Retell AI has implemented many mechanisms to prevent bad actors from using our agents to conduct malicious activities. But there are cases where bad actors on the other side pretend to be customers and abuse the agents you set up. This is usually a form of International Revenue Sharing Fraud (IRSF). They are usually incentivized to do so because they get kickbacks from carriers when they direct traffic to them. Common abuse scenarios include:
Making excessive outbound calls, usually to non-US numbers, either via your phone call widget or form submission. They usually rotate the destination phone number and use a real human recording to avoid being detected.
Sending outbound SMS (even 2FA SMS) messages, usually to non-US numbers.
Making a large number of unwanted inbound calls to a number that you made public. This is less common as it usually does not bring them kickbacks.
Using bots to spam your chat widget. This is less common as it usually does not bring them kickbacks.
There are two ways to secure the calling / chatting capabilities that you expose to the public:
Have your own user access management system, and keep the Retell API calls on your backend only.
Use the Retell widgets to embed the calling / chatting capabilities into your website. It’s highly recommended to enable reCAPTCHA to prevent bots from abusing your endpoints.
When a number is made public, it’s possible to receive unwanted traffic. You can set up an inbound webhook to detect and block unwanted traffic based on the incoming number.
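
A number check of the kind the backend-only option and the inbound webhook above both call for, added here as an example and not Retell's own code: your backend runs it on the destination number before asking Retell to place a call, or on the incoming number inside your inbound webhook handler. The names `NumberGate` and `check`, the allowed prefix and the limits are assumptions, and the block calls no Retell API.

```python
import re
import time
from collections import defaultdict, deque

E164 = re.compile(r"^\+[1-9]\d{6,14}$")
# Assumed policy values. "+1" is the whole North American Numbering Plan, not only the US.
ALLOWED_PREFIXES = ("+1",)
MAX_CALLS = 3                 # accepted calls per client per window
MAX_DISTINCT_NUMBERS = 2      # distinct numbers per client per window (catches rotation)
WINDOW_SECONDS = 3600

class NumberGate:
    """Decides whether a call involving `number` may go ahead for `client`."""
    def __init__(self):
        self._history = defaultdict(deque)   # client -> deque of (timestamp, number)

    def check(self, client, number, now=None):
        now = time.time() if now is None else now
        if not E164.match(number):
            return False, "not a valid E.164 number"
        if not number.startswith(ALLOWED_PREFIXES):
            return False, "outside allowed country codes"
        events = self._history[client]
        while events and now - events[0][0] >= WINDOW_SECONDS:
            events.popleft()                 # forget events older than the window
        if len(events) >= MAX_CALLS:
            return False, "too many calls in window"
        distinct = {n for _, n in events} | {number}
        if len(distinct) > MAX_DISTINCT_NUMBERS:
            return False, "too many distinct numbers in window"
        events.append((now, number))         # only accepted calls are recorded
        return True, "ok"

def demo():
    """Runs constructed sample attempts: (client, number, timestamp in seconds)."""
    gate = NumberGate()
    attempts = [
        ("session-a", "+14155550101", 0),
        ("session-a", "+99900000000", 10),    # constructed non-allowed prefix
        ("session-a", "+14155550102", 20),
        ("session-a", "+14155550103", 30),    # third distinct number: rotation
        ("session-a", "+14155550101", 40),
        ("session-a", "+14155550101", 50),    # fourth call inside the window
        ("session-a", "+14155550101", 3601),  # first call has aged out
    ]
    return [gate.check(c, n, t) for c, n, t in attempts]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Key `client` on something the caller cannot cheaply rotate, such as an authenticated user ID from your access management system rather than a browser session alone.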