FRAUD & SECURITY BUSINESS BRIEFING 2013: The definitive guide to fraud types
There are an estimated 400 different types of fraud permeating the wholesale telecoms markets. As schemes become more sophisticated and the crooks harder to catch, carriers are increasingly finding themselves outmanoeuvred and footing the bill. Here Capacity identifies the types of fraud they are up against.
The first Michael Smith knew that fraudsters had tapped into his company’s phone system was when he received a letter from Verizon reassuring him that the phone giant was cancelling a $260,000 phone bill. It turned out that criminals had made thousands of calls to a raft of premium-rate numbers in Somalia over the course of a single weekend in the autumn of 2009. But that was just the start of a three-year nightmare and a $1.15 million lawsuit that could have cost Smith his company and his 14-strong workforce their jobs.
For what no one realised was that the fraudsters were also channelling calls through AT&T using a simple dial-around service. By the time the second part of the scam was discovered a further four days later, the crooks had run up an additional $892,000 in call charges. Smith, whose Ipswich-based company makes drill bits for local factories in Massachusetts, normally pays around $700 a month in phone costs. AT&T never disputed that the calls were fraudulent, but contested that Smith acted negligently by not taking appropriate precautions to protect his phone system from hackers and filed a suit seeking to recover $1.15 million in costs and interest charges. Citing Federal Communications Commission regulations, the phone giant also tried to uphold a legal right that allows the company to collect payment from the owner of a phone line, regardless of who actually makes a call. AT&T dropped the suit at the eleventh hour.
Welcome to the world of Private Branch Exchange (PBX) hacking, the fastest-growing of all telecoms scams and a perfidious crime that is set to cost the industry close to $5 billion in lost revenues this year alone.
How it works: The attacker seeks to exploit lax security arrangements at small companies who buy off-the-shelf phone systems and ask inexperienced engineers to install them.
The hacker calls companies using a PBX system (lists of which are readily for sale on hacking communities) at random, leaving a voicemail with a fake phone number; the attacker then phones back to see if he can guess the voicemail password; the fraudster then uses the callback feature on the system to ring any number he wants.
Hackers can quickly find their way around the frailties of various PBX phone systems on the market and typically know the default security settings for most current models, making the fraud even easier to commit.
Once they are in, criminals will sell low-cost international calls to their own customer base and re-route them through the phone system of an unsuspecting victim or tap into premium rate phone numbers in far-flung destinations with high termination costs.
A US fraudster who set up a low-cost internet calling company was recently sentenced to 15 years in jail after illegally re-routing more than 100,000 minutes of calls through the hacked networks of 15 unsuspecting companies. The fraud cost his victims a total of $1.4 million.
It’s not uncommon for crooks to link a PBX attack to an international revenue share scam such as that which befell Michal Smith. More sophisticated crooks will install auto-dialling and dial-around software – a 2009 attack on an Australian company’s PBX, for example, generated 11,000 calls in just 46 hours, leaving the firm’s service provider with a bill in excess of A$120,000.
Who takes the hit?: In the first instance, wholesale carriers typically bring pressure to bear on the provider serving the end customer, although carriers are legally within their rights to seek recompense from the phone system owner and are fearful of any legal precedent that might undermine those rights. Many telcos therefore feel obliged to pursue the victim regardless of how or where the fraud was committed and despite the obvious reputational damage that a “David versus Goliath” lawsuit can cause.
How to fight back: Phone system owners are urged to beef up security procedures, encourage staff to set complex passwords and to routinely download new software fixes that close the door on known hacking tricks. Other potential avenues to explore, depending on the nature of the business, include blocking international calls and disabling the callback feature, as well as requiring staff to change their voicemail password frequently.
The roll call of carriers tricked into providing VoIP services to Vinod Tonangi, a 33-year old convicted fraudster who also went by the names of Frank Soss and Justin Peterson, is as long as it is distinguished: AT&T, Verizon and France Telecom, to name but three, were all taken in by a complex web of lies around which the fraudster built an entirely fictitious start-up VoIP provider. He set about luring key wholesale players in the VoIP market to extend capacity to him on credit, which he then sold on to other genuine wholesalers for a huge mark-up. Tonangi went to remarkable lengths to make the scam, which is known as a long-firm fraud, look convincing: he set up fake business addresses at the Empire State Building, created email accounts in the names of non-existent departments and fabricated year-end financial reports that bore the logo of a national accounting firm (thereby inferring that his company’s accounts had been signed off).
