What is SMS toll fraud aka SMS pumping?

SMS toll fraud, sometimes known as SMS pumping, is a form of fraud where bad actors partner with complicit telecom providers to send large amounts of traffic to unprotected SMS endpoints.

While the fraud mechanism itself is complex, the implications are fairly simple: if you choose to use SMS One-Time Passcodes (OTPs) as an authentication method for your app, you should take precautions to ensure that your SMS endpoints are protected from abuse. While Stytch has some built-in precautions in place to help prevent this, you are ultimately responsible for the SMS or WhatsApp costs your Stytch Project incurs, which in the case of a large attack can run to thousands of dollars.

In this guide, we’ll provide additional context on how toll fraud works, explain what protections Stytch has in place, and offer suggestions for how to prevent it for your own app.

How Toll Fraud Works

For toll fraud, the end goal is to generate revenue for the telecom operators that SMS vendors, like Twilio and MessageBird, pay to deliver SMS to end users. In SMS pumping attacks, fraudsters collude with telecom Mobile Network Operators (MNOs) in exchange for a share of the profits that MNOs receive from charging SMS vendors to deliver SMS messages to the MNO’s users.

For fraudsters, the attack playbook for SMS pumping is as follows:

  1. Find apps that expose a way to send SMS messages.
  2. Use bots to send SMS messages to tens of thousands of phone numbers, often spoofing simple characteristics like IP address and User-Agent to avoid detection.
  3. The fraudsters running the bots take a percentage of the inflated revenue received by MNOs who deliver the messages locally for third parties like Twilio.

This is a classic example of the game theory of application security in action: any time an internet resource (such as an SMS endpoint) that provides enough monetization potential is exposed, fraudsters will find a way to exploit it. It’s the same reason compute platforms are commonly abused by crypto miners to obtain free computation resources.

Early warning indicators of SMS toll fraud

If you’re experiencing a toll fraud / SMS pumping attack, you may notice one or more of the following signals:

A sudden increase in SMS message quantity or velocity

  • Since the fraud is usually performed with bots, you’ll notice a large number of messages being sent over a short period of time.

Messages sent to consecutive phone numbers or a single geography

  • Often during toll fraud attacks, attackers will use ‘blocks’ of numbers that are consecutive or have similar prefixes, e.g. the first seven digits match. This also means that toll fraud tends to be concentrated in a single geography.
  • These similar numbers are likely all managed by the same mobile network operator, which is a telltale sign of SMS toll fraud.

A low SMS send-to-authentication ratio

  • Since the intent of the attacker is not to take over a user’s account or create new accounts, only to send SMS messages, there will be no attempt to authenticate any of the OTP codes that are sent.
  • As a result, if a low percentage of SMS OTP users are actually authenticating, this may be an indicator of toll fraud.
  • This could also indicate genuine messaging downtime, i.e. messages aren’t reaching end users; check out our guide on how to troubleshoot SMS and WhatsApp messages.
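The three indicators above can be checked mechanically against your own OTP send and verify events. The following is an added example, not Stytch code: it runs over a constructed event log (two real users followed by a bot burst) and flags a velocity spike, a cluster of numbers sharing the same first seven digits, and a low send-to-authentication ratio; the event format and the thresholds are assumptions to tune for your traffic.

```python
from collections import Counter
from datetime import datetime

# Constructed sample event log (not real Stytch data). Each entry is
# (ISO timestamp, event, E.164 phone); "send" = SMS OTP requested,
# "auth" = that OTP was verified. Two real users, then a bot burst.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "send", "+12025550101"),
    ("2024-05-01T10:00:30", "auth", "+12025550101"),
    ("2024-05-01T10:05:00", "send", "+13105550199"),
    ("2024-05-01T10:05:40", "auth", "+13105550199"),
] + [
    # Eight sends within seconds to consecutive numbers sharing one prefix.
    (f"2024-05-01T10:20:0{i}", "send", f"+44791000000{i + 1}") for i in range(8)
]

def sends_per_minute(events):
    """Indicator 1: send velocity, as a {minute bucket: send count} map."""
    return Counter(datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")
                   for ts, kind, _ in events if kind == "send")

def prefix_clusters(events, prefix_len=7):
    """Indicator 2: sends grouped by leading digits (first seven by default)."""
    return Counter(phone.lstrip("+")[:prefix_len]
                   for _, kind, phone in events if kind == "send")

def send_to_auth_ratio(events):
    """Indicator 3: share of sent OTPs whose recipient ever verified one."""
    sends = sum(1 for _, kind, _ in events if kind == "send")
    authed = {phone for _, kind, phone in events if kind == "auth"}
    return len(authed) / sends if sends else 1.0

def toll_fraud_signals(events, max_sends_per_minute=5, max_prefix_cluster=5,
                       min_auth_ratio=0.5):
    """Evaluate each early-warning indicator against an assumed threshold."""
    velocity = sends_per_minute(events)
    clusters = prefix_clusters(events)
    ratio = send_to_auth_ratio(events)
    return {
        "velocity_spike": max(velocity.values(), default=0) > max_sends_per_minute,
        "prefix_cluster": max(clusters.values(), default=0) > max_prefix_cluster,
        "low_auth_ratio": ratio < min_auth_ratio,
        "auth_ratio": round(ratio, 2),
    }

if __name__ == "__main__":
    print(toll_fraud_signals(SAMPLE_EVENTS))
```

Run against only the first four events (the legitimate users) none of the signals fire; the burst trips all three.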

How Stytch helps mitigate toll fraud across our platform

We take several steps to help prevent toll fraud on our platform above and beyond what our messaging providers offer.

Rate limits

  • Since attacks tend to have common patterns like those mentioned above, we have several layers of rate limiting in place to mitigate the size and scope of toll fraud attacks across our platform.
  • Because toll fraud and real user traffic can sometimes look similar, e.g. a big launch to a new geo-locale, we balance their sensitivity to ensure that we won’t ever block real user traffic.

Smart country selection

  • By default, Stytch disables a number of high risk countries. You can find the full list on our unsupported countries reference.
  • For customers who used Stytch SMS OTP before October 2023, we allow SMS to be sent to any supported international country by default. However, we also let you restrict that list to just USA and Canada; just reach out to support@stytch.com and we can help you do so.
  • For customers who did not use SMS prior to October 2023, SMS to phone numbers outside of the US and Canada is disabled by default (if you're interested in sending international SMS, please reach out to support@stytch.com, and we can enable it for you).

Alerting and monitoring

  • Our on-call team has robust alerting and monitoring in place across several factors to ensure that we’re aware of and able to help mitigate manually if attackers have compromised your app.

While these protections lower the impact of a toll fraud attack, they typically will not fully prevent one. We want to ensure that the balance tips in favor of protecting your uptime rather than preventing real users from logging into your app.

We usually see these built-in protections lower the impact of an attack by 75-90%. However, we still strongly recommend taking additional precautions to limit your risk, as large attacks may generate thousands of dollars in SMS costs. Note that the SMS send attempts still originate from your app, but Stytch blocks them before they are sent, so you do not incur the cost of those messages.
