Prevent Fraud and Invalid Registrations

As global fraud risks increase, some attackers send a large number of SMS or voice verification requests to specific numbers to make money. In addition, many applications offer "benefits" that only new users can enjoy, and attackers use various methods to register false accounts in bulk to gain rewards.

• SMS pumping: Fraudsters send SMS messages to a series of numbers controlled by a specific mobile network operator (MNO) and share the resulting income.
• International Revenue Share Fraud (IRSF): Fraudsters target phone verification and generate a large number of voice calls to premium phone numbers to earn commissions.
• False registration: Attackers use scripts to create false accounts in bulk, obtain new user rewards, and then cash out.
  Their specific methods of profiting may differ, but they all result in you spending extra money without getting real users.

How to Determine if You're Under Attack？

The success rate/message delivery rate of verification rapidly declines or the number of verifications suddenly increases in unexpected countries/regions.

Recommended Measures

Deploy Detection Robots in the Verification Process

Products like Google reCAPTCHA can help detect and block robot traffic. For example, perform a check before each SMS OTP request to prevent automated scripts and bots. This will cause minimal friction for legitimate users.

Verification Frequency Limitations

Limit the frequency of verification requests to help prevent fraud and protect your application, such as:

• Maximum X verification messages requested per number within X seconds
• Maximum X verification messages requested per country/region within X seconds
• You can even design rate limitations based on user, IP, or device identifiers.

Rate limitations cannot completely prevent fraud, but they can slow down attackers to the point where they don't think it's worth attacking your application.

Voice Verification Channel as an Alternative, Only Available on the Third Attempt

Due to the increasing prevalence of International Revenue Share Fraud (IRSF), we recommend not offering the "call me" option at the beginning but only after three SMS attempts.

Implement Geographic Permission Restrictions

You must have a clear business purpose, so verification requests from other countries/regions should be suspect.
Set geographic verification permissions and disable all countries/regions where you don't intend to send messages to prevent malicious attackers from creating unnecessary verification requests and wasting SMS or voice costs.

Check Phone Numbers Before Sending

Check the type of line for the number before sending. At least identify invalid, landline, and mobile numbers and only send SMS to mobile numbers.

Monitor the Verification Success Rate of One-Time Passwords (OTPs) and Create Alerts

We recommend monitoring changes in the verification success rate in real-time. If you find that the verification success rate is rapidly declining or the number of verifications suddenly increases in unexpected countries/regions, you should pay close attention. They may come from some malicious attackers.
We recommend designing some trigger alerts to remind you when abnormal thresholds are reached. YCloud Verify has built-in security alert triggers that you can easily configure on the interface to receive abnormal alerts.