Ask HN: Twilio suspended account because someone sent us a fraud text

164 points by ChrisDutrow over 3 years ago

I have a very weird problem with Twilio. It seems like they have gotten so big that they have started acting in bad faith.

I'm curious to find out what other entrepreneurs think of this situation, where a partner, once trusted, and on which a technical foundation has been built, has now shown itself to be acting in bad faith.

Every once in a while, some scammer will send a phishing text message to one of our phone numbers. Here is an example: """ Your Facebook account has been placed on hold for verification. To avoid account suspension, Please visit: https://opensopstat.com/ """

The message will be relayed to an employee's cell phone, as is what happens with all text messages. Now Twilio thinks our account was hacked and someone is sending phishing text messages from it.

The latest time this happened, the account was immediately suspended by an automated system. They did not communicate to us that this happened or why it happened. I had to fill out a support ticket and wait about 3 hours for a response before I even knew what the problem was. This happened at night, so no one knew there was even a problem until the next morning when business operations resumed and the phones didn't work.

It's bad enough that they shut down the phone system for my entire company because of their mistake, but in order to get the system back online, I have to go through their ticketing process that is only through e-mail, where it takes hours or days to receive a response. If I want to speak with someone on the phone, which probably would have gotten the problem resolved more immediately, I have to pay $1,500 per month for their phone tech support. Obviously this is an unreasonable amount to pay. I don't need tech support, I just need someone to call, explain the situation to, and have them click a button.

We pay them about $600 a month and have been working with them for over 10 years. I understand their profit margins might be thin? But are they really that thin? And if so, there should be a more reasonable phone option. I don't need to speak with an engineer, I just need to speak with someone who can click a button and unblock the account.

Temporarily, I will re-program the system so that it does not forward text message content to my employees' phone numbers. Which is fine. But my bigger problem is what do I do now? If they're willing to shut my system down without even giving me a number to call, what else are they going to do to me in the future?

The way in which they have been so cavalier with me is a red flag. And if I'm being honest, it does make me angry how they are willing to so readily damage my company in such a profound way AUTOMATICALLY without giving me a way to talk with them. I understand they may have a big phishing problem and will need to use automated software to help, but it is very reckless to not have this counter-balanced with a reasonable way for legitimate customers to even contact them after the suspension.

Are there other API-driven VOIP options that I should be considering, bearing in mind that it would be expensive to re-write the software to work with another vendor? Or is there some way I should be looking to work things out with them?

What do you guys think?

27 comments

fatnoah over 3 years ago

> Temporarily, I will re-program the system so that it does not forward text message content to my employees' phone numbers.

I might be reading this wrong, but it sounds like you take inbound text messages to one number and then send outbound messages with the same content to employee phone numbers. Is that right? If so, that sounds like you're SENDING the spam messages in addition to receiving them. Regardless, it sounds like customer service needs to be improved, though.

jrockway over 3 years ago

My thought is that for any business-critical service, you need to have bought the service from person-to-person sales channels. Many boring meetings where they walk you through a slideshow of their service even though you already have it working. Many meetings worth of negotiating a price that's 10x the off-the-shelf price. All instead of, you know, making your product. It's just the cost of doing business -- $5/user/month if you're ok with them shutting you down because of a malfunctioning cron job, $30,000/year + meetings if you want someone's email that has to look into your problem. That's how software is these days, and unfortunately, literally everyone wants a piece. No task is too trivial to justify a 5 figure yearly cost, it seems. (Most recently, a well-known company tried to get that much out of me for hosting a static website!) There doesn't seem to be any market pressure to correct this problem, and I don't really understand why, but someone stands to make a lot of money if they crack the code. In the meantime, there's you and a problem, and giving the vendor your time and money can get the problem resolved. (Yup, you have to reward someone that's wronged you, because you already wrote code against their proprietary API. That's just how it is these days, and you have to accept it if you want to get anything done.)

I agree with the other comments that relaying phishing to internal users is probably what they dislike. There, of course, isn't a good solution beyond using some open platform. Your self-hosted IRC server isn't going to cancel your account because someone sent a phishing link, for example. But, nobody will know how to connect to it anyway. Sigh!

gregorymichael over 3 years ago

Hey Chris, Greg from Twilio here. I'm so sorry for the frustration, lack of communication, and high friction to get this resolved. Want to drop me an email at gb@twilio.com and we'll see if we can get it sorted out?

ewoodh2o over 3 years ago

This is really frustrating, and sorry you're on the receiving end of this. I don't work for Twilio, but we spend a lot with them (and some other telecoms) so I see a bit further up the chain than most.

The retail wireless carriers are really driving a lot of this with recent 10DLC A2P changes. In particular, T-Mobile is waving around threats of $10k fines per message for messages they deem to be in violation of their content rules. (Which obviously prohibit fraud and such, but also somewhat-arbitrarily anything relating to marijuana.) The way it's written T-Mobile will fine Twilio, who is supposed to pass it on, but knows they'll struggle to collect that.

Meanwhile, on my personal cell phone AT&T can't even seem to figure out that when they get a message from a Nexmo number that starts with "ATT Free Msg" that they didn't send, maybe they shouldn't deliver it. As a consumer I'm glad someone is trying to squash these scams, but they're breaking more than a few eggs in the process.

I'd echo the advice to get off the SMS channel for notifications if at all possible, unless you're sending enough and spending enough to have named support contacts. The rules are being written for people sending thousands of messages per day. We serve small businesses who send maybe 100 messages per month, and it's been a mess trying to get carriers to recognize that these businesses exist and need a solution that works for them too.

ChrisDutrow over 3 years ago

UPDATE:::::

Due to Greg from Twilio seeing this post and providing me a way to reach out, I was able to get the problem resolved.

He spent about an hour on the phone with me today and provided some more information about the issue. A few highlights:

* Twilio has doubled in size since the beginning of the pandemic
* Spamming and phishing through text message has gotten a lot more common very recently.

These two things together caused a sort of novel situation with them having to either auto-ban accounts or ban accounts with only a very shallow look and then not having a way for someone to get the account un-banned in a timely manner.

My initial concern with this post was that something had changed within the company culture where they were willing to cull off "smaller" accounts like mine in the $10,000 a year range by treating them very recklessly so that they only needed to work with very large companies which would be more simple and more profitable. This would mean that I would need to change providers or risk them doing other damaging things in the future that I would not be able to predict.

Based on a few things that Greg said in the conversation, I no longer believe this to be the case for a few reasons:

1) They have people like Greg reaching out to people like me at all.
2) In case Greg was not available the next time something like this happened, he provided me the contact information of some other people who were kind of high up in the company and explained that they would be very concerned that something like this was going on where legitimate customer accounts were being suspended.

This changed my interpretation of the situation because Greg's actions communicated to me that this is a temporary problem having to do with Twilio increasing in size very quickly at the same time spam and phishing became a big problem. They had to scramble to fix a problem with their providers before having a chance to refine their systems to make sure the implementation was done fairly and correctly. It does not seem to be a problem with top-level executives deciding that customers like me don't matter.

I also own a company and am very familiar with how things can get out of hand very quickly when demand increases. Shit hits the fan, then things suck for a while until the work is put in to become more organized. This takes time. And it takes trial and error.

I would expect over time for them to correct their systems and properly service smaller mid-range customers like me.

techsupporter over 3 years ago

Where I work, we use Pushover (https://pushover.net/) for this. A message comes in via SMS and then a handler stores it in a database then turns around, does some light filtering[0], and then sends a notification to a Pushover group. It's $5 per user per month for their teams feature, which we happily use.

0 - The handler doesn't send out via Pushover any message that contains words we're unlikely to use; Facebook is one, for example. If a message isn't forwarded via push notification, it is emailed to the sysadmin list for one of us to manually look at during daytime hours.

tonightstoast over 3 years ago

Sorry you're going through this. At my last company we were in a similar spot to you - around ~$700/mo spending for Twilio. We had issues where they also were shutting us off and were unresponsive for days at a time. Once we had a rollout with a few dozen new clients in an area where we hadn't sent texts before and after sending a few thousand messages we were shut off at the carrier level. We tried reaching out for a day or two and really didn't get much back in response - to us this was the final straw and we moved to bandwidth.com (which I believe is who google uses for their auth).

Support with them is significantly better but if I remember correctly pricing is around $1k/mo minimum (which was more than worth it in our case).

Best of luck to you.

themerone over 3 years ago

> I don't need tech support, I just need someone to call, explain the situation to, and have them click a button.

What you are describing is tech support.

paxys over 3 years ago

Why misdirect from the real issue just to rally an internet mob in your favor? The problem clearly isn't that you received a fraud text (as the title suggests), it is that you SENT fraud texts using Twilio. That will obviously get you banned from any mainstream service.

Also:

> I don't need tech support, I just need someone to call, explain the situation to, and have them click a button.

What do you think tech support is?

jeffiel over 3 years ago

Hi Chris - CEO of Twilio here. I'm sorry for the issue. Fighting bad actors sucks, but we can do better to communicate with good faith builders like yourself. Mind sending me a note with your account at jeff@twilio.com, and I'll escalate for you.

jaywalk over 3 years ago

Not excusing their lack of support, but at the end of the day *you* sent a spam/phishing message through their service. What exactly are they supposed to do? If they don't immediately shut down accounts that send these messages, they're going to be in hot water with the cellular carriers. It's by far the lesser of two evils to just shut down accounts that send spam.

djyaz1200 over 3 years ago

We were paying them around $1500/mo and had a similar issue where they blocked some (in our case) legitimate messaging traffic. We switched most of our traffic to another provider and are pleased. We had been a Twilio customer since 3 days after they launched and I owned a significant amount of their stock. I sold it all when this happened in spring of last year and I'm glad I did... stock has gone down significantly since. I don't see Twilio doing well long term, they provide an API for a network they don't own.

daneel_w over 3 years ago

It's been a year or two since Twilio became so large that the left hand has no idea what the right hand is doing. You have my sympathies. Good luck.

grouseway over 3 years ago

For an alternative, maybe relay the texts to a slack channel (that's easy enough to receive on a phone for your coworkers). Zapier can probably integrate twilio/slack quickly.

pauldd7 over 3 years ago

Twilio deleted our account, phone numbers and thousands of audio recordings after we sent them a request to port a single number to a different account. Support admitted it was a mistake on their end but insisted there was nothing they could do except have us open a new account, and they could try and restore any unreleased numbers back.

All data was lost, number IDs, account IDs all completely different. It took us a LOT of dev hours to update everything, whilst losing some of our customers. Twilio is cheap, fun and dev friendly until they mess up, then you're on your own.

toss1 over 3 years ago

No experience with Twilio, but yours makes me glad that's not the case.

As another small biz, I've had very good experience with Phone.com over the past several years. Prompt and solid tech support the few times I need it (mostly for configuration and 'is there a way to do this peculiar thing?' questions), and mostly just works.

lamontcg over 3 years ago

The only real solution for this is going to be the government stepping in and ordering the carriers to fix their fraud and abuse issues.

They're trying to offload the problem onto Twilio which then winds up passing that onto their customers.

Of course solving the abuse problem means spending money to cut off the revenue they actually see from the scammers sending texts. They'll never be incentivized to do anything about it unless the government were to make them an offer that they couldn't refuse.

That'll never happen though because the government is bought off by corporate lobbyists, so we will continue to evolve into more and more of a third world scam economy.

yosito over 3 years ago

Suggestion to Twilio, if you're reading: if you have the ability to detect spam messages, perhaps give your users an API call for filterSpamAndSend instead of just send.

bryanrasmussen over 3 years ago

I am confused by one thing - when you forward to your employee's phone number is that number also owned by your company? Or is it a phone number owned by the employee?

If the first, Twilio should fix this bug in their system; if the second, then they should maybe have some process of setting up employee phone numbers in their system so the shut down process does not happen. At any rate both scenarios should be common enough that they should have a process to handle that.

icedchai over 3 years ago

I'd look at SignalWire. It's way cheaper than Twilio and they use the same APIs.

ideepakmathur over 3 years ago

For a couple of years we moved from Twilio to Pilvo and trust me it works great and it is cost-effective as well.

nawgz over 3 years ago

It's quite strange you forward the texts VIA text; why not ingest it in any other format? Slack, internal database, logs, ...

Unfortunate outcome though. Automated banning is always frustrating.

howdydoo over 3 years ago

Auto-banning an account is a violation of GDPR Article 22

https://gdpr-info.eu/art-22-gdpr/

> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Quote this and maybe it will get you escalated, but who knows? A lot of companies seem to just ignore GDPR entirely.

BTCOG over 3 years ago

wtf is Twilio?

rubatuga over 3 years ago

Seems like it’s his fault. I’m currently using the twilio API. A simple Python script could be used to filter out any messages that weren’t sent from an employee. He essentially has an unauthenticated open relay, a one way ticket to get put on a spam blacklist in the SMTP world.

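Added example (editorial, not part of the thread and not any commenter's code): a triage step that combines the two filters described in the comments above, techsupporter's "unlikely words" check with a manual-review queue and rubatuga's sender allowlist, so that nothing suspicious is ever re-sent as outbound SMS. The allowlist, keyword list, phone numbers and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# All values below are constructed for illustration (hypothetical allowlist,
# keyword list and phone numbers); none come from the thread.
EMPLOYEE_NUMBERS = {"+15550100001", "+15550100002"}
UNLIKELY_WORDS = {"facebook", "verification", "suspension", "password"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Decision:
    action: str                      # relay_sms | push_notify | hold_for_review
    reasons: list = field(default_factory=list)


def triage(sender: str, body: str) -> Decision:
    """Decide what to do with one inbound SMS before anything is re-sent."""
    reasons = []
    hits = sorted(set(re.findall(r"[a-z]+", body.lower())) & UNLIKELY_WORDS)
    if hits:
        reasons.append("unlikely words: " + ", ".join(hits))
    if URL_RE.search(body):
        reasons.append("contains a link")
    # Content checks run first: sender IDs can be spoofed, so even an
    # allowlisted sender does not get suspicious text relayed.
    if reasons:
        return Decision("hold_for_review", reasons)
    if sender in EMPLOYEE_NUMBERS:
        return Decision("relay_sms")
    # Clean text from an unknown sender is delivered, but not as outbound SMS.
    return Decision("push_notify", ["sender not on allowlist"])


def route(messages):
    """Sort (sender, body) pairs into one queue per action."""
    queues = {"relay_sms": [], "push_notify": [], "hold_for_review": []}
    for sender, body in messages:
        queues[triage(sender, body).action].append((sender, body))
    return queues


# Constructed sample traffic.
SAMPLE = [
    ("+15550199999", "Your Facebook account is on hold for verification. "
                     "Visit https://example.invalid/ to avoid suspension."),
    ("+15550100001", "Running late, please start the call without me."),
    ("+15550199999", "Hi, can someone call me back about my invoice?"),
]

if __name__ == "__main__":
    for action, items in route(SAMPLE).items():
        print(action, len(items))
```

Messages in the `hold_for_review` queue correspond to the ones techsupporter's team emails to the sysadmin list instead of forwarding.
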
marcosdumay over 3 years ago

> I should be considering bearing in mind that it would be expensive to re-write the software to work with another vendor

Well, maybe next time you get somebody that implements a standard.

With that kind of behavior (not letting you speak to anybody, the blocking is understandable), it's clear you shouldn't keep their services. So, you have now an opportunity to do it right, and make the next move cheaper.

nickphx over 3 years ago

It sounds like you relayed a message that contained abusive content. To twilio it looked like your account was sending abusive content and they acted according to agreements with carriers to prevent abuse. Don't relay abusive content and you won't have this problem.