I'm curious to find out what other entrepreneurs think of this situation, where a partner, once trusted, and upon which a technical foundation has been built, has now shown itself to be acting in bad faith.
Every once in a while, some scammer will send a phishing text message to one of our phone numbers. Here is an example:
> Your Facebook account has been placed on hold for verification. To avoid account suspension, Please visit: https://opensopstat.com/
The message will be relayed to an employee's cell phone, as happens with all text messages. Now Twilio thinks our account was hacked and someone is sending phishing text messages from it.
The latest time this happened, the account was immediately suspended by an automated system. They did not communicate to us that this happened or why it happened. I had to fill out a support ticket and wait about 3 hours for a response before I even knew what the problem was. This happened at night, so no one knew there was even a problem until the next morning when business operations resumed and the phones didn't work.
It's bad enough that they shut down the phone system for my entire company because of their mistake, but in order to get the system back online, I have to go through their ticketing process that is only through e-mail, where it takes hours or days to receive a response. If I want to speak with someone on the phone, which probably would have gotten the problem resolved more immediately, I have to pay $1,500 per month for their phone tech support. Obviously this is an unreasonable amount to pay. I don't need tech support, I just need someone to call, explain the situation to, and have them click a button.
We pay them about $600 a month and have been working with them for over 10 years. I understand their profit margins might be thin? But are they really that thin? And if so, there should be a more reasonable phone option. I don't need to speak with an engineer, I just need to speak with someone who can click a button and unblock the account.
Temporarily, I will re-program the system so that it does not forward text message content to my employees' phone numbers. Which is fine. But my bigger problem is what do I do now? If they're willing to shut my system down without even giving me a number to call, what else are they going to do to me in the future?
The way in which they have been so cavalier with me is a red flag. And if I'm being honest, it does make me angry how they are willing to so readily damage my company in such a profound way AUTOMATICALLY without giving me a way to talk with them. I understand they may have a big phishing problem and will need to use automated software to help, but it is very reckless to not have this counter-balanced with a reasonable way for legitimate customers to even contact them after the suspension.
Are there other API-driven VOIP options that I should be considering bearing in mind that it would be expensive to re-write the software to work with another vendor? Or is there some way I should be looking to work things out with them?
What do you guys think?
I might be reading this wrong, but it sounds like you take inbound text messages to one number and then send outbound messages with the same content to employee phone numbers. Is that right? If so, that sounds like you're SENDING the spam messages in addition to receiving them. Regardless, it sounds like customer service needs to be improved, though.
I agree with the other comments that relaying phishing to internal users is probably what they dislike. There, of course, isn't a good solution beyond using some open platform. Your self-hosted IRC server isn't going to cancel your account because someone sent a phishing link, for example. But, nobody will know how to connect to it anyway. Sigh!
The retail wireless carriers are really driving a lot of this with recent 10DLC A2P changes. In particular, T-Mobile is waving around threats of $10k fines per message for messages they deem to be in violation of their content rules. (Which obviously prohibit fraud and such, but also somewhat-arbitrarily anything relating to marijuana.) The way it's written, T-Mobile will fine Twilio, who is supposed to pass it on, but knows they'll struggle to collect that.
Meanwhile, on my personal cell phone AT&T can't even seem to figure out that when they get a message from a Nexmo number that starts with "ATT Free Msg" that they didn't send, maybe they shouldn't deliver it. As a consumer I'm glad someone is trying to squash these scams, but they're breaking more than a few eggs in the process.
I'd echo the advice to get off the SMS channel for notifications if at all possible, unless you're sending enough and spending enough to have named support contacts. The rules are being written for people sending thousands of messages per day. We serve small businesses who send maybe 100 messages per month, and it's been a mess trying to get carriers to recognize that these businesses exist and need a solution that works for them too.
Due to Greg from Twilio seeing this post and providing me a way to reach out, I was able to get the problem resolved.
He spent about an hour on the phone with me today and provided some more information about the issue. A few highlights:
* Twilio has doubled in size since the beginning of the pandemic.
* Spamming and phishing through text message has gotten a lot more common very recently.
These two things together caused a sort of novel situation with them having to either auto-ban accounts or ban accounts with only a very shallow look and then not having a way for someone to get the account un-banned in a timely manner.
My initial concern with this post was that something had changed within the company culture where they were willing to cull off "smaller" accounts like mine in the $10,000 a year range by treating them very recklessly so that they only needed to work with very large companies which would be more simple and more profitable. This would mean that I would need to change providers or risk them doing other damaging things in the future that I would not be able to predict.
Based on a few things that Greg said in the conversation, I no longer believe this to be the case for a few reasons:
1) They have people like Greg reaching out to people like me at all.
2) In case Greg was not available the next time something like this happened, he provided me the contact information of some other people who were kind of high up in the company and explained that they would be very concerned that something like this was going on where legitimate customer accounts were being suspended.
This changed my interpretation of the situation because Greg's actions communicated to me that this is a temporary problem having to do with Twilio increasing in size very quickly at the same time spam and phishing became a big problem. They had to scramble to fix a problem with their providers before having a chance to refine their systems to make sure the implementation was done fairly and correctly. It does not seem to be a problem with top-level executives deciding that customers like me don't matter.
I also own a company and am very familiar with how things can get out of hand very quickly when demand increases. Shit hits the fan, then things suck for a while until the work is put in to become more organized. This takes time. And it takes trial and error.
I would expect over time for them to correct their systems and properly service smaller mid-range customers like me.
0 - The handler doesn't send out via Pushover any message that contains words we're unlikely to use; Facebook is one, for example. If a message isn't forwarded via push notification, it is emailed to the sysadmin list for one of us to manually look at during daytime hours.
Support with them is significantly better but if I remember correctly pricing is around $1k/mo minimum (which was more than worth it in our case).
Best of luck to you.
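The word filter described in the comment above, sketched as an added example that is not part of the original thread or anyone's production handler. The word list, sender numbers and function names are assumptions, and the check on links from unknown senders goes beyond what the comment describes.

```python
import re
from dataclasses import dataclass, field

# Assumption: words this business never expects in a legitimate inbound text.
UNLIKELY_WORDS = frozenset({"facebook", "paypal", "suspension", "verify"})
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Decision:
    action: str                       # "push" or "email_review"
    reasons: list = field(default_factory=list)


def triage_inbound_sms(sender, body, trusted_senders=frozenset()):
    """Decide whether an inbound SMS is relayed or held for manual review."""
    reasons = []
    words = set(re.findall(r"[a-z0-9]+", body.lower()))
    hits = sorted(words & UNLIKELY_WORDS)
    if hits:
        reasons.append("unlikely words: " + ", ".join(hits))
    # Extension beyond the comment: hold links sent by numbers we do not know.
    if sender not in trusted_senders and URL_RE.search(body):
        reasons.append("link from unknown sender")
    return Decision("email_review" if reasons else "push", reasons)


def _defang(match):
    # Make the link unclickable in the review e-mail.
    return match.group(0).replace("http", "hxxp").replace(".", "[.]")


def review_email_body(sender, body, decision):
    """Render a held message for the sysadmin list with its links defanged."""
    held = URL_RE.sub(_defang, body)
    return f"Held SMS from {sender} ({'; '.join(decision.reasons)}):\n{held}"


# The phishing text quoted in the original post; the sender is constructed.
PHISH = ("Your Facebook account has been placed on hold for verification. "
         "To avoid account suspension, Please visit: https://opensopstat.com/")
UNKNOWN = "+15555550100"

if __name__ == "__main__":
    decision = triage_inbound_sms(UNKNOWN, PHISH)
    print(decision.action, decision.reasons)
    print(review_email_body(UNKNOWN, PHISH, decision))
```

Held messages never leave through the SMS provider, so nothing that looks like phishing is sent from the account.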
What you are describing is tech support.
Also:
> I don't need tech support, I just need someone to call, explain the situation to, and have them click a button.
What do you think tech support is?
All data was lost, number IDs, account IDs all completely different. It took us a LOT of dev hours to update everything, whilst losing some of our customers. Twilio is cheap, fun and dev friendly until they mess up, then you're on your own.
As another small biz, I've had very good experience with Phone.com over the past several years. Prompt and solid tech support the few times I need it (mostly for configuration and 'is there a way to do this peculiar thing?' questions), and mostly just works.
They're trying to offload the problem onto Twilio which then winds up passing that onto their customers.
Of course solving the abuse problem means spending money to cut off the revenue they actually see from the scammers sending texts. They'll never be incentivized to do anything about it unless the government were to make them an offer that they couldn't refuse.
That'll never happen though because the government is bought off by corporate lobbyists, so we will continue to evolve into more and more of a third world scam economy.
If the first, Twilio should fix this bug in their system; if the second, then they should maybe have some process of setting up employee phone numbers in their system so the shutdown process does not happen. At any rate, both scenarios should be common enough that they should have a process to handle that.
Unfortunate outcome though. Automated banning is always frustrating.
https://gdpr-info.eu/art-22-gdpr/
> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Quote this and maybe it will get you escalated, but who knows? A lot of companies seem to just ignore GDPR entirely.
Well, maybe next time you get somebody that implements a standard.
With that kind of behavior (not letting you speak to anybody, the blocking is understandable), it's clear you shouldn't keep their services. So, you now have an opportunity to do it right, and make the next move cheaper.