Q1: What is Internation Revenue Share Fraud (IRSF)?

A: IRSF is a specific type of roaming fraud in which traffic is artificially inflated (traffic pumping) to premium rate numbers around the world.

Fraudulently obtained subscriptions are used in a roaming scenario to make long duration outgoing international calls to number ranges with high termination costs, which typically involve small or remote countries, or international satellite operators.

The calls generally do not reach the geographic destination associated with the number range called, but are routed by interconnect carriers to a third party audio text or premium rate service provider. Revenue for the calls is shared between the service provider and the caller.

IRSF is triggered by fraud enablers such as PBX hacking, SIM card cloning, International roaming fraud, subscription theft, etc.

Q2: How is IRSF detected?

A:  The delays in recognising IRSF activity, and delays in blocking SIMs or B-numbers makes IRSF extremely difficult to prevent and combat.

The typical call pattern for revenue sharing fraud is a spike in traffic to high cost destinations. These spikes typically occur during holidays or weekend periods, when systems are not monitored.

Detection methods vary considerably in terms of effectiveness, implementation costs, ease of deployment, etc. According to the GSMA, these include:

• Near Real-Time Roaming Data Exchange (NRTRDE) solutions, provided the files are exchanged within minutes, and the NRTRDE data is analysed for suspicious or fraudulent activity.
• High Usage Reports (HURs), which can be slow, as they may dependent on billing cycles. HURs can easily be missed by analysts, especially if received outside office hours. HURs contain limited call date information used for subscriber profiling.
• • CAMEL functionality, a detection method limited to VPMNs offering CAMEL and HPMNs provisioning CAMEL to post-paid customers.
• VLR – HLR Interaction. SS7 based monitoring of Authentication Requests/Responses (triplets). The information provides real time information but is limited to location data and a gross estimate on the level of calling.
• GRX (GPRS Roaming Exchange). All GPRS traffic is routed via HPMN and it is managed as if it were on the Home network. As a result, detection is enabled locally.
• GPRS ISP Roaming, but this method is rarely deployed by operators. 

Q3: What is FraudStrike™ and what can it do?

A: FraudStrike™ is a powerful yet cost-effective fraud management system (FMS) specifically enabled for the detection and prevention of IRSF activity during or prior to an attack.

It comprises a unique and live database of over 300,000 International Revenue Share (IRS) test numbers obtained from IPRN resellers to test that a revenue share destination and number range can be connected from a given location. These test numbers, if used correctly in a hotlist, are an extremely useful tool to alert operators of a pending or live IRSF attack.

FraudStrike also comprises algorithms and detection techniques to support the accuracy of the detection process, and to minimise false positives.

FraudStrike™ will sit alongside any existing fraud controls or fraud systems.

FraudStrike™ can also be configured to detect multiple other fraud types (PBX/VoIP fraud, Wangiri, domestic fraud, SIM box detection, etc.)

Q5: How does FraudStrike™ differ from other commercial number databases on the market?

A: FraudStrike™ contains IRS test numbers that we know are currently being offered for use in the market. This includes the many ITU numbers that are allocated to operators and are then leased to IPRN resellers. Many of these numbers technically comply with ITU recommendations, and so will not generally be offered in other databases, but can still be used in these types of attacks.

Q6: How does FraudStrike™ differ from the GSMA hotlist number database?

A: The GSMA hotlist number database is compiled using operator fraud reports of actual IRSF incidents and therefore relies on the goodwill of operators to share such information with the GSMA. It also relies on the GSMA publishing updates to these numbers and actively managing the database. And as many of the numbers contained in the GSMA Hotlist Number Database have already been used to terminate fraudulent calls, they may be of no value.

FraudStrike™ is an actively managed database with updates every 2-4 weeks. Typical updates will contain any new numbers identified, plus retained numbers not published by the IPRN resellers during the period, as it has been found that often these numbers will re-appear, or have been traded with another reseller.

In this way the latest version of the FraudStrike™ database is always up to date with all known test numbers that may be used.

FraudStrike™ will alert you to a likely IRSF attack, before fraud losses escalate.

Q7: How are the IRS test numbers kept up to date?

A: New IPRN resellers are being identified regularly, and existing number resellers are updating and changing their numbers frequently, certainly on a monthly basis. To ensure that FraudStrike™ numbers are current, the database is updated every 2-4 weeks to include any new numbers identified since the last update. 