Once Tonangi had confirmed lines of credit with a wholesaler, he would bust the limits on his account, usually over the course of a bank holiday weekend when the VoIP providers were least likely to notice unusual patterns in his trading. When wholesalers eventually caught up with him, he would offer to pay an instalment to keep the service open. In all, a total of eleven wholesale operators lost $4.4 million to the scam.
How it works: Long-firm fraud is an old-school sting that just happens to work effectively in the VoIP world. The greater the weight of supporting evidence that a fraudster can provide to show that his fabricated business is trading profitably as a wholesale VoIP provider, the bigger the credit lines he is likely to extract from his victims.
Typically, the fraudster will establish a good record for prompt payment and a growing business, which he supports by offering extremely aggressive termination rates to other carriers. Then, over the course of a long weekend, he will “bust out” of his pre-arranged limits, banking the revenues from his side of the supply chain but defaulting on any obligations to the suppliers. The suppliers are then fobbed off with promises to pay, fake wire transfers and fabricated law suits while the fraudster makes sure he has recouped any remaining payments from providers that he has supplied services to.
Who takes the hit?: The legitimate wholesale provider is out on a limb on this one. Moreover, the losses associated with the scam can escalate the longer the victim treats the firm as a straightforward non-performing debtor rather than an outright fraud.
How to fight back: Long-firm fraud is less about trying to keep one step ahead of highly sophisticated software developers and more about good, old-fashioned credit control. The more vigorous the background credit checks, the less prone to a sting a wholesaler will be. Providers can also insist on up-front payments and even bank guarantees from new customers. Moreover, they can put volume-triggered blocks on accounts that they see as vulnerable to prevent fraudsters from busting their limits over suspicious trading periods.
Within five minutes of trawling through one of the many chat communities for VoIP providers, you are likely to come across a link to FASservice.net – a website that incredibly sells software to help fraudsters fool phone systems into thinking that a call has been answered and can therefore be billed, when it has not.
Explaining how the fraud works, the website says that its software “simulates calls to numbers that are out of network coverage and subsequently provides false billable airtime to the calling party”. Their words, not ours.
“The service pretends to be a real mobile carrier and plays back real mobile carrier messages such as ‘the number you are calling is not currently reachable, please try again later’, while charging for this,” it continues.
Helpfully, the website recommends restricting the fraud to mobile subscribers, because users are less suspicious when they hear an out-of-service message. But it advises: “It is up to you to decide what message to play to the caller and which traffic to apply the service to.”
Astonishingly, the website goes on to break down how an FAS fraud can help bolster turnover: “Mixing 10% of fake FAS calls into a route with 15,200 billable minutes a day can generate a 21% increase in profits,” the website says, assuming the user takes a mark-up in keeping with most transit carriers of 0.5 cents a minute.
It is as slick a sales pitch as you might expect from any genuine software provider and it serves to illustrate just how big the potential for supervision fraud really is.
How it works: A service provider in the chain sends a false signal back down the line indicating that a service has been established when it has not, thereby allowing the fraudster to make a call look as though it has been completed, and thus billable. Typically, the fraudster might attract unwitting wholesalers to its service by offering very competitive termination rates without ever having any intention of completing the calls. By playing a not-in-service message, the crook is able to bill the originating service provider for an additional 10 seconds of calling time.
A variation on the false answer supervision fraud is to stop the disconnect signal pinging back to the originating service provider when the called party hangs up on the call. By delaying the signal for a few seconds a provider intent on committing fraud can rack up extra billing time.
Who takes the hit?: As ever, the end consumer is the ultimate victim of FAS, though the originating service provider risks a good deal of reputational damage if the phone user discovers that he has been paying for calls that never got through. The insidious nature of FAS fraud means that criminals try very hard not to get discovered – the chances of a phone user cross-checking calls that did not connect to the intended recipient are at best very slim.
This is a high volume, low margin crime that is tricky to detect and even harder to prove – indeed, there are circumstances when bona fide providers will unwittingly generate false answers as a result of badly-configured equipment.
How to fight back: The biggest giveaway is an above-average number of calls that last for between five and ten seconds. Recognising this, fraudsters have started to limit FAS calls to less than 2% of total traffic, making it even harder to uncover. However, there are analytics now available that can probe a sample of all calls to determine whether rogue supervision signals are being dispatched.
By measuring the length of a sample of calls against the expected duration of those calls, it might also be possible to uncover fraudulent activity. If discovered, wholesalers will typically re-route the traffic to another service provider, but it is unlikely that carriers would succeed in recovering lost revenue through the courts.
