Introduction
Disposable number services provide temporary phone numbers that can receive SMS codes, such as one-time passwords. This allows people to complete mobile verification without using their own number, to shield their primary contact information from potential spammers, telemarketers, and data breaches.
Yet disposable numbers also enable cybercriminals to sidestep SMS verification at scale. In addition, this process means that some accounts marked as verified may still be created by bots, be generating fake reviews or users, or used for fraud. So, if your registration system relies on SMS alone, you need to be aware of disposable numbers.
In some cases, disposable numbers are used by minors to bypass age checks and, as regulators are turning up the heat on protecting underage users (as an example, in the UK, the Online Safety Act (1) pushes “strong age checks” on high-risk services), online platforms need controls that work before an OTP is ever sent. Since disposable numbers allow underage users or bad actors to bypass checks by repeatedly registering with new numbers, circumventing age restrictions and exposing platforms to legal and regulatory risks, it makes sense to focus on checking the legitimacy of disposable numbers.
What makes disposable numbers risky?
Disposable numbers exist to receive OTPs temporarily: once received they can then be archived and replaced. They are widely used by fraudsters to create accounts in bulk, automate abuse, and disguise identities across major platforms. Researchers (2) have traced a jump from thousands to millions of messages flowing through these services, with social, messaging, and payment apps among the top targets. Additionally, in the telecom domain, bad actors may use disposable numbers to test grey routing paths (unapproved, lower-cost routes for SMS delivery) to exploit routing vulnerabilities, evade billing systems, or validate spoofed messages under the radar.
In short, if your sign-up relies on SMS alone, you are an easy target.
What our data shows about disposable number abuse
GSMA Industry Services already operates a monitoring platform that tracks International Premium Rate Numbers used to commit telecommunications fraud (see GSMA IRSF Prevention), and we recently also started tracking more than twenty disposable number websites – with more to follow. We have catalogued over 200,000 unique disposable numbers, with new numbers being added as providers refresh their supply.
On a typical day, a single disposable number receives approximately 1,000 OTP messages from around 200 distinct senders. We regularly see OTPs that have been used on platforms intended strictly for adults, including online gambling, lotteries, e-gaming and dating apps, appearing on the public sites that offer disposable numbers to businesses.
This is how disposable numbers break the link between the mobile operator’s subscriber data and the person actually using the number. While an operator may confirm that the number belongs to an adult, the disposable numbers service makes that number accessible to anyone (including minors, bots, or scammers). As a result, age checks or other trust signals based on operator data no longer reflect the real user, creating a serious gap in compliance and consumer protection.
Who is at risk?
Disposable numbers are a favourite tool of fraudsters and scammers because they let them slip past security checks and create fake accounts without leaving a trace.
Messaging, social networking and dating apps
The biggest risks appear in messaging and social networking apps where the phone number itself serves as the user’s identity. Fraudsters use disposable numbers to send spam, impersonate people, or takeover accounts, therefore dating apps are also heavily targeted, since scammers can easily set up fake profiles to run romance scams or phishing attempts.
Financial services and ecommerce
Financial services are another hotspot. Fintech and cryptocurrency apps attract criminals who want to hide their identity, open multiple accounts, or run phishing schemes, as well as users trying to bypass geographic restrictions so they can gain access to content not available in their actual location – undermining platform compliance and leading to contractual violations.
Ecommerce and delivery platforms also face abuse, with scammers using disposable numbers to farm free trials, discounts and promo codes.
Cryptocurrency exchanges and trading platforms
Cryptocurrency exchanges, wallets, and trading platforms often require SMS verification for account creation, withdrawals or two-factor authentication. Some users (especially those seeking to remain anonymous or operate under multiple identities) use disposable numbers to:
- Register multiple accounts on the same platform (e.g., for airdrop farming, referral bonuses, or evading limits)
- Avoid linking their real identity or phone number to wallets or exchanges, particularly when privacy is a concern
- Bypass regional restrictions, especially if certain crypto platforms are not available in their country.
Across the board, the categories hit hardest are social networks, messaging apps and payment services.
GSMA Disposable Number Check
As disposable numbers are not a niche privacy tool anymore but an industrialised infrastructure for fake accounts, scams and abuse of digital services, GSMA Industry Services has launched the GSMA Disposable Number Check service. It screens phone numbers against a continuously updated list of disposable-number sources so you can block abuse before you verify the phone number and send an OTP via SMS.
The GSMA Disposable Number Check provides an API-based service that can be implemented in your sign-up and re-verification processes, before a one-time password is sent. By instantly identifying disposable numbers, businesses can prevent them from being used to create fraudulent accounts, reducing the risk of account takeover, spam and scams.
Disposable Number Check confers the following benefits:
- It protects users from direct harm caused by scammers who create “verified” accounts to scam, harass or impersonate others.
- It stops disposable numbers from being used to bypass age verification on services intended for adults only, ensuring compliance and protecting vulnerable users.
- It helps stop attempts to bypass geographical restrictions in the provision of services, especially fintech and crypto.
- It prevents the repeated abuse of promotions, free trials and discounts, which are common targets for fraudsters seeking to exploit systems at scale.
The service is one small change with a significant impact. If you’re interested in finding out more or want to book a demo, please fill out the form below.