Q8: Why would I utilise FraudStrike™ on inbound roaming traffic?

A: This is an opportunity to provide some added value to your roaming partners. IRSF losses through the use of a SIM card roaming in a visited network can increase at a rate of $10,000 per hour. A visited network is required to provide a home network with details of roaming calls within 4 hours. Alerting your roaming partner of likely IRSF activity an hour or two before they receive NRTRDE files could help them avoid significant fraud losses. This is likely to be seen as a differentiator of service from other in-country networks, and could result in your organisation being considered a preferred roaming partner, consequently increasing your roaming revenues.

Q9: Can we just block the numbers in the FraudStrike™ database?

A: FraudStrike™ contains numbers that are being advertised as International Revenue Share test numbers. We do not recommend that these numbers are blocked, but rather kept in the hotlist so you can be alerted to any activity on the network that could be construed to be a potential IRSF attack. If you block these numbers, which are not typically used in the actual IRSF attack itself, then you will lose the intelligence that these numbers can provide as an early warning system. Fraudsters often have access to more than one device and an early warning of a likely IRSF attack does provide the opportunity to investigate, and identify any other devices that should also be blocked. Some IPRN Resellers do also provide numbers for legitimate purposes, such as content services, Psychic lines etc. Blocking these numbers could prevent customers accessing a legitimate service, and revenue would be lost.

Q10: I have heard that some FraudStrike™ users have occasionally located an assigned customer number within the database. How can that happen?

A: If a number is entered in the FraudStrike™ database, this is because it has been advertised by an IPRN Reseller on their rate card or test number schedule. Some IPRN Resellers are heavily involved in number misappropriation (number hijacking), and will often hijack a small operators complete number range during a period when they intend carrying out an IRSF attack. In this case, they will often publish assigned customer numbers which will only generate revenue for them during the period of the number hijack. This is another very good reason why FraudStrike™ numbers should not be blocked. In this case, a very quick investigation could reveal that the call is placed by a legitimate customer to the genuine user of the FraudStrike™ advertised number.

Q11: Other than IRSF what else can FraudStrike™ be used for?

A: Since FraudStrike™ contains a list of active IRS test numbers it can be used for a number of purposes other than detecting IRSF attacks. One example is using the FraudStrike™ database for Wangiri fraud detection. By replacing the last 2 digits of the IRS test numbers with wildcards we have a premium number database consisting of over 2 million numbers. Monitoring calls from these numbers onto your network, especially where these numbers are dialling more than a certain number of unique domestic numbers, has been shown to be effective in detecting Wangiri fraud attacks. Similarly this also works as an outgoing hot list if a rule is set at say >5 calls to a specific FraudStrike™ range from different subscribers in xx minutes.

Q12: Does it really work?

A: Yes. Our experience has shown that FraudStrike™ is very effective at preventing IRSF. It is actively managed and updated on a regular basis and while we don't claim that it contains every single IRS test number it does provide very good protection.

Existing FraudStrike™ users now regard this database as the key defensive tool in their IRSF detection strategy.

Q13: Why should operators choose FraudStrike™ over traditional detection methods (e.g. HURs)?

A: The advantage of using FraudStrike™ over other detection methods such as HUR’s is that FraudStrike™ uses a proactive approach to IRSF prevention instead of reactive. With the use of the IRSF Test Number database, the fraudster can typically make a number of test calls testing the full connectivity to the premium rate service. Once these Holist Fraud alerts are generated these subscribers activity can then be monitored and stopped very early on in an IRSF fraud attack.

Using alternative methods such as HUR’s are more of a reactive approach to IRSF prevention whereby the reports will only alert on an IRSF fraud attack as it is carried out. As a result, FraudStrike™ can work towards a much faster speed of detection than other alternative IRSF prevention techniques.

Q14: Why is it called IRS Test number database?

A: FraudStrike™ contains over 300,000 test numbers, that is numbers which can be provided to a potential customer or fraudster to confirm that this number/range can be called from the country he is calling from, and device he is using (for example a fraudulent SIM card or hacked PBX).

These numbers are obtained from over 160 international premium rate number reseller websites and are regarded as “test” numbers as they are advertised to potential fraudsters to test their connectivity before carrying out a fraud attack. 

Q15: How are the test numbers obtained?

