Postscript has taken a product-led approach to protecting the integrity of our merchants' subscriber lists. We’ve added updates to our platform to help keep merchants safe from spamming attacks and their lists devoid of bots and/or fake subscriber numbers.
In addition to requiring double opt-in for our merchants, Postscript has also implemented a Double Opt-In Allow List that sets specific country guardrails for double opt-in messages. If a subscriber outside of the defined list requests to opt in, they won't receive the confirmation opt-in message from your brand (e.g. "Reply Y to subscribe"). By removing that next required step in signing up for text messages, Postscript prevents unwanted spam and fake subscribers.
This article discusses what spamming attacks may look like, how our Double Opt-In Allow List feature defends merchants, and what to do if you need to add additional countries to your allow list.
Identifying Spam Attacks
When a merchant is being spammed by a cyber attacker, they may experience double opt-in messages being sent at unusually high volumes - especially in relation to opt-in messages.
A double opt-in message (sometimes called confirmed opt-in) refers to the first message subscribers receive after opting into your SMS program. This message reads:
Shop Name: Reply Y to subscribe to recurring automated promotional msgs (e.g. cart reminders). Msg & data rates may apply.
An opt-in message refers to the message a subscriber receives after they reply Y to the double opt-in message. This message reads:
You've subscribed to Shop Name. Msg & data rates may apply. Msgs are recurring. Reply STOP to unsubscribe, HELP for help
You can see the send volume for each of these messages in your analytics tab. Without a Double Opt-In Allow List, if an attacker had targeted a merchant, there would have been a large delta between the volume of double opt-in messages and the volume of opt-in messages within a short timeframe (less than 24 hours).
Understanding Postscript's Solution
In addition to requiring double opt-in for merchants, Postscript has also implemented a Double Opt-in Allow List. Subscribers based in countries that are not on the Double Opt-In Allow List cannot receive a double opt-in message from your brand.
By default, Postscript’s Double Opt-In Allow List includes 26 countries from which subscribers can receive a double opt-in message. Those countries are determined by subscriber phone number and include:
Australia, Austria, Belgium, Brazil, Canada, France, Germany, Guersnsey/Jersey, Ireland, Isle of Man, Italy, Japan, Korea, Malta, Mexico, Portugal, Puerto Rico, South Africa, Spain, Sweden, Switzerland, the United Kingdom, the United States, and the Virgin Islands.
Additional Resources
- Have ideas or feedback to send the Postscript team? We'd love to hear it! Learn how to send your feedback and ideas here.
- Curious how Postscript helps you stay compliant when it comes to subscriber opt outs? Learn more in our Subscriber Opt-Out Compliance article.
- Did you know Postscript recognizes "fuzzy opt outs"? In our How Postscript Protects Your Shop with Automatic Subscriber Removals article, we discuss fuzzy opt outs and more.
Get Support
Have questions? Please feel free to reach out to our wonderful Support team at support@postscript.io or via live chat. You can also submit a support request here!
Need ongoing channel strategy guidance? Please fill out this form and we'll connect you to one of our certified partners.