Skip to content Skip to navigation Skip to topbar

Twilio Docs

Getting Started

Verification Channels Verification Templates Verification Best Practices Quickstarts

Preventing Fraud

Overview Verify Fraud Guard Verify Geo Permissions

Verify SMS

Overview RCS Upgrade

Verify WhatsApp

Overview Bring Your Sender

Verify Push and Silent Device Approval

Overview Technical Overview Best Practices Android SDK iOS SDK React native package Sample Backend

Verify TOTP

Overview Technical Overview

Verify Silent Network Auth

Overview Technical Overview

Testing Guide

Overview Headspin Testing Guide

Live Test Number Overview Best Practices for Production Implementation Best Practices for Error Handling Using Silent Network Auth with Twilio Regions

Verify Automatic Channel Selection

Verify Insights

Verify Events

Overview Onboarding Guide

Viewing Logs with Twilio Console

API Reference

API v2 Reference

Services Verifications Verification Attempts Verification Attempts Summary Verification Check Templates Safe List Access Token Entity Factor Challenge Push Webhooks Push Notifications Service Rate Limits Service Rate Limit Buckets Rate Limits and Timeouts Verify v2 Error Codes

Verify Supported Languages

Overview Default Languages for Phone Number Country Codes

Verify Countries and Regions Deliverability Customization Options

Tutorials + Integrations

Auth0 + Verify Stripe + Verify RSA SecurID + Verify Twilio Flex + Verify Verify Transactions for PSD2 Protect Your Verify Application with Service Rate Limits App Verification with Twilio SMS

Twilio Helper Libraries

PHP Ruby Python Node.js Java C# / .NET Go

Pricing Talk to Sales About Twilio Verify

Messaging
Voice
Serverless
Flex
Studio
All docs...

SDKs
Help

Log in
Sign up

Rate this page:

12345

On this page

What is SMS pumping?
What is toll fraud?
Recommended actions for preventing fraud

Enable Verify SMS Fraud Guard
Disable unused channels
Implement exponential delays between verification retry requests
Set rate limits
Detect bots and refresh your user experience to prevent them
Look up the phone number before sending
Monitor one-time passcode (OTP) conversion rates and create alerts
Analyze IP and detect VPNs
Implement geographic permissions to restrict destination countries
What to do if you suspect fraud on your Twilio account
What's next?

What is SMS pumping?

What is toll fraud?

Recommended actions for preventing fraud

Enable Verify SMS Fraud Guard

Disable unused channels

Implement exponential delays between verification retry requests

Set rate limits

Detect bots and refresh your user experience to prevent them

Look up the phone number before sending

Monitor one-time passcode (OTP) conversion rates and create alerts

Analyze IP and detect VPNs

Implement geographic permissions to restrict destination countries

What to do if you suspect fraud on your Twilio account

Preventing Fraud in Verify

One of the challenges of operating globally is the increased exposure to fraud. There are two types of attacks we commonly see in phone verification or two-factor authentication (2FA) flows.

SMS pumping
International Revenue Sharing Fraud (IRSF) also known as "Toll Fraud"

Both attacks cause inflated traffic to your app with the intent to make money and not to steal information. While the specific ways attackers monetize these types of fraud is different, the strategies you can implement to reduce fraud are similar.

verification fraud diagram.

number of OTPs validated by end users / number of OTPs sent to end users). If you notice this rate start to drop, especially in an unexpected country, trigger an alert for manual review.

You can also configure a usage trigger on your Twilio account to alert you when your usage goes above a certain threshold.

Analyze IP and detect VPNs

Analyze IP location, IP owner (ISP/proxy/TOR/cloud provider, etc), and IP against the bad reputation list. Block TOR/Cloud Providers/proxies/bad IPs.

While there are legitimate use cases for VPNs, attackers will likely use one to bypass simple I.P. address blocking and this is a signal that something might be awry. There are a lot of solutions for VPN detection out there to choose from.

Implement geographic permissions to restrict destination countries

Review your Verify Geographic Permissions and disable all countries that you do not plan to send messages to.

You can also build a programmatic allow list or block list based on the country codes of the phone number with our free Lookup formatting API.

If you have data on the number of verifications you'd expect per day in a given country, you can set rate limits on groups of countries, allowing relaxed rate limits in countries where you expect legitimate users, and more restricted rate limits in all other countries.

What to do if you suspect fraud on your Twilio account

Email fraud@twilio.com if you are facing messaging abuse. Please include the following details in your message:


_10Account SID: 
_10Product Type: 
_10Date/time Range: 
_10To/Recipient Country: 
_10Workspace SID: 
_10Description of Activity:

What's next?

Here are some more resources for account security that you might enjoy:

Everything You Need to Know About Toll Fraud
Best practices for phone number validation during new user enrollment
Best practices for managing retry logic with SMS 2FA
Developer best practices for user verification
Anti-Fraud Developer Guide
Send an SMS OTP in 5 minutes

Rate this page:

12345

Need some help?

We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Stack Overflow Collective or browsing the Twilio tag on Stack Overflow.

Terms of service

Copyright © 2024 Twilio Inc.