SMS Geo Permissions

Twilio supports sending SMS messages to many countries globally. While this capability provides you with a wide reach to serve your use cases, it is just as important to use the tools available to you to manage your exposure to risks such as SMS Pumping Fraud.

SMS Geo Permissions are one such tool. Configuring SMS Geo Permissions allows you to control the list of countries to which you can send SMS messages. Given the rise of fraud in the SMS ecosystem, Twilio recommends disabling destination countries your business doesn't use or uses infrequently as a line of defense against fraudulent activity.

By default a newly created account allows messages to be sent to your home country as determined by the phone number you verified during signup. You can follow the steps in the following How to change SMS Geo Permissions section to judiciously enable and disable SMS Geo Permissions by country.

As you decide whether to enable SMS Geo Permissions for additional countries, please make sure to review the What's Next? section at the end of this page for further guidance on ways to mitigate your risk exposure using Twilio products and best practices.

Ensure you are logged into the Twilio Account for which you want to change the permissions.

Navigate to Console > Messaging > Settings > Geo Permissions.

Expand image

Find the country or region for which you want to adjust the SMS Geo Permissions. You can do so by scrolling through the displayed listing arranged by continent or you can use the Filter by Country input control to narrow the search.

Once you have found the country or region whose permissions you want to adjust, use the checkbox control next to its name to enable or disable it.

1. Filter by country control
2. Country checkbox

Expand image

(warning)

Warning

Some countries or regions will have a High Risk marking next to their name. Twilio has assessed them to currently have the highest risk of SMS Traffic Pumping Fraud.

As conditions change, e.g. due to enforcement actions or evolving bad actor behavior, Twilio's continuous monitoring activities may lead to adjustments of its risk assessments and result in changes to which countries or regions are marked as High Risk.

Click on the High Risk marking to see a tooltip with additional information.

Expand image

Press the Save geo permissions button. An appropriate dialog opens to ask for your confirmation to proceed with saving the changes.

Expand image

If your changes include the enabling of SMS Geo Permissions for one or more countries that were marked High Risk for fraudulent activity, a Risk Acknowledgement Confirmation Dialog is shown. The dialog contains the list of affected countries and asks you to acknowledge:

• The resulting assumption of the increased risk and financial exposure
• Your responsibility to take actions to mitigate such risks.

If you decide to proceed, check the I Acknowledge this risk checkbox and then press the Enable Geo Permissions button.

Otherwise, press the Cancel button and return to Step 2 - Adjust your SMS Geo Permission settings.

1. Risk exposure warning
2. List of high risk countries to be enabled
3. Risk acknowledgement checkbox
4. Enable geo permissions button
5. Cancel button

Expand image

Even if your changes do not involve the enablement of high risk countries, a confirmation dialog is shown to remind you that saved geo permissions take immediate effect, including the blocking of SMS sent to disabled countries.

If you decide to proceed, press the Update geo permissions button.

Otherwise, press the Cancel button and return to Step 2 - Adjust your SMS Geo Permission settings.

1. Update geo permissions button
2. Cancel button

Expand image

If a confirmed update to the SMS Geo Permissions is successful, the success alert "Messaging geo permissions updated successfully" appears in the top right corner of the screen.

Expand image

Depending on the complexity of your company or your use case, you may have decided to:

• Add subaccounts under a Twilio account to segment messaging activities for compliance or other business reasons
• Manage multiple Twilio accounts using a Twilio Organization.

If that is the case, it is important to understand the role of permissions inheritance.

By default a subaccount inherits the SMS Geo Permissions settings of its parent account. Inheritance is only possible between a single parent and its owned subaccounts.

To control the SMS Geo Permissions of a subaccount independently of its parent account, a user with Account Owner or Account Administrator role has to disable inheritance for the subaccount.

Then you are able to individually change the SMS Geo Permissions for the subaccount following the process described in How to change SMS Geo Permissions.

If you utilize a Twilio Organization to manage multiple accounts, each account will have its own separate SMS Geo Permissions settings independent of other accounts in the same organization.

No SMS Geo Permissions settings can be inherited from the organization-level.

As a result, you must manage each account's SMS Geo Permissions individually following the steps in How to change SMS Geo Permissions.

You may wish to review which changes were made to SMS Geo Permissions. Event logs for SMS Geo Permission changes can be found in Console or requested programmatically using the Monitor Event REST API resource.

In order to audit SMS Geo Permission changes in Console, you can follow these steps:

1. Ensure you are Logged into Console with the Twilio Account you want to audit.

2. Navigate to the Monitor > Insights > Audit > Audit Event Logs report.

3. Set the Start Date and End Date to narrow the period you want to audit.

4. Find and review entries with Event Type values of

   • sms-geographic-permissions.created
   • sms-geographic-permissions.deleted
   • sms-geographic-permissions.updated

5. Click on an entry's Event SID to see full details of the SMS Geo Permissions Change.

Expand image

The audit event details include:

• Event date and time
• Resource Type and Event Type
• Information about who made the change (Actor SID, Actor and Source IP Address)

For updated SMS Geo Permissions, the Property column of the Changes table will contain the name of the country for which a change was made and its Previous Value and Updated Value.

Expand image

The Monitor Event API resource allows you to Read a list of monitored events for certain resource types and associated event types. Specifically for changes to the SMS Geo Permissions, you can obtain events for the resource type sms-geographic-permissions which is associated with the following three event types:

• sms-geographic-permissions.created
• sms-geographic-permissions.deleted
• sms-geographic-permissions.updated

Use the EventType parameter of the Read action to get a list of filtered SMS Geo Permission change events for any one of these event type values. To only see events within a specific time frame, you can additionally use the StartDate and EndDate parameters.

Now that you know which role SMS Geo Permissions play and how to manage them, check out the following information to further protect yourself from SMS-based fraud:

• Read our guidance on Preventing Fraud and SMS Pumping Protection for Programmable Messaging
• Explore the use of Verify and its Verify Fraud Guard feature
• Follow our Anti-Fraud Developer's Guide for comprehensive guidance