October 2025 Fraud Update: How ISVs can Prepare for the Holiday Season

October 28, 2025

The holidays are almost here, and that means that businesses are gearing up for the year’s biggest online shopping events: Black Friday and Cyber Monday. While these days offer exciting opportunities for growth and customer engagement, they present a prime target for fraudsters looking to exploit increased transaction volumes and digital activity. This raises the question: when every brand is increasing their communication exponentially during a single week, how can you tell good from the bad?

In this quarter’s fraud update, we’ll dive into fraudulent activity your business may come across, such as artificially inflated traffic (AIT) and general webform abuse. We’ll also cover some behind-the-scenes insights from Twilio. Finally, we’ll provide actionable guidance for independent software vendors (ISVs) and other businesses on how to proactively secure their apps built on Twilio and respond quickly if an incident occurs.

Let’s make sure you and your customers have a safe and super successful holiday season. Read on to stay one step ahead of the scammers.

Fraud patterns in peak traffic season

When it comes to the holidays, businesses – especially those in retail and e-commerce – often change their communications behavior. Many businesses also treat it as an opportunity to ramp up marketing efforts: in some cases, sending multiple messages an hour about their latest time-sensitive promotions and discounts. (This is demonstrated by the 2024 holiday week, when Twilio SendGrid processed over 65.5 billion emails!)

Account takeovers (ATOs) remain a year-round risk (prevention best practices can be found here). This update instead covers the activity your organization may see at this time of year that takes advantage of the increased traffic and uses digital forms, rather than a compromised account, as the front door for abuse.

Increase in AIT activity

Over the past year, Twilio has observed a notable increase in AIT activity, such as SMS pumping fraud. We predict this activity will increase into the holiday season.

In Q4 2024, Twilio observed an average increase of ~27% in fraud block rates for Verify Fraud Guard compared to the rest of that year. AIT occurs when bad actors exploit mobile number input fields in digital forms or APIs to generate large volumes of non-genuine SMS or voice traffic. This traffic is often sent to numbers they control, resulting in inflated usage and unexpected charges for businesses.

Every fraudulent message or call is billable, and thousands can be sent in minutes, so the resulting charges can go through the roof if a business is not prepared. In fact, in 2025 so far, Twilio’s pumping fraud protection products were not enabled for ~76% of SMS pumping incidents that involved credit requests. The holiday spike makes this worse: AIT hides inside a much larger volume of legitimate engagement, so identifying it becomes a needle-in-a-haystack problem.

Oftentimes, the focus is specifically on bad one-time password (OTP) traffic, but Twilio is also observing evidence of all types of inflated traffic, including marketing messages, reset password links, order tracking updates, and app download links… all getting sent to premium-rate numbers.
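The pattern described above (many non-genuine sends to numbers the attacker controls, buried in a larger legitimate volume) can be surfaced from your own send logs. The following is an added example written for this article, not Twilio code: a heuristic that groups OTP sends by destination number range and flags a range that receives a burst of sends that almost nobody verifies. The log layout, the prefix length, the thresholds and the sample data are all assumptions; the sample log is constructed, and the +991 range in it is unassigned and used only as placeholder data.

```python
"""Heuristic detector for SMS pumping / AIT in OTP send logs.

Added example for this article, not Twilio code. The log layout, the prefix
length and the thresholds are assumptions; tune them to your own traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # look for bursts inside this window
MIN_SENDS = 10                  # sends to one number range that count as a burst
MAX_VERIFIED_RATE = 0.10        # genuine users mostly finish the OTP flow
PREFIX_LEN = 8                  # "+9915550" groups numbers from one range

# Constructed sample log: (ISO timestamp, destination in E.164, status).
# "verified" means the user completed the OTP; "sent" means they never did.
SAMPLE_LOG = [
    ("2025-11-28T10:00:01", "+14155550101", "verified"),
    ("2025-11-28T10:00:09", "+447700900123", "verified"),
    ("2025-11-28T10:00:12", "+14155550177", "sent"),
    ("2025-11-28T10:01:00", "+14155550138", "verified"),
]
# Pumping pattern: a burst to consecutive numbers in one range, none verified.
# +991 is an unassigned country code, used here only for constructed data.
SAMPLE_LOG += [
    (f"2025-11-28T10:02:{i:02d}", f"+99155500{100 + i}", "sent") for i in range(25)
]


def parse(log):
    """Turn raw tuples into (datetime, number, status), oldest first."""
    return sorted((datetime.fromisoformat(ts), num, status) for ts, num, status in log)


def find_pumping_bursts(log, window=WINDOW, min_sends=MIN_SENDS,
                        max_verified_rate=MAX_VERIFIED_RATE):
    """Return {prefix: (sends, verified)} for number ranges with a suspicious burst.

    Grouping by prefix is what keeps the detector usable during a holiday
    spike: overall volume goes up, but legitimate traffic is spread across
    many ranges and mostly gets verified, while pumping concentrates in a few.
    """
    by_prefix = defaultdict(list)
    for ts, num, status in parse(log):
        by_prefix[num[:PREFIX_LEN]].append((ts, status))

    flagged = {}
    for prefix, events in by_prefix.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            sends = len(win)
            verified = sum(1 for _, status in win if status == "verified")
            if sends >= min_sends and verified <= max_verified_rate * sends:
                best = flagged.get(prefix)
                if best is None or sends > best[0]:
                    flagged[prefix] = (sends, verified)
    return flagged


if __name__ == "__main__":
    for prefix, (sends, verified) in find_pumping_bursts(SAMPLE_LOG).items():
        print(f"suspected pumping: {prefix}* {sends} sends, {verified} verified")
```

Running the detector on the constructed log flags only the +9915550 range (25 sends, 0 verified) and leaves the legitimate US and UK traffic alone. In production you would feed it the same fields from your Messaging or Verify logs and alert or auto-block on the flagged ranges, in addition to the platform-level protections discussed later.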

General webform abuse

Another trend Twilio has observed is an increase in automated bots and malicious actors exploiting website forms for reasons beyond pumping fraud. During the holidays, expect new account creation with fake or stolen information, phishing, and credential stuffing. Because these forms are public, attackers do not need access to your Twilio account to carry out this kind of fraud: the abuse happens neither at the Twilio account level nor through the API, but through your own application front end.

When your webforms are abused, it can lower the quality of your data, waste valuable resources, and damage your business’s reputation. Specific indicators for webform abuse can include, but are not limited to:

  • Traffic coming from the same IP: In general, when an account is compromised, malicious mail is sent from IPs not previously associated with the account. By contrast, in most cases of form abuse, legitimate and malicious mail is sent from the same IPs, because both originate from your own application.
  • From address(es): When a bad actor compromises an account, the emails are generally sent from completely different domains (in some cases impersonating well-known companies). Emails generated by a form usually come from your own domain and from addresses such as noreply@domain.com or info@domain.com.
  • Links within the subject line: There isn’t a legitimate reason for a customer to send a link in the subject line. This goes against email best practices and can potentially lead to emails being filtered by recipient domains.
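The three indicators above can be turned into a triage script that tells you which incident you are dealing with, because the response differs (fix the form versus rotate credentials). The following is an added example written for this article, not Twilio or SendGrid code. The event fields (source IP, From address, subject line), the IP baseline and the sending domain are assumptions about how you export your own mail logs; both event sets are constructed.

```python
"""Separate webform abuse from account takeover in an outbound-mail spike.

Added example for this article, not Twilio/SendGrid code. The event fields
(source IP, From address, subject), the IP baseline and the sending domain
are assumptions about how you export your own mail logs.
"""
import re

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def subject_has_link(subject):
    """Indicator 3 from the article: a URL in the subject line."""
    return bool(URL_RE.search(subject))


def from_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def classify_spike(events, known_ips, own_domain):
    """Return a verdict plus the counts that support it.

    Form abuse: link-bearing mail leaves from the same IPs as legitimate mail
    and from the form's own noreply@/info@ style addresses.  Account takeover:
    it leaves from IPs never seen before and/or from foreign From domains.
    """
    suspicious = [e for e in events if subject_has_link(e["subject"])]
    if not suspicious:
        return {"verdict": "no link-in-subject traffic", "suspicious": 0}
    n = len(suspicious)
    new_ip = sum(1 for e in suspicious if e["ip"] not in known_ips)
    foreign_from = sum(1 for e in suspicious if from_domain(e["from"]) != own_domain)
    if new_ip == 0 and foreign_from == 0:
        verdict = "webform abuse"
    elif new_ip > n / 2 or foreign_from > n / 2:
        verdict = "likely account takeover"
    else:
        verdict = "mixed, investigate both"
    return {"verdict": verdict, "suspicious": n, "new_ip": new_ip,
            "foreign_from": foreign_from,
            "senders": sorted({e["from"] for e in suspicious})}


OWN_DOMAIN = "example.com"
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}   # constructed sending baseline

# Constructed spike 1: bots driving the public contact form.
FORM_ABUSE_EVENTS = [
    {"ip": "203.0.113.10", "from": "noreply@example.com", "subject": "Your order #1001"},
    {"ip": "203.0.113.10", "from": "noreply@example.com", "subject": "Hi http://evil.test/win"},
    {"ip": "203.0.113.11", "from": "noreply@example.com", "subject": "Prize www.evil.test/claim"},
    {"ip": "203.0.113.10", "from": "info@example.com", "subject": "You won https://evil.test"},
]
# Constructed spike 2: a stolen key used from elsewhere to impersonate a bank.
ATO_EVENTS = [
    {"ip": "198.51.100.7", "from": "alerts@bigbank.test", "subject": "Verify http://evil.test/b"},
    {"ip": "198.51.100.7", "from": "alerts@bigbank.test", "subject": "Locked https://evil.test/c"},
    {"ip": "203.0.113.10", "from": "noreply@example.com", "subject": "Your order #1002"},
]

if __name__ == "__main__":
    for name, events in (("form", FORM_ABUSE_EVENTS), ("ato", ATO_EVENTS)):
        print(name, classify_spike(events, KNOWN_IPS, OWN_DOMAIN))
```

On the first constructed set the verdict is "webform abuse" (three link-bearing messages, all from known IPs and the site's own noreply@/info@ addresses); on the second it is "likely account takeover" (new IP, foreign From domain). The `senders` list tells you which form-generated address to trace back to a specific form.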

Because Twilio has minimal visibility into what digital forms your business may be utilizing (as opposed to communications traffic patterns), you are responsible for identifying what forms may be impacted and taking the necessary steps to remediate any issues.

How to prepare for Cyber Week

Though it is the customer’s responsibility to address and resolve AIT and overall webform abuse, Twilio is here to help. The following are recommendations we often make to ISVs to get ahead of the curve.

Prevention and detection

We recommend customers take a combined strategy to combat AIT and webform abuse threats. Use the following as a checklist for what Twilio strongly recommends in preparation:

  • Before evaluating all other measures, consider implementing lower risk channels for communication with your customers that will suit your business needs, such as WhatsApp or RCS.
  • Enable advanced fraud detection tools like Verify Fraud Guard (available on Twilio Verify) and SMS Pumping Protection (available on Programmable Messaging).
  • For customers who have an in-house fraud detection system and want additional signals to enhance existing capabilities, use the Twilio Lookup API and SMS Pumping Risk Score to determine a particular phone number’s history. This can also help block invalid or high-risk contact details often used in fraudulent signups.
  • Twilio enforces a default throughput rate limit for US/CA long code numbers and toll-free numbers. If you are using Twilio Verify, ensure you have evaluated the built-in and custom rate limits to cap verification requests for the same phone number.
  • Review your geo-permissions (SMS and Verify for SMS and Voice) and ensure you are blocking all routes where you do not expect to send traffic.
  • Implement CAPTCHAs (consider invisible reCAPTCHAs), libraries such as BotD, and Honeypot fields on your application signup flows and webforms to stop automated bots from creating fake accounts or abusing your forms.
  • Implement additional form behaviors such as input filtering for URLs in subject lines, double opt-in, and IP and user agent rate limiting.
  • Enforce multi-factor authentication (MFA) during application account creation and login, requiring users to verify their identity with a code sent to their phone or email using something like Twilio Verify.
  • Monitor for abnormal traffic patterns such as sudden geographic or volume spikes and phishing or credential stuffing patterns such as high-frequency login attempts or multiple accounts created from the same IP. Set up real-time alerts for unusual usage and regularly review account activity to catch suspicious trends early.
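Several items in the checklist (honeypot fields, IP and user-agent rate limiting, geo restrictions, and a phone-number risk signal before sending anything) are server-side checks on the form handler itself. The following is an added example written for this article, not Twilio code, showing how they fit together in one guard that runs before a verification SMS is ever sent. Field names, thresholds, the country allowlist and the `risk_score` callback are assumptions; the callback is the place to plug in a Lookup SMS Pumping Risk query or your own fraud signals, and here it is fed with a constructed stand-in.

```python
"""Server-side guard for a signup form that collects a phone number.

Added example for this article, not Twilio code. Field names, thresholds,
the country allowlist and the risk-score callback are assumptions; the
callback is where a Lookup SMS Pumping Risk query or your own signals go.
"""
import time
from collections import defaultdict, deque

ALLOWED_PREFIXES = ("+1", "+44")  # keep in step with your Twilio geo-permissions
RATE_LIMIT = 5                    # submissions per (ip, user agent) per window
RATE_WINDOW = 600                 # seconds
MIN_FILL_SECONDS = 3              # a human does not fill in a form this fast
MAX_RISK_SCORE = 75               # assumed 0-100 scale; reject above this


class FormGuard:
    def __init__(self, risk_score, now=time.time):
        self.risk_score = risk_score        # callable: E.164 number -> 0..100
        self.now = now                      # injectable clock for tests
        self.hits = defaultdict(deque)      # (ip, ua) -> recent submission times

    def _rate_limited(self, ip, ua):
        """Sliding-window counter keyed on source IP plus User-Agent."""
        q = self.hits[(ip, ua)]
        t = self.now()
        while q and t - q[0] > RATE_WINDOW:
            q.popleft()
        q.append(t)
        return len(q) > RATE_LIMIT

    def check(self, form, ip, ua):
        """Return (accepted, reason); log the reason, do not show it to the user."""
        # Honeypot: a hidden field real browsers leave empty and bots fill in.
        if form.get("website"):
            return False, "honeypot filled"
        # Timing: form_ts is the render time you embedded in the page.
        form_ts = form.get("form_ts")
        if form_ts is None or self.now() - float(form_ts) < MIN_FILL_SECONDS:
            return False, "submitted too fast"
        if self._rate_limited(ip, ua):
            return False, "rate limit exceeded"
        phone = form.get("phone", "").strip()
        # Geo check mirrors the geo-permission advice: drop routes you never use.
        if not phone.startswith(ALLOWED_PREFIXES):
            return False, "destination country not allowed"
        # Only now spend a risk query, on traffic that passed the cheap checks.
        if self.risk_score(phone) > MAX_RISK_SCORE:
            return False, "high pumping risk"
        return True, "ok"


def constructed_risk_score(phone):
    """Stand-in for a real risk signal: treats one constructed range as risky."""
    return 90 if phone.startswith("+1999") else 5


if __name__ == "__main__":
    guard = FormGuard(constructed_risk_score)
    form = {"phone": "+14155550100", "form_ts": str(time.time() - 10), "website": ""}
    print(guard.check(form, "198.51.100.1", "Mozilla/5.0"))
```

The checks are ordered from cheapest to most expensive so that bots are dropped before you pay for a Lookup call or an SMS, and the rate-limit key combines IP and User-Agent so that a single NAT address shared by real customers is not punished as harshly as one scripted client. Pair it with a CAPTCHA on the client side and with Verify Fraud Guard or SMS Pumping Protection on the Twilio side; this guard is a complement to those, not a replacement.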

By combining Twilio’s platform-level protections with vigilant monitoring, businesses can better safeguard themselves against AIT and digital form abuse this holiday season.

Key takeaways and how to respond to fraud

In this edition of the Twilio fraud quarterly update, we covered the following types of fraudulent activity businesses are likely to encounter during the holiday shopping season:

  • Artificially inflated traffic (AIT): The higher volume of legitimate traffic at this time of year means pumping fraud may go undetected for longer, and every undetected message adds to your bill. Prevention is therefore crucial.
  • Webform abuse: Public forms can be easily abused by bots or malicious actors, and similar to AIT, can be hard to detect and can happen without account takeover. This type of abuse can also lead to AIT if you allow phone numbers as input!

Finally, what should you do if you know your business is a victim of fraud? Start by stopping the bleeding: change your passwords, rotate your authentication tokens and keys, enable MFA, and enable geo blocking for all countries where you do not conduct business. Reach out to the Twilio Help Center and Twilio Support. Then gather all information you think is relevant about the fraudulent activity, including message logs, affected phone numbers, and any patterns you noticed. Depending on the type of activity, your affected account(s) may be temporarily suspended.

As a part of working with Twilio to analyze and remediate security issues tied to fraudulent events, you may be asked to complete account sanitization by rotating additional API keys and taking other actions to cut off external access. In addition, be prepared to demonstrate that your team performed root cause analysis. Features such as Monitor Events, Account Insights, and Audit Insights reports can help with this. If your account includes Advanced Audit Insights as part of an Editions package, you can add custom filters to get even more detailed and valuable insights about your incident.

Until next year, have a safe, fraud-free holiday season. Cheers from Twilio!