffic to high-risk destinations that you have blocked via Geo Permissions.
Smishing/vishing: Messages could be blocked due to carrier or acceptable use violations.
| Field Name | Description | Fraud Investigation Value |
|---|---|---|
dateCreated | The date and time in GMT when the resource was created, specified in ISO 8601 format. | Correlates with the exact moment a malicious action was attempted. |
errorCode | The error code for the condition that generated the alert. See the Error Dictionary for possible causes and solutions. | CRITICAL: Codes like 21215 (SMS Geo Permission blocked) or 13227 (Voice Geo Permission blocked) are direct proof of blocked toll fraud attempts. |
logLevel | The log level. Can be: error, warning, notice, or debug. | Alerts with security-related error codes should be prioritized. |
requestUrl | The URL of the request that generated the alert. If the alert was generated by a request Twilio made to your server, this is the URL on your server that generated the alert. If the alert was generated by a request from your application to the Twilio API, this is the URL of the resource requested. | Helps identify the specific compromised service being used for the attack. |
resourceSid | The SID of the resource for which the alert was generated. This value is empty if the alert was not generated for a particular resource. | Allows you to pivot to the Programmable Logs for full message/call details. |
Fraud attempts often trigger specific error codes (e.g., blocked by Fraud Guard). After exporting, review the errorCode field for patterns. Error codes that may indicate fraudulent activity or message blocking and relevant for fraud investigations can include:
| Error Code | Error Message / Description | Fraud/Abuse Relevance |
|---|---|---|
| 13227, 21215, 32205 | Geo Permission configuration is not permitting call / SIP Trunking: Geo Permission configuration is not permitting call (32205) | A user dialed a destination to which your application is not enabled to support. |
| 30004 | Message blocked | The destination number is blocked from receiving this message (e.g., call blocking, DND, or carrier policy). Can indicate spam, unwanted, or abusive content. |
| 30007 | Message filtered | Message flagged as objectionable by the carrier. Often due to spam, phishing, or content violating carrier and/or Twilio policies. |
| 30002 | Account suspended | Your account was suspended between message send and delivery. May be due to detected fraud/abuse and/or billing overages. |
| 30444 | Toll Free verification rejection - Disallowed: Fraud | Toll-free number verification was rejected due to suspected fraud. Messaging traffic is blocked until verified. |
| 30442 | Toll-Free phone number verification rejection - Disallowed: Spam | Message blocked because it was identified as spam. |
| 30450 | Message delivery blocked | SMS Pumping Protection identified potentially fraudulent messages being sent and has blocked them. |
| 32201 | SIP: Source IP address not in ACL | INVITE requests are being sent from an IP address not on that ACL for your SIP trunk. |
| 32202 | SIP: Bad user credentials | There is a Credentials List on your trunk and a call is rejected due to a wrong username and/or password as a part of the INVITE Authentication Digest. |
| 32203 | SIP: Call blocked by Twilio | Outbound call blocked by Twilio. Potential causes can include fraud or regulatory reasons. |
| 14107, 20429, 63018 | SMS send rate limit exceeded / Too many requests / Rate limit exceeded for Channel | Multiple identical messages to the recipient detected. Can indicate SMS pumping or bot activity. |
| 30006 | Landline or unreachable carrier | Sending to this network/country is blocked, often due to fraud risk. |
| 30003 | Unreachable destination handset | Sometimes used by carriers to filter numbers after spam complaints. |
| 30005 | Unknown destination handset | May indicate the number is deactivated after abuse. |
| 30008 | Unknown error | If seen in high volume, it may indicate systemic blocking or filtering. |
| 60410 | Verification delivery attempt blocked | Fraud Guard has identified potential fraudulent messages being sent. |
An alert indicating a blocked outbound SMS attempt to a country blocked by Geo Permissions:
1{2"accountSid": "NOxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",3"alert_text": "Geo Permission configuration is not permitting SMS to +880xxxxxxxxxxx.",4"apiVersion": null,5"dateCreated": "2025-10-07T17:30:00Z",6"errorCode": "21215",7"logLevel": "warning",8"moreInfo": "https://www.twilio.com/docs/errors/21215",9"requestMethod": null,10"requestUrl": "https://api.twilio.com/2010-04-01/Accounts/AC.../Messages.json",11"resourceSid": "SMyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",12"sid": "NOxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",13"url": "https://monitor.twilio.com/v1/Alerts/NO5f318364d31f4981c38b85386c4768fb",14"serviceSid": null15}
To access Error logs via the CLI, you must have the Twilio CLI installed and authenticated. To fetch a list of commands for interacting with these logs using the CLI, you can use the following:
twilio api:monitor:v1:alerts:list --help
--start-date YYYY-MM-DD --end-date YYYY-MM-DD- Filter by a date range.--log-level error- Return only errors and filter out warnings.
