What are flash calls and are they a valid verification method?

Flash calls offer a cost-effective and theoretically low-friction method of authenticating mobile numbers, but there is more than one catch. Here we discuss how they work and compare them directly with A2P SMS as a verification method.


What is a flash call?

A flash call is a near-instant dropped call that is automatically placed to a mobile number, usually as part of an authentication process known as flash call verification or missed-call authentication.

Flash call verification is used as a cost-effective authentication solution and is particularly popular in countries where SMS and mobile phone calls are comparatively expensive.

By default, no termination fee is charged for the call, as it is not answered and is simply recorded as a missed call in the phone’s log.

How does flash call verification work?

Flash calls are different to other forms of verification because they allow a number to be verified without the mobile user having to take any action. This comes with its own set of problems, which we will cover later.

Flash call verification is usually used when a mobile user is registering for a service, installing an app, or doing anything that requires them to provide a valid mobile phone number to complete the process.

Unlike most conventional 2FA solutions that usually require the person to manually enter a code that is sent to them by SMS, the process uses some of the digits from the incoming calling number as the passcode.

This is all done programmatically using APIs and is extremely simple:

  • A user enters their phone number into an app
  • The server places a very short outbound call to that number
  • The phone rings briefly (the ‘flash’) before the server ends the call
  • The app reads the incoming number from the phone’s call log and matches it against the server’s known numbers
  • The user is notified via prompts on their mobile screen that the verification process has been successful, and that no further action is required.
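
The flow above, sketched from the server's side as an added example (not code from the original article or from any provider's API). It assumes the app reports the observed caller ID back to the server, that the last four digits act as the passcode, and that each session gets a randomly chosen caller ID with an expiry and an attempt limit; the pool, function names and constants are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed pool of caller IDs owned by the verification service (fictional range).
CALLER_POOL = [f"+44207946{n:04d}" for n in range(1000)]
CODE_DIGITS = 4    # assumption: the last four CLI digits act as the passcode
TTL_SECONDS = 60   # assumption: how long one flash call stays valid
MAX_ATTEMPTS = 3   # assumption: guesses allowed per session

_pending = {}      # session_id -> expected digest, expiry, attempt counter


def _digest(session_id, digits):
    # Store a session-bound digest instead of the raw expected digits.
    return hashlib.sha256(f"{session_id}:{digits}".encode()).digest()


def start_verification(msisdn, now=None):
    """Choose a random caller ID for this session and record what the app must report."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(16)
    caller_id = secrets.choice(CALLER_POOL)
    _pending[session_id] = {
        "msisdn": msisdn,
        "expected": _digest(session_id, caller_id[-CODE_DIGITS:]),
        "expires": now + TTL_SECONDS,
        "attempts": 0,
    }
    # A real service would now place the dropped call from caller_id to msisdn.
    return session_id, caller_id


def check_verification(session_id, observed_cli, now=None):
    """Check the CLI the app read from the call log against this session's expectation."""
    now = time.time() if now is None else now
    rec = _pending.get(session_id)
    if rec is None:
        return "unknown_session"
    rec["attempts"] += 1
    if now > rec["expires"] or rec["attempts"] > MAX_ATTEMPTS:
        del _pending[session_id]
        return "expired" if now > rec["expires"] else "locked"
    digits = "".join(c for c in observed_cli if c.isdigit())[-CODE_DIGITS:]
    if hmac.compare_digest(_digest(session_id, digits), rec["expected"]):
        del _pending[session_id]  # single use: a verified session cannot be replayed
        return "verified"
    return "mismatch"
```

Picking the caller ID per session, rather than accepting any number from a fixed list, means a call from a known service number only counts for the session that expects it.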

On paper, this does sound like a simple and effective authentication method, but on closer analysis a business may decide that the negatives outweigh the ease and cost effectiveness of the method.

Comparing the pros and cons of flash calls

The upsides

  • Speed: Flash calls typically arrive within one to three seconds. When they work, they are the fastest verification method available.
  • Cost: Per-verification cost can be 30% to 70% lower than SMS in many markets, since the call is never connected.
  • Conversion rates: Because there’s nothing for the user to read or type, drop-off rates during sign-up are lower. Success rates of 90% to 98% are common, compared to 70% to 85% for SMS in some regions.
  • No spam filtering: SMS can be caught by carrier spam filters, banking firewalls, or ‘unknown sender’ categories, whereas flash calls are not inhibited in this way.

The downsides

Despite the speed, flash call verification has real problems that make it unsuitable as a primary verification method, especially for businesses that need reliability at scale.

1. Inconsistent delivery

In many countries, voice call setup via SS7 is slower than SMS. Network congestion, roaming status, and carrier infrastructure all affect whether a flash call arrives quickly, or at all. Timeouts are common in regions with poor voice call infrastructure.

2. Roaming and international users

This is one of the most underappreciated issues. Users who are roaming internationally are charged for incoming calls. A verification method that costs your customer money before they’ve even created an account makes a poor first impression. It also disproportionately affects the people most likely to need global verification – business travelers, expats, and international workers.

3. SS7 vulnerabilities

SS7 (Signaling System 7) is the legacy protocol that underpins global telecom networks. It predates modern security by decades. Attackers with SS7 access can:

  • Intercept the flash call and redirect it to a device under their control
  • Spoof the incoming caller ID, making a fraudulent call appear to come from the legitimate verification server

Flash calls are not immune to the same fundamental telecom security weaknesses that impact the wider ecosystem.

4. User disruption

Some users find flash calls intrusive. They can be confused or suspicious of an unsolicited call from an unknown number, especially when they receive many spam and scam calls. This is no way to build trust with a new customer.

5. Device and network incompatibility

Flash calls don’t work reliably on VoIP numbers, landlines, some dual-SIM configurations, or older devices. The technique is most reliable on Android, where the operating system allows apps to read incoming call data. On iOS, Apple’s restrictions mean users may need to grant permission manually, undermining the low-friction experience that flash calls are meant to deliver.

Flash calls vs. A2P SMS verification

A2P SMS (application-to-person messaging) is the standard method for sending one-time passwords and verification codes.

Unlike flash calls, the process requires the user to take an action to complete verification, i.e. enter the code that they have received, but it comes with advantages that make it the preferred option for most businesses.

To choose which option is right for your business you should compare all criteria.

| Criteria | Flash calls | A2P SMS |
| --- | --- | --- |
| Device support | Limited (fails on VoIP, landlines, some dual-SIM, older devices) | Universal on any mobile phone with cellular service |
| International users | May charge users for incoming calls while roaming | No cost to the recipient |
| User experience | Passive (no user action required when it works) but phone does ring | SMS arrives and code must be entered manually |
| Delivery reliability | Inconsistent (carrier-dependent, timeouts common) | Reliable with proper A2P routing infrastructure |
| Security | Vulnerable to SS7 attacks and caller ID spoofing | Encrypted A2P routes available; OTP with expiry |
| Cost | Low per-verification (but variable) | Predictable per-message pricing |

Reliability

The most important distinction is reliability. A2P SMS, when routed through proper providers, offers consistent global delivery with predictable pricing and universal device coverage. It does not require users to have specific operating system permissions enabled, does not charge users for incoming calls, and works on virtually every mobile phone with a cellular connection.

Conversion rates

Flash calls achieve higher conversion rates in some scenarios because the verification process requires no user action. The trade-off is that when they do fail due to roaming, network congestion, or device incompatibility, the failure is silent, and the user may not even know something went wrong.

Security

There are often claims that SMS is not secure. We know that (unlike most OTT messaging) there is no end-to-end encryption for SMS services (mainly as MNOs are obliged to provide lawful intercept services). However, this same limitation applies to Flash Call as the CLI (which contains the sensitive OTP digits) is not end-to-end encrypted either.

With further analysis we can see that Flash Call has additional weaknesses when compared to A2P SMS. Flash Call delivers the OTP as part of the CLI metadata whereas OTP is delivered as part of the message text for A2P SMS. Thus, the OTP has better protection from unauthorized discovery in jurisdictions where SMS message content is protected by data privacy regulations.

Should an MNO wish to monetize Flash Call delivery, then there is an equal threat of them being delivered via grey routes (e.g., international interconnect, SIM box devices, etc.). Such grey routes can only be eliminated by an effective voice filtering solution, and with the creation of “white routes” via dedicated connections between MNOs and legitimate Flash Call providers.

| Fraud type | Impact | A2P SMS | Flash call |
| --- | --- | --- | --- |
| SIM swap | Fraudsters can sign in to an app on the swapped SIM and hijack the victim’s social media / OTT account. | Vulnerable | Vulnerable |
| Intercept | Fraudsters can use an SS7 vulnerability that allows SMS and voice termination calls to be redirected to their system. | Vulnerable | Vulnerable |
| Call forwarding attack | Fraudsters can conduct an illegal call forwarding attack on a victim’s MSISDN, so all calls are forwarded to a phone controlled by the attacker. | Protected | Vulnerable |
| Grey route | Grey route threats emerge once an OTP delivery method is monetized by the MNO. | Vulnerable | Vulnerable |
| CLI spoofing | Fraudsters conducting CLI spoofing attacks may offer flash call services and use spoofed CLIs. | Protected | Vulnerable |
| SIM box | Fraudsters operating a SIM box or SIM farm as grey routes for SMS and voice may also offer Flash Call services. | Vulnerable | Vulnerable |

Customer experience

It is true that with flash calls the customer doesn’t need to copy/paste the received OTP. However, you could also argue that people might get confused and perhaps a bit suspicious when they see the missed call entry in the call log.

This can be mitigated by informing them about the impending missed call, but that immediately starts adding friction to the process. Also, customer consent is required during app installation to access the call log. This means the method only effectively works with Android apps that offer telephony services.

The A2P SMS method can also support the same seamless verification step when the customer provides permission for the app to access their SMS inbox. This allows the app to auto-find the OTP in the A2P SMS message.

Why A2P SMS remains the better choice for reliable verification

For businesses that need to verify users as part of a registration, login, or transaction flow, reliability is the metric that matters most. A verification method that works 95% of the time but fails silently 5% of the time creates support tickets, abandoned registrations, and frustrated customers.

A2P SMS provides:

  • Predictable delivery through established carrier agreements and routing infrastructure
  • Transparent failure modes: If a message doesn’t arrive, the system knows, and a resend or alternative channel can be triggered
  • Universal device support: It is supported on all phone types, network configuration doesn’t matter, and roaming status doesn’t block delivery
  • No cost to the user: Whether at home or abroad, the recipient never pays for a verification message

This doesn’t mean that flash calls have no place. They can serve as a useful secondary or fallback method in markets where SMS delivery is particularly challenging, or as a re-verification mechanism for users who are already successfully authenticated. But for the core use case of reliably verifying a user’s phone number during sign-up or a sensitive transaction, A2P SMS is the best choice.

The impact of flash calls on Mobile Network Operators (MNOs)

We have looked at flash calls from the perspective of businesses considering using them, and from a user experience standpoint, but we haven’t considered the impact on MNOs.

Basically, although flash calls use their infrastructure, they don’t generate any revenue for MNOs – and this is a problem.

When a verification server places a call that rings for one to two seconds and disconnects, no billing event is triggered. The call was never answered, so there’s no call duration to charge. The signaling traffic still uses network resources (i.e. SS7 routing, number lookup, interconnect handoff) but generates no income. Meanwhile, that same traffic is displacing A2P SMS, which is a significant and established revenue stream for MNOs.

Flash call verification traffic is growing particularly fast in markets like India, Southeast Asia, Latin America and Africa – but MNOs in all global markets are being impacted to some extent.

What can MNOs do about flash calls?

To be able to monetize this traffic, MNOs need to get two things in place:

  • They must be able to reliably identify flash calls made via their infrastructure.
  • They need to be able to process voice call set-up traffic in real time so that they can control flash calls: either treating them (via blocking or disruption) as revenue leakage from A2P SMS traffic, or monetizing them with an exclusive partner or a small set of partners.

To be able to treat flash calls in real time, the first step is to introduce voice firewalls. Not only do these detect flash call traffic, but they are also a key tool in preventing fraudulent activity like robocalling and grey routing of A2P SMS traffic.
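
As an added illustration of the identification step (not from the original article and not how any particular voice firewall works), the heuristic below flags A-number prefixes whose traffic has the shape the article describes: unanswered calls that ring only briefly, a rotating CLI suffix, and fan-out to many subscribers. The record fields, thresholds and sample data are assumptions.

```python
from collections import defaultdict

# Assumed thresholds to tune per network; only the ring time is based on the article.
MAX_RING_SECONDS = 3       # article: one to two seconds of ringing; 3 leaves margin
SUFFIX_LEN = 4             # assumption: trailing CLI digits that carry the code
MIN_CALLS = 5              # assumption: minimum volume before a prefix is judged
MIN_DISTINCT_RATIO = 0.8   # assumption: share of distinct suffixes and B-numbers


def find_flash_call_prefixes(records):
    """Return {A-number prefix: call count} for traffic shaped like flash call verification."""
    stats = defaultdict(lambda: {"calls": 0, "suffixes": set(), "b_numbers": set()})
    for r in records:
        if r["answered"] or r["ring_seconds"] > MAX_RING_SECONDS:
            continue  # answered or long-ringing calls are ordinary voice traffic
        s = stats[r["a_number"][:-SUFFIX_LEN]]
        s["calls"] += 1
        s["suffixes"].add(r["a_number"][-SUFFIX_LEN:])
        s["b_numbers"].add(r["b_number"])
    flagged = {}
    for prefix, s in stats.items():
        if s["calls"] < MIN_CALLS:
            continue
        # Verification traffic rotates the CLI suffix and fans out to many subscribers.
        rotating = len(s["suffixes"]) / s["calls"] >= MIN_DISTINCT_RATIO
        fan_out = len(s["b_numbers"]) / s["calls"] >= MIN_DISTINCT_RATIO
        if rotating and fan_out:
            flagged[prefix] = s["calls"]
    return flagged


# Constructed call-setup records (fictional numbers), not real network data.
SAMPLE = (
    [{"a_number": f"+44207946{100 + 37 * i:04d}", "b_number": f"+1555555{i:04d}",
      "ring_seconds": 1 + i % 2, "answered": False} for i in range(6)]
    # One subscriber redialling the same contact: short rings, but no rotation.
    + [{"a_number": "+15555550123", "b_number": "+15555550199",
        "ring_seconds": 2, "answered": False} for _ in range(6)]
    + [{"a_number": "+15555550150", "b_number": "+15555550151",
        "ring_seconds": 12, "answered": True}]
)

if __name__ == "__main__":
    print(find_flash_call_prefixes(SAMPLE))
```

Requiring both rotation and fan-out keeps an ordinary subscriber who redials one contact several times from being flagged, which matters when the outcome is blocking.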

This is where Infobip can help. We have both the technology and compliance expertise to prevent fraud and identify billable calls, without mistakenly blocking legitimate traffic.

While most SMS Firewalls only protect text messages, in order to offer verification over multiple channels, MNOs need to plan and deploy an ‘omnichannel’ firewall supporting SMS, Voice, Signaling and other MNO native channels such as MMS and RCS.