Instead of handing a call on to a terminating operator, a crooked transit provider
will divert it to a pre-recorded message or a busy signal, but charge the originating provider as if he had delivered the traffic on to its final destination. The fraudster gets two bites at the cherry in this particular scam, not only banking terminating fees that should be going to a bona fide carrier, but also benefiting from higher volumes which tend to come about when the caller tries a second time to complete the phone call.
How it works: The fraudster lures unsuspecting wholesale carriers by offering aggressively competitive termination fees: he can afford to do so, of course, because he has no intention of completing the call in the first place. Once a relationship is established, he directs a percentage of calls to a terminating message, but charges the carrier as if he had delivered them to their destination.
Who takes the hit?: Ironically, the very advances that VoIP operators are trying to incorporate into next-generation services are the very ones that can expose them to enhanced security risks. VoIP offerings that support sophisticated calling mechanisms such as three-way calling and call transfer are particularly vulnerable to crooks looking to tap into a signal and divert a call illegally. Ultimately, the terminating carrier pays the price for this lax security, foregoing the fees that are rightfully theirs.
How to fight back: Given their position in the transport chain, carriers may find it extremely difficult to identify potential fraudsters, let alone suspect destinations where hijacked calls may be heading. That in turn means it is impractical to try to block specific numbers or number ranges.
However, anti-fraud analytics are coming on in leaps and bounds and there are a number of obvious flags that can alert a carrier to potential scams. Traffic that will warrant further investigation might include patterns where a high number of calls terminate long before their expected duration, or where the number of calls charged relative to the number of calls initiated is unusually high. There’s no better fraud detection tool than common sense, of course, and given that most call hijackers must lure wholesale partners into their clutches with the promise of ultra-cheap connectivity, then a simple rule of logic must apply: if a termination rate seems to be too good to be true, then it probably is.
According to the Communications Fraud Control Association (CFCA), wholesale operators lost $3.8 billion to revenue share fraud last year. But the real cost to the industry is considerably higher – not least because many other types of fraud are committed in part to drive traffic to premium rate numbers. For example, subscription fraud and identity theft, PBX hacking, call hijacking and the use of malware in mobile phones are all variations on a fraud theme that ultimately looks to generate cash through international revenue share arrangements.
To appreciate just how embedded in the psyche of fraudsters IRSF actually is, consider this fact: according to fraud management specialists Xintec, there were 17 phone number aggregator websites offering revenue sharing services at the end of 2009. By the end of last year, that number had exploded by 141% to 41. Such sites openly advertise revenue sharing deals to many countries with high termination rates, such as the Pacific Islands, and invite visitors to register online to immediately start generating revenue. All that a fraudster needs is a stolen credit card, or access to an unwitting company’s phone system and he is away.
How it works: Even within the general confines of international revenue share fraud, there exists a wide range of scams: the service provider may not actually offer the advertised service at all, but simply divert the calls to a ringing tone, or the service provider might deliberately extend the length of the call without the caller knowing. A recent development is for fraudsters to hijack premium rate numbers in high-risk locations such as Somalia and Cuba and “park” them in countries where the international code is considered to be more legitimate.
But what unites most IRSF scams is that the fraudster typically tries to generate a massive amount of artificially inflated traffic to a small number of destinations in as short a period of time as possible. Crime rings in some countries, such as the Philippines, use pools of human labour to make the calls; others use scams on social media or spam email urging people to enter a prize draw.
Who takes the hit?: It is difficult for wholesale providers to distinguish whether traffic destined for a premium rate service is legitimate or not. TV show traffic, for example, has all the characteristics of a potential fraud – huge call volumes to a very small batch of numbers in a short space of time – and yet it is bona fide. The i3Forum supports a dispute mechanism in cases where IRSF is suspected, but the originating services provider must first prove that there is a direct link between the fraudster initiating the traffic and the owner of the premium rate numbers at the other end of the scam. As the most exposed link in the payment chain, originating service providers often find themselves taking the hit. In the days before sophisticated anti-fraud analytics hit the market, an IRSF scam might typically generate profits of around $1 million. These days, the window tends to stay open for a matter of hours rather than days and the ultimate hit is more likely to be in the region of around $50,000.
How to fight back: Fraud teams now closely monitor destinations that command the highest termination rates and keep lists of premium rate numbers within those countries. They look for large chunks of traffic that have exactly the same interval between each individual call (say, 1 second) and they are also on the alert for calls that last an inordinate amount of time. Moreover, international carriers routinely share so-called “hot lists” of countries and phone number ranges currently being targeted by the criminals.
Stefan Amon, head of wholesale at Telekom Austria, has developed a new anti-fraud package that can detect if wholesalers are being tricked into charging domestic rates for what should be international traffic. When he demos this among fellow carriers and other service providers, there is often a palpable sense of shock as he shows them just how many black boxes on their networks are fraudulently spiriting traffic into cheaper channels.
