One of the challenges of operating globally is the increased exposure to fraud. There are two types of attacks we commonly see in phone verification or two-factor authentication (2FA) flows.
Both attacks inflate the traffic to your app; the goal is to make money, not to steal information. While the specific ways attackers monetize these types of fraud are different, the strategies you can implement to reduce fraud are similar.
Monitor your OTP conversion rate (number of OTPs validated by end users / number of OTPs sent to end users). If you notice this rate start to drop, especially in an unexpected country, trigger an alert for manual review. You can also configure a usage trigger on your Twilio account to alert you when your usage goes above a certain threshold.
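The conversion-rate check and the per-country volume check described above, as an added example (not Twilio's own code). It computes validated/sent per destination country from a batch of verification events, flags countries whose rate is below a threshold (with a lower volume bar for countries you do not expect traffic from), and flags countries whose send volume exceeds a multiple of its baseline. The events, the placeholder country code "XX" and the baselines are constructed sample data; in practice you would build the events from your own verification logs.

```python
"""Conversion-rate and volume monitoring for OTP traffic.

Added example, not Twilio's own code.  Events and baselines below are
constructed sample data for one monitoring window.
"""
from collections import defaultdict


def _make_events(country, sent, validated):
    """Constructed helper: `sent` OTPs to `country`, `validated` of them confirmed."""
    return [{"to_country": country, "validated": i < validated} for i in range(sent)]


# Constructed sample batch.  "XX" is a placeholder code (not a real ISO code)
# for a country the service does not expect traffic from.
SAMPLE_EVENTS = (
    _make_events("US", 40, 36)    # healthy: 90% of OTPs get validated
    + _make_events("DE", 12, 10)  # healthy but low volume
    + _make_events("XX", 30, 1)   # pumped traffic: almost nothing validated
)


def conversion_rates(events):
    """Return {country: (sent, validated, rate)} for one window of events."""
    sent = defaultdict(int)
    validated = defaultdict(int)
    for event in events:
        country = event["to_country"]
        sent[country] += 1
        if event["validated"]:
            validated[country] += 1
    return {c: (sent[c], validated[c], validated[c] / sent[c]) for c in sent}


def suspicious_countries(events, expected, min_rate=0.5, min_sent=20):
    """Countries whose conversion rate is below `min_rate`.

    A country in `expected` needs at least `min_sent` OTPs before its rate
    is judged; an unexpected country is judged at half that volume, since
    traffic there is itself a warning sign.
    """
    flagged = []
    for country, (sent, _validated, rate) in conversion_rates(events).items():
        volume_bar = min_sent if country in expected else min_sent // 2
        if sent >= volume_bar and rate < min_rate:
            flagged.append(country)
    return sorted(flagged)


def volume_spikes(events, baseline, factor=3.0):
    """Countries whose send volume exceeds `factor` times their baseline.

    `baseline` maps country -> usual sends per window; a country absent from
    it has a baseline of zero, so any traffic there counts as a spike.  This
    is the per-country counterpart of an account-level usage trigger.
    """
    spikes = []
    for country, (sent, _validated, _rate) in conversion_rates(events).items():
        if sent > factor * baseline.get(country, 0):
            spikes.append(country)
    return sorted(spikes)


if __name__ == "__main__":
    expected = {"US", "DE"}
    for country, (sent, ok, rate) in sorted(conversion_rates(SAMPLE_EVENTS).items()):
        print(f"{country}: sent={sent} validated={ok} rate={rate:.2f}")
    print("low conversion:", suspicious_countries(SAMPLE_EVENTS, expected))
    print("volume spikes:", volume_spikes(SAMPLE_EVENTS, {"US": 35, "DE": 10}))
```

Run it over one window's worth of events at a time (for example every hour) and raise an alert whenever either function returns a non-empty list; the country the alert names is the one to review manually.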
Analyze the IP address of each verification request: its geolocation, its owner (ISP, proxy, Tor exit node, cloud provider, etc.), and whether it appears on an IP reputation block list. Block requests coming from Tor exit nodes, cloud providers, proxies and IPs with a bad reputation.
While there are legitimate use cases for VPNs, attackers will likely use one to bypass simple IP address blocking, so VPN use is a signal that something might be awry. There are many VPN detection solutions to choose from.
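The IP screening described in the two points above, as an added example (not Twilio's own code). It classifies a requester's IP against categorised address lists (Tor exit nodes, cloud providers, proxies, bad reputation, VPN), compares the IP's geolocation with the phone number's country, and turns the results into a block/review/allow decision. All lists and the geolocation table are constructed from RFC 5737 documentation ranges and carry no real attribution; in production they would come from your IP-intelligence provider or threat feeds, and VPN detection is typically a separate service.

```python
"""IP-signal screening for verification requests.

Added example, not Twilio's own code.  Every list below is constructed
from RFC 5737 documentation ranges and is not real threat data.
"""
import ipaddress

# Constructed sample lists (documentation ranges only).
IP_LISTS = {
    "tor": [ipaddress.ip_network("198.51.100.7/32")],
    "cloud": [ipaddress.ip_network("203.0.113.0/24")],
    "proxy": [ipaddress.ip_network("198.51.100.128/25")],
    "bad_reputation": [ipaddress.ip_network("192.0.2.200/32")],
    "vpn": [ipaddress.ip_network("192.0.2.0/25")],
}

# Categories blocked outright versus only escalated for manual review:
# VPN use is a signal, not proof, because it has legitimate uses.
BLOCK_CATEGORIES = {"tor", "cloud", "proxy", "bad_reputation"}
REVIEW_CATEGORIES = {"vpn"}

# Constructed sample geolocation data for the same documentation ranges.
GEO = [
    (ipaddress.ip_network("192.0.2.128/25"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
]


def classify_ip(ip_str):
    """Return the sorted list of categories the address matches.

    Raises ValueError for strings that are not IP addresses.
    """
    addr = ipaddress.ip_address(ip_str)
    return sorted(
        category
        for category, networks in IP_LISTS.items()
        if any(addr in net for net in networks)
    )


def ip_country(ip_str):
    """Country the (constructed) geolocation table assigns to the address, or None."""
    addr = ipaddress.ip_address(ip_str)
    for net, country in GEO:
        if addr in net:
            return country
    return None


def decide(ip_str, phone_country=None):
    """Map a request's source IP (and optionally the OTP recipient's country)
    to "block", "review" or "allow".

    Unparseable input fails closed: a request whose source cannot be
    evaluated should not trigger an OTP send.  A mismatch between the IP's
    country and the phone number's country is escalated rather than blocked,
    since travellers and roaming users produce it legitimately.
    """
    try:
        categories = classify_ip(ip_str)
    except ValueError:
        return "block"
    if any(c in BLOCK_CATEGORIES for c in categories):
        return "block"
    if any(c in REVIEW_CATEGORIES for c in categories):
        return "review"
    if phone_country is not None:
        located = ip_country(ip_str)
        if located is not None and located != phone_country:
            return "review"
    return "allow"


if __name__ == "__main__":
    for ip, phone_cc in [("203.0.113.10", "US"), ("198.51.100.7", "US"),
                         ("192.0.2.50", "US"), ("192.0.2.150", "US"),
                         ("192.0.2.150", "BR"), ("not-an-ip", "US")]:
        print(f"{ip:>14} phone={phone_cc}: {decide(ip, phone_cc)}")
```

A "block" decision means the OTP is never sent, so the attacker gets no message to monetize; "review" still sends but records the request for the manual review that the conversion-rate alert also feeds.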
Review your Verify Geographic Permissions and disable all countries that you do not plan to send messages to.
You can also build a programmatic allow list or block list based on the country codes of the phone number with our free Lookup formatting API.
If you have data on the number of verifications you'd expect per day in a given country, you can set rate limits on groups of countries, allowing relaxed rate limits in countries where you expect legitimate users, and more restricted rate limits in all other countries.
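The country allow/block list and the per-country-group rate limits from the two points above, as an added example (not Twilio's own code). It derives the destination country from the phone number, refuses countries you never send to, and applies a sliding-window limit whose size depends on the country's group. `lookup_country` is a constructed offline stand-in: in production you would use the country code that the Twilio Lookup API returns for the E.164 number. The prefix table (including the unassigned "+999" prefix mapped to the placeholder code "XX"), the groups, the limits and the window are assumptions for the example.

```python
"""Country policy and per-country-group rate limits for OTP sends.

Added example, not Twilio's own code.  The prefix table, groups and
limits are constructed assumptions; replace lookup_country with the
country code returned by Twilio Lookup in production.
"""
import time
from collections import defaultdict, deque

# Constructed stand-in table.  Real prefix-to-country resolution is what
# Lookup gives you (for example, +1 alone spans many countries).  "+999" is
# an unassigned prefix mapped to the placeholder code "XX" for the demo.
SAMPLE_COUNTRY_BY_PREFIX = {"+1": "US", "+44": "GB", "+49": "DE",
                            "+55": "BR", "+999": "XX"}

# Hypothetical policy: countries you never send to, country groups, and the
# maximum OTP sends per country per window for each group.  Any country not
# listed in COUNTRY_GROUPS falls into the restrictive "other" group.
BLOCKED_COUNTRIES = {"XX"}
COUNTRY_GROUPS = {"US": "primary", "GB": "secondary", "DE": "secondary"}
GROUP_LIMITS = {"primary": 500, "secondary": 100, "other": 3}
WINDOW_SECONDS = 3600


def lookup_country(e164):
    """Offline stand-in for a Lookup call: longest matching prefix wins."""
    for prefix in sorted(SAMPLE_COUNTRY_BY_PREFIX, key=len, reverse=True):
        if e164.startswith(prefix):
            return SAMPLE_COUNTRY_BY_PREFIX[prefix]
    return None


class CountryRateLimiter:
    """Sliding-window counter of OTP sends per destination country."""

    def __init__(self, group_limits=GROUP_LIMITS, window=WINDOW_SECONDS):
        self.group_limits = group_limits
        self.window = window
        self.sends = defaultdict(deque)  # country -> send timestamps in window

    def limit_for(self, country):
        return self.group_limits[COUNTRY_GROUPS.get(country, "other")]

    def try_acquire(self, country, now):
        """Record a send for `country` at time `now` if it is under its limit."""
        q = self.sends[country]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop sends that have aged out of the window
        if len(q) >= self.limit_for(country):
            return False
        q.append(now)
        return True


def should_send_otp(e164, limiter, now=None):
    """Decide whether to send an OTP to `e164`; returns (allowed, reason)."""
    now = time.time() if now is None else now
    country = lookup_country(e164)
    if country is None:
        return False, "unknown_country"  # fail closed on numbers we cannot place
    if country in BLOCKED_COUNTRIES:
        return False, "blocked_country"
    if not limiter.try_acquire(country, now):
        return False, f"rate_limited:{country}"
    return True, f"ok:{country}"


if __name__ == "__main__":
    limiter = CountryRateLimiter()
    for i in range(5):
        print("BR send", i, should_send_otp("+5511999999999", limiter, now=float(i)))
    print(should_send_otp("+15551234567", limiter, now=0.0))
    print(should_send_otp("+9991234", limiter, now=0.0))
```

The counter is in-process state, so behind a load balancer it must live in shared storage (for example a Redis sorted set per country) or the limit silently multiplies by the number of instances.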
Email fraud@twilio.com if you are facing messaging abuse. Please include the following details in your message:
Account SID:
Product Type:
Date/time Range:
To/Recipient Country:
Workspace SID:
Description of Activity:
Here are some more resources for account security that you might enjoy: