Detect disposable numbers in signups

How to detect disposable phone numbers in signups?

Detect disposable numbers before OTP via a real‑time API that monitors public SMS gateways and rental inventories. Behavior signals and local checks can help, but are usually not enough on their own.

The quickest reliable approach is to call a real-time detection API before sending the OTP. Accurate detection needs continuous monitoring of public SMS gateways and rental inventories; format, HLR, or line-type checks alone miss most abuse. Use behavior and basic validation to catch obvious issues, but rely on an API to keep data fresh, reduce maintenance, and minimize false positives.

What is a disposable number?

A disposable number is a temporary or virtual phone number from public SMS gateways or rental providers. It’s used to receive OTPs without tying activity to a real, persistent SIM, enabling fake signups and abuse.

Check behavior and velocity signals (free)

These app‑side checks are free and help you triage risk. They don’t prove a number is disposable, but they can guide step‑up, throttling, or allow/deny decisions.

  • IP vs phone country: Does the user’s IP country match the phone number’s country?
  • OTP abuse patterns: Repeated OTP requests without completion.
  • Time‑to‑verify: Bots often verify unnaturally fast—or never complete verification.
  • Browser/device fingerprint reuse: The same fingerprint submitting many numbers.
  • Disposable email correlation: If the email is disposable, the phone number often is as well.

Use a third‑party API (recommended)

Behavior and velocity checks catch obvious abuse, but reliable detection requires continuous monitoring of public SMS gateways and rental inventories. Specialized providers maintain this intelligence at scale—integrate their API instead of trying to rebuild it.

How a third‑party API like NumCheckr works

Signals we check at NumCheckr

  • VoIP and temporary ranges
  • Public SMS inbox appearances
  • Disposable provider inventories
  • HLR/active routing and type
  • NPA‑NXX and international allocations
  • Recent abuse/velocity markers

NumCheckr implementation guide

Call your phone intelligence endpoint before OTP. Example with a placeholder NumCheckr API:

curl -X POST https://numcheckr.com/api/check-number \
  -H "Authorization: Bearer <YOUR_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "phone": "+14155552671"
  }'
{
  "active_line": true,
  "is_disposable": true,
  "public_sms_gateways": ["sms24.me", "receive-sms.cc"],
  "type": "MOBILE",
  "country_code": "us",
  "carrier": "Verizon",
  "e164_format": "+14155552671"
}

Backend example (Laravel/PHP) to call the API server‑side:

use Illuminate\Support\Facades\Http;

$response = Http::withToken(config('services.numcheckr.api_key'))
    ->post(url('/api/check-number'), [
        'phone' => '+14155552671',
    ]);

if ($response->json('is_disposable')) {
    // Block or step-up verification
}

Evaluation checklist (accuracy, limits, cost)

  • Accuracy: Test 200–500 known-good and known-bad numbers; measure precision/recall.
  • Latency: Keep under 150 ms p95 pre‑OTP; cache stable results for 24 h.
  • Rate limits: Ensure burst capacity during signup peaks.
  • Coverage: US/EU plus long‑tail countries where abuse is common.
  • Cost: Estimate cost/verification vs avoided SMS and fraud spend.
  • Fail‑open policy: Define behavior on timeouts (e.g., step‑up).

When to choose API vs behavior signals

Option Pros Cons
Behavior/velocity signals Free, immediate, reduces obvious abuse Heuristics only; easy to evade; can cause friction
Phone intelligence API (recommended) Monitors public gateways/inventories; disposable/VoIP detection; fresh data Paid; requires integration

Try a quick pre‑OTP lookup

Create a free account, get an API key, and add a pre‑OTP check on your signup form. Start with allow + step‑up on uncertain results, then tighten as you measure impact.

Get your API key and run your first lookup →

FAQ

Can I detect disposables without an API?

Behavior and velocity checks reduce risk, but reliable detection needs web monitoring of public SMS gateways and rental inventories—best done via API.

What should I do on uncertain results?

Use step‑up: captcha, email verification, or card hold. Avoid hard blocks unless multiple signals agree.

How fast should the pre‑OTP check be?

Target p95 under 150 ms and cache stable results for 24 hours to minimize latency.

How do I measure accuracy?

Build a labeled set of 200–500 numbers, compare precision/recall by country, and audit per‑decision evidence.

Will I block legitimate users?

Tune thresholds and combine signals. Prefer step‑up over deny to avoid false positives, especially for prepaid users.