What Phone Risk Verification Actually Checks, and Why OTP Was Never the Answer
- An OTP proves one thing: someone can read a code on that number right now. It says nothing about whether the number belongs to the person claiming it, how old it is, or whether it was a different person's number last week.
- The phone number is treated as a contact field. It is actually one of the strongest fraud signals you have, if you read it correctly.
- Phone risk verification reads line type, SIM tenure, recent SIM swaps, porting events, VOIP and disposable flags, number recycling, and how strongly the number binds to the claimed name.
- SIM swap is not rare anymore. UK fraud cases jumped from 289 in 2023 to nearly 3,000 in 2024. In Australia, roughly 90 percent happen with no victim interaction at all. One swap produced a 33 million dollar arbitration award against a US carrier.
- In India, a recycled number reassigned after 90 days can still receive OTPs for the previous owner's bank, UPI, and Aadhaar-linked accounts. OTP-only onboarding cannot tell the difference.
- The fix is to score the number before you trust it, and to stop treating "OTP delivered" as proof of identity.
A fraud lead at a digital lender showed us a cluster of accounts that had every right to look clean. Each one passed phone verification. The OTP went out, the code came back, the account opened. Textbook.
Three months later, the same cluster turned up in a mule investigation. Funds moving in, funds moving out, the classic pattern. The accounts had never failed a check. They were not flagged because nothing about them broke a rule. They were flagged because the money laundering team found them, long after onboarding had waved them through.
When his team pulled the phone numbers and ran them against telecom data, the picture changed. A chunk of the numbers were non-fixed VOIP lines. Several had been activated days before the account opened. A few were numbers that, by their history, had belonged to someone else entirely a few months earlier.
Every one of them had passed the OTP. Because passing the OTP only ever meant one thing. Someone could read a code on that number at that moment. It never meant the number belonged to the person filling in the form.
That is the gap phone risk verification exists to close. And most onboarding flows still do not know it is there.
What an OTP actually proves, and what it quietly does not
An SMS OTP is a possession check with a very short memory. You send a code. The user types it back. The system concludes the user controls that number, right now, for the duration of one message.
That is the entire claim. It is a real claim and a useful one. But teams stretch it into something it was never designed to carry. Once the code comes back, the number gets marked verified, and verified gets treated as if it means identity. It does not.
Here is the list of things an OTP does not know about the number it just texted.
It does not know whether the line is a mobile, a landline, or a VOIP number bought in two minutes from a web app. It does not know whether the SIM was swapped to a new device three hours ago. It does not know whether the number was ported between carriers last week. It does not know whether the number is two days old or fifteen years old. It does not know whether this number has ever, in its entire history, been associated with the name on the application. And it does not know whether the previous owner of this recycled number is the person whose accounts it can still unlock.
None of that shows up in a code exchange. A VOIP number that can receive SMS passes exactly like a fifteen-year-old mobile line. The OTP cannot tell them apart, because telling them apart was never its job.
This is the same trap we wrote about with TIN matching and with sanctions alerts. The check runs, returns a clean result, and the team reads "clean" as "safe." Verified and trustworthy are not the same word. Most onboarding stacks treat them as synonyms.
What phone risk verification actually reads
Phone risk verification, sometimes called phone intelligence or number intelligence, does the thing OTP cannot. It treats the number as a record with a history and a reputation, then scores how risky it is and how strongly it binds to a real identity. The signals it reads are concrete.
Line type. Is this a mobile, a landline, or a VOIP line? Non-fixed VOIP numbers are cheap, anonymous, and rotatable, which is exactly why they cluster in fraud. A mobile line with long tenure behaves like an identity anchor. A VOIP line behaves like a tool. The same OTP passes both. Line type is the first thing that separates them.
SIM tenure. How long has this number been active and stable on its carrier? A long, unbroken tenure is a trust signal. It is hard to fake years of consistent history. A number activated days before the application is not disqualifying on its own, but it is a question worth asking before you extend credit against it.
SIM swap events. Has the SIM behind this number been moved to a new device recently? A swap in the last few hours or days is the single loudest warning in phone intelligence, because a fresh swap is how account takeover begins. Any OTP sent to a recently swapped number is suspect by definition. The OTP itself cannot see the swap. Phone intelligence can.
Porting history. Has the number been ported between carriers recently or repeatedly? Porting is a normal consumer action, but recent or frequent porting, combined with other anomalies, is a known precursor to number hijacking.
VOIP and disposable flags. Is this number from a known disposable or virtual provider range? Burner numbers exist to be used once and discarded. They are how fraudsters open accounts at volume, abuse promos, and rotate past blocks. A flow that blocks them at signup removes an entire category of abuse before the OTP is even sent.
Number recycling. Has this number recently been disconnected and reassigned? A recycled number carries the digital ghost of its previous owner. We will come back to why this is a serious problem in India specifically.
Phone-to-name binding. Does the subscriber history of this number match the name and address on the application? This is the signal that turns a phone number from a contact detail into an identity check. A number that has been consistently tied to the applicant's identity across time is strong evidence. A number with no historical link to the claimed person, or a link to a different person, is a flag.
These signals produce a risk score, not a yes or no. That distinction is the whole point. OTP gives you a binary. Phone intelligence gives you a gradient you can act on.
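The signals above, combined into a score and mapped to an action before any code is sent. This is an added example, not Signzy's code or scoring model; the field names, weights, thresholds, and action names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PhoneSignals:
    """Telecom signals for one number. Field names are hypothetical, not a vendor schema."""
    line_type: str                           # "mobile", "landline" or "nonfixed_voip"
    tenure_days: int                         # days active and stable on the carrier
    hours_since_sim_swap: Optional[float]    # None = no swap on record
    days_since_port: Optional[int]           # None = never ported
    disposable_range: bool                   # known disposable/virtual provider range
    days_since_reassignment: Optional[int]   # None = not recycled
    name_match: Optional[bool]               # False = bound to someone else, None = no history

def risk_score(s):
    """Return (score 0-100, reasons). Weights and cut-offs are illustrative assumptions."""
    checks = [
        (s.disposable_range, 50, "disposable_range"),
        (s.line_type == "nonfixed_voip", 35, "nonfixed_voip"),
        (s.hours_since_sim_swap is not None and s.hours_since_sim_swap <= 72, 60, "recent_sim_swap"),
        (s.days_since_port is not None and s.days_since_port <= 7, 15, "recent_port"),
        (s.tenure_days < 30, 15, "short_tenure"),
        (s.days_since_reassignment is not None and s.days_since_reassignment <= 180, 30, "recently_recycled"),
        (s.name_match is False, 30, "name_bound_to_other_person"),
        (s.name_match is None, 10, "no_name_history"),
    ]
    reasons = [name for hit, _, name in checks if hit]
    return min(100, sum(pts for hit, pts, _ in checks if hit)), reasons

def decide(s):
    """Map the gradient to an action taken before any OTP is sent."""
    score, reasons = risk_score(s)
    if s.disposable_range or s.line_type == "nonfixed_voip":
        action = "contact_only"   # usable for notifications, never the identity anchor
    elif score >= 40:
        action = "step_up"        # biometric or document re-check, not another OTP
    else:
        action = "send_otp"
    return action, score, reasons

# Constructed sample numbers, one per pattern described in the article.
OLD_MOBILE = PhoneSignals("mobile", 5400, None, None, False, None, True)
FRESH_VOIP = PhoneSignals("nonfixed_voip", 3, None, None, False, None, None)
SWAPPED = PhoneSignals("mobile", 3000, 3.0, None, False, None, True)
RECYCLED = PhoneSignals("mobile", 20, None, None, False, 20, False)
```

All four sample numbers would pass an SMS OTP identically; only the first one reaches the OTP step here without a question attached.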
Why SIM swap stopped being a rare event
For years SIM swap was treated as an edge case, the kind of thing that happened to crypto influencers and nobody else. That framing is now dangerously out of date.
In the UK, the fraud prevention service Cifas recorded a jump in unauthorised SIM swap cases from 289 in 2023 to nearly 3,000 in 2024. That is a surge of over 1,000 percent in a single year. In Australia, the breach support service IDCARE reported a 240 percent rise in SIM swap cases in 2024, and noted that roughly 90 percent of them happened with no victim interaction at all. No phishing link clicked, no password handed over. The number was simply moved through carrier social engineering, and the victim found out when their phone went dark.
In the US, the FBI's complaint center tracked nearly 26 million dollars in reported SIM swap losses in 2024, and these are only the reported ones. A single swap that enabled a cryptocurrency theft produced a 33 million dollar arbitration award against T-Mobile. One number. One swap. Eight figures.
The mechanics matter for onboarding teams. A SIM swap moves the victim's number onto a SIM the attacker controls. From that moment, every SMS OTP for that number lands in the attacker's hand. If your system trusts OTP as identity, the attacker now passes your checks as the victim. The regulator noticed. NIST's authentication guidance now restricts SMS OTP for high-assurance use precisely because of this interception risk.
The telecom regulators moved too. The FCC's SIM swap and port-out rules, with core provisions effective May 2024, now require carriers to authenticate before SIM changes and to notify customers immediately. That is the carrier side hardening. But the carrier hardening does not reach your onboarding flow. If you are not reading swap signals at the point of account opening, the protection stops at the carrier's door and never arrives at yours.
The recycled number problem nobody delinks from
Here is the failure mode that hits hardest in India, and that almost no OTP-only flow accounts for.
Mobile numbers get recycled. When a number sits inactive long enough, the operator reclaims it and reassigns it to a new subscriber. In India the inactivity window before recycling is commonly around 90 days, plus a grace period. After that, the number can belong to a complete stranger.
Now follow the chain. The previous owner linked that number to their bank account, their UPI, their Aadhaar, their email recovery, their DigiLocker. They changed numbers and never delinked the old one, which is what almost everyone does. The number gets recycled. A new person, or a fraudster who deliberately hunts recently recycled numbers, now holds the SIM.
That new holder can receive OTPs meant for the previous owner's financial accounts. A password reset, a UPI registration, an account recovery code. The OTP arrives, because the OTP only checks who holds the SIM today. It has no concept of who held it last quarter.
For a fintech or bank, this breaks identity attribution in a quiet, dangerous way. Your system may "trust" a number because it was historically associated with a legitimate customer. But the number has changed hands. The history is real and the current holder is not the person that history belongs to. OTP-only onboarding and re-KYC cannot see the handover. Phone intelligence, by reading recent activation and reassignment events, can at least raise the question.
The defensive move is to treat any number change, port, or recent activation as a high-risk event that demands re-binding through something stronger than another OTP to the new number. A biometric re-confirmation, a document re-check, a small test transaction. Sending a fresh OTP to the new SIM and calling it verified just re-confirms the exact failure you are trying to catch.
The mistake is treating the phone as a contact field
Step back and the root error becomes clear. Most onboarding flows model the phone number as a way to reach the customer. A contact detail. Something you collect so you can text them later.
It is far more than that. The phone number is one of the densest fraud signals available at onboarding, richer than email and often more telling than the device, because it carries telecom history that is genuinely hard to fake. Tenure, line type, swap and port events, reputation across the network. A fraudster can spin up a fresh email in seconds and spoof a device fingerprint with a cloud phone. Building a mobile number with ten years of clean, consistent, identity-bound tenure is a different order of difficulty.
When you treat that signal as a contact field, you throw away the richest thing you collected. You reduce a number with a decade of history to a single yes or no on whether a code came back. That is the equivalent of receiving a detailed credit file and reading only whether the envelope arrived.
The teams that get this right separate two ideas that OTP collapses into one. Possession is whether someone controls the number now. Identity is whether the number belongs to the person they claim to be. OTP answers the first and pretends to answer the second. Phone risk verification answers the second on its own terms.
What to actually do at onboarding
The fix is not to rip out OTP. OTP is a fine possession check and a reasonable out-of-band factor. The fix is to stop asking it to do a job it was never built for, and to put a risk read in front of it.
Score the number before you send the code. Run line type, tenure, swap, port, and reputation checks at the point of signup, before the OTP. If the number is a non-fixed VOIP line, a known disposable range, or freshly swapped, you want to know that before you have already marked it verified.
Make line type a policy decision, not an afterthought. Decide deliberately what you accept as a primary identity number versus a secondary contact. For high-value products like loans, cards, and wallets, require a domestic mobile line with carrier KYC behind it. Permit VOIP as a contact channel if you like, but not as the anchor your identity decision rests on.
Treat change events as high risk. A recent SIM swap, a recent port, a recently activated or recycled number. Each of these should raise the risk score and, above a threshold, trigger step-up verification rather than a simple OTP to the new number. Re-binding identity to a changed number through another OTP is circular.
Separate the contact number from the identity anchor. A customer can have a VOIP number for notifications and a KYC-backed mobile line as their identity phone. Conflating the two is how disposable numbers slip into the trust path.
Look at clusters, not just single numbers. Many new accounts on VOIP numbers from one provider prefix. Many accounts sharing a device or IP but cycling through different numbers. A spike of signups from a known virtual-number range. The individual number might score borderline. The pattern is unambiguous.
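The cluster view described above, as an added example that is not Signzy's code. The record layout, the prefix length, the thresholds, and the sample signups are all constructed for illustration.

```python
from collections import defaultdict

# Constructed signup records: (account_id, number, line_type, device_id).
SIGNUPS = [
    ("a1", "+15005550101", "nonfixed_voip", "dev-A"),
    ("a2", "+15005550102", "nonfixed_voip", "dev-B"),
    ("a3", "+15005550103", "nonfixed_voip", "dev-C"),
    ("a4", "+15015550111", "mobile", "dev-D"),
    ("a5", "+15025550121", "mobile", "dev-D"),
    ("a6", "+15035550131", "mobile", "dev-D"),
    ("a7", "+15045550141", "mobile", "dev-E"),
]

def find_clusters(signups, prefix_len=8, min_voip=3, min_numbers=3):
    """Flag patterns that no single-number score would catch.

    voip_prefix:    many non-fixed VOIP signups sharing one number prefix.
    device_cycling: one device opening accounts with many different numbers.
    Thresholds are illustrative assumptions; tune them per product and time window.
    """
    voip_by_prefix = defaultdict(set)
    numbers_by_device = defaultdict(set)
    for account, number, line_type, device in signups:
        if line_type == "nonfixed_voip":
            voip_by_prefix[number[:prefix_len]].add(account)
        numbers_by_device[device].add(number)
    return {
        "voip_prefix": {
            prefix: sorted(accounts)
            for prefix, accounts in voip_by_prefix.items()
            if len(accounts) >= min_voip
        },
        "device_cycling": {
            device: sorted(numbers)
            for device, numbers in numbers_by_device.items()
            if len(numbers) >= min_numbers
        },
    }

if __name__ == "__main__":
    for kind, hits in find_clusters(SIGNUPS).items():
        print(kind, hits)
```

In the sample, every number on `dev-D` is an ordinary mobile line that would score clean in isolation; the device reuse is what surfaces it.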
This is the layer we focus on across the sign-up and phone verification we run for financial institutions, where the phone risk read sits in front of the OTP rather than behind it, feeding the same fraud stack that catches mule accounts downstream. The point is not to add friction for its own sake. It is that a number scored before you trust it is a number that cannot quietly become a mule account three months later.
The one thing to change
Stop reading "OTP delivered" as "identity confirmed." It never meant that. It meant a code reached a SIM, and a SIM is not a person.
Before you trust a phone number, read what the number is telling you. Its age, its line type, whether it was swapped or ported or recycled, whether it has ever belonged to the person now claiming it. That information exists. It is sitting in telecom data the moment the applicant types the number in. The only question is whether you read it before you wave the account through, or whether you find it three months later in a mule investigation, after the OTP already said everything was fine.
A phone number is not a contact field. It is a fraud signal you are choosing whether or not to read.
If you want to read the number before you trust it, this is the layer Signzy builds: phone risk verification for line type, tenure, and swap signals, email risk verification for the parallel signal most flows ignore, and full identity verification for the step-up when the number alone is not enough.
FAQ
Isn't OTP verification enough if the user successfully receives the code?
What specific signals does phone risk verification add that OTP doesn't have?
How common is SIM swap really? Is it worth designing around?
Why is number recycling such a problem in India specifically?
We can't block all VOIP numbers, some legitimate customers use them. How do we handle that?
Doesn't adding phone risk checks create friction and hurt conversion?
The carriers and the FCC are already addressing SIM swap. Isn't that enough?

Gaurav Gupta
Gaurav Gupta is the Global Product Head at Signzy, leading the strategy and development of the company’s KYC, KYB, AML, and digital onboarding products used by banks, fintechs, and financial institutions across global markets. He specializes in building scalable compliance and verification platforms, transforming complex regulatory and risk workflows into seamless, automated product experiences. Gaurav works at the intersection of product, engineering, and AI.




