Telecommunication Frauds — Schemes and Concepts

Jing Luan
12 min readDec 30, 2020

This article summarizes my understanding and references gathered while I read about telecommunication frauds across the internet. The resources for this article are all publicly available through internet. My main references are mainly transnexus.com and wikipedia.

Downloaded from Courtney Myers’s article on preventing VoIP Fraud
downloaded from Courtney Myers’s article on preventing VoIP frauds

I. Schemes to defraud telecom service providers

The classifications here are mainly quoted from the article “Telecom fraud prevention guide” by TransNexus. All credits should be attributed to TransNexus. I just summarize my own understandings of their articles.

  • Call transfer fraud: the hacker hacks the PBX (private branch exchange) and uses it to send SIP INVITE to Softswitch which subsequently routes call to international carrier. Hacker instructs PBX to blindly transfer call to hacker phone service so that Softswitch sends SIP INVITE to hacker phone service. As a result, hacker’s subscribers speaks to international destination through Softswitch, bypassing the PBX. The company which owns the PBX gets charged, while the hacker charges its subscribers.
  • False answer supervision: a fraudulent wholesale provider may have published cheap rates for terminating calls. Service providers routing calls through the fraudster wholesale provider would get charged for calls that are not answered but get disguised as answered by the false answer supervision. For example, the fraudster may play a “not in service” message and then bill the service provider for more than 10 seconds of calling. The key attributes of false answer supervision is 1. short phone calls, 2. calling party hangs up nearly 100% of the time, 3 high answer seizure ratio.
  • IVR: Interactive Voice Response, is a telephony technology that can process a combination of touch tones and voice inputs. It usually uses voice prompts to provide greetings or informational messages within a telephone voice processing system.
  • Location routing number fraud: a wholesale provider desires to avoid charges from LRN dips (refer to LRN above). Most providers will run a LRN dip to look up the LRN associated with the dialed number. However, many won’t do so if an LRN is already provided in the SIP INVITE. A fraudulent source network may embed a fake LRN for a relatively cheap terminating destination when the dialed number actually resides in a high-cost rural area. As a result, the wholesale provider charges the fraudster for the cheaper call but has to eat the cost of the expensive call. The cost the provider pays for may be as high as five times of the charge it bills the fraudster.
  • Revenue sharing fraud (Traffic Pumping): it conspires with a destination that charges high rates and then inflates traffic to that destination at little cost to itself. The key attribute of this type of fraud is a spike in traffic to high-cost destinations, and these spikes often occur over holidays or weekends.

* International revenue sharing fraud (IRSF): the most damaging and prevalent VoIP fraud. Common destinations include West African countries, UK mobile phones and satellite phones

* Traffic pumping: telephone regulations require long-distance carriers must pay access fee to local exchange carriers for calls to their subscribers. Rural carriers charge substantially higher access fees than urban carriers. In order to increase their incoming call volume, rural carriers sometimes partner with phone service providers to route their calls through the rural carriers. These providers may include phone sex and free conference call providers which expect high volume of incoming calls. A similar scenario occurs internationally with fraudsters setting up conference servers in third world countries and making deals with (often state-owned) telephone companies. Signatures of traffic pumping include 1. the ratio of terminating terminating (incoming) interstate calls and originating (outgoing) interstate calls is more than 3-to-1; 2. 100% traffic growth in a month year-over-year.

