This guide shows you how to use SMS Geo Permissions to reduce your exposure to SMS-based fraud and related unexpected financial risks.
Twilio supports sending SMS messages to many countries globally. While this capability provides you with a wide reach to serve your use cases, it is just as important to use the tools available to you to manage your exposure to risks such as SMS Pumping Fraud.
SMS Geo Permissions are one such tool. Configuring SMS Geo Permissions allows you to control the list of countries to which you can send SMS messages. Given the rise of fraud in the SMS ecosystem, Twilio recommends disabling destination countries your business doesn't use or uses infrequently as a line of defense against fraudulent activity.
By default a newly created account allows messages to be sent to your home country as determined by the phone number you verified during signup. You can follow the steps in the following How to change SMS Geo Permissions section to judiciously enable and disable SMS Geo Permissions by country.
Each country has its own regulatory framework governing the use of SMS messages. Regulatory provisions may differ by sender type and use case. They may include additional registration requirements and define prohibited use cases.
You are responsible for compliance with the applicable country-specific regulations. Please review the SMS Guidelines for a country before you consider enabling its SMS Geo Permissions.
As you decide whether to enable SMS Geo Permissions for additional countries, please make sure to review the What's Next? section at the end of this page for further guidance on ways to mitigate your risk exposure using Twilio products and best practices.
SMS Geo-Permissions can not be changed programmatically via the API for security reasons.
Only users with Account Owner and Account Admin profiles can modify SMS Geo Permissions.
SMS Geographic Permissions generally work based on the country code of the destination phone number. However, exceptions exist for political and historical alignments and some may not map strictly to a country's political or cultural boundaries.
Find the country or region for which you want to adjust the SMS Geo Permissions. You can do so by scrolling through the displayed listing arranged by continent or you can use the Filter by Country input control to narrow the search.
Once you have found the country or region whose permissions you want to adjust, use the checkbox control next to its name to enable or disable it.
Some countries or regions will have a High Risk marking next to their name. Twilio has assessed them to currently have the highest risk of SMS Traffic Pumping Fraud.
As conditions change, e.g. due to enforcement actions or evolving bad actor behavior, Twilio's continuous monitoring activities may lead to adjustments of its risk assessments and result in changes to which countries or regions are marked as High Risk.
Click on the High Risk marking to see a tooltip with additional information.
Press the Save geo permissions button. An appropriate dialog opens to ask for your confirmation to proceed with saving the changes.
Saved changes to SMS Geo Permissions take effect immediately.
As a result, as soon as you save the changes that disable the SMS Geo Permissions for a destination region, SMS to this destination will no longer be sent.
When trying to send an SMS to a recipient (to
) whose region has disabled SMS Geo Permissions, you will receive an Error 21408.
If your changes include the enabling of SMS Geo Permissions for one or more countries that were marked High Risk for fraudulent activity, a Risk Acknowledgement Confirmation Dialog is shown. The dialog contains the list of affected countries and asks you to acknowledge:
If you decide to proceed, check the I Acknowledge this risk checkbox and then press the Enable Geo Permissions button.
Otherwise, press the Cancel button and return to Step 2 - Adjust your SMS Geo Permission settings.
Even if your changes do not involve the enablement of high risk countries, a confirmation dialog is shown to remind you that saved geo permissions take immediate effect, including the blocking of SMS sent to disabled countries.
If you decide to proceed, press the Update geo permissions button.
Otherwise, press the Cancel button and return to Step 2 - Adjust your SMS Geo Permission settings.
If a confirmed update to the SMS Geo Permissions is successful, the success alert "Messaging geo permissions updated successfully" appears in the top right corner of the screen.
Depending on the complexity of your company or your use case, you may have decided to:
If that is the case, it is important to understand the role of permissions inheritance.
By default a subaccount inherits the SMS Geo Permissions settings of its parent account. Inheritance is only possible between a single parent and its owned subaccounts.
To control the SMS Geo Permissions of a subaccount independently of its parent account, a user with Account Owner or Account Administrator role has to disable inheritance for the subaccount.
Then you are able to individually change the SMS Geo Permissions for the subaccount following the process described in How to change SMS Geo Permissions.
If you utilize a Twilio Organization to manage multiple accounts, each account will have its own separate SMS Geo Permissions settings independent of other accounts in the same organization.
No SMS Geo Permissions settings can be inherited from the organization-level.
As a result, you must manage each account's SMS Geo Permissions individually following the steps in How to change SMS Geo Permissions.
You may wish to review which changes were made to SMS Geo Permissions. Event logs for SMS Geo Permission changes can be found in Console or requested programmatically using the Monitor Event REST API resource.
In order to audit SMS Geo Permission changes in Console, you can follow these steps:
Find and review entries with Event Type values of
sms-geographic-permissions.created
sms-geographic-permissions.deleted
sms-geographic-permissions.updated
The audit event details include:
For updated SMS Geo Permissions, the Property column of the Changes table will contain the name of the country for which a change was made and its Previous Value and Updated Value.
The Monitor Event API resource allows you to Read a list of monitored events for certain resource types and associated event types. Specifically for changes to the SMS Geo Permissions, you can obtain events for the resource type sms-geographic-permissions
which is associated with the following three event types:
sms-geographic-permissions.created
sms-geographic-permissions.deleted
sms-geographic-permissions.updated
Use the EventType parameter of the Read action to get a list of filtered SMS Geo Permission change events for any one of these event type values. To only see events within a specific time frame, you can additionally use the StartDate
and EndDate
parameters.
Now that you know which role SMS Geo Permissions play and how to manage them, check out the following information to further protect yourself from SMS-based fraud: