1. Overview — What This Page Covers
This page describes the fraud threats targeting A2P SMS services, and the tools smsroute provides to detect, prevent, and respond to those threats. It supplements — and should be read alongside — the Terms of Service and the Privacy Policy.
smsroute's fraud protection is included on every plan. There is no paid add-on, no per-verification charge, and no enterprise tier required to access traffic monitoring, destination blocklists, velocity gates, or HLR lookup.
2. Fraud Threats Targeting SMS Services
The following fraud patterns are the most common threats to A2P SMS services. Each is addressed by specific smsroute features in Sections 3 and 4.
SMS Pumping
Attackers request OTPs or verification codes at scale to inflate outbound message volume — profiting from the spread between what they charge and the per-message cost.
Account Takeover
Bad actors use SIM swap attacks, stolen credentials, or phishing to seize control of user accounts, then request OTP resends to drain messaging budget or commit fraud.
Bot Attacks
Automated scripts create fake accounts or flood OTP endpoints with requests — using your service to verify stolen or generated phone numbers at scale.
Promo Abuse
Fraudsters exploit sign-up bonuses, referral codes, and one-time promo offers — creating fake accounts or sharing codes across networks to extract maximum value.
SIM Swap
Criminals trick carriers into transferring a phone number to their SIM, then receive OTP codes sent to that number to authenticate and hijack accounts.
Impersonation
Attackers impersonate trusted brands in SMS — sending phishing messages that appear to originate from your sender ID to harvest credentials or install malware.
3. Included Protection Features
All features in this section are included on every smsroute plan at no additional charge.
3.1 Traffic Pattern Monitoring
smsroute monitors per-account request velocity, destination concentration, and routing anomalies in real time on every API request. Sudden spikes in OTP volume — particularly from a single source IP or directed toward a narrow set of phone number prefixes — are flagged and rate-limited before they generate billable events.
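The two signals named above, destination concentration and a per-source-IP spike, can also be checked against your own OTP request log. The sketch below is an added example, not smsroute's code; the thresholds, the prefix length, the function names and the sample log are all assumptions constructed for illustration.

```python
from collections import Counter

# All thresholds are assumed values for illustration, not smsroute defaults.
WINDOW_S = 300          # analysis window in seconds
PREFIX_LEN = 7          # "+" and the first 6 digits approximate a number range
MAX_PREFIX_SHARE = 0.5  # flag when one prefix receives over half the window's OTPs
MAX_PER_IP = 20         # flag when one source IP exceeds this many requests
MIN_EVENTS = 10         # below this, there is too little traffic to judge


def analyse(events, now):
    """Return [(signal, key, count)] for the window ending at `now`.

    events: iterable of (unix_ts, source_ip, e164_number) tuples.
    """
    recent = [e for e in events if now - WINDOW_S < e[0] <= now]
    if len(recent) < MIN_EVENTS:
        return []
    findings = []
    by_prefix = Counter(number[:PREFIX_LEN] for _, _, number in recent)
    prefix, hits = by_prefix.most_common(1)[0]
    if hits / len(recent) > MAX_PREFIX_SHARE:
        findings.append(("destination_concentration", prefix, hits))
    by_ip = Counter(ip for _, ip, _ in recent)
    for ip, hits in sorted(by_ip.items()):
        if hits > MAX_PER_IP:
            findings.append(("source_ip_spike", ip, hits))
    return findings


def sample_events():
    """Constructed log: 12 spread-out requests, then a 30-request burst
    from one IP toward sequential numbers in a single range."""
    normal = [(1000 + 20 * i, f"198.51.100.{i + 1}", f"+1{212 + i}55501{i:02d}")
              for i in range(12)]
    burst = [(1200 + i, "203.0.113.7", f"+2348012345{i:03d}")
             for i in range(30)]
    return normal + burst


if __name__ == "__main__":
    log = sample_events()
    print(analyse(log, now=1190))  # window ends before the burst
    print(analyse(log, now=1230))  # burst falls inside the window
```
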
3.2 Destination Blocklists
High-risk destination countries and premium rate ranges known for SMS pumping activity are pre-flagged in the smsroute routing system. Account holders can apply custom blocklists and allowlists via the dashboard or API to control which destinations their OTP traffic reaches. Blocklists are applied at the routing layer before any message is submitted to a carrier.
3.3 Velocity Gates
Per-account, per-IP, and per-endpoint rate limits are configurable on every smsroute account. Configurable windows (for example, a maximum of 5 OTP requests per phone number per hour) prevent burst attacks without blocking legitimate retry attempts. Limits are enforced before the API returns a response — meaning you are not billed for blocked requests.
3.4 Spend and Volume Alerts
Set threshold alerts on the dashboard. When OTP volume or spend exceeds a defined limit within a rolling window, smsroute sends an immediate notification to the account email address — so you can investigate before a spike becomes a bill. Alerts are configurable per endpoint, per country, and per hour or per day.
3.5 HLR Number Validation
Before sending an OTP, validate the destination phone number using HLR (Home Location Register) lookup. HLR returns the current status of the number — active, inactive, ported, or roaming — from the carrier's own record. Invalid or disconnected numbers are identified before OTP delivery, reducing waste on unreachable destinations and flagging high-risk numbers for step-up verification.
3.6 Source IP Reputation
Every SMS API request is scored against a source IP reputation database. IPs associated with botnets, VPN exits, proxy networks, or Tor exit nodes can be blocked or rate-limited based on configurable thresholds. IP reputation scoring is applied automatically and does not require manual configuration.
4. Per-Threat Feature Reference
The following table maps each fraud threat to the specific smsroute features that address it.
| Fraud Threat | smsroute Features | Configure In |
|---|---|---|
| SMS Pumping | Traffic pattern monitoring, destination blocklists, velocity gates, spend alerts | Dashboard / API |
| Account Takeover | Multi-channel OTP fallback (email, TOTP), HLR lookup, SIM swap risk signal | Dashboard / API |
| Bot Attacks | Source IP reputation, velocity gates, HLR number validation | Dashboard / API |
| Promo Abuse | HLR number validity, same-number detection, geographic risk signals | API (webhook logic) |
| SIM Swap | HLR lookup (ported status flag), step-up verification prompt | API (application logic) |
| Impersonation | Sender-ID registration, compliant sender-ID policy enforcement | Dashboard |
5. What Is Not Covered by smsroute Fraud Protection
smsroute acts as a data controller for routing and a processor for message content as described in the Privacy Policy. The following are outside the scope of smsroute's fraud protection features:
- Application-layer authentication logic. smsroute delivers OTP codes reliably; it does not build your authentication flow. You are responsible for implementing account lockout policies, step-up verification after suspicious activity, and brute-force protection in your application layer.
- SIM swap detection at the carrier level. HLR lookup can detect whether a number has been ported recently, but smsroute does not have direct access to carrier SIM swap event logs. SIM swap risk signals should be used as one input among several in your authentication decision.
- Content of messages. smsroute does not pre-screen message content for phishing links or impersonation attempts. Sender-ID registration is required for branded sender IDs (alphanumeric senders above 6 characters); compliance with carrier impersonation policies remains the customer's responsibility.
- End User consent management. Obtaining and documenting valid opt-in consent from message recipients is the customer's sole responsibility. smsroute provides guidance on compliant consent capture in the GDPR Double Opt-in SMS Template, but consent management is outside the scope of fraud protection features.
6. How to Configure Fraud Protection
6.1 Destination Blocklists and Allowlists
Navigate to Settings → Routing → Destinations in the dashboard. Use the destination picker to block or allow specific countries, mobile network operators (MNCs), or numeric ranges. Blocklists take precedence over allowlists. Changes take effect within seconds.
Via API:
```
GET /v1/routing/blocklist?country=NG

POST /v1/routing/blocklist
{"country": "NG", "mnc": "01", "reason": "SMS_PUMPING_RISK"}
```
6.2 Velocity Gates
Navigate to Settings → Rate Limits → OTP Endpoints. Set per-number, per-IP, and per-account limits. The default is 10 OTP requests per phone number per hour. To set a stricter limit for a specific endpoint:
```
PUT /v1/endpoints/{endpoint_id}/rate_limit
{
  "requests_per_hour": 5,
  "requests_per_number_per_hour": 3,
  "block_duration_seconds": 300
}
```
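Section 5 leaves brute-force protection in the application layer to you, so the same gate can be mirrored in front of your own OTP send call. This is an added example, not smsroute's implementation: the class and function names are hypothetical, and the reading of `block_duration_seconds` as a cool-down that starts when the limit is hit is an assumption.

```python
from collections import defaultdict, deque


class VelocityGate:
    """Sliding-window limit per phone number with a cool-down after a breach."""

    def __init__(self, requests_per_number_per_hour=3,
                 block_duration_seconds=300, window_seconds=3600):
        self.limit = requests_per_number_per_hour
        self.block = block_duration_seconds
        self.window = window_seconds
        self._sent = defaultdict(deque)   # number -> timestamps of allowed sends
        self._blocked_until = {}          # number -> unix time the block ends

    def allow(self, number, now):
        """Return (allowed, retry_after_seconds) for a request at time `now`."""
        until = self._blocked_until.get(number, 0)
        if now < until:
            return False, until - now     # still blocked; the block is not extended
        sent = self._sent[number]
        while sent and sent[0] <= now - self.window:
            sent.popleft()                # drop sends that have left the window
        if len(sent) >= self.limit:
            self._blocked_until[number] = now + self.block
            return False, self.block
        sent.append(now)
        return True, 0


def replay(gate, number, times):
    """Feed constructed request times through the gate; return the decisions."""
    return [gate.allow(number, t) for t in times]
```

Only allowed sends are counted toward the window, so a legitimate user who retries after the cool-down is judged on what was actually sent, not on the rejected attempts.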
6.3 Spend Alerts
Navigate to Settings → Alerts → Spend Thresholds. Enter a USD threshold and an email address to notify. Alerts can be scoped to a specific endpoint or apply to the entire account.
6.4 HLR Lookup
Validate a phone number before sending an OTP:
```
GET /v1/lookup/hlr?number=%2B2348012345678
```
The leading + of the number is URL-encoded as %2B, because a bare + in a query string is decoded as a space. The response includes: status (active/inactive/ported), ported (true/false), roaming (true/false), operator_mccmnc, and a risk_score (0–100). Numbers with a risk_score above your configured threshold should require step-up verification.
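Because a high-risk HLR result is advisory only, the decision has to live in your application. The function below is an added example, not smsroute's code: it uses the response fields listed above, while the function name, the threshold of 60, the reason strings and the choice to fall back to step-up verification on a malformed response are assumptions.

```python
import json

RISK_THRESHOLD = 60   # assumed value; the threshold is yours to configure
KNOWN_STATUS = ("active", "inactive", "ported")


def otp_decision(body, threshold=RISK_THRESHOLD):
    """Map a raw HLR response body to ('send' | 'step_up' | 'reject', reasons)."""
    try:
        hlr = json.loads(body)
    except (TypeError, ValueError):
        return "step_up", ["unparseable_response"]
    if not isinstance(hlr, dict) or hlr.get("status") not in KNOWN_STATUS:
        return "step_up", ["unrecognised_status"]
    if hlr["status"] == "inactive":
        return "reject", ["number_inactive"]   # unreachable: do not spend an OTP
    reasons = []
    if hlr["status"] == "ported" or hlr.get("ported") is True:
        reasons.append("ported")               # possible SIM swap or port-out
    score = hlr.get("risk_score")
    numeric = isinstance(score, (int, float)) and not isinstance(score, bool)
    if not numeric or not 0 <= score <= 100:
        reasons.append("invalid_risk_score")   # missing or out of range: fail safe
    elif score > threshold:
        reasons.append("risk_score_above_threshold")
    return ("step_up" if reasons else "send"), reasons
```
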
7. Response Procedures — What Happens When Fraud Is Detected
When smsroute's routing layer detects a potential fraud event, the following response procedures apply:
| Trigger | Automatic Action | Notification | Customer Action |
|---|---|---|---|
| Velocity limit exceeded | Request blocked; HTTP 429 returned | Optional alert if configured | Review endpoint logs; adjust limit if legitimate surge |
| Destination blocklist match | Message not submitted to carrier | Optional alert if configured | Remove from blocklist if destination is legitimate |
| Suspicious traffic spike (AI signal) | Account-level rate limit applied; messages queued for review | Email to account-of-record | Contact support@smsroute.cc to review; request unqueue if legitimate |
| High-risk HLR result | None (advisory only) | None automatic | Implement step-up verification in application layer |
| Source IP blocklist match | Request blocked; HTTP 403 returned | Optional alert if configured | Whitelist IP if required for your infrastructure |
smsroute's fraud response team reviews high-severity signals and may contact account holders directly if a sustained fraud pattern is detected. Account suspension for fraud is handled per Section 10 (Term, Termination, and Survival) of the Terms of Service.
8. Comparison with Other Providers
The following table compares smsroute's fraud protection model with other major SMS providers.
| Feature | smsroute | Typical Provider A | Typical Provider B |
|---|---|---|---|
| Traffic pattern monitoring | Included (all plans) | Paid add-on | Enterprise only |
| Destination blocklists | Included (all plans) | Paid add-on | Included |
| Velocity gates | Included (all plans) | Paid add-on | Included |
| HLR lookup | Included (all plans) | $0.005–$0.01 per lookup | $0.004 per lookup |
| Spend alerts | Included (all plans) | Email only | Email + dashboard |
| Source IP reputation | Included (all plans) | Not offered | Not offered |
| Routing-layer blocking | Yes — blocked before carrier submission | Alert only — you pay first | Alert only — you pay first |
9. Related Resources
- How OTP Delivery Works — Step-by-step walkthrough of how SMS OTPs are routed, authenticated, and delivered, with fraud checkpoints at each stage.
- GDPR Double Opt-in SMS Template — Compliant consent capture and verification flow for EU users, including welcome message and unsubscribe keyword handling.
- SMS for 2FA — Integration guide for using smsroute to deliver two-factor authentication codes, with code samples and checklists.
- smsroute vs Twilio — Detailed comparison of fraud protection features, pricing, and routing quality.