  • Multiple call transfer fraud: it is a form of revenue sharing fraud. The fraudster hacks a PBX, makes a phone call to a high-cost destination, asks the PBX to transfer the call to another high-cost destination, then the fraudster hangs up leaving the call between these two high-cost destinations on without being noticed for hours. It is hard to detect because on many platforms transferred calls do not count against concurrent calls. These fraudulent calls could stay on in the network until the carrier finds them and shuts them up.
  • Call forwarding fraud: is a form of VoIP fraud. The fraudster compromises the account of a user of a PBX or a voicemail system, signs in using the compromised account and sets the account to forward to high-cost destinations, then calls the compromised user’s phone number.
  • International NANPA fraud: NANPA (North American Numbering Plan Administration) lists numbers in World Zone 1 which include phone numbers in North America, the Caribbean, and US territories. Phone calls to these calls are not regarded as international calls although some off-shore numbers reside in high-fraud areas such as in the Caribbeans.
  • Voicemail hacking fraud: the fraudster finds a device with an easy-to-guess, sets up the callback number to their IRSF phone number, logs into the account, finds their missed calls, signals the voicemail system to call the IRSF number, and leaves the call connected as long as possible, often hours or even days. Studies show that 5% of the default voicemail passwords are 1–2–3–4 and 0.7% are 0–0–0–0 and users often do not change the default.
  • Wangiri fraud: “wangiri” means “one and cut” in Japanese. The fraudster makes a huge number of phone calls, rings only once and hangs up, costing nothing to the fraudster because the calls are not connected. The apparently missed calls lure the recipients to call back to high-cost destinations e.g. premium rate numbers (see Abbreviations). A SMS variant of wangiri fraud is through leaving a message like “Call back immediately, this is urgent!”.
  • Toll bypass fraud: also known as Interconnect Fraud, GSM Gateway Fraud or SIM Boxing. Bypass fraud is the unauthorized insertion of traffic into a carrier’s network. The fraudsters use advanced technologies to disguise expensive international calls as cheap domestic calls by effectively bypassing the payment system internal calls normally go through. They often sell long-distance calling cards to overseas. When customers call number on these cards, the fraudsters make those calls look like domestic calls. How does it work? A subscriber/customer of the fraudster’s calling card makes an international phone call, normally it should go through LEC (Legacy Telephone Company, PTT) which charges a toll fee. However, the fraudster routes the call through internet to a SIM Box. The SIM Box then connects to a cell tower in the local area of the called party, making the call look like from a local customer, so the fraudster pays a significantly reduced toll fee.
  • Toll free fraud: the fraudster often conspires with a CLEC (competitive local exchange carrier). The fraudster uses its VoIP technology to make multiple calls to a toll-free phone number, often that of a large cooperation, through its partner CLEC. The competitive local exchange carrier (CLEC) makes a dip to the SMS/800 database to check whether that number is in use and if yes looks up the routing instructions. The CLEC then transfers the call to another network for termination. The other network terminates the call by connecting to the toll-free number. The owner of the toll-free number pays the other network. The other network pays for the CLEC for originating access fees (fee for originating a phone call). The CLEC pays for the SMS/800 database for dipping fee. At last, the fraudster and the CLEC shares what is left.
  • Wholesale SIP trunking fraud: a customer buys wholesale SIP trunking service to provide multiple channels to its end users’ DID phone numbers. The fraudster steals this customer’s credentials and sells the whole SIP trunking service to legitimate users. This type of fraud is hard to detect because both the callers and recipients are legitimate. It often features a huge number of apparently random calls. The destinations are not particularly high cost, but neither are they cheap. Countries like Vietnam, Laos, and other middle-priced Asian countries show up often. The traffic often appears to be to residential numbers. Such frauds may be from prepaid calling card companies operating a VoIP platform in an offshore facility. Prepaid calling services are well suited to exploit this type of fraud since there are no calling numbers linked to customers. The IP address of the prepaid calling platform is the only link to trace the fraudster but IP addresses are easy to hide.

II Schemes to defraud subscribers

The best way to prevent these schemes is to educate subscribers best practices in protesting their personal information, e.g. creating strong passwords, carefully examining phone bills for unrecognized calls.

  • Calling card fraud: the fraudster may call a subscriber, pretend to be a service provider representative, and ask for the calling card number for “verification” purposes.
  • Lost or stolen phones and SIM card fraud: simple to understand.

