One of the challenges of operating globally is the increased exposure to fraud. There are two types of attacks we commonly see in phone verification or two-factor authentication (2FA) flows.
- SMS pumping
- International Revenue Sharing Fraud (IRSF) also known as “Toll Fraud”
Both attacks cause inflated traffic to your app with the intent to make money and not to steal information. While the specific ways attackers monetize these types of fraud is different, the strategies you can implement to reduce fraud are similar.
Customer participation is essential to successfully defend against fraud. Our Verify product includes comprehensive built-in fraud detection and mitigation mechanisms. However, no provider-side solution can guarantee 100% effectiveness against sophisticated attackers.
What is SMS pumping?
SMS pumping happens when fraudsters take advantage of a phone number input field to receive a one-time passcode, an app download link, or anything else via SMS. If this form does not have enough controls, the attackers can inflate traffic and exploit your app. The fraudsters send SMS to a range of numbers controlled by a specific mobile network operator (MNO) and get a share of the generated revenue.
This happens in one of two scenarios:
- The MNO is complicit in the scheme and has a revenue sharing agreement with the fraudsters
- The MNO is unknowingly exploited by the fraudsters
In the second case, smaller MNOs get paid by larger MNOs for subscribers and traffic, so a fraudster can create a fake company and promise large amounts of traffic. The MNO may not care what the source of the traffic is and ends up supporting the fraud. In either case you're more likely to see this type of fraud occur with smaller operators.
How to determine if you're experiencing an SMS pumping attack
You will likely see a spike of messages sent to a block of adjacent numbers (i.e. +1111111110, +1111111111, +1111111112, +1111111113 etc.) controlled by the same MNO. If you're sending SMS for a one-time passcode (OTP) use case, you will likely not see a completed verification cycle.
What is toll fraud?
Similar to SMS pumping, fraudsters commonly target phone verification or 2FA flows with the goal of generating a high volume of voice calls to premium rate numbers. For a comprehensive overview of how toll fraud works and how fraudsters make money from it, check out our "Everything You Need To Know About Toll Fraud" guide.
Recommended actions for preventing verification fraud
Enable Verify SMS Fraud Guard
Twilio recommends enabling the SMS fraud guard on your account. When enabled, this feature will block the transmission of suspicious and likely fraudulent SMS messages preventing unnecessary charges to your account.
Detect bots and refresh your user experience to prevent them
Libraries like botd or CAPTCHAs can help detect and deter bot traffic. Small changes to your user experience like ensuring that your users confirm their email address before enrolling in 2FA introduce a small amount of friction for legitimate users but can deter automated scripts and bots.
Learn more about best practices for phone verification and 2FA.
Disable unused channels
If you don't plan to allow any calls, you can disable that channel by selecting the Service on the Console, selecting the Voice tab, and disabling the channel.
Set rates limits
Make sure your app will not send more than 1 message per X seconds to the same mobile number range or prefix. Implement rate limits by user, IP, or device identifier. You can use a CDN like Cloudflare or implement modules in your web server like Nginx and Apache for basic rate limiting.
Add Service Rate Limits for your Verification Service.
Rate limits may not prevent fraud but can slow the attackers down enough that they decide it's not worth it to go after your app.
Implement exponential delays between verification retry requests
Similar to rate limits, implementing exponential delays between requests to the same phone number is one way to prevent rapid sending. Learn more about our recommendations for retry logic for SMS 2FA in this blog post.
|Good Example - “Call me instead” option is not visible until 3 time-delayed SMS attempts.||Bad Example - “Call me instead” option is visible at any time and can be repeatedly submitted.|
Implement geographic permissions to restrict destination countries
Review your Verify Geographic Permissions and disable all countries that you do not plan to send messages to.
You can also build a programmatic allow list or block list based on the country codes of the phone number with our free Lookup formatting API.
If you have data on the number of verifications you’d expect per day in a given country, you can set rate limits on groups of countries, allowing relaxed rate limits in countries where you expect legitimate users, and more restricted rate limits in all other countries.
Look up the phone number before sending
Use Carrier Lookup to get the line type of a number then only send SMS to mobile numbers. You can also use this API request to determine the carrier and block carriers that may be (knowingly or not) causing inflated traffic. Learn more about how to build a carrier block list with Lookup in this blog post.
Monitor one-time passcode (OTP) conversion rates and create alerts
Create internal monitors for conversion rate of verifications (i.e
number of OTPs validated by end users /
number of OTPs sent to end users). If you notice this rate start to drop, especially in an unexpected country, trigger an alert for manual review.
You can also configure a usage trigger on your Twilio account to alert you when your usage goes above a certain threshold.
Analyze IP and detect VPNs
Analyze IP location, IP owner (ISP/proxy/TOR/cloud provider, etc), and IP against the bad reputation list. Block TOR/Cloud Providers/proxies/bad IPs.
While there are legitimate use cases for VPNs, attackers will likely use one to bypass simple I.P. address blocking and this is a signal that something might be awry. There are a lot of solutions for VPN detection out there to choose from.
What to do if you suspect fraud on your Twilio account
Email email@example.com if you are facing messaging abuse. Please include the following details in your message:
Account SID: Product Type (e.g. Verify): Date/time Range: To/Recipient Country: Workspace SID (e.g. Verify Service SID): Description of Activity:
Here are some more resources for account security that you might enjoy:
Need some help?
We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Stack Overflow Collective or browsing the Twilio tag on Stack Overflow.