Abuse scenarios

Retell AI has implemented many mechanisms to prevent bad actors from using our agents to conduct malicious activities. But there are cases where bad actors on the other side pretend to be a customer and abuse the agents you set up. This is usually a form of International Revenue Sharing Fraud (IRSF): the attackers are incentivized because they receive kickbacks from carriers when they direct traffic to them. Common abuse scenarios include:
  • Making excessive outbound calls, usually to non-US numbers, either via your phone call widget or form submission. They usually rotate the destination phone number and use a real human recording to avoid being detected.
  • Sending outbound SMS messages (even 2FA SMS), usually to non-US numbers.
  • Making a large number of unwanted inbound calls to a number that you made public. This is less common, as it usually does not bring them kickbacks.
  • Using robots to spam your chat widget. This is less common, as it usually does not bring them kickbacks.

Abuse prevention

Here are a few high-level rules of thumb to prevent abuse; we dive into more details below:
  1. Never expose your API key to the public; always use the public key in the frontend.
  2. If your API key is exposed, always rotate and revoke the key.
  3. Always use reCAPTCHA if possible to prevent bots from abusing your endpoints.
  4. Only allow the functionalities or regions that you need.
  5. Implement rate limiting (number-based, IP-based, etc.) for your endpoints if necessary.
  6. Have a user identification mechanism (KYC measures) in place if necessary.
  7. Include a prompt in your agent that can detect unrelated calls and hang up quickly.

Protecting outbound calling / chatting capabilities

There are two ways to secure the calling / chatting capabilities that you expose to the public:
  • Have your own user access management system, and keep the Retell API calls to your backend only.
  • Use the Retell widgets to embed the calling / chatting capabilities into your website. It is highly recommended to enable reCAPTCHA to prevent bots from abusing your endpoints.

Protecting inbound calling

When a number is made public, it is possible to receive unwanted traffic. You can set up an inbound webhook to detect and block unwanted traffic based on the incoming number.
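The following is an added example, written for this page rather than taken from Retell's own code or SDK, of the backend-side checks described above: the region allowlist and number/IP rate limiting from the rules of thumb (items 4 and 5), the "keep the Retell API calls to your backend only" approach for outbound calling, and the inbound-webhook decision based on the incoming number. The country allowlist, limits, blocklist entry, phone numbers and timestamps are constructed values for illustration; the code takes the client IP and the E.164 phone number as plain strings, so it makes no assumption about the shape of Retell's request or webhook payloads. Your backend would run OutboundGuard.check before it calls the Retell API, and InboundGuard.check inside the webhook handler before accepting a call.

```python
import re
import time
from collections import defaultdict, deque

# Policy values for this example only (constructed, not Retell defaults).
ALLOWED_COUNTRY_CODES = {"1"}        # only destinations in the +1 region are allowed
OUTBOUND_PER_IP = (5, 3600)          # at most 5 call requests per client IP per hour
OUTBOUND_PER_DEST = (2, 86400)       # at most 2 calls to the same destination per day
INBOUND_PER_CALLER = (3, 600)        # block a caller after 3 inbound calls in 10 minutes
BLOCKED_CALLERS = {"+15550000001"}   # constructed blocklist entry

# E.164: leading '+', first digit 1-9, at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def country_code(number):
    """Return the allow-listed country code prefix of an E.164 number, or None."""
    # Country codes are 1 to 3 digits; try the longest prefix first.
    for n in (3, 2, 1):
        prefix = number[1:1 + n]
        if prefix in ALLOWED_COUNTRY_CODES:
            return prefix
    return None


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # key -> timestamps of recent events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class OutboundGuard:
    """Checks a call request before the backend asks Retell to place the call."""

    def __init__(self):
        self.per_ip = SlidingWindowLimiter(*OUTBOUND_PER_IP)
        self.per_dest = SlidingWindowLimiter(*OUTBOUND_PER_DEST)

    def check(self, client_ip, dest_number, now=None):
        """Return (allowed, reason)."""
        now = time.time() if now is None else now
        if not E164.match(dest_number):
            return False, "invalid number format"
        if country_code(dest_number) is None:
            return False, "destination region not allowed"
        # The IP slot is consumed before the destination check, so a client that
        # hammers one destination still burns its own per-IP budget.
        if not self.per_ip.allow(client_ip, now):
            return False, "per-IP rate limit exceeded"
        if not self.per_dest.allow(dest_number, now):
            return False, "per-destination rate limit exceeded"
        return True, "ok"


class InboundGuard:
    """Decides whether an inbound call from a given caller ID should be accepted."""

    def __init__(self):
        self.per_caller = SlidingWindowLimiter(*INBOUND_PER_CALLER)

    def check(self, from_number, now=None):
        """Return (allowed, reason); use the result to accept or reject in the webhook."""
        now = time.time() if now is None else now
        if from_number in BLOCKED_CALLERS:
            return False, "caller on blocklist"
        # Policy choice for this example: reject calls without a usable caller ID.
        if not E164.match(from_number):
            return False, "missing or malformed caller id"
        if not self.per_caller.allow(from_number, now):
            return False, "caller exceeded inbound rate limit"
        return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000.0   # constructed timestamp
    guard = OutboundGuard()
    print(guard.check("203.0.113.7", "+14155550123", t0))     # (True, 'ok')
    print(guard.check("203.0.113.7", "+4915112345678", t0))   # (False, 'destination region not allowed')
    inbound = InboundGuard()
    print(inbound.check("+15550000001", t0))                  # (False, 'caller on blocklist')
```

The limiter is in-process memory, which is enough to show the logic; a deployment with several backend instances would keep the same per-key counters in a shared store so that a client cannot reset its budget by hitting a different instance.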