July 2025 Fraud Update: Pig Butchering, Voice Impersonation, and Email ATOs

July 2025 Fraud Update: Pig Butchering, Voice Impersonation, and Email ATOs

How Twilio helps customers mitigate fraud

As a part of Twilio’s dedication to building a trusted platform for our customers, we employ a multi-faceted approach to combating fraud internally. Several dedicated teams operate around the clock in a "follow the sun" model. These teams, responsible for everything from fraud operations to implementing better mechanisms to knowing our customers and traffic, utilize a number of capabilities for detection and prevention that we support. Fraud prevention is ultimately a customer responsibility, though, so Twilio also offers customer-facing features to help customers mitigate fraud as a part of their overall strategy, such as Verify Fraud Guard and SMS Pumping Protection. In addition, we regularly provide resources on best practices to prevent fraud altogether.

Let’s start by covering some of what Twilio does today to help customers combat fraud and the latest observed trends.

Three Fraud trends to watch for

Through the collaborative efforts of these dedicated teams that keep our ecosystem secure, we have compiled valuable and relevant insights on fraud and abuse. We also provide guidance on how you can detect and mitigate these issues, supported by case studies and success stories from our internal teams and customers. Let’s dive in.

Twilio ISV end-user social engineering

Bad actors will often target ISVs that have lax or incomplete Know Your Customer (KYC) checks implemented for their customers. 

In the first half of 2025, Twilio observed a rise in bad actors targeting ISVs to send out social engineering messages, often appearing conversational in nature (or attempting to look like wrong numbers), attempting to build relationships with unwitting recipients. These messages may not seem dangerous at first glance since they are superficially conversational and do not include any links or an immediate call to action. However, the intent of the messages is malicious, with the goal of eventually extracting monetary benefits from unsuspecting victims. One such example is pig butchering, where a seemingly friendly conversation can convince victims into investing in a cryptocurrency trading scheme on a platform controlled by the scammer. The victim is then prevented from accessing their funds.

These messages can often bypass security filters due to an ISV’s domain reputation. We recommend ISVs have KYC checks in place for their customers to answer the question, “Is this person who they say they are?” to prevent bad actor activity. This is typically accomplished through validating email addresses, business domains, business registries, and/or government issued identification. 

Additionally, setting up a subaccount structure with one user per subaccount helps mitigate bad actor activity and reduces the potential impact to other end users. Robust KYC controls will mitigate the potential for restrictions being placed on their Twilio account and potential fines levied by either U.S. and international carriers.

Voice impersonation

In H1 2025, Twilio also observed a rise in impersonation and vishing schemes. 

Bad actors often utilize compromised accounts or provide unverifiable KYC documentation to gain access and conduct voice impersonation or vishing schemes. Fraudsters will impersonate financial institutions, delivery services, or large brand names on calls to unsuspecting recipients with the goal of obtaining sensitive personal information from the recipient. Fraudsters have increased their use of AI tools by more than double to make the impersonation calls sound more credible, and therefore, more effective. 

We recommend Twilio customers pay close attention to any unexpected changes to geographic permissions, abnormal spikes in voice usage as indicated via Voice Insights, and large call volumes from accounts less than seven days old, as bad actors can cause significant damage in a short amount of time. Impacts can include everything from the loss of customer trust to restrictions that limit voice activity and account creation being placed on parent accounts and subaccounts.

SendGrid ATO trends

ATO (account takeover) is a continuous risk that customers face. API keys that provide access to Twilio SendGrid customer accounts and subusers may become accidentally exposed publicly, leading to unauthorized fraudulent activity on these accounts.

We’ve recently observed that compromised accounts will send large volumes of mail related to crypto or Social Security scams. These topics are strong indicators of bad actors taking over good accounts to deceive customers for fraudulent gain.

SendGrid uses a mixture of human and model intelligence to safeguard its customers. Each month, SendGrid catches 200M+ phishing emails and 400+ ATO attacks. SendGrid has also been able to reduce phishing and ATO instances by over 50% since December 2024.

It is important to note a majority of the ATO attacks occur due to account and API key leaks at the user level. While Twilio works aggressively to prevent this fraud, we can’t solve it alone. Here are some key actions you must take on your end to prevent this abuse:

1. Store your API Keys securely.
2. Regularly rotate your API keys and delete your unused API keys.
3. Establish IPAM if possible, and keep open source software updated including CRM tools that utilize SendGrid API keys.
4. Implement a subuser management strategy.
5. Reach out proactively to SendGrid to understand if they have seen unusual behavior on your account.

Key takeaways and next steps

For this quarterly update, we covered the top trends that Twilio is seeing in fraud and abuse. Here’s a summary of what we covered, and the steps you can take to help prevent your organization from becoming victim to these fraud trends:

1. ISV end-user social engineering: ensure robust KYC checks are in place for your organization to prevent bad actors from using your platform for social engineering.
2. Voice impersonation: monitor for spikes in voice usage and unexpected changes to your geographic permissions to detect potential vishing schemes.
3. ATOs and crypto or social security scams: follow best practices for protecting API keys to prevent ATOs, as crypto and Social Security-specific scams are on the rise.

We will continue to provide these updates on a quarterly basis, and we’ll let you know as we observe new and emerging trends in fraud and abuse. In the meantime you can:

1. Check out our Anti-Fraud Developer’s Guide on how to protect your organization.
2. See our Twilio Trust Center for any questions you may have on Twilio’s own security and compliance programs.
3. Report any kind of fraud and abuse by contacting Twilio customer support or the Twilio Fraud team at fraud@twilio.com.
4. Reach out to our support teams or your technical account manager directly to get connected to our security enablement team for assistance in detecting and preventing fraud and abuse.