Fraud Shield
Verify Fraud Shield is a built-in security feature that helps protect your Verify applications from SMS pumping attacks. It monitors your SMS verification traffic in real time and blocks suspicious messages before they are sent, reducing your exposure to fraud and unwanted costs.
Enabling Fraud Shield
Fraud Shield is enabled by default for all Verify apps. No setup is required, though you can adjust the protection level or disable it from your app settings. For most use cases, we strongly recommend keeping Fraud Shield enabled to maintain protection against SMS fraud.
Protection Levels
Each Verify app can be configured with a Fraud Shield protection level based on your business needs:
- High – Strongest filtering, best suited for high-risk scenarios. May result in more false positives.
- Medium (default) – Balanced filtering with fewer false positives.
- Low – Minimal filtering, suitable for apps with a higher tolerance for fraud risk.
You can adjust this setting in Plivo Console > Verify > App Settings > Fraud Shield.
Note - A “false positive” refers to a legitimate verification attempt that is incorrectly blocked. While rare, they can occur, especially at higher protection levels.
How it works
Fraud Shield is built on top of Plivo’s proprietary detection model. It analyzes current and historical SMS traffic patterns to identify anomalies in destination countries, carriers, or number sequences that may indicate artificially inflated traffic. These insights are combined with known fraud patterns to block potentially harmful activity before it results in charges or abuse.
If an SMS delivery is blocked by Fraud Shield, you’ll see error code 452 in your error logs.
While we’ve built this system to help mitigate SMS pumping fraud as effectively as possible, please note that no system can offer a 100% guarantee of protection. We’re continuously refining our detection algorithms to provide the best possible coverage.
Preventing False Positives
Like any fraud prevention system, there’s a small chance that legitimate verification attempts may be flagged and blocked. Our team is committed to continually refining our models to reduce the risk of false positives while maintaining strong protection.
Read this article to learn more about how to reduce false positives.
Voice
Plivo can protect your account from fraud by restricting the set of countries your account can call. If, for example, you intend to place calls to numbers in North America only, you can disable call routes to all other continents. Similarly, if you’re running an inbound call center, or your use case doesn’t involve outbound calling to PSTN numbers, you can block outbound routes to all countries as a precautionary measure.
To manage geo permissions, navigate to Voice > Geo Permissions on the Plivo console.
Here you’ll see a list of all countries. You can filter the list by selecting specific geographic regions or countries. Geo permission configurations are applied immediately to all calls initiated via Plivo APIs.
Calling premium rate numbers
Premium rate numbers are a special case of voice calling. These numbers cost callers more than normal numbers. Part of that charge is paid to the service provider, which puts premium rate numbers at high risk of being exploited via traffic pumping, a type of telecom fraud in which bad actors artificially inflate traffic to their premium rate numbers. When done across countries, this type of toll fraud is known as International Revenue Share Fraud (ISRF).
Most businesses never need to call premium rate numbers, so by default Plivo blocks calls to all phone numbers with high-risk prefixes as a way to prevent unwanted charges.
Plivo has identified thousands of premium rate and high-risk prefixes. You can export a list of these prefixes from the Voice > Geo Permissions screen on the High-Risk Permissions tab. Plivo regularly updates this list based on factors such as the rates associated with the premium numbers, call patterns, and third-party trends.
If you have a legitimate need to make calls to premium rate or high-risk numbers, you can request activation of high-risk permissions for your account or a particular subaccount by contacting our support team and providing them with details of your use case.