by Rastonbury 1898 days ago
How do the fraudsters make money? I'm not familiar with the concept of premium numbers. EDIT: Oh, premium numbers charge the sender.

The fraudsters set up premium numbers with some other telephony provider, possibly in another country. Then they use those numbers to receive 2FA (two-factor auth) passwords (either by SMS or read aloud in calls). Because the defrauded party's servers called those premium numbers through Twilio, the defrauded party has to pay Twilio.

AFAIK there's no easy way to always, securely detect premium numbers. The fraudster can set up a forward from a normal number to a premium one anyway, so checking the number prefix is useless. One could listen for the "After the beep, this call will be billed at X c/min" recording that premium numbers in honest countries have. The fraudsters manage to find less honest premium number providers that skip these.

This is a well enough known issue that Twilio has a page about it: https://www.twilio.com/learn/voice-and-video/toll-fraud

The real fraud here seems to be the telephony industry's concept of a premium number. That there isn't an enforced standardized way to tell that a phone number will incur extra fees to contact is a failure of the industry. This shouldn't be a hard problem.
There is such a system: countries are supposed to report all premium number ranges to the ITU. The problem is that some countries/carriers don't actually do that and then still charge the high amount.

If Twilio wanted to stand up for their customers they would refuse to pay for any premium number that's not in an ITU-registered premium range. It would cause a few lawsuits with telecom carriers, but it would probably end this problem once and for all.

Twilio claims this isn't possible, but most mobile operators offer an option to disable calling premium numbers. So either the providers are very customer friendly and eat the cost (unlikely, it would open them up to huge amounts of fraud) or the mobile operators figured out how to block it or push the cost back to the upstream provider.

Couldn't you just not support SMS 2FA for noncompliant countries, and then check that the number isn't in an ITU-registered premium range?
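The two checks the comments above propose (refuse 2FA delivery to countries the service doesn't support, and refuse numbers inside a registered premium range) as an added Python example. This is not code from the thread, from Twilio, or from any commenter; the country-code table, the supported-country set and the premium prefixes are constructed stand-ins for the ITU data, not the real registry, and the E.164 length bounds are an assumption.

```python
"""Gate outbound 2FA deliveries against toll-fraud destinations.

Added example for the thread above (not code from Twilio or any commenter).
Policy:
  1. normalise the destination to bare E.164 digits;
  2. resolve its country by longest-prefix match on the country code;
  3. refuse countries the service has chosen not to support;
  4. refuse numbers that fall inside a known premium-rate range;
  5. otherwise allow, so the send can proceed.
The tables below are constructed stand-ins for the ITU data, not the
real registry; a deployment would load the current ranges instead.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed: E.164 country code -> ISO country (a handful only).
COUNTRY_CODES: Dict[str, str] = {"1": "US", "44": "GB", "49": "DE", "7": "RU"}

# Constructed policy: countries whose carriers this service will deliver to.
SUPPORTED_COUNTRIES: Set[str] = {"US", "GB", "DE"}

# Constructed premium-rate prefixes in E.164 digit form (no leading '+').
# "449" stands in for UK 09xx numbers, "1900" for NANP 1-900 numbers.
PREMIUM_PREFIXES: Set[str] = {"449", "1900", "4990"}

# E.164 allows at most 15 digits; anything shorter than 8 is treated as junk
# (the lower bound is an assumption, not a standard value).
_E164_MIN, _E164_MAX = 8, 15


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str              # "ok", "malformed", "unsupported_country", "premium_range"
    country: Optional[str]   # resolved ISO code, or None if unknown
    digits: str              # normalised number, empty when malformed


def normalise(raw: str) -> str:
    """Return the bare international digit string, or '' if unusable."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("00"):          # international dialling prefix
        digits = digits[2:]
    if not (_E164_MIN <= len(digits) <= _E164_MAX):
        return ""
    return digits


def resolve_country(digits: str) -> Optional[str]:
    """Longest-prefix match of the leading digits against the country table."""
    for width in (3, 2, 1):
        code = COUNTRY_CODES.get(digits[:width])
        if code:
            return code
    return None


def in_premium_range(digits: str) -> bool:
    """True when the number starts with any registered premium prefix."""
    return any(digits.startswith(p) for p in PREMIUM_PREFIXES)


def vet_destination(raw: str) -> Decision:
    """Decide whether a 2FA code may be sent to `raw`; never raises."""
    digits = normalise(raw)
    if not digits:
        return Decision(False, "malformed", None, "")
    country = resolve_country(digits)
    if country not in SUPPORTED_COUNTRIES:     # also catches unknown (None)
        return Decision(False, "unsupported_country", country, digits)
    if in_premium_range(digits):
        return Decision(False, "premium_range", country, digits)
    return Decision(True, "ok", country, digits)


if __name__ == "__main__":
    # Constructed sample destinations.
    for number in ["+44 7700 900123", "+44 909 879 0879", "+1 900 555 0100",
                   "+7 495 000 0000", "0049 30 12345678", "12345"]:
        d = vet_destination(number)
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{number:>18} -> {verdict:5} {d.reason} ({d.country})")
```

Refusals are returned as data rather than raised so the caller can count them per country and per prefix; a sudden spike of blocked sends toward one range is the earliest signal of a fraud campaign. As the thread notes, a forward from a normal number to a premium one is invisible to a prefix check, and the premium table only helps when it is refreshed from the registry.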
Wow. That's a lot of words for Twilio to say "we won't help you mitigate toll fraud".
> the fraudsters can set up a forward from a normal number to a premium number

Doesn't this mean that your call from Twilio to the normal number would be charged at your usual rate, and the fraudster would pick up the cost for the forwarding?

> The fraudster can setup a forward from a normal number to a premium one anyway. So checking number prefix is useless.

Would the forwarding party not have to pay the premium rate part in this case?

Yes, in all telco systems I know the one that sets up call forwarding pays for the part from forwarder to destination.
I think most consumer telephony companies let you block calling premium numbers, so presumably Twilio could just ask their telephony provider to do so.
Sucks. But then again, anything that puts a nail in the coffin of SMS/voice call 2FA is probably for the best. I feel bad for the genuine uses of phone tech that are targeted, though.