Disposable and virtual phone numbers are everywhere: used for privacy, but also widely abused for fraud, fake accounts, and SMS pumping. To better understand the scale and impact of this ecosystem, we'll examine findings from a comprehensive academic study that reveals the true extent of disposable number abuse.
This article analyzes the groundbreaking research "Your Code is 0000: An Analysis of the Disposable Phone Numbers Ecosystem" and explains what these findings mean for businesses trying to prevent fraud. We'll explore the study's methodology, key discoveries, and most importantly, how you can protect your platform from the risks these numbers create.
About the Study
"Your Code is 0000: An Analysis of the Disposable Phone Numbers Ecosystem" was published in June 2023 by researchers José Miguel Moreno, Srdjan Matic, Narseo Vallina-Rodriguez, and Juan Tapiador. This comprehensive academic research was conducted across multiple institutions and represents the largest longitudinal study of fake phone number abuse to date.
The study is available on arXiv and was published in the field of Cryptography and Security. The research team monitored 17,141 disposable phone numbers across 29 public SMS gateways for nearly a year, collecting and analyzing more than 70 million SMS messages.
This groundbreaking research provides the first comprehensive view of how fake phone numbers are used globally and demonstrates the scale of fraud and privacy violations occurring through these services.
Why Disposable Numbers Create Security Risks
Most online services assume a phone number uniquely identifies a real person. Disposable Phone Numbers (DPNs) break that assumption. They're publicly shared: anyone can receive SMS sent to them, and messages often remain visible for weeks or months.
That means:
- A fraudster can register dozens of accounts with free trials.
- OTPs and 2FA codes can be intercepted publicly.
- Sensitive data (bank notices, healthcare appointments) can leak out.
The authors note that SMS-based authentication has exploded in recent years—usage of 2FA rose from 28% in 2017 to 78% in 2021—making DPN abuse more impactful than when earlier studies were done in 2016/2018.
Research Methodology and Approach
The team wanted to measure three things:
- How widely DPNs are used
- Which services send SMS to them
- How much abuse is happening
To answer that, they built a pipeline with four parts:
- Finding gateways: They combined the Tranco top-site list and Google searches to identify 29 active PSGs. They filtered out dead sites, duplicates, and aggregators.
- Collecting messages: A custom Chromium + Playwright crawler captured messages, even on gateways that required JavaScript or app traffic. They set crawl rates carefully to avoid missing messages.
- Service attribution: They extracted keywords from message text, matched them against branded terms, and built a ruleset for 212 unique services. Accuracy was ~99%.
- Purpose classification: Using clustering (SimHash) and NIST's digital identity lifecycle, they labeled messages as creation, verification, activity, update, or recovery. Automated labeling reached ~91% accuracy.
This was a careful, year-long measurement—far beyond scraping a few inboxes.
Key Findings from 70 Million Messages
1. Scale of the ecosystem
- 70.9 million messages from 17k+ numbers in a year.
- Weekly traffic averaged 1.4 million SMS.
- By comparison, the 2018 study had just 900k messages over 28 months.
This is evidence of explosive growth.
At NumCheckr, we've built upon this research by specializing in real-time monitoring of disposable phone numbers. Our systems track hundreds of thousands of these numbers daily, going far beyond the study's scope. We continuously monitor the web to detect new disposable numbers as they appear and maintain ongoing surveillance of each number to track their lifecycle and usage patterns.
2. OTPs dominate
- 77% of messages contained OTPs (codes).
- ~3% contained single-use login links.
- Only 20% had neither.
This proves that disposable numbers are mostly used to intercept account-related codes.
3. Who's being targeted
Messages came from over 200 services, including:
- Social: Facebook, TikTok, Instagram
- Messaging: WhatsApp, Telegram, Discord
- Transportation: Uber, Bolt
- Finance: PayPal, banks like HSBC and Citibank
- Shopping/streaming: Amazon, Shopee, Disney+ Hotstar
- Government & health: Spain's Cl@ve, India's Aadhaar, UK's NHS
4. DPN lifetimes and exposure
- 12% live <1 day
- 58% live 1 week–1 month
- 29% live >1 month
Longer-lived numbers accounted for 81% of all messages. That means many OTPs and recovery codes remain exposed for months.
5. Global reach
- Numbers spanned 57 countries
- Messages covered 31 languages
- 75% were English, but many mismatched their number's country code
This is a global problem, not tied to one region. The fact that 75% of messages were in English while many numbers had non-English country codes proves these fake phone numbers are primarily used to bypass OTP verification mechanisms rather than for legitimate regional communication.
6. Bursts and automation
Some numbers got 72+ OTPs/day for 100+ days for the same service (Uber, DENT, Disney+ Hotstar, Sony LIV). That's not humans—that's bot farms.
Real-World Abuse Scenarios
The paper highlights real-world abuse scenarios:
- Free trial abuse: BYJU's, an Indian e-learning platform, saw >90% of messages tied to account creation/verification, showing fake phone numbers used to farm free lessons.
- Phone chaining: Fraudsters used fake phone numbers to register numbers on Google Voice, TextNow, and DENT—then resold those "verified" numbers as Phone Verified Accounts (PVAs). Over 6,000 fake phone numbers were used this way.
- Finance: Fintech app Empower sent loan deposit confirmations to DPNs—proof of potential loan fraud. Banks like HSBC and Barclays also appeared.