A: As detailed above, these test numbers are obtained from over 160 international premium rate number reseller websites. These websites are analysed frequently and the hotlist database is constantly updated, i.e. with updates available every 2-4 weeks, with the total numbers growing each month.

Q16: How can we be sure these test numbers will be used for fraud?

A: The FraudStrike™ database now contains numbers representing 221 country (dialling) codes. This represents 88% of the world’s Country Codes that have been issued, so any one of these could be responsible for an expensive IRSF attack. If a number is in FraudStrike™, then it is there because it has been advertised on an IPRN Providers website. 

Q17: What if a FraudStrike™ database match is not a fraud?

A: FraudStrike™ may raise false positives once deployed on your system – there are a number of reasons for this;

• IPRN Resellers advertising genuine customer numbers at destinations where hijacking is a common method of facilitating IRSF. If these numbers are called during a period when the hijacking arrangement with a dishonest operator is not in place, the call will terminate as dialled. This will generate a false alert.
• There are some IPRN Providers who are operating legitimate businesses and sourcing numbers from number range owners to be used for billing purposes, tele-voting, content services etc. A percentage of these Providers are regularly finding that their own numbers are being hijacked, some quite consistently. Consequently, a test number used this week that is found to be non-fraud, could be part of a hijacking operation the following week and represent a fraud.
• Similarly, some industry Groups encourage transit and wholesale carriers to use only trusted routes towards certain destinations. Consequently two calls to a PRISM number, one originated through an operator using Least Cost Routing (LCR) and one through an operator using a trusted route, could have completely different outcomes. While both should generate a PRISM alert, the LCR call is likely to be a positive alert while the second call may not.

It is important to note however that if a number is in FraudStrike™, then it is there because it has been advertised on an IPRN Providers website. FraudStrike™ does not compete with the GSMA Hot Number Range list. The GSMA list contains numbers that have been used during an IRSF attack. The FraudStrike™ database contains Test Numbers which will be used prior to an IRSF attack so that the fraudster can confirm that the device and country he is calling from, is permitted to terminate a call in the country and number range he wishes to call. FraudStrike™ alerts can also occur during the traffic inflation phase of an IRSF attack as often a fraudster will find the need to test new numbers while the IRSF attack is in progress.

Q18: Does FraudStrike™ also monitor inbound roaming traffic?

A: Yes. FraudStrike™ can monitor both Roaming-In and Roaming-Out traffic of an operator as well as Domestic and Fixed Line traffic feeds should IRSF be an issue under these traffic types.

Alerts can be raised for Inbound Roaming traffic alerting an operator of fraudulent activity of an inbound roamer to their network as best practice. This operator, while under no financial requirements, can then alert the parent operator of the fraud attack at the early stages when captured using FraudStrike™.

Q19: What does a typical IRS test call look like?

A: A typical test call will consist of very short calls (sometimes as short as 2 or 3 seconds) to these test numbers. FraudStrike™ will allow you to drill down to the actual CDRs that were generated when these test calls were made. If you have suffered an IRSF attack at any time, look through the fraud calling schedule, and the test calls will be obvious. These will generally be between 1 and 5 short calls to the same numbers followed by multiple calls to different numbers within the same ranges. If the called country is changed midway through the IRSF attack, you will generally see more short duration calls to that Country Code, again checking to ensure that this new Country can still be connected from the device being used.

Q20: How can IRSF affect my prepaid roamers - surely it can only decrement the balance to zero?

A: Perhaps it would help to provide a few examples of IRSF impacting Prepaid:

