Skip to main content
This guide goes deep on the operational side of protecting your Telnyx Verify integration — server-side rate limiting architectures, geo-fencing, anomaly detection, cost controls, and incident response. For foundational security concepts, see the Security Best Practices guide.

Architecture overview

A robust fraud prevention system layers multiple defenses:
Each layer catches different attack patterns. No single defense is sufficient on its own.

Server-side rate limiting with Redis

Production rate limiting requires a distributed store. These examples use Redis for shared state across multiple application instances.

Sliding window rate limiter

Geo-fencing

Restrict verifications to countries where your service operates. This is the single most effective defense against SMS pumping.

Configure on Verify profile

Application-level geo-validation

Add server-side validation before calling the API as a defense-in-depth measure:

High-risk country codes

These country codes are frequently targeted for SMS pumping and toll fraud. Block or add extra scrutiny:
Note: These are statistical patterns, not blanket rules. If you serve users in these countries, implement stronger rate limiting rather than blocking.

Anomaly detection

Build automated detection for suspicious patterns beyond simple rate limits.

Conversion rate monitoring

A healthy verification flow has a 60-80% conversion rate (codes sent vs. codes verified). A rate below 20% may indicate an attack.

Sequential number detection

SMS pumping often uses sequential phone numbers. Detect and block this pattern:

Cost controls

Set spend alerts

Monitor your Telnyx account spending and set alerts at the account level through the Telnyx Portal billing settings.

Implement circuit breakers

Automatically disable verifications when anomalies are detected:

Incident response

When you detect a fraud attack in progress:
1

Immediately: Enable circuit breaker

Stop all verification sends to limit financial damage.
2

Investigate: Check patterns

Look at the destination countries, IP addresses, and phone number patterns in your logs.
3

Block: Update allowlists

Remove affected countries from your Verify profile’s whitelisted_destinations.
4

Recover: Tighten limits

Reduce rate limits, add CAPTCHA if not present, and re-enable verifications gradually.
5

Contact Telnyx Support

Report the incident to Telnyx Support for investigation and potential charge reversal.

Configuration reference

Summary of all Verify profile settings relevant to fraud prevention:

Next steps

Security Best Practices

Foundational security concepts for Verify

Verify Quickstart

Get started with Telnyx Verify

Webhooks

Real-time verification delivery status

Custom Templates

Brand your verification messages