
Misconception #5: valid numbers are not used in IRSF

International revenue share fraud (IRSF) is a type of fraud that manipulates complex global routing of international calls to generate profit for fraudsters. A common misconception is that this does not involve valid phone numbers assigned to businesses or consumers – however, these numbers can be exploited too.

Telecommunications providers can better protect themselves with minimum impact on user experience by understanding this process and learning how to mitigate the risks.

The complex routing of international calls

At the core of IRSF lies the complex system of global call routing, which presents numerous opportunities for abuse. Routing of international calls is determined by various factors, including geographical distance, network redundancy, infrastructure, number of intermediaries, and routing protocols used by telecommunications providers.

The large number of potential routes a call can take makes it challenging for telecommunications providers to track and detect fraudulent activity. For instance, a call routed from one continent to another could pass through a variety of transit carriers, submarine cable routes, and satellite routes, leading to hundreds of possible routing combinations. This complex wholesale market for international traffic allows international premium rate number (IPRN) providers to insert themselves into the routing chain, often without the knowledge of the originating and destination telecommunications providers.

In this environment, IPRN providers position themselves as legitimate routes for international traffic, offering payouts for traffic routed through their numbers. This creates a financial incentive for fraudsters to use IPRN providers for their own traffic.

IPRNs should be associated with services that charge higher rates, like adult content, technical support, conference calls, information or entertainment services. In the context of IRSF, however, no legitimate service is being provided. The call originator is often unaware of the IRSF calls, as is the case for calls originating from hacked telephony systems or stolen or compromised account credentials.

How IRSF hijacking works

IRSF hijacking is the process by which calls are routed through IPRN providers who, to generate revenue, short-stop the calls and do not send them to destination networks. The IPRN providers pay their customers, to whom they assign IPRNs and who generate the fraudulent calls.

‘Full’ IRSF hijacking involves all calls to IPRNs being short-stopped. ‘Selective’ hijacking, on the other hand, means only certain calls, such as those made during specific times (e.g., after business hours) or from particular numbers, are hijacked. This makes fraud harder to detect, as many legitimate calls still go through normally.

Perpetrators regularly change, rotate or recycle numbers they use from the IPRN providers to avoid detection. When a specific IPRN is flagged as fraudulent or blocked by telecommunications providers, fraudsters move on to a new IPRN. This cycle, and the recycling of numbers that comes with it, ensures a steady flow of revenue for fraudsters.

To establish access before launching a full-scale IRSF attack, fraudsters often use tools sourced from IPRN providers, such as web-based panels reporting access, test numbers, automatic diallers to test IPRNs, or access reports and notifications. These tools and associated test calls help them determine which routes are profitable and operational, allowing them to fine-tune their attacks. By testing various routes and IPRN numbers, fraudsters identify those that generate the most revenue without detection. The IPRN providers also communicate where there is access to their IPRNs, to attract more traffic and reduce the need for fraudsters to make test calls.

Why valid numbers are also used in IRSF attacks

IPRNs often use random number ranges, including those that may later be assigned to legitimate enterprises like banks, airlines, hotels, and customer service centres. These numbers may initially be used as IPRNs for revenue sharing before being assigned to real users and enterprises by network operators. This creates a risk when telecommunications providers rely on simple blocking mechanisms for numbers used in IRSF attacks, as they may inadvertently block calls to legitimate businesses in routes where there is no hijacking, leading to customer complaints.

Fraud prevention managers are often misled when dealing with valid numbers involved in IRSF attacks or flagged as IPRNs. To verify if a number is compromised, they may call it directly – if selective hijacking is in place, or if the call isn’t routed through an IPRN, the call will reach the legitimate enterprise. This leads managers to mistakenly believe there’s no fraud associated with the number. It’s only when the unusual surge in fraudulent traffic becomes apparent that they realise the true extent of the attack. In some instances, when the fraudsters combine the fraud with arbitrage (exploiting the price difference of retail plans and the payout from IPRN providers) or carry the fraud over a long period with reasonable usage, such fraud may remain undetected for sustained periods, which increases risk.

Rather than strictly blocking calls to IPRN numbers, the industry needs to focus on detecting and acting on compromised accounts. By dealing with the source of the issue, the industry is better able to prevent large-scale fraud. This is necessary because, as well as the risk of blocking legitimate numbers, fraudsters will continue testing new numbers until they find those that bypass strict blocking mechanisms anyway.

For example, a valid number used by a major airline (+44-XXXXX0787) was also advertised by an IPRN provider as eligible for payout in a hijacking scheme.

The legitimate customer service number, listed on the airline’s website, is also advertised by an IPRN provider with a payout of 0.0260 to 0.0312 USD/minute. To tackle the issue of valid numbers used for IRSF, fraud prevention managers must be aware of key challenges:

  • Calls pass through multiple international voice carriers, making it difficult to trace when and where they were hijacked. Identifying the exact point of fraud often requires collaboration with multiple international carriers, complicating detection and resolution.
  • Selective hijacking blends fraudulent activity with regular traffic, making detection harder.
  • Strict number blocking risks impacting valid calls. Instead, managers should aim to block callers identified as co-fraudulent.

Mitigating risk

To effectively combat IRSF, telecommunications providers need to adopt a comprehensive approach involving:

  • Use of real-time preventative fraud intelligence which tracks IPRNs available to fraudsters. It’s inefficient to rely on weekly updates or sharing of fraudulent numbers after the IRSF attacks have taken place. Fraud intelligence must be updated continuously to reflect the latest threats and help understand which IPRNs are active, and in which routes they are being used. Tracking IPRN test numbers alone, or reporting numbers used in previous IRSF attacks, is not preventive in nature – it’s after-the-fact or out of date.
  • Monitoring call patterns for irregularities and identifying who is calling IPRNs. This kind of proactive monitoring detects IRSF and hijacked calls early, before attacks, with minimum false positives.
  • Collaborating with carriers and network operators to ensure there is transparency and change all routing when required. Close collaboration of this sort helps identify and address suspicious routing before it leads to significant losses.
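
The caller-centric monitoring in the list above, and the earlier advice to act on compromised accounts rather than block numbers, can be sketched as follows. This is an added example, not code from the original post or from the GSMA service; the account names, the numbers (under the unassigned +999 code), the call records and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed feed of numbers advertised by IPRN providers (+999 is unassigned).
# The first entry plays the role of a valid enterprise line that is also advertised.
IPRN_ADVERTISED = {"+99910000787", "+99920000001", "+99920000002", "+99920000003"}

# Constructed CDRs: (account, dialled number, start time, duration in seconds).
CDRS = [
    ("retail-17", "+99910000787", "2024-03-04T10:15:00", 420),  # genuine call to the enterprise
    ("retail-17", "+99930000555", "2024-03-04T18:30:00", 95),
    ("pbx-03", "+99920000001", "2024-03-05T01:02:00", 3400),
    ("pbx-03", "+99920000002", "2024-03-05T01:05:00", 3550),
    ("pbx-03", "+99910000787", "2024-03-05T02:10:00", 3600),
    ("pbx-03", "+99920000003", "2024-03-05T03:20:00", 3300),
    ("pbx-03", "+99930000777", "2024-03-05T11:00:00", 60),
]

# Illustrative thresholds (assumptions; tune against your own traffic baseline).
MIN_DISTINCT, MIN_MINUTES = 3, 60.0


def profile_callers(cdrs, advertised):
    """Aggregate, per account, only the calls that hit IPRN-advertised numbers."""
    stats = defaultdict(lambda: {"dests": set(), "minutes": 0.0, "calls": 0, "off": 0})
    for account, number, start, seconds in cdrs:
        if number in advertised:
            s = stats[account]
            s["dests"].add(number)
            s["minutes"] += seconds / 60
            s["calls"] += 1
            hour = datetime.fromisoformat(start).hour
            s["off"] += hour < 8 or hour >= 18  # outside business hours
    return stats


def flag_accounts(cdrs, advertised=IPRN_ADVERTISED):
    """Flag the calling account for review; advertised destinations stay reachable."""
    flagged = {}
    for account, s in profile_callers(cdrs, advertised).items():
        if len(s["dests"]) >= MIN_DISTINCT and s["minutes"] >= MIN_MINUTES:
            flagged[account] = {"distinct": len(s["dests"]),
                                "minutes": round(s["minutes"], 1),
                                "off_hours_share": s["off"] / s["calls"]}
    return flagged


if __name__ == "__main__":
    print(flag_accounts(CDRS))
```

A single daytime call to the advertised enterprise number leaves `retail-17` untouched, while `pbx-03` is flagged on the spread and volume of its calls to advertised numbers; the off-hours share is reported as supporting evidence rather than used as a gate.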

Recognising the need for greater knowledge of fraudsters’ operations and their weaknesses, the GSMA launched the GSMA IRSF Prevention service. Engineered with a deep understanding of the hacker’s mindset, this industry-leading tool is built to help stay one step ahead. The service provides a means to understand the nuances of IPRNs and the routes in which they are employed – something crucial to fraud prevention.

Guided by an intelligence-driven strategy, this service and its leadership empower enterprises to move beyond merely reacting to fraud. Its real-time automated platform ensures proactive prevention, keeping threats at bay before they strike.

This is the fifth and final blog in our series on IRSF misconceptions, wrapping up with a complex topic of number validity and fraudsters’ use of IPRN. Understanding this is crucial for gaining insight into how fraudsters and their accomplices operate, and ultimately, in fortifying your defences against them.