1. This is an actual incident that occurred around 2014. There were problems in an operators IN Platform where a configuration table holding VLR number ranges was incomplete. As a result, any VLR number ranges not contained in this table, and where prepaid Camel signalling was set-up, would allow free voice services on the networks associated with the missing VLR number ranges. This continued for over 3 months during which time the retail value of prepaid calls made, and not charged, exceeded €3 million. While initially, this issue could be regarded as a network error and a Revenue Assurance issue, once some prepay users realised that their prepay balance was not being decremented for calls to some IRSF destinations, they started making calls to these IRSF numbers. They did this knowing that they would not be charged, they would receive revenue share income, and their home network would be defrauded. The IN configuration problem, and the associated IRSF were not detected because Prepay usage was excluded from all fraud monitoring as it was considered safe. This was the largest fraud that operator had ever experienced.
2. There have been incidents reported where a fraudster has worked in collusion with an internal employee of an operator and disabled or reset the prepay flag which avoids calls placed through that simcard being routed to the Prepaid Gateway and the real time billing system. When an IN prepaid service tries to set up a call, the HLR flag will direct the call to the IN platform to check the service balance. If the prepay flag is disabled or reset, usage is permitted but the call records are not passed to the IN system for rating or credit balance checking. Records will be sent to the billing system, however any charging records are likely to be discarded and sent to a suspense account. It is likely that if an FMS excludes prepay records by IMSI or MSISDN, therefor any calls to IRS destinations will not be identified.
3. The perfect example of IRSF decrementing a prepay customers balance is when it is associated with Wangiri fraud - Prepay customers returning a 'missed call' which will terminate on a high value IRSF number, normally with a message that will compel them to remain connected until their prepay balance is exhausted. From an operators viewpoint, no money is lost, however this does result in a very poor customer experience. Wangiri Fraud cases that have been discussed in the media are typically very critical about an operator failing to identify this fraud and issuing a warning to its customers, or blocking the Wangiri number/s in the switch.

With examples 1 and 2, the likelihood of these types of incidents is low but the impact if they do occur can be very severe. With example 3, the incidents of Wangiri Fraud have increased significantly over the past 12-18 months and the early identification of these incidents, allowing customers to be warned and IRSF numbers blocked is a great opportunity to add real value to the customer experience.

There are a number of associated frauds also that may be used in association with IRSF on Prepay. These include Credit Card Fraud (fraudulent recharges for use with IRSF), Voucher Fraud (using the fraudulent voucher balance for IRSF), and Fraudulent credits to Prepay account (Through Internal Fraud and sharing the IRSF income with Fraudster).

Q21: How will the FraudStrike™ Database be effective in addressing PRS fraud on my domestic users?

A: Provided one or more of the over 300,000 International Revenue Share test numbers is called by a fraudster, and all domestic and roaming call records are subject to analysis by FraudStrike™, then an alert will be issued to prompt an investigation into the call or calls. If calls are made within the domestic network to a domestic (in-country) Premium Rate Service Number, then these will not identified by FraudStrike™, as it does not include domestic PRS numbers. FraudStrike™ will however identify IRSF Test Numbers, which are in the database, if these numbers are called within the home Country. For example a Latvia IRSF number being called from a fraudulent SIM card or hacked PBX within Latvia (although some number providers do block access to these numbers from within the domestic network). In respect of domestic PRS numbers, monitoring calls into these numbers is generally a specific function of the FMS.

Q22: Isn't the best approach to block all the numbers on the FraudStrike™ Database so the fraudsters cannot call them?

A: Some operators do suggest this approach however we do not recommend it. The over 300,000 numbers within FraudStrike™ are mostly test numbers, that is a number which can be provided to a potential customer or fraudster to confirm that this number/range can be called from the country he is calling from, and device he is using (for example a fraudulent SIM card or hacked PBX). It is extremely unlikely that this test number will be used to inflate traffic into that IRSF number range. Once the fraudster has confirmed that he can make these calls, he will go back to the number provider and obtain additional numbers to the same destination so that he can start his traffic inflation. The Test Number will generally then be used by another potential customer or fraudster for the same purpose.

The IPR Number Resellers will have tens of thousands of International Revenue Share numbers in behind the Test Numbers which they can distribute to those who have been successful with the test numbers. The Resellers do not generally advertise these IRS numbers, so we do not know what they are. If the test numbers are blocked, it is likely that the person making the calls will go back to the Reseller and be issued with another number, which the FraudStrike™ Database may not be aware of, to make the test calls. If this was successful, then the fraud will commence.

By using the FraudStrike Database as a hot-list, to provide an early warning of what could be a potential IRSF attack, it allows a Fraud Analyst to start an investigation to confirm whether or not this activity is in fact fraud, then to block the device being used, and/or to try and identify any other devices under that fraudster’s control.

It should also be remembered that not all IRS calls are made by fraudsters, some could be genuine. There are some legitimate businesses that may contract with a number provider to issue revenue share numbers for activities such as bill payment, accessing content services, voting lines etc. Blocking all of the Test Numbers may deprive your organisation of a potential revenue stream.

Q23: What is the best approach when I see calling to numbers on the FraudStrike™ Database?

