Worked on a bunch of SMS apps including a big one for samples/notifications and it was insane how the approval process was for the short code and all the support you need around it.

I am always amazed that scammers get around all of that. A weak platform could do that if they were allowed or essentially white listed then play plausible deniability about moderating these.

SMS was built off of the network diagnostic codes/network and so they regulate it heavily. The only way these scams are working is due to piggy backing on something that has the ability to spin up new shortcodes without much oversight.

Yeah not sure because if I tell my PBX to send an unverified from header my calls through twilio fail. I have to verify any number I use.

I've written appointment reminder software that leverages one of Twilio's competitors (Signalwire) for delivery and they seem to do just fine in things like this. In testing use cases, I have to prove ownership of both sending and receiving phone number. They also require all SMS messaging campaigns to be registered as per FCC requirements. I know they filter it too, because when the FCC rule went into effect I hadn't received notification yet, and my first clue was everything suddenly showing up in the logs as being blocked.