III Schemes conducted over the telephone

  • Account takeover: the fraudster may steal someone’s bank account credentials, call the bank pretending to be that customer trying to obtain more information about this customer’s accounts.
  • Telecom denial-of-service (TDOS): the fraudster floods a telecom service provider’s by a huge number of unauthorized phone calls, impairing the provider’s ability to serve legitimate users. The fraudster then uses the TDOS for extortion. It is similar to data network denial-of-service (DDOS) which has been reported to attack hospitals, police stations and other public services.
  • Phishing: uses phone calls or messages in order to steal one’s personal information. The fraudster may insert phony addresses, websites or pop-up windows in messages.

Concepts

They are in alphabetic order.

  • Call termination: when a caller dials a phone number, there are 3 steps. 1. Origination — the caller’s device connects to the caller’s service provider. 2. Transportation — the caller’s service provider/network connects to the recipient’s service provider/network. 3 Termination — the recipient’s service provider/network connects to the recipient’s device. The last step is called “termination”. The toll paid by the customers is shared among all providers/networks involved in all these 3 steps. This “termination” service is referred to as wholesale because it is sold and purchased by network operators rather than retail customers. The cost induced by the 3rd step is called “termination rates”.
  • CLEC: Competitive Local Exchange Carrier, is a telecommunications provider company (sometimes called a ‘carrier’) competing with other, already established carriers, generally the incumbent local exchange carriers (ILEC).
  • conference calls: conference calls in which more than two parties are involved. Free conferencing is different from traditional conference calling in that it has no organizer fees, no human operator, and allows for multiple people to connect at no cost other than that of any other phone call (local or toll). Companies that provide free conference call services are usually compensated through a revenue-sharing arrangement with the local phone company, sharing the termination charge for incoming calls to a phone carrier.
  • DID: Direct Inward Dialing is a telephone service that allows a phone number to ring through directly to a specific phone at a business instead of going to a menu or a queue and needing to dial an extension.
  • GSM: Global System for Mobile communications.
  • GSM Gateways: A GSM Gateway or Fixed Cellular Terminal is a device which reduces costs when calling from a fixed telephone line to GSM network. In general, calling from the fixed network to a mobile network is more expensive than calling between mobile networks, but a GSM gateway allows you to save the difference.
  • ILD: International Long Distance
  • IRSF: International Revenue Share Fraud (see below)
  • IP: Internet Protocol
  • LNP: local number portability, means that a subscriber can keep his/her phone number after switching to a different carrier.
  • LRN: Location Routing Number, a 10-digit number that facilitates the routing of phone calls to numbers that have been transferred from one carrier to another. The routing of phone calls are through the public switched telephone network (PSTN). A subscriber (customer) does not need to change his/her apparent phone number and instead only the underlying LRN needs to be changed, which is called “local number portability (LNP)”. The correspondences between the apparent phone numbers and LRN (location routing number) are stored in a database called Service Control Point (SCP). Using LRN (local routing number), the local telephone exchange queries or “dips” the SCP (database) for the LRN associated with the dialed phone number. This “dip” induces cost.
  • NANPA: North American Numbering Plan Administration, is a telephone numbering plan for World Zone 1, which comprises twenty-five distinct regions in twenty countries primarily in North America, including the Caribbean. Some North American countries, most notably Mexico, do not participate in the NANP.
  • PBX: Private Branch Exchange, is a phone system in an enterprise that manages incoming and outgoing phone calls as well as an organization’s internal communications.
  • Premium-rate telephone numbers: are telephone numbers for telephone calls during which certain services are provided, and for which prices higher than normal are charged. Unlike a normal call, part of the call charge is paid to the service provider, thus enabling businesses to be funded via the calls.
  • PSTN: public switched telephone network, is the aggregate of the world’s circuit-switched telephone networks that are operated by national, regional, or local telephony operators, providing infrastructure and services for public telecommunication. The PSTN consists of telephone lines, fiber optic cables, microwave transmission links, cellular networks, communications satellites, and undersea telephone cables, all interconnected by switching centers, thus allowing most telephones to communicate with each other.
