Preventing OTP auth sign in abuse?

I'm using phone numbers with OTP to log users into my app. This requires an SMS to be sent for each login attempt. I'm concerned that a malicious user could abuse the signin() endpoint costing me a lot of money. What's the right way to prevent that from happening?