SUPPORT.TWILIO.COM END OF LIFE NOTICE: This site, support.twilio.com, is scheduled to go End of Life on February 27, 2024. All Twilio Support content has been migrated to help.twilio.com, where you can continue to find helpful Support articles, API docs, and Twilio blog content, and escalate your issues to our Support team. We encourage you to update your bookmarks and begin using the new site today for all your Twilio Support needs.

Inbound Call Scam

 

Inbound Call Scam

Issue

Inbound call scams are a prevalent form of fraud where fraudsters use various tactics to deceive individuals into divulging personal information or making financial transactions. Fraudsters often run these scams by sending messages (such as SMS or emails) to potential victims, claiming there’s an urgent issue—like a suspicious withdrawal or account activity. The message instructs the victim to call a specific phone number if they did not initiate the action. In these cases, the fraudster may use a Twilio number as the callback number.  

These scams can be difficult to detect because the message and the callback number are separate and can be used to conduct fraud in several ways:

  • The victims may be directed to call a Twilio number, where the end user (fraudster) has access, in order to conduct fraud. It’s important to be aware of these tactics in order to stop abuse on your account and Twilio’s platform.   
  • Additionally, by controlling the initial outreach (the SMS or email) Fraudsters may rely on replies to the original sending method to conduct fraud without having access to the number provided in the outreach message.  

Product

Twilio Voice (Inbound), Trunking (Originating)

Cause

A fraudster can gain access to a Twilio number in several ways, typically by exploiting weaknesses in the onboarding, authentication, or compliance processes. Here’s how this can happen:

1. Weak or Incomplete KYC (Know Your Customer) Checks

•  If an ISV does not thoroughly verify the identity of its customers (for example, by not validating email addresses, business domains, or government-issued IDs), a fraudster can sign up using fake or stolen information.

 •  Sophisticated fraudsters may intentionally circumvent KYC checkpoints, and in some cases, Twilio direct signups are created with the specific intent to facilitate such fraudulent activity.

•  Once onboarded, the fraudster can obtain access to Twilio numbers through the ISV’s platform.

2. Account Takeover or Credential Theft

•  If a fraudster gains access to a customer’s account (e.g., via phishing, credential stuffing, or malware), they can control the numbers associated with that account.

3. Social Engineering or Fake Documentation

•  Fraudsters may submit fake compliance documents or use social engineering to trick the ISV’s support or compliance teams into approving access to Twilio numbers.

4. Abuse of Automated Flows

•  If the ISV’s platform allows users to provision numbers or send messages without sufficient rate limiting, verification, or monitoring, a fraudster can automate abuse.

Resolution

If you find an Inbound call scam fraud has occurred or if you would like to prevent such an incident, you should consider the following:

1. Weak or Incomplete KYC (Know Your Customer) Checks

•  Implement Multi-Factor KYC: Require multiple forms of identity verification, such as government-issued ID, business registration documents, and domain-based email validation.

•  Automate and Cross-Check Data: Use third-party KYC/AML (Anti-Money Laundering) services to validate customer information and flag inconsistencies.

•  Ongoing Monitoring: Periodically re-verify customer information and monitor for changes in business status or suspicious activity.

2. Account Takeover or Credential Theft

•  Enforce Strong Authentication: Require multi-factor authentication (MFA) for all user logins, especially for administrative actions.

•  Monitor for Suspicious Logins: Use anomaly detection to flag logins from unusual locations, devices, or IP addresses.

•  Educate Users: Provide security awareness training and clear guidance on phishing and password hygiene.

Note:  If you ever suspect unauthorized access, immediately review your account activity and update your credentials.  For more detailed instructions on securing your account, please refer to our Help Center article on Account Security.

3. Social Engineering or Fake Documentation

•  Manual Review for High-Risk Cases: Flag and manually review compliance documents that appear altered, inconsistent, or come from high-risk geographies.

•  Train Support/Compliance Teams: Regularly train staff to recognize social engineering tactics and verify requests through multiple channels.

•  Use Digital Verification Tools: Leverage document verification APIs and liveness checks to confirm authenticity of submitted documents.

4. Abuse of Automated Flows

•  Implement Rate Limiting: Set strict limits on how many numbers can be provisioned or messages sent per account per time period.

•  Add Step-Up Verification: Require additional verification (such as phone or email confirmation) before allowing bulk actions or high-value operations.

•  Monitor and Alert: Continuously monitor for unusual provisioning or messaging patterns and trigger alerts or automatic blocks for suspicious activity.

Additional Information 

If your account is secure, your call routing is as expected, and there are no unauthorized users or configuration changes, you can be confident that only your team is able to answer calls to your Twilio number. In this case, the fraudster would not be able to intercept or answer inbound calls—they would only be able to direct people to your number, not actually receive the calls themselves.

While you cannot always prevent someone from sharing your public phone number, you can take steps to reduce the risk and impact:

 •  Monitor for Unusual Call Patterns: Watch for spikes in inbound calls or calls with similar patterns (e.g., many callers asking about the same suspicious message).

 •  Educate Your Team: Make sure your staff is aware of the scam and knows how to respond if someone calls in referencing the fraudulent message.

 •  Set Up Call Flows or IVRs: Use Twilio’s programmable voice features to play a warning message to callers, such as: “If you received a suspicious message about your account, please be aware this is a scam. Do not provide any personal information.”

 •  Report the Scam: Work with your legal or compliance team to report the scam to relevant authorities or anti-fraud organizations.

 •  Communicate with Your Customers: Proactively notify your customers through your official channels (website, email, SMS) about the scam, and advise them on how to recognize legitimate communications from your business.

You do have control over how your number is used once a call reaches your systems. By implementing safeguards and clear messaging, you can help protect both your business and your customers from falling victim to these scams.

Additional Articles:

Why Am I Getting Angry Calls from People Who Say They Received a Call from my Twilio Phone Number?

I am Receiving Unwanted Calls or SMS messages on my Twilio number. What can I do?

Have more questions? Submit a request
We can’t wait to see what you build.
Powered by Zendesk