How you can prevent toll fraud

While Stytch offers built-in protections, we highly recommend that apps that use SMS OTPs take additional steps to protect SMS endpoints.

Restrict your UI to specific geos in which you operate

  • If your company plans to primarily operate in only a few geographies, consider configuring your UI or phone number validation to limit SMS logins to core geographies.
  • For example, consider starting with only US/CA (+1), which is free with Stytch’s current pricing, and add international OTPs later as needed. If you’re using our Backend SDKs, create an allowlist in your backend for phone number prefixes. See our T3 example app for a complete example. Below are the relevant code blocks:
// utils/phone-countries.ts
import { Country } from 'react-phone-number-input';

 * This list is used to populate the country dropdown on the phone number input
 * in the login form. Simply remove any countries that you don't want to support. You may
 * want to limit support due to cost, fraud, or because you do not do business in that country.

export const STYTCH_SUPPORTED_SMS_COUNTRIES: Country[] = [
  'US', // will be selected by default on phone number input
// components/PhoneInput.tsx
import { STYTCH_SUPPORTED_SMS_COUNTRIES } from '~/utils/phone-countries';
import PhoneInputWithCountry from 'react-phone-number-input/react-hook-form';
import flags from 'react-phone-number-input/flags';
// ...other imports

export function PhoneInput(props: { control: Control<{ phone: string }, any> }) {
  const { control } = props;

  return (
      rules={{ required: true }}

Implement Device Fingerprinting or reCAPTCHA to prevent bots

  • Since most toll fraud attacks are automated, using fraud prevention measures to block/challenge bots or headless browsing can meaningfully mitigate your risk.
  • Stytch offers a device fingerprinting product that can be used to detect and block or challenge bot traffic and bad actors.
  • If you’re using Stytch’s JavaScript SDK, Google reCAPTCHA can be easily implemented using our CAPTCHA guide.

Monitor and configure alerting for common toll fraud indicators

  • Consider setting up alerting for some of the common toll fraud indicators described above, such as abnormally low SMS authentication rates, a spike in SMS quantity or velocity, or SMS logins from unusual geos.

Use SMS as second factor rather than a primary authentication measure

  • Another approach to limit your risk is to use SMS only as a secondary authentication factor.
  • For example, you can require users to verify their email prior to allowing them to interact with your SMS endpoints.

What to do if you suspect your app is experiencing toll fraud

If you believe your app is actively experiencing toll fraud, in addition to taking action to stop it on your end, please reach out to so we can help you to mitigate the fraud quickly and effectively.