SMS Pumping Protection for Programmable Messaging is in Public Beta and available to all Programmable Messaging customers with an additional fee above and beyond monthly limits.
Currently only the SMS channel is supported.
SMS Pumping Protection uses automatic fraud detection to stop messages flagged as suspicious for SMS pumping fraud from being sent. It works by analyzing your current and historical SMS traffic for unusual patterns. When there are unexpected fluctuations in your SMS traffic for a specific location, or malicious activity already known to the system, this feature will automatically block messages to phone numbers associated with the suspected fraud.
Please contact Sales for pricing information. If you’re using Programmable Messaging to send one-time passcode (OTP) verifications, consider migrating to Verify, which includes Fraud Guard with customizable protection levels at no extra charge.
You can find the SMS Pumping Protection settings by navigating to the Twilio Console > Messaging > Settings > General page. From there, select Enabled to activate SMS Pumping Protection on your account.
Once the feature is enabled on your account, no further actions are needed on your part. Your protection will begin immediately.
This feature works by detecting SMS pumping fraud. SMS pumping fraud happens when fraudsters take advantage of a phone number input field to receive a one-time passcode, an app download link, or anything else via SMS. The messages are sent to a range of numbers controlled by a specific mobile network operator (MNO) and the fraudsters get a share of the generated revenue.
Twilio uses a baseline of expected message data to find outliers in behavior-based traffic patterns. We combine behavioral data with known explicit fraud schemes to filter out bad behavior.
Our model is always changing and uses multiple parameters to determine fraud. Examples of things we may temporarily block could include:
- Messages to a specific region, country or locale we know is engaging in SMS pumping
- Messages to a country your account has never sent SMS to previously
- Messages with parameters and characteristics that would suggest non-human behavior
Like any fraud prevention feature, there's a small chance our models may flag legitimate users as suspicious. We're constantly monitoring our results and adapting the fraud detection model to keep false positives extremely low.
You can mark known phone numbers using the Global Safe List feature so they are never blocked by SMS Pumping Protection. This provides an additional safety net against false positives. Add known phone numbers to the Safe List by using the Global Safe List API.
Alternatively, you can use the optional RiskCheck parameter when creating a Message with the Programmable Messaging API to mark a message as safe. To prevent a known/legitimate message from getting blocked by SMS Pumping Protection, include the RiskCheck parameter with value disable when creating the new Message resource.
You can also take these actions if you suspect false positives:
- Fall back to a different messaging method like WhatsApp or Facebook Messenger
- Create a separate subaccount for your legitimate users which has SMS Pumping Protection disabled
- Reach out to your Solutions Architect or contact Twilio Support through the Console or Help Center
When SMS Pumping Protection detects fraud, you will receive an email notification informing you of the event with a link to view more in your Twilio logs.
Error 30450 will show in the Twilio error logs when an SMS delivery is blocked by SMS Pumping Protection.
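The two controls described above, the RiskCheck parameter on message creation and error 30450 for blocked deliveries, are combined in the following added example (not Twilio's code). It assumes delivery events reach you as form-encoded status callback bodies carrying ErrorCode and To fields; the phone numbers, the VERIFIED_NUMBERS set, the sample callbacks and the function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs, urlencode

PUMPING_BLOCK_ERROR = "30450"  # error logged when SMS Pumping Protection blocks a message

# Constructed sample: recipients already verified through an authenticated flow.
VERIFIED_NUMBERS = {"+14155550100"}


def build_message_form(to, from_, body, verified=VERIFIED_NUMBERS):
    """Form fields for creating a Message resource.

    RiskCheck=disable is added only for recipients we already trust, so
    traffic from anonymous phone-number input fields stays protected.
    """
    fields = {"To": to, "From": from_, "Body": body}
    if to in verified:
        fields["RiskCheck"] = "disable"
    return urlencode(fields)


def blocked_recipients(callback_bodies):
    """Count error-30450 events per recipient across status callback bodies."""
    counts = Counter()
    for raw in callback_bodies:
        params = {key: values[0] for key, values in parse_qs(raw).items()}
        if params.get("ErrorCode") == PUMPING_BLOCK_ERROR:
            counts[params.get("To", "unknown")] += 1
    return dict(counts)


# Constructed callback bodies (not real traffic); 11111 is a placeholder code.
SAMPLE_CALLBACKS = [
    "MessageSid=SMconstructed1&MessageStatus=failed&ErrorCode=30450&To=%2B447700900001",
    "MessageSid=SMconstructed2&MessageStatus=delivered&To=%2B14155550100",
    "MessageSid=SMconstructed3&MessageStatus=failed&ErrorCode=30450&To=%2B447700900001",
    "MessageSid=SMconstructed4&MessageStatus=undelivered&ErrorCode=11111&To=%2B14155550123",
]

if __name__ == "__main__":
    print(build_message_form("+14155550100", "+14155550199", "Your order has shipped"))
    for number, hits in blocked_recipients(SAMPLE_CALLBACKS).items():
        print(f"{number}: blocked {hits} time(s); review before adding to the Safe List")
```

A recipient that appears in the blocked counts and is also a known customer is a false-positive candidate for the Global Safe List or a fallback channel; unknown recipients should stay blocked.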