ECC Newsletter May 2019

A to Z of Fraud Types

The A to Z of Telecoms Fraud Techniques involving E.164 numbers

Most telephone and mobile phone users have been victims - or potential victims - of fraud in their lifetime. The tech support scam is one with which many European users will be familiar where a caller pretends to be a computer technician from a well-known company. They say they’ve found a problem with your computer and ask you to give them remote access to resolve the problem. They then try to make you pay for fixing a problem that never existed in the first place. There is no exact science involved in targeting victims. Scammers make millions of "spam" calls in the hope of finding a victim. This is enabled by developments in technology that allow end users to manipulate CLI and generate multiple spam calls from a single source.

Global spam calls have grown 325% to 85 billion worldwide, according to the first Global Robocall Radar Report, released in February 2019 by Hiya, a Seattle-based company. The report found that Spain, the UK, Italy, France, Argentina and the United States receive the most nuisance and fraudulent calls. Such calls are far and away the biggest consumer complaint to the Federal Communications Commission in the US with over 200,000 complaints each year - around 60 percent of all the complaints it receives.

E.164 telephone numbers often play a role in fraud and misuse. According to the ITU, international E.164 numbering resources are misused when the use does not "conform to the relevant national numbering plan and/ or relevant ITU-T recommendation(s), assignment criteria for which it was assigned or when an unassigned numbering resource is used in the provision of a telecommunication service".

But what are the types of fraud involving E.164 numbers? This article provides an overview of the main types that are commonplace. A combination of the following methods can often be used in tandem to commit fraud.

CLI Spoofing: Calling Line Identification (CLI) spoofing is a method whereby a fraudster manipulates the telephone number in the CLI field, leading the person they are calling to think that the call has come from a different location, organisation or person. It is commonplace that a national geographic number or a mobile number that the called person recognises is spoofed. Because the end user trusts the CLI, they are more likely to part with credit card details, bank details or other personal information during the call. Often, the fraudsters originate the calls from developing countries where they are unlikely to be prosecuted or even detected.

International Revenue Share Fraud (IRSF): This is one of the oldest and most perpetrated forms of fraud facing the telecoms industry, proliferating particularly with the growth of mobile phones. With IRSF, the fraudsters artificially inflate traffic volumes to certain sections of the national numbering ranges - usually to premium rate numbers. As premium rate numbers are based on a revenue sharing payment model, the end-users of the premium rate numbers receive a payment for each call they receive. Witholding of payments to these end-users is one way of eliminating such fraud.

Wangiri: A Japanese word meaning ‘one ring and drop’, Wangiri is a scam whereby the caller cuts off just as the phone rings. The person receiving the call sees a missed call message with an international number displayed as CLI. If they call the number back, usually a premium rate or high tariff destination number, they will be charged a lot of money. Here, the fraudster usually uses an automated technique to simulate multiple calls in a very short period of time. You’ll often see many people within an area receive calls close together and telecoms operators monitor traffic patterns in an attempt to identify wangiri traffic so that the calls can be blocked or the presentation of the CLI for such calls can be restricted quickly.

Refiling/re-origination of traffic: Here, the fraudster manipulates the originating number by replacing the “A number” in the call signalling of the real originating country outside the European Economic Area (EEA) with a number from a country within the EEA. They do this because the call termination tariffs differ between EEA and non-EEA countries due to intra-EU roaming regulations. This creates an arbitrage opportunity for bad actors in the value chain and causes problems for both the transit and terminating operators whose revenues are affected. End-users are also affected as they cannot reach the calling party if they try to call back using the CLI presented.

Hacking of accounts/PBX: In this case, the fraudster hacks a telephone account or corporate private branch exchange (PBX). They then generate traffic to premium rate numbers as described earlier with IRSF. The victim is then billed for the call origination charges while the receiver of the call on the premium rate number receives a payout from their terminating operator.

Traffic collectors and roaming fraud: Using what are known as Subscriber Identity Module (SIM) boxes, the fraudsters generate artificial traffic to premium rate numbers, known as "traffic collectors". The perpetrators often use stolen SIM cards from people who are travelling and roaming in other countries. The home network will eventually block the SIM when the customer reports it stolen but not before the perpetrator has made a large number of calls.

Malware in apps: Some unofficial app stores have applications containing malware that can generate calls to premium rate or high tariff numbers. The end-user is often unaware that they have downloaded the malware until their bills come through by which time the fraudsters have made their money.

Subscription fraud: In this case, a fraudster will subscribe to a telecom service but intends on never paying for it. They tend to use false identities and stolen credit card details to set up the subscription. At the other end of this scale, the end-user subscribes unknowingly to a service after clicking on pop-ups on the internet. The subscription charge will appear on their phone bills.

Call hijacking / short stopping: When a caller makes a call, the call must flow from the originating operator through one or more transit operators to a terminating operator before reaching the end user. Call hijacking or short stopping occurs when a “dishonest” operator ends the call on their network before it reaches the destination. If a call is intercepted by a transit operator with a recorded announcement, the transit operator can charge the originating operator for the total transit and termination fee. Often, though, only some of the traffic is rerouted to unassigned numbers so few complaints are initiated, making detection less likely.

Telecoms fraud is a high volume, low value business. In cases where potentially thousands of consumers are defrauded of small amounts of money then the chance they will make a complaint is low. Also, as the fraudsters are often located in developing countries, the local authorities do not pursue them as the complaints are made by victims in other countries where the authorities do not have the necessary jurisdiction to take action.

The industry mindset towards combatting fraud has started to shift. Consumer protection now commands a similar priority to revenue protection and collaboration and cooperation between law enforcement authorities, operators and regulators, both nationally and internationally, is increasing. ECC Report 275, prepared by the ECC’s Working Group Numbering and Networks, examines the motives methods and opportunities for committing fraud and makes a number of recommendations for best practices to effectively tackle fraud. The report calls on all stakeholders to share information and collaborate, and as a first step in this direction, WG NaN organised a public workshop on the role of E.164 numbers in international fraud and misuse of electronic communications services in Brussels on 11 December 2018. The next article in this edition of the ECC Newsletter provides a summary from the public workshop. Read it here.

Freddie McBride
Deputy Director
European Communications Office