A: In the event of a calling number matching a number on the FraudStrike Database:

• FraudStrike will generate an immediate alert and this information will be dispatched in real time to the Fraud Analyst;
• This alert should be treated as a priority alert and dealt with immediately;
• An investigation should then be completed in accordance with the standard operating procedure within the Fraud Department for IRSF incidents (remember that in most IRSF cases, Fraudsters will have access to more than one calling device and more than one IRSF terminating number);
• If IRSF calls are detected, these numbers should be blocked to avoid further calls, but the Test Number should remain active in case the fraudsters wish to test another device.
• If the call to the FraudStrike™ Database test number has been followed by multiple, overlapping or simultaneous calls to the same number range, then you can be 99.9% sure that this is an IRSF attack, and take down the device that is being used to originate the calls.

If there are no further calls following the call or calls to the Test Number, then you may be fortunate enough to have identified a potential IRSF incident before the traffic inflation starts.

There can often be a delay of up to 1-4 hours between the time a Test Call is completed and the time the traffic inflation to additional numbers commences. This time period allows the fraudster to obtain further numbers from the Reseller, and if he is intending to use others to assist him in generating this traffic, to get them into position also. This becomes a critical period where the Analysts and Investigators need to convince themselves whether or not this is likely to lead to an IRSF attack if they do nothing, and if they are convinced it is leading to a fraud attack, take whatever steps are necessary to identify any other SIM cards or devices that may be under that fraudster’s control, so that they can also be neutralised.

Experience has shown us that if you identify and stop one IRSF attack, by all means celebrate your success, but remain vigilant. Generally the fraudsters will come back and try again within a few hours or days, believing that the operator will feel safe once the initial fraud incident is shut down.

Q24: What should I do if I see inbound roamers calling IRSF test numbers?

A: It is our view, and one which we hope is shared by most others in the industry, that a VPMN (visited network) should be notifying the HPMN (their roaming Partner and the owner of the fraudulent SIM card) as soon as they become aware of, or suspect IRSF activity within their network. The VPMN has a contractual obligation under the NRTRDE agreement to notify the HPMN of their call traffic within 4 hours of call completion. However, most networks will identify IRSF activity well before this time period, usually within 1 hour of an IRSF attack commencing. The VPMN should not be delaying this notification until the next NRTRDE notification is due.

Delaying this notification to meet the 4 hour NRTRDE timeframe may result in some additional revenue for the VPMN, as the HPMN will be required to pay those charges. However for many reasons, whether they be moral, demonstrating that they are a good roaming partner, wanting to ensure that fraudsters make as little money as possible, or simply working on the basis that roaming partners (or operators) should not profit from fraud, will hopefully prompt the VPMN to find someone within the HPMN that they can advise of a likely fraud.

I think that all of those involved in the prevention, detection and investigation of IRSF will agree by now that unless the industry works together to try and stop this fraud, we never will succeed.

Q25: How can one quantify or report the loss associated with pre-paid lines involved in IRSF?

A: If we look at the types of Prepaid Fraud referred to above, generally the losses are reported in the same way as Post-paid fraud, although it is important to differentiate between post and pre-pay to ensure that the true risk of prepay is identified. Our experience now makes it clear that Prepay is not 'risk-free' as we all thought a few years ago. For those who have not seen it, we would encourage you to download and read the GSMA Permanent Reference Document FF-03, Advice on Prepaid Services, which identifies most of the known fraud risks associated with Prepay.

Some of the Prepay Fraud methods do result in a customer unwittingly having their prepay balance removed, and this provides an additional opportunity to report on the customer impact of fraud. It certainly helps getting some of the customer relationship people within the organisation on-side if an operator reports that say 10,000 plus prepay customers were impacted by Wangiri Fraud and lost all of their prepay balances.

Q26: How do I use FraudStrike™?

A: FraudStrike™ is essentially a hotlist that can be applied to all called numbers including switching elements on the domestic network and also on all roaming traffic. Once an alert is generated the originating device and subscriber should be investigated to see if they are fraudulent. XINTEC offers a very quick-to-implement FraudStrike™ package consisting of an FMS (FMSevolution) with full alerting and reporting capability and the FraudStrike™ database which is automatically updated every time a new FraudStrike™ update occurs.

XINTEC can provide a SaaS or fully deployed option on this software and typical setup times for roaming traffic is of the order of a few days.