- Healthcare: NHS and India's CoWIN sent test results, vaccine appointments, even names and dates of birth, visible to anyone.
- Government: Spain's Cl@ve (used for official admin logins) and India's Aadhaar also appeared, exposing sensitive identity processes.
Implications for Online Businesses
The research findings reveal several critical insights for businesses:
- Widespread abuse: Fake phone numbers are systematically used to bypass 2FA, create fake accounts, and intercept verification codes across all industries.
- Rapid growth: The abuse of these numbers has increased dramatically since 2018, with no signs of slowing down.
- Underground economy: Some public SMS gateway operators appear connected to underground markets selling Phone Verified Accounts (PVAs).
- Inadequate defenses: Even major corporations and government agencies fail to effectively block fake phone numbers, leaving their systems vulnerable.
How to Protect Your Platform
The study shows what's happening. Here's how to respond in practice:
1. Check numbers before sending OTPs
Every SMS you send costs money and creates risk. Use a fake number checker or virtual number detector to flag risky numbers.
👉 With NumCheckr, you get confident answers about whether a phone number is disposable or legitimate:
- Definitive disposable detection with high accuracy across global providers
- Real-time checks under 80 ms
- HLR lookups to confirm if a number is active and mobile
- Constantly updated datasets tracking hundreds of thousands of disposable numbers
- Risk scoring that lets you block, step up, or allow based on your policy
- Global coverage (120+ countries)
This makes NumCheckr a powerful burner phone detector / fake number lookup solution.
2. Stop SMS pumping
- Enforce rate limits by user, IP, ASN
- Trigger alerts when OTP requests spike
- Combine with NumCheckr's risk scoring to block bulk disposable use
3. Use adaptive verification
Not all VoIP is bad. When the risk is medium, step up with:
- Email verification
- CAPTCHA or device fingerprinting
- Temporary feature gates for new accounts
4. Build feedback loops
Keep a local cache of known fake phone numbers, learn from your own traffic, and integrate with NumCheckr's datasets for global coverage.
Identifying Fake and Disposable Numbers
Businesses often ask: how can I tell if a phone number is fake? With the right signals, it's possible to identify high-risk numbers. Key indicators include:
- 📱 Virtual carrier registration: Number registered with a VoIP provider requiring no identity verification
- 📵 No service history: Lack of associated apps or messaging services linked to the number
- 🌀 Multiple account usage: Same number tied to numerous accounts across different platforms
- ⏳ Short lifespan patterns: Disposable numbers with unusually brief usage periods
- 🕵️ Fraud database presence: Numbers appearing in known spam or fraud databases
- 🔄 Automated request patterns: OTP requests that appear scripted or bot-driven
- 🌍 Geographic mismatches: Carrier and country metadata that don't align with user details
If multiple indicators are present, treat the number as a high-risk fake phone number. NumCheckr analyzes all these signals in real time, providing a comprehensive risk score that enables automated decision-making for your verification process.
Final Thoughts
The Your Code is 0000 study is the clearest proof yet: fake phone numbers aren't just a nuisance—they're a global fraud infrastructure. OTPs dominate, services across every sector are targeted, and sensitive data is being exposed.
The fix is straightforward: screen numbers before you trust them. That's exactly what NumCheckr was built for.
Want to see how many fake numbers are hitting your platform? Try NumCheckr's bot phone number check API or run a bulk audit—we'll show you the exposure, and how to cut fraud while keeping onboarding smooth.
FAQ
❓ Are fake phone numbers, disposable numbers, and burner phones the same thing?
Yes, the terms fake phone number, disposable number, temporary number, virtual number, and burner phone essentially refer to the same concept - phone numbers that aren't tied to a verified user identity. Whether it's a VoIP number, public SMS gateway, or prepaid burner device, they all pose similar fraud risks and can be detected using NumCheckr's comprehensive verification system.
❓ What is a fake number checker and how does it work?
A fake number checker is a tool that verifies if a phone number is real, fake, disposable, or virtual. NumCheckr's fake number checker analyzes carrier data, number history, and usage patterns to determine authenticity in real-time with over 95% accuracy.
❓ How can I tell if a phone number is fake?
To tell if a phone number is fake, look for these signs: virtual carrier registration, no service history, multiple account usage, short lifespan patterns, and presence in fraud databases. NumCheckr's fake number detector automatically checks all these indicators instantly.
❓ How do I identify a virtual phone number?
To identify a virtual phone number, check if it's tied to VoIP providers like Google Voice, TextNow, or Skype rather than traditional carriers. NumCheckr's virtual number checker instantly reveals the carrier type and flags virtual numbers with detailed risk scores.
❓ Can a fake number tracker help prevent bot attacks?
Yes, a fake number tracker is essential for bot phone number check operations. Bots often use disposable numbers from public SMS gateways. NumCheckr tracks these numbers in real-time and can detect automated signup patterns to block bot-driven fraud.
❓ What makes NumCheckr's fake number lookup different?
NumCheckr's fake number lookup service provides definitive answers about phone number authenticity using the world's largest database of disposable numbers. Unlike basic checkers, we offer real-time updates, risk scoring, and coverage across 120+ countries with sub-80ms response times.
❓ How does a burner phone checker protect my business?
A burner phone checker prevents fraudsters from using temporary phones to create fake accounts, abuse trials, or commit SMS fraud. NumCheckr's burner phone detection stops these attacks before they impact your platform, saving money on SMS costs and reducing fraud losses.