Example: Alerts with error code 21215, indicating blocking geo permissions
twilio api:monitor:v1:alerts:list --log-level error --properties="sid, errorCode, alertText, dateCreated" | grep "21215"
Example: The latest 100 alerts that contain the text "Usage trigger" and in JSON format (useful if you have already set up usage triggers for things like account spend)
twilio api:monitor:v1:alerts:list -o=json --limit 100 | grep "Usage trigger"
Example: Print out a list of just error codes and dates so it is easier to see spikes in error codes over time
twilio api:monitor:v1:alerts:list --start-date "2025-12-13" --properties="errorCode,dateCreated"
- Log in to the Twilio Console.
- Navigate to Monitor > Logs > Errors > Error logs.
- Filter by Error Code and search for known fraud-related codes such as those found under Error Codes.
- A high count of these errors over a short period may indicate fraudulent activity.
If your application uses Twilio Verify for user authentication via OTP, these logs can be used to track attempts to bypass your 2FA/login flow, often through SMS Pumping or OTP interception.
Fraud Relevance
SMS Pumping: Records every verification attempt/OTP, including the channel used, status, and any intervention by Twilio's security tools. A surge in pending or max_attempts_reached status logs, often accompanied by blocks listed in the Blocked Verifications tab by Verify Fraud Guard. This indicates a threat actor is trying to brute-force or pump your verification flow.
| Field Name | Description | Fraud Investigation Value |
|---|---|---|
sid | The SID that uniquely identifies the verification attempt resource. | Links to the transaction that failed or was blocked. |
to | Destination of a verification. It is phone number in E.164 format. | Helps identify if the threat actor is targeting high-cost prefixes or known fraudulent numbers. |
conversionStatus | A string specifying the conversion status of the verification. A conversion happens when the user is able to provide the correct code. Possible values: converted, unconverted. | Many unconverted attempts is a strong sign of a brute-force or pumping attack. |
channel | A string specifying the communication channel used for the verification attempt. Possible values: sms, call, email, whatsapp, rbm. | Shows which communication channel the threat actor is abusing. |
Multiple logs showing a fraud pattern that contains sequential To numbers, a high-risk destination country, and a high frequency of signups:
1[2{3"sid": "VLaa001111111111111111111111111111",4"accountSid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",5"serviceSid": "VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",6"dateCreated": "2025-11-06T19:50:01Z",7"dateUpdated": "2025-11-06T19:50:01Z",8"conversionStatus": "unconverted",9"channel": "sms",10"price": { "currency": "USD", "value": "1.25" },11"channelData": { "to": "+79581118001", "country": "RU" },12"url": "https://verify.twilio.com/v2/Attempts/VLaa001111111111111111111111111111"13},14{15"sid": "VLaa002222222222222222222222222222",16"accountSid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",17"serviceSid": "VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",18"dateCreated": "2025-11-06T19:50:02Z",19"dateUpdated": "2025-11-06T19:50:02Z",20"conversionStatus": "unconverted",21"channel": "sms",22"price": { "currency": "USD", "value": "1.25" },23"channelData": { "to": "+79581118002", "country": "RU" },24"url": "https://verify.twilio.com/v2/Attempts/VLaa002222222222222222222222222222"25},26{27"sid": "VLaa003333333333333333333333333333",28"accountSid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",29"serviceSid": "VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",30"dateCreated": "2025-11-06T19:50:03Z",31"dateUpdated": "2025-11-06T19:50:03Z",32"conversionStatus": "unconverted",33"channel": "sms",34"price": { "currency": "USD", "value": "1.25" },35"channelData": { "to": "+79581118003", "country": "RU" },36"url": "https://verify.twilio.com/v2/Attempts/VLaa003333333333333333333333333333"37}38]
To access Verify logs via the CLI, you must have the Twilio CLI installed and authenticated. To fetch a list of commands for interacting with these logs using the CLI, you can use the following:
twilio api:verify:v2:attempts:list --help
--status- Filter verify attempts by those that have been fully converted or unconverted (token has been verified or not).--country- Return verification attempts sent to specific countries.
Example: Every verification attempt that has not been completed after a specific date
twilio api:verify:v2:attempts:list --status unconverted --date-created-after $(date +%Y-%m-%d)
Example: Export all verification attempts from a specific Verify service and after a specific date into a JSON file
twilio api:verify:v2:attempts:list --verify-service-sid VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --date-created-after $(date +%Y-%m-%d) -o=json > messages.json
Example: Count all verification attempts starting today and group them by country (you will need jq installed)
twilio api:verify:v2:attempts:list --date-created-after $(date +%Y-%m-%d) -o json | jq '.[] | .channelData.country' | sort | uniq -c | sort -nr
- Log in to the Twilio Console.
- Navigate to Monitor > Logs > Verify.
- Under the Verifications tab, you can view and sort verification attempts by useful values such as by Country and by Status.
- Click the Blocked Verifications tab to see what has been blocked by Twilio features such as Fraud Guard or Geo Permissions.
- Alternatively, if you are using Fraud Guard, navigate to Monitor > Insights > Verify > Fraud to view attempts to send SMS that were detected and blocked by Verify's Fraud Guard, Geo-permissions, etc.