1. Check if the phone number is syntactically correct. All mobile numbers in Russia start with +79 and are exactly 11 digits long. Validation can even be added to the web form at the js level. It's not exactly bully-proofing, but it will weed out real errors and typos, making life easier for regular users.
2. Punch the number according to the Rossvyaz base (file DEF-9xx). So you will determine the numbers to which 100% will not be delivered. Unlike syntax checking, don't give the user an invalid number response. Reply to all numbers "One-time code sent, enter it here", but do not send a message to invalid numbers.
3. Add a limit on the number of forms sent per minute from one IP and the number of messages sent to the same number (regardless of IP).
4. Estimate how many forms can be sent per day and put a total limit on all SMS sent per day. This is the only real way to control the budget drain attack. Yes, real users will suffer when the limit is reached, but you should not bring it to it - set up monitoring of the number of sent SMS and alerting when the threshold is reached at 90% of the limit, so that you have time to react to the attack and repel it before the limit is completely exhausted. Or if it's a surge of real users (for example, an unexpectedly successful reaction to an ad), then you will have time to adjust the limit. You can calculate the limit as 2 * the average number of SMS sent over the last X days, so that you do not have to edit it manually as attendance grows naturally. Of course, you can choose the formula and percentage for alerting according to your requirements.
Separately, I want to talk about the so-called direct mobile numbers. They look like city phones (for example, +7495), but in reality they are mobile and can receive text messages. The check in point 1 does not pass such numbers and there is no way to check whether a given city number is a direct mobile number without sending an SMS. There are few direct numbers compared to real mobile or real landline numbers. In addition, each direct number has a mobile counterpart starting with +79, which the user can use to register. Therefore, I propose to simply forget about direct numbers, and in case of complaints about the impossibility of registering with a direct number, talk about the existence of a mobile analogue,
Mandatory email requirement will not strengthen the protection scheme, since it is not a problem to stamp real addresses with a script that automatically clicks on confirmation links in incoming emails.
An alternative option is to rent an incoming room. In this case, you do not send messages to users, but they send you. Usually, a fixed fee per month is charged for an incoming number, regardless of the number of SMS, so you don’t have to worry about the budget in principle. But then you will have users with a disabled SMS service in flight. And there are many, I can say. Thanks to internet messengers.