  • SAS: Switched Access Service is a telecommunication carrier service that provides a two-point path to a customer’s facilities from an end user’s premises.
  • satellite phones (satphones): is a type of mobile phone that connects to other phones or telephone networks through radio of orbiting satellites instead of terrestrial cell towers. The advantage of a satellite phone is that it’s not limited to areas covered by cell towers and it can be used almost everywhere on the Earth. The mobile equipment, known as the terminal, varies widely from that looking like a 1990’s mobile phone to that looking no different from a smartphone.
  • SCP: Service Control Point, a database storing correspondences between dialed phone numbers and their LRNs (Location Routing Numbers). Refer to LRN.
  • SIM Box (SIM bank): is a device containing a number of SIM cards which are linked to GSM gateways. A SIM box can have SIM cards of different mobile operators installed, allowing it to operate with several GSM gateways located in different places.
  • SIP: Session Initiation Protocol, it refers to a TCP/IP-based network protocol which can be used to establish and control communication connections of several subscribers. SIP is often used in Voice-over-IP telephony to establish the connection for telephone calls.
  • SIP INVITE, is the foundation for every SIP phone call. The SIP INVITE request is the message sent by the calling party, inviting the recipient for a session. The SIP headers included in this SIP INVITE request provide information about the message.
  • SIP Trunk: is a method where the “trunk” or the main line to a business telephone system is an internet connection rather than a traditional copper phone line. Through Wholesale SIP Trunking, you provide multiple channels to which your clients’ DID (Direct Inward Dialing) numbers are ported.
  • softswitch (software switch): it connects telephone calls between subscribers through a telecommunication network, usually using VoIP technologies. It is implemented in software running on a general-purpose computing platform, unlike its traditional counterparts which is a hardware designated for connecting calls.
  • Somos, Inc. (formerly known as SMS 800 (Service Management System), Inc.): is a company that manages registry databases for the telecommunication industry. Additionally, the company is the North American Numbering Plan Administrator (NANPA) since 2019–01–01, under a contract granted by the Federal Communications Commission (FCC). Somos, Inc. administers the assignment of toll-free phone numbers in the North American Numbering Plan, e.g. 800, 888, 877, 866, 855, 833, 844. Calls to these numbers incur no toll charges for callers.
  • supervision: e.g. answer supervision, disconnect supervision. Answer supervision uses an electric signal to indicate that the call has been answered. It is necessary for billing purpose because unanswered phone call should not be billed. Disconnect supervision indicates that the call has been disconnected so that the called party is free to receive new phone calls.
  • toll free phone number (freephone number): is a telephone number that is billed for all incoming calls instead of incurring charges to the calling parties. All possible toll-free numbers are contained in a centralized database called the 800 Service Management System (SMS/800). The SMS/800 knows whether a number (1–800, 1–888, 1–877, 1–866) is available or in use, and if it’s in use, what the customer’s routing instructions are.
  • VoIP: Voice over Internet Protocol, also known as IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol. The terms Internet telephony, broadband telephony, and broadband phone service specifically refer to the provisioning of communications services (voice, fax, SMS, voice-messaging) over the public Internet, rather than via the public switched telephone network (PSTN), also known as plain old telephone service (POTS). Background (The End of the Copper Line): the traditional copper telephone lines is prone to theft, in need of repair and expensive. Several states have authorized an end to copper landlines. Voice over Internet Protocol (VoIP) converts voice, video and data to travel easily across fiber, cell networks or Wi-Fi. It is the top 1 choice for US consumers under the age of 35. Approximately 24% of businesses in the US are still using telephone landlines today, representing a huge number of organizations to convert.
  • VoIP Fraud: voice over internet protocol services transmit phone calls through high-speed internet instead of traditional land-based telephone lines. A phone call transmitted through VoIP does not go from the caller to the recipient directly but rather goes through multiple layers of VoIP service providers or wholesalers. VoIP systems save money and resources but also provide inroads for frauds.

--

--