Irina Ionescu
17 Nov 2025 / 10 Min Read
We interviewed Paul Nicholson, Director, Business Growth at TMT ID, about the most common types of mobile fraud in 2025 and how mobile authentication security can be improved without adding unnecessary friction for legitimate customers.
Fraud became more human and more industrial at the same time. On the human side, we saw a surge in social engineering, people being persuaded, pressured, or tricked into giving up access. On the industrial side, we saw automation at scale, with emulator farms leveraging thousands of phones to create fake accounts, exploit promos, and launder proceeds.
The two pain points that really stood out were SIM swaps and call forwarding. If a scammer can convince a carrier representative to move your number to a new SIM or quietly flip on call forwarding, they don’t need to ‘hack’ your device. Instead, they intercept the one-time codes and step through your defences in a clean, fast, and legitimate manner because the right codes were used.
We also saw more sophisticated synthetic identities. Since they are stitched together from real data and not obviously fake, they can pass surface-level checks. Combine that with recycled numbers, where a brand-new customer inherits a phone number with a history, and you get onboarding that is tricky to manage without false declines.
Another pain point is the industry’s long-standing reliance on SMS OTPs – they are familiar, easy to roll out, and work in almost all cases. However, they are also easy to phish, can be intercepted, and delivery is not guaranteed in every market or network condition. The other concern is the ‘one and done’ mindset, where a strong check is only done at signup. Risk doesn’t freeze after day one – a SIM swap can happen an hour later, and a device can change tomorrow. If we are not looking continuously, we miss fast-moving threats.
Finally, when teams look at just one slice of data – be it the device, the IP, or the phone record – they miss the context that separates a genuine customer with a quirk from a coordinated attack.
You should keep the experience effortless for good customers and save the friction for the moments that genuinely look risky. You can do that by shifting as much as possible into silent checks in the background, with carrier-level signals being a great example. Without the user experiencing any friction, you can see whether the SIM changed recently, whether call forwarding is on, whether the line is active, and whether the number’s tenure looks stable. These represent high-value signals that don’t slow anyone down.
On the device side, we now benefit from better tools. Modern phones can prove continuity, using device-bound keys and OS-level attestation. Passkeys also represent a real step forward for login and high-value actions, as they are considered fast, resistant to phishing, and able to eliminate a large category of user error. However, you can still support app push or an authenticator for fallback, with SMS kept as the last line rather than the first.
In practice, if the risk posture looks normal, allow a customer to authenticate with a passkey or a silent device check. If something looks off, you can escalate sensibly – push, authenticator, and SMS where it is necessary. The nuance is in orchestration, deciding in real time how much friction to apply based on the full picture across carrier, device, behaviour, and context. Consider building trust progressively as opposed to putting every user through every check on day one. As customers do more with you, raise limits, change sensitive settings, or transact larger amounts, based on your set of rules.
You should also consider the local aspect of the problem, as number portability, roaming patterns, and SMS delivery vary by market. A policy that is perfect in one country might be noisy in another. Tuning by region also pays off – fewer false positives, fewer unnecessary step-ups, and the same or better fraud outcomes.
Carrier data is a high-confidence sense check that plugs straight into what you already have. It answers practical questions that matter at the exact moment you are deciding to trust someone. Did the SIM change in the last few hours or days? Is call forwarding turned on? How long has this number been active, and on what kind of plan? Is the line reachable right now? Does the number belong to the device the user is holding? And does the network location line up with the device location and what the customer told you?
None of this data is a magic bullet on its own. But combined with your device intelligence and behavioural patterns, it can provide a clear picture of a customer’s intentions. A long-tenured number with no recent SIM activity and no forwarding is a strong signal of stability. A brand-new number with a fresh SIM change might be perfectly legitimate, but that’s exactly where you want to add a light step-up, confirm a detail, or throttle sensitive actions until you have more history.
Operationally, this lands in your risk engine and your journey logic. You normalise signals across carriers, fuse them with device and behavioural data, and make decisions in real time. You also keep learning, feed confirmed fraud and confirmed good outcomes back into the system, so your thresholds improve. And you stay privacy-first. Collect only what you need, use it for clear purposes, and respect consent and data-use rules by country. That’s not just a compliance box to tick, it’s part of maintaining customer trust.
Real-time risk represents the difference between making customers wait and saying yes immediately. Most of these checks complete in less than a second and, if everything looks normal, the customer never feels them. If something’s off, you catch it before the first transaction, which is where the cost of mistakes is highest.
The patterns that consistently signal a legitimate user are stability and consistency. An older number with no recent SIM changes and no call forwarding is a positive. When the address, device locale, carrier country, and IP align, you feel confident. The strongest proof of possession is a device-bound key, ideally confirmed by the carrier that the number truly belongs to that device. That combination, device continuity plus network truth, makes it very hard for attackers to impersonate a customer without tipping their hand.
In my opinion, onboarding is the first chapter in a longer trust story. On day one, you confirm the essentials – the device, the phone number, and the basic consistency of signals. Over the first month, you should keep scoring meaningful events, including logins, changes, and transactions. If the pattern stays clean, you can consider reducing friction. If signals deteriorate or you see a sudden device change, forwarding toggled on, or behaviour that looks out of profile, reinstate friction temporarily and ask the user for extra proof. That way, you won’t punish good customers, and you reserve the tough checks for the small percentage of sessions where they’re warranted.
When companies do this well, a few things happen. First, signup conversion improves because more people go straight through without an OTP prompt. Second, support tickets about never receiving a code drop because you’re not depending on SMS for routine flows. Third, account takeovers tied to SIM swaps and call forwarding decline noticeably, because the window for attackers to operate quietly gets much smaller. Finally, the experience feels consistent. Customers don’t get bounced around or asked for codes at random; when you do ask for something, it’s clearly tied to a higher-risk moment.
The future of mobile authentication is about context and timing. Use high-trust signals from the carrier and the device. Make decisions in real time. Build trust progressively and keep the experience simple for most of your customers. This is how you raise your defences without raising your abandonment rate.
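The orchestration the interview describes (silent carrier checks first, a friction ladder of push, authenticator and SMS only where warranted, tuning by market, and SMS kept as the last line) carried into a small rule-based decision engine. This is an added example, not code from TMT ID, from The Paypers, or from Paul Nicholson: the signal names, weights, thresholds, region codes and per-market policy values are constructed assumptions chosen to illustrate the approach, not production values.

```python
"""Step-up orchestration over carrier, device and context signals.
Added example, not TMT ID's code: signal names, weights, thresholds and
per-market policies below are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Fixed clock so the example is reproducible (constructed).
NOW = datetime(2025, 11, 17, 12, 0, tzinfo=timezone.utc)


def hours_ago(hours: float) -> datetime:
    return NOW - timedelta(hours=hours)


class Step(Enum):
    SILENT = "passkey or silent device check"  # customer feels nothing
    PUSH = "app push approval"
    AUTHENTICATOR = "authenticator app code"
    HOLD = "throttle the action and ask for extra proof"


@dataclass
class Signals:
    sim_changed_at: Optional[datetime]     # None: carrier has no SIM change on record
    call_forwarding_on: bool
    line_active: bool
    number_tenure_days: int
    carrier_country: str
    device_locale_country: str
    ip_country: str
    device_bound_key_ok: bool              # device proved continuity with a bound key
    number_matches_device: Optional[bool]  # carrier-confirmed binding; None = unknown


# Constructed per-market tuning: what counts as a "fresh" SIM change and an
# "established" number differs by market, as the interview's regional point suggests.
REGION_POLICY = {
    "default": {"sim_fresh_hours": 72, "tenure_min_days": 90},
    "GB": {"sim_fresh_hours": 48, "tenure_min_days": 60},
    "RO": {"sim_fresh_hours": 120, "tenure_min_days": 120},
}


def sim_recently_changed(s: Signals, region: str = "default") -> bool:
    """True when the carrier-reported SIM change falls inside the market's window."""
    if s.sim_changed_at is None:
        return False
    policy = REGION_POLICY.get(region, REGION_POLICY["default"])
    return NOW - s.sim_changed_at <= timedelta(hours=policy["sim_fresh_hours"])


def assess(s: Signals, region: str = "default") -> tuple[int, list[str]]:
    """Fuse carrier, device and context signals into one score plus reasons."""
    policy = REGION_POLICY.get(region, REGION_POLICY["default"])
    risk, reasons = 0, []
    if s.call_forwarding_on:
        risk += 40
        reasons.append("call forwarding enabled")
    if sim_recently_changed(s, region):
        risk += 35
        reasons.append("recent SIM change")
    if not s.line_active:
        risk += 20
        reasons.append("line not reachable")
    if s.number_tenure_days < policy["tenure_min_days"]:
        risk += 15
        reasons.append("short number tenure")
    if s.number_matches_device is False:
        risk += 30
        reasons.append("number not bound to this device")
    if len({s.carrier_country, s.device_locale_country, s.ip_country}) > 1:
        risk += 15
        reasons.append("country signals disagree")
    # Device continuity plus carrier-confirmed binding is the strongest possession proof.
    if s.device_bound_key_ok and s.number_matches_device:
        risk -= 20
        reasons.append("device continuity confirmed by carrier")
    return max(risk, 0), reasons


def choose_step(s: Signals, region: str = "default") -> tuple[Step, int, list[str]]:
    """Map the fused score onto the friction ladder: silent, push, authenticator, hold."""
    risk, reasons = assess(s, region)
    if risk < 20:
        return Step.SILENT, risk, reasons
    if risk < 45:
        return Step.PUSH, risk, reasons
    if risk < 70:
        return Step.AUTHENTICATOR, risk, reasons
    return Step.HOLD, risk, reasons


def sms_fallback_allowed(s: Signals, region: str = "default") -> bool:
    """SMS stays the last line: never fall back to it while the carrier shows the
    very conditions (forwarding on, fresh SIM) under which a code would be intercepted."""
    return not (s.call_forwarding_on or sim_recently_changed(s, region))


if __name__ == "__main__":
    # Constructed samples: a long-tenured, aligned customer and a six-hour-old SIM swap.
    stable = Signals(None, False, True, 400, "GB", "GB", "GB", True, True)
    swapped = Signals(hours_ago(6), True, True, 400, "GB", "GB", "GB", False, None)
    for label, sig in (("stable", stable), ("swapped", swapped)):
        step, risk, why = choose_step(sig, "GB")
        print(f"{label}: risk={risk} step={step.value} sms_ok={sms_fallback_allowed(sig, 'GB')} {why}")
```

The same signals can land on different rungs of the ladder depending on the market policy: a number that changed SIM four days ago is inside the constructed RO window but outside the GB one, so the engine asks for a push approval in one market and stays silent in the other. The `sms_fallback_allowed` check is the part worth copying in spirit: an SMS code is only a sensible fallback when the carrier data says the SMS channel itself has not just been redirected.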

Paul Nicholson focuses on making security feel simple. Working across verticals in the UK, Ireland, and EMEA, he centres on what matters to customers – fewer interruptions, clearer choices, and trust earned over time. His perspective blends commercial reality with a healthy scepticism of quick fixes, favouring quiet checks over loud friction and outcomes over buzzwords.
TMT ID helps organisations know who they’re dealing with, in real time. Its mobile number intelligence turns carrier and device signals into simple answers that reduce fraud and remove friction. With one API, teams can verify identity, authenticate users, and keep journeys moving without relying on codes. It’s a pragmatic approach to digital trust: fast, global, and built for the way people use their phones today.