How you can prevent toll fraud

While Stytch offers built-in protections, we highly recommend that apps that use SMS OTPs take additional steps to protect SMS endpoints.

• SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023 (if you're interested in sending international SMS, please reach out to support@stytch.com, and we can enable it for you).
• If your Stytch Workspace is enabled for international SMS:
  • If your company plans to primarily operate in only a few geographies, consider configuring your UI or phone number validation to limit SMS logins to core geographies.
  • If you’re using our Backend SDKs, create an allowlist in your backend for phone number prefixes. See our T3 example app for a complete example. Below are the relevant code blocks:

// utils/phone-countries.ts
import { Country } from 'react-phone-number-input';

/**
 * This list is used to populate the country dropdown on the phone number input
 * in the login form. Simply remove any countries that you don't want to support. You may
 * want to limit support due to cost, fraud, or because you do not do business in that country.
 **/

export const STYTCH_SUPPORTED_SMS_COUNTRIES: Country[] = [
  'US', // will be selected by default on phone number input
  'CA',
];

// components/PhoneInput.tsx
import { STYTCH_SUPPORTED_SMS_COUNTRIES } from '~/utils/phone-countries';
import PhoneInputWithCountry from 'react-phone-number-input/react-hook-form';
import flags from 'react-phone-number-input/flags';
// ...other imports

export function PhoneInput(props: { control: Control<{ phone: string }, any> }) {
  const { control } = props;

  return (
    <PhoneInputWithCountry
      style={{...}}
      control={control}
      countries={STYTCH_SUPPORTED_SMS_COUNTRIES}
      countryCallingCodeEditable={false}
      defaultCountry={STYTCH_SUPPORTED_SMS_COUNTRIES[0]}
      flags={flags}
      inputComponent={Input}
      international
      name='phone'
      rules={{ required: true }}
      withCountryCallingCode
    />
  );
}

• Reach out to support@stytch.com to disable SMS to international numbers for your Stytch Workspace if you do not need access to international SMS, especially if you're using any of our Frontend SDKs and can't enforce country code restriction.

• Since most toll fraud attacks are automated, using fraud prevention measures to block/challenge bots or headless browsing can meaningfully mitigate your risk.
• Stytch offers a device fingerprinting product that can be used to detect and block or challenge bot traffic and bad actors.
• If you’re using Stytch’s JavaScript SDK, Google reCAPTCHA can be easily implemented using our CAPTCHA guide.

• Consider setting up alerting for some of the common toll fraud indicators described above, such as abnormally low SMS authentication rates, a spike in SMS quantity or velocity, or SMS logins from unusual geographies.

• Another approach to limit your risk is to use SMS only as a secondary authentication factor.
• For example, you can require users to verify their email prior to allowing them to interact with your SMS endpoints.

If you believe your app is actively experiencing toll fraud, in addition to taking action to stop it on your end, please reach out to support@stytch.com so we can help you to mitigate the fraud quickly and effectively.