Bypass fraud, also known as SIM boxing and interconnect fraud, is perpetrated on a huge scale using advanced SIM boxes that can be controlled from pretty much anywhere on the planet. Essentially, the scam disguises inbound off-net calls so that they look like on-net traffic, thereby bypassing the higher termination fees that would normally apply to international traffic. According to the CFCA, carriers lost $2.9 billion to the fraud in 2011, an increase of 44% since 2009.
How it works: This is a complex fraud that requires a significant investment in technology and a thorough understanding of individual network architectures. It also requires the fraudster to set up a legal entity in order to strike interconnect agreements with legitimate wholesalers and the crook must also keep a bank of local lines up and running through which to channel the diverted international traffic. Typically, he will do this by setting up a series of pre-paid connections, as these require less documentary support. The typical bypass box will aim to capture between 60 -90 lines and will siphon off around 15,000 minutes per line per month.
The scam is particularly prevalent in many African and Middle Eastern countries where there is a big gap between the cost of terminating national and international calls.
Who takes the hit?: Consider, for the sake of argument, an international call between two countries that costs €0.8: the initiating provider will take around €0.5 and the terminating carriers €0.3. By setting up a SIM box on the network, a fraudster can steer the call via a VoIP connection to the destination for a termination fee of just €0.05. The difference represents an 83% hit in terms of lost revenue to the terminating carrier. It is estimated that international carriers lose anything up to 6% of total revenues to this activity.
Of smaller but still significant consequence is the fact that the caller will routinely suffer poor quality of service, a phenomenon in these days of increasing churn that can directly hit bottom-line revenues at originating service providers hard and fast.
How to fight back: It is a cause of major frustration among carriers that most countries legally define telecoms fraud as the “intention not to pay” for a phone call. In the case of bypass scams, the fraudsters are more than happy to stump up terminating fees; they simply disguise the traffic so that a much lower charge applies. This makes pursuit through the courts very tricky indeed.
One popular method to uncover bypass fraud is to blanket-test parts of the network by generating a huge number of calls. While this typically has a very high success ratio – usually 90% or more – the fraudsters can programme their SIM boxes to detect such “sweeps” and immediately shut down an operation when the alarm sounds. A better approach is to profile a sample of calls over a suspect line: a high number of voice-only calls; a high ratio of outgoing to incoming calls; or a lack of common number calling are all strong indicators of bypass fraud.
Depending on your point of view, arbitrage is either an opportunistic fraud that seeks to exploit aberrations in flat-rate pricing plans among carriers, or the cornerstone on which the principle of the free market squarely rests. AT&T came down firmly in the former camp when a clutch of eight local operators in Iowa discovered a loophole in tariffs designed to support local carriers in rural areas
back in 2007. Essentially, the operators were arbitraging the system by sourcing low cost calls from around America and charging a high termination rate to the carriers who had the misfortune to carry them to Iowa.
The lure in this particular case was that VoIP account holders were offered free international calls provided they dialled through a local Iowan number on the way. AT&T’s termination costs with local operators shot up from around $2,000 a month each, to $2 million a month after the loophole was discovered, prompting the carrier to sue. State regulators closed the loophole in 2010.
How it works: Arbitraging flat rates is a complex business – small operators spend a good deal of time and effort looking for loopholes in fixed-rate tariffs that they can exploit by sending large volumes of traffic from destinations with cheap termination rates to those with much higher fees.
Many opportunities, however, tend to only exist for a small period of time, as
carriers and operators are able to bring their considerable legal weight to bear on arbitrageurs at every turn.
Who takes the hit?: In the eyes of the law, the retail carrier behind the flat-rate offer bears sole responsibility for any losses arising out of retail arbitrage fraud. Any wholesale partner that becomes involved in handling traffic is entitled to believe that the retail operator has got his sums right and can turn a profit out of a flat-rate plan. Moreover, if the retailer has priced the service wrongly, they are equally entitled to assume that he has had the sense to include a rider in the contract to either introduce a limit or cancel the service altogether if fraud is suspected.
How to fight back: If the bread and butter of arbitrageurs is inaccurate pricing, then the first line of defence against them is to make sure that flat-rate pricing models have been stress-tested to the nth degree.
Carriers can build in an extra layer of protection by imposing a volume limit of, say, 1,000 minutes per month to higher-rate destinations covered by the scheme. And it might also be wise to build in mechanisms to block access to premium rate numbers, where appropriate.