According to the Federal Trade Commission, telecom fraud accounted for 42% of fraud complaints in 2016, up
from 34% in 2012. These numbers continue to grow, as new technology has led to an onslaught of new telecom
fraud tactics. The latest schemes are difficult to track and investigate because of their frequency, their layers of
anonymity, and their global nature.
This guide will help you learn about the different types of telecom fraud and industry best practices for detection
and prevention.
1. Schemes to Defraud Telecom Service Providers – These schemes are the most complicated, and exploit
telecom service providers using stimulated traffic, SIP trunking, regulatory loopholes, and more.
2. Schemes to Defraud Subscribers – This is simply any scheme that involves gaining access to someone
else’s account to make free phone calls.
3. Schemes Conducted Over the Telephone – Also known as “Phone Fraud,” this category covers all types of
general fraud that are perpetrated over the telephone.
The industry best practice for detecting and preventing this type of telecom fraud is to monitor Call Detail Records
(CDRs) in real time for suspicious traffic or call patterns. To truly shut down fraud, any fraud prevention system
should be combined with call routing technology. NexOSS and SDReporter from TransNexus are currently the only
solutions that combine fraud detection with routing. This means that when suspicious traffic is identified, the
TransNexus programs will automatically change the outgoing calling plans to re-route dangerous traffic, stopping
the fraudulent activity before it gets started.
Those familiar with three-way calling will recognize the inspiration for call transfer fraud.
Call Transfer Fraud Scenario
1. Hacker phone service hacks unsuspecting PBX to make international calls
2. PBX sends SIP INVITE to soft switch
3. Softswitch routes call to international carrier
4. Hacker instructs PBX to blind transfer call to Hacker Phone Service
5. PBX sends SIP REFER to soft switch to blind transfer call to Hacker Phone Service
6. Softswitch sends SIP INVITE to Hacker Phone Service
7. Hacker’s Subscriber speaks to international destination through soft switch.
Most soft switches have no way of tracking a call once it is transferred out of the network, so fraudsters can
generate a significant amount of traffic and revenue for themselves before being caught.
1. Source Network sends a call to a wholesale provider with an incorrect low cost LRN in the SIP INVITE
2. Provider charges the Source Network for a call to the incorrect LRN
3. The provider completes the call
4. The correct LRN for the call is more expensive than expected. The provider loses money, and the Source
Network gets below cost termination.
1. Fraudster phone service hacks an enterprise PBX to make calls to high cost destinations
2. PBX sends SIP INVITE to service provider’s soft switch
3. Service provider routes call to high cost destination
4. Fraudster instructs PBX to transfer call to another high cost destination
5. The fraudster hangs up. The call between the two high cost destinations remains in place.
6. Fraudster shares in the revenue from the fraudulent calls.
7. Fraudster repeats steps 2-6 to set up hundreds or thousands of simultaneous calls
Once the calls are transferred, they stay up until the carrier shuts them down. TransNexus customers report calls
staying up for over 24 hours. On many platforms transferred calls don’t count against concurrent calls, and most
switches won’t cut a call record until the call is over. If the criminal is clever, he will transfer dozens or hundreds of
calls concurrently. They are pinned in the network, and can go unnoticed until it is too late.
1. Fraudster accesses the web interface of a PBX or IVR of a voice mail system, compromises a user’s login
and password, and sets the user’s account to forward calls to a high cost destination.
2. Fraudster calls the compromised number over either the PSTN or VoIP.
3. Compromised PBX forwards the call to the service provider’s softswitch.
4. The service provider switch forwards the call to the high cost destination. The service provider must pay
to complete the fraudulent calls, but rarely receives payment from the enterprise with the compromised
PBX.
5. The fraudster shares in the revenue from the fraudulent calls.
IRSF is characterized by a large number of calls, often with long duration, to a single destination. While it is not
difficult to detect IRSF by examining Call Detail Records (CDRs), by the time you collect the CDRs, the damage has
been done.
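The IRSF signature described above (many calls, often long, from one source to a single destination) can be checked with a sliding window over call records as they arrive. This is an added example, not TransNexus code; the record layout, account names, the constructed 999000 prefix and all thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample CDRs: (start_epoch_s, source_account, dialed_number, duration_s).
# Accounts, numbers and thresholds are illustrative assumptions, not from the guide.
SAMPLE_CDRS = [
    (1000, "pbx-02", "15550100123", 180),
    (1060, "pbx-17", "99900010001", 1500),
    (1090, "pbx-17", "99900010002", 1400),
    (1120, "pbx-17", "99900010003", 1600),
    (1150, "pbx-17", "99900010004", 1550),
    (1200, "pbx-02", "15550100456", 95),
    (1210, "pbx-17", "99900010005", 1450),
    (5000, "pbx-02", "15550100123", 240),
]

def detect_irsf(cdrs, window_s=600, max_calls=4, max_minutes=120.0, prefix_len=6):
    """Flag (account, destination prefix) pairs whose call count or total
    minutes inside a sliding time window reach the given thresholds."""
    windows = defaultdict(deque)  # (account, prefix) -> deque of (start, duration)
    alerts = {}
    for start, account, number, duration in sorted(cdrs):
        key = (account, number[:prefix_len])
        win = windows[key]
        win.append((start, duration))
        # Evict calls that started before the window opened.
        while win[0][0] < start - window_s:
            win.popleft()
        calls = len(win)
        minutes = sum(d for _, d in win) / 60.0
        # Record only the first alert per key so it can drive one routing action.
        if key not in alerts and (calls >= max_calls or minutes >= max_minutes):
            alerts[key] = {"first_alert_at": start, "calls": calls,
                           "minutes": round(minutes, 1)}
    return alerts

if __name__ == "__main__":
    for (account, prefix), info in detect_irsf(SAMPLE_CDRS).items():
        print(f"ALERT account={account} prefix={prefix} {info}")
```

The alert fires on the fourth call from `pbx-17`, before the fifth is placed; ordinary traffic from `pbx-02` to the same prefix stays under both thresholds.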
“IRSF is the most common form of fraud we see,” said Ryan Delgrosso, CTO of Phone Power. “The international
carrier that delivers the last mile is obligated for paying the final destination telco. They charge the carrier that
sent them the call, and the cost flows downhill until you get to the access point that was compromised. Further
complicating matters, these schemes always cross international boundaries making pursuing it from a criminal
perspective almost impossible. Access or retail service providers usually end up eating the costs.”
Traffic Pumping
Have a revenue share agreement between the terminating carrier that stimulates demand
Have a 3 to 1 increase in interstate terminating to originating traffic or 100% traffic growth in a month
year over year.
In this case, authorities can step in and force the terminating carrier to re-file their access tariff with the public
utilities commission within 45 days. Because of the extra traffic, the terminating carrier would no longer be eligible
for the high access fee, and will likely be dropped from the revenue sharing agreement. However, many traffic
pumpers routinely evade regulation.
Criminals can easily use this straightforward technique for International Revenue Sharing Fraud (IRSF). Once they
have the password to an account, it is a simple matter in many Voice Mail systems to exploit the “Call Back”
feature – the feature that allows a user to immediately return a missed call. The criminal calls the phone number,
leaving their IRSF number as the “call back” number. Then, they log in to the account, find their missed call, and
return it, signaling the Voice Mail to initiate a call to their IRSF number. Once the call is connected, a criminal can
attempt to leave it up as long as possible, often hours or days.
There is also an SMS variant of Wangiri fraud that has been reported recently. In this variation, subscribers receive
an SMS message like “Please call me back, this is urgent!” as a way to entice them to return a call.
1. The Fraudster sets up calls to voice subscribers, but hangs up after one ring. This means that the fraudster
isn’t charged for making the calls.
2. Curious subscribers see a missed call on their phones, and return the call, not realizing that the number is
actually a high cost destination.
3. If subscribers are on a flat rate plan, the service provider will be left paying high termination costs with no
corresponding increase in revenue.
4. The Fraudster shares in the revenue from the fraudulent calls.
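The Wangiri steps above leave two traces a provider can correlate: one caller producing many short unanswered rings to different subscribers, and those same subscribers dialing the number back. This is an added example, not code from the guide; the record layouts, subscriber ids, constructed numbers and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed records; numbers and thresholds are illustrative assumptions.
# Inbound attempts: (caller, subscriber, ring_seconds, answered)
INBOUND = [
    ("99900020001", "sub-a", 2, False),
    ("99900020001", "sub-b", 1, False),
    ("99900020001", "sub-c", 2, False),
    ("99900020001", "sub-d", 1, False),
    ("15550100999", "sub-a", 14, True),
    ("15550100999", "sub-b", 3, False),
]
# Outbound calls placed by subscribers: (subscriber, dialed_number)
OUTBOUND = [
    ("sub-b", "99900020001"),
    ("sub-d", "99900020001"),
    ("sub-a", "15550100999"),
]

def detect_wangiri(inbound, outbound, max_ring_s=3, min_targets=4):
    """Return callers that left short unanswered rings with at least
    min_targets distinct subscribers, plus who has already called back."""
    targets = defaultdict(set)
    for caller, subscriber, ring_s, answered in inbound:
        if not answered and ring_s <= max_ring_s:
            targets[caller].add(subscriber)
    suspects = {}
    for caller, subs in targets.items():
        if len(subs) < min_targets:
            continue  # a single missed call is normal traffic
        # Callbacks only count when made by a subscriber who was rung.
        callbacks = sorted({s for s, dialed in outbound
                            if dialed == caller and s in subs})
        suspects[caller] = {"targets": len(subs), "callbacks": callbacks}
    return suspects

if __name__ == "__main__":
    for number, info in detect_wangiri(INBOUND, OUTBOUND).items():
        print(f"suspected Wangiri source {number}: {info}")
```

A flagged number is a candidate for blocking outbound calls to it before more subscribers return the missed call.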
1. Service provider has the choice to route a subscriber’s call to a more expensive Wholesale Provider (A) or a
lower cost “Gray Market” Provider (B).
A2. Service Provider routes call to Wholesale Provider
A3. Wholesale Provider pays a toll to the international Legacy Telephone Company (PTT)
B2. Service Provider routes call to a lower cost fraudulent wholesale provider
B3. The fraudulent wholesale provider routes the call through a SIM Box
B4. The international call routed through the SIM Box to a cell tower looks like local subscriber traffic, so the
fraudulent service provider pays a significantly reduced toll.
The key calling signature for this type of fraud is a huge number of apparently random calls. The destinations are
not particularly high cost, but neither are they cheap. Countries like Vietnam, Laos, and other middle-priced Asian
countries show up often. The traffic often appears to be to residential numbers.
TransNexus customers have reported tracing this type of fraudulent traffic coming from prepaid calling card
companies operating a VoIP platform in an offshore colocation facility. Prepaid calling services are well suited to
exploit this type of fraud since there are no calling numbers linked to customers. The IP address of the prepaid
calling platform is the only link to trace the fraudster. Unfortunately, geolocation cannot always be used to identify
the fraudster. These services can be offered via a tunnel through the Internet that hides the true IP address of the
fraudster. The public IP address of the fraudster’s calling platform could be the IP address of a hosted Virtual
Private Network (VPN) service while the actual prepaid calling platform is located in a different part of the world.
1. Fraudster’s softswitch registers with service provider’s softswitch using stolen user name and password
2. Legitimate user places a call
3. Fraudster sends INVITE to service provider’s softswitch
4. Softswitch routes call to international long distance destination
If a criminal gains access to a subscriber’s lost or stolen phone, he will be able to gain unauthorized access to the
subscriber’s network. Once recognized as a ‘bona fide’ customer, fraudsters then have access to a network and
are able to carry out revenue generating schemes that can seriously damage reputation and bottom-line
profits. The true impact of subscription fraud often goes unrecognized because providers mistake it for bad debt.
How to Prevent Lost or Stolen Phones and SIM Card Telecom Fraud
Subscribers should report lost or stolen equipment immediately to their service provider. Service providers can
often add the lost device to the national list for lost or stolen mobile devices so that it cannot be used on their own
or other service providers’ networks.
Account Takeover
Phoneprinting routinely identifies over 80% of inbound fraud calls to enterprise contact centers, saving millions of
dollars in losses and contact center expenses a year.
TDoS attacks can impair a voice network’s availability, but can also be used as a tool for extortion. TDoS attacks
have been in the news recently as a threat to public safety, as fraudsters have taken to using TDoS attacks against
hospitals, police stations, and other public services.
Vishing
Vishers pose as a legitimate business to attempt to gather information from someone. That information can then
be used for identity theft or other forms of fraud.
1. Fraudster calls the Utility Company while spoofing the ANI of a customer. The fraudster then navigates
the utility’s phone system to gather customer data, especially credit balance.
2. Fraudster calls customers who are behind on their payments while spoofing the utility company’s ANI.
The fraudster pretends to work for the utility company, and demands payment over the phone in order
to get the customer’s credit card information.