IRSF misconception #3: fraud destinations are static

GSMA’s Fraud Services Product Director Jordi Castellvi, responsible for our recently introduced GSMA IRSF Prevention service, explains some of the misconceptions around large scale SMS AIT and voice fraud.

The misconception of static IRSF destinations

Much of International Revenue Share Fraud (IRSF) involves redirecting traffic to high-cost destinations, often at premium rates. Prevention necessarily involves detecting a fraudulent destination, but it’s a common misconception to believe that such destinations remain static. In reality, IRSF fraudsters are relentlessly innovative, constantly seeking out new vulnerabilities and creating less-monitored routes to exploit. This means fraud destinations are highly dynamic, often shielded by the legitimate traffic within the automated and trust-based systems of the telecom wholesale market. This requires organisations to continuously adapt their defence strategies.

The intricacies of routing international traffic across multiple carriers

The routing mechanisms and operational nuances of the telecom wholesale market are key to understanding dynamic destinations. In the journey from origin to termination of a call or SMS, up to ten different vendors may be involved. An organisation’s outbound international traffic may pass through a convoluted network of vendors each with their own suppliers, prices and traffic routes. These prices, combined with an appraisal of the effectiveness of each route, are used as the basis for routing algorithms which determine which vendor and route should be used. Fraudsters exploit this layered, trust-based system, partnering with various vendors within the wholesale industry. In this predominantly automated and trust-based ecosystem, tracking and scrutinising every change remains challenging.

The anatomy of IRSF numbering and the challenge of detection

Fraudsters blend IRSF traffic with legitimate calls, making detection difficult. They masquerade as legitimate entities, offering seemingly beneficial rates for call termination to desired destinations. In reality, they are positioning themselves to divert specific IRSF-targeted traffic for their own fraudulent gain, while passing legitimate traffic onto other unsuspecting vendors. When seeking to enable either ranges of numbers or thousands of unique numbers from a given destination country, fraudsters typically take three key steps:

Using curated, real-time data ensures swift and effective responses to emerging threats. It narrows the focus to the most pressing and relevant indicators of IRSF, enabling mobile network operators and communication service providers (CSPs) to identify, verify, and counteract fraudulent activities promptly. By reducing the noise and honing in on actionable data, operators and CSPs can prevent potential revenue loss and shield consumers from fraud.

  1. they look for a vendor already terminating significant commercial traffic to that country;
  2. they then offer to terminate calls at a rate just below market value, but simultaneously arrange for another wholesale vendor to handle the legitimate commercial traffic;
  3. this allows them to focus on creating numbers at will, hijacking calls to those numbers and terminating them, and thus collecting money for the IRSF-targeted calls whilst commercial traffic remains untouched.

Routes mixed with IRSF and commercial traffic are difficult to detect and can remain unnoticed for extended periods. Moreover, they are often inadvertently prioritised by telecom routing algorithms because they exhibit excellent metrics, such as high answer seizure ratios (ASR) and lengthy average call durations – attractive pricing further obscures the fraudulent activity.

Proactive detection: the only viable solution to dynamic IRSF destinations

For these reasons, detection cannot rely on traditional monitoring alone. The key to adapting to the dynamic nature of IRSF lies in proactive detection. The only way to swiftly identify compromised accounts, vendors or routes is through prior knowledge of the numbers currently and potentially used for IRSF. Without these numbers, there can be no financial gain to IRSF or SMS AIT, so knowing them in advance is the most effective method for rapid detection and remediation.

This is where the GSMA IRSF Prevention service becomes invaluable. It provides an extensive live database of high-risk numbers to pre-emptively flag or block fraudulent communications. Access to such timely information enables organisations to set up defensive measures that can automatically flag or block calls and SMS to these high-risk numbers, vastly reducing the window of opportunity for fraudsters to profit from their schemes.

Adapting to the IRSF threat landscape is not optional, it’s imperative. Combatting IRSF means being as dynamic and sophisticated as the fraud itself. Companies must embrace flexibility and remain vigilant, equipping themselves with advanced prevention tools like the GSMA IRSF Prevention service.
By staying ahead of the curve, organisations can better protect their interests and those of their customers from the perils of IRSF.

Read more about GSMA IRSF Prevention here or book a demo with us here.