How Toll Fraud Works
The end goal of toll fraud is to generate revenue for the telecom operators that SMS vendors, like Twilio and MessageBird, pay to deliver SMS to end users. In SMS pumping attacks, fraudsters collude with telecom Mobile Network Operators (MNOs) in exchange for a share of the profits that MNOs receive from charging SMS vendors to deliver SMS messages to the MNO’s users. For fraudsters, the attack playbook for SMS pumping is as follows:

- Find apps that expose a way to send SMS messages.
- Use bots to send SMS messages to tens of thousands of phone numbers, often spoofing simple characteristics like IP address and User-Agent to avoid detection.
- The fraudsters running the bots take a percentage of the inflated revenue received by MNOs who deliver the messages locally for third parties like Twilio.
Early warning indicators of SMS toll fraud
If you’re experiencing a toll fraud / SMS pumping attack, you may notice one or many of the following factors:

A sudden increase in SMS message quantity or velocity

Since the fraud is usually performed with bots, you’ll notice a large number of messages being sent over a short period of time.

Messages sent to consecutive phone numbers or a single geography

Often during toll fraud attacks, attackers will use ‘blocks’ of numbers that are consecutive or have similar prefixes, e.g. the first seven digits match. This also means that toll fraud tends to be concentrated in a single geography. These similar numbers are likely all managed by the same mobile network operator, which is a telltale sign of SMS toll fraud.

A low SMS send to authentication ratio

Since the intent of the attacker is not to take over a user’s account or create new accounts, only to send SMS messages, there will be no attempt to authenticate any of the OTP codes that are sent. As a result, if a low percentage of SMS OTP users are actually authenticating, this may be an indicator of toll fraud. It could also indicate genuine messaging downtime, i.e. messages aren’t making it to end users; see our guide on how to troubleshoot SMS and WhatsApp messages.

How Stytch helps mitigate toll fraud across our platform
We take several steps to help prevent toll fraud on our platform above and beyond what our messaging providers offer.

Rate limits

Since attacks tend to have common patterns like those mentioned above, we have several layers of rate limiting in place to mitigate the size and scope of toll fraud attacks across our platform. Because toll fraud and real user traffic can sometimes look similar, e.g. a big launch in a new geo-locale, we balance the sensitivity of these limits to ensure that we won’t ever block real user traffic.

Custom country code allowlists

By default, new projects can only send SMS and WhatsApp OTPs to phone numbers in the US and Canada. To customize the countries to which your app can send SMS or WhatsApp OTPs, you can configure allowed country codes through the Dashboard or using Programmatic Workspace Actions.

Alerting and monitoring

Our on-call team has robust alerting and monitoring in place across several factors to ensure that we’re aware of an attack and able to help mitigate it manually if attackers have compromised your app.

While these protections are able to lower the impact of a toll fraud attack, they typically will not fully prevent it. We want to ensure that the balance tips in favor of protecting your uptime rather than preventing real users from logging into your app. We usually see these built-in protections lower the impact of an attack by 75-90%. However, we still strongly recommend taking additional precautions to limit your risk, as large attacks may generate thousands of dollars in SMS costs. Note that the SMS send attempts still originate from your app, but Stytch prevents them from being sent, so you do not incur the cost of sending those SMS messages.
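As an added example, not code from Stytch’s documentation or platform, the script below applies the early warning indicators described above (send velocity, consecutive destination numbers, and the send-to-authentication ratio) to a constructed OTP event log, and then shows a hypothetical app-side gate of the kind the rate limit and country code allowlist sections describe, to run in your own app before a send reaches the provider. Everything in it is assumed: the log format, the detection thresholds, the `SmsGate` class with its per-number and per-prefix limits, and the simplification that a country is identified by its E.164 calling code alone.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample OTP event log, not real traffic. Each entry is
# (ISO timestamp, destination number in E.164 form, "send" or "verify").
SAMPLE_LOG = [
    ("2024-01-01T10:00:00", "+15551230001", "send"),
    ("2024-01-01T10:00:25", "+15551230001", "verify"),
    ("2024-01-01T10:02:10", "+15551230002", "send"),
    ("2024-01-01T10:02:40", "+15551230002", "verify"),
    ("2024-01-01T10:03:05", "+14155550100", "send"),
] + [  # a bot burst: 20 consecutive numbers, one prefix, never verified
    ("2024-01-01T10:10:%02d" % (2 * i), "+22123456%04d" % (1000 + i), "send")
    for i in range(20)
]

def _sends(log):
    return [(datetime.fromisoformat(ts), num) for ts, num, ev in log if ev == "send"]

def send_velocity_peak(log, window_seconds=60):
    """Largest number of sends inside any sliding window of window_seconds."""
    times = sorted(t for t, _ in _sends(log))
    peak = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def longest_consecutive_run(log):
    """Longest run of distinct destination numbers that step up by exactly one."""
    nums = sorted({int(num[1:]) for _, num in _sends(log)})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def verify_ratio(log):
    """Share of distinct destinations that went on to verify their OTP."""
    sent = {num for _, num in _sends(log)}
    verified = {num for _, num, ev in log if ev == "verify"}
    return len(sent & verified) / len(sent) if sent else 1.0

def assess(log, velocity_threshold=10, min_run=5, min_verify_ratio=0.5):
    """Names of the early-warning indicators that fired (thresholds are assumed)."""
    checks = [
        ("velocity", send_velocity_peak(log) >= velocity_threshold),
        ("consecutive", longest_consecutive_run(log) >= min_run),
        ("low_verify_ratio", verify_ratio(log) < min_verify_ratio),
    ]
    return [name for name, fired in checks if fired]

# Assumption: a country is identified by its E.164 calling code alone. +1 covers the
# whole North American Numbering Plan, so production code needs a phone-number library.
class SmsGate:
    """Hypothetical app-side gate to run before handing a send to the SMS provider."""
    def __init__(self, allowed_calling_codes=("1",), per_number_limit=3,
                 per_prefix_limit=25, window=timedelta(minutes=10)):
        self.allowed = set(allowed_calling_codes)  # ("1",) approximates the US/Canada default
        self.per_number_limit = per_number_limit
        self.per_prefix_limit = per_prefix_limit
        self.window = window
        self._by_number = {}  # number -> deque of recent send times
        self._by_prefix = {}  # 7-digit prefix -> deque of recent send times

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def check(self, number, now):
        """Return (allowed, reason); a permitted send is recorded against its limits."""
        if not number.startswith("+") or not number[1:].isdigit():
            return False, "malformed_number"
        digits = number[1:]
        if not any(digits[:n] in self.allowed for n in (1, 2, 3)):
            return False, "country_not_allowed"
        nq = self._by_number.setdefault(number, deque())
        pq = self._by_prefix.setdefault(digits[:7], deque())
        self._prune(nq, now)
        self._prune(pq, now)
        if len(nq) >= self.per_number_limit:
            return False, "per_number_limit"
        if len(pq) >= self.per_prefix_limit:
            return False, "per_prefix_limit"
        nq.append(now)
        pq.append(now)
        return True, "ok"

def demo_gate():
    """Run constructed sends through a gate; returns the decision reasons in order."""
    gate = SmsGate(allowed_calling_codes=("1", "221"), per_prefix_limit=5)
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    reasons = [gate.check("+15551230001", t0 + timedelta(seconds=s))[1] for s in range(4)]
    reasons.append(gate.check("+33612345678", t0)[1])  # calling code not on the allowlist
    reasons += [gate.check("+22123456%04d" % (1000 + i), t0)[1] for i in range(6)]
    reasons.append(gate.check("+221234561000", t0 + timedelta(minutes=11))[1])  # window expired
    return reasons
```

On the constructed log, `assess` flags all three indicators for the burst and none for the handful of genuine logins that precede it; the thresholds are tuning knobs, and in practice you would set them from your own baseline so that a launch in a new geo-locale does not trip them. The per-prefix limit in `SmsGate` is the app-side counterpart of the ‘block of numbers’ pattern: sends to many distinct numbers that share their first seven digits are throttled together even though each number is seen only once. This gate complements rather than replaces the provider-side protections described above, and its calling-code check cannot distinguish the US and Canada from other +1 countries, which is why a real phone-number library belongs in production code.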