VOIP fraud accounted for over $50 billion in losses last year alone. Although VOIP phones traditionally save providers money and resources, VOIP fraud attacks can cause considerable damage and financial loss if not monitored and detected at the source.

 

1. PBX HACKING

A hacker takes control of a PBX (or of a retail customer telephone system, for example by trying admin passwords). Once the attack is successful, the hacker sets up call forwarding or a dial-thru to high-priced destinations.

Then the hacker originates many calls to the PBX, usually from an IP-based source to avoid detection, and the PBX forwards the calls to the high-priced destinations. Alternatively, the hacker can use software that initiates the calls by itself, avoiding the need to generate incoming calls. This fraud scenario is most often used in combination with IRSF or call hijacking. It is also the preferred method for call reselling fraud.

The impact for the retail customer is an invoice for calls he did not make. In addition, depending on the scale of the attack, the customer could become unreachable and/or lose capacity.

From the retail service provider's viewpoint, the risk is having to credit the stolen traffic to the PBX owner.

2. CALL RESELLING

A wholesaler adds a destination to their price list at a much lower price than the standard price. This attracts traffic from other wholesalers. Because terminating traffic far below the standard price is not viable, the wholesaler hacks a PBX and uses it as a switch (see above). The wholesaler pays nothing, and the traffic is charged to the customer whose PBX has been hacked.

3. IRSF (INTERNATIONAL REVENUE SHARE FRAUD)

High-revenue regular destinations and IPRS destinations are extremely sensitive to fraud, given the significant revenue that can be generated in a relatively short period.

Premium Rate Services are specific services providing information or entertainment through calls to specific numbers that are charged at a high rate. The revenue generated may be shared between the number/network owner and the provider of the service.

Several mechanisms can lead to fraud with Premium Rate Services: the service does not deliver what was promised, the service provider extends the duration of the call using different methods (see FAS description), or the service provider generates illegitimate and artificially inflated traffic (for example through PBX hijacking or Wangiri).

In most cases, a massive amount of traffic is generated in a short period of time.
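The traffic spike described above is what a monitoring rule can key on. The following is an added example, not part of the original page: a sliding-window check over call detail records (CDRs) that flags a source trunk whose calls to high-cost prefixes exceed a call-count or billed-minutes threshold. The prefix list, trunk names, CDR layout and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder prefixes standing in for an operator's high-cost / premium-rate list.
HIGH_COST_PREFIXES = ("9990", "9991")

def detect_bursts(cdrs, window=timedelta(minutes=10), max_calls=5, max_minutes=30.0):
    """Flag sources whose high-cost traffic inside a sliding window exceeds
    either the call-count or the billed-minutes threshold (assumed values)."""
    recent = defaultdict(deque)          # source -> (start, minutes) inside window
    alerts, alerted = [], set()
    for start, source, dest, seconds in sorted(cdrs):
        if not dest.startswith(HIGH_COST_PREFIXES):
            continue                     # ordinary destinations are not scored
        calls = recent[source]
        calls.append((start, seconds / 60))
        while start - calls[0][0] > window:
            calls.popleft()              # expire calls older than the window
        minutes = sum(m for _, m in calls)
        if source not in alerted and (len(calls) > max_calls or minutes > max_minutes):
            alerted.add(source)          # one alert per source
            alerts.append({"source": source, "first_call": calls[0][0],
                           "calls": len(calls), "minutes": round(minutes, 1)})
    return alerts

def sample_cdrs():
    """Constructed CDRs: (start, source trunk, dialled number, billed seconds)."""
    night = datetime(2024, 1, 6, 2, 0)
    # A compromised PBX placing back-to-back calls to one premium range at 02:00.
    cdrs = [(night + timedelta(seconds=30 * i), "pbx-trunk-17", f"99901234{i:02d}", 240)
            for i in range(8)]
    cdrs += [
        # Occasional legitimate calls to a high-cost number, hours apart.
        (datetime(2024, 1, 5, 10, 0), "pbx-trunk-04", "9990555001", 300),
        (datetime(2024, 1, 5, 16, 0), "pbx-trunk-04", "9990555001", 300),
        # Ordinary traffic from the trunk that is later abused.
        (datetime(2024, 1, 5, 11, 0), "pbx-trunk-17", "12125550100", 600),
    ]
    return cdrs

if __name__ == "__main__":
    for alert in detect_bursts(sample_cdrs()):
        print(alert)
```

Run against real CDRs, the same loop can feed an automatic block on the affected trunk so the loss stops while the PBX owner is contacted.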

4. WANGIRI

Wangiri is a Japanese term describing a missed call campaign (literally, “One (ring) and cut”). The mechanism is based on CLI spoofing, spamming and IRSF.

The fraudster originates massive calls to mobile subscribers (Target Subscribers) in a specific country, or to a specific mobile operator (Target Mobile Operator).

The fraud scenario is as follows: after one or two ringing tones, the call is dropped. The targeted customer has no chance to answer, and will see a missed call displaying a manipulated CLI. This CLI belongs to a Premium Rate Service number, usually disguised as a local number. When the targeted customer calls back this number, he will usually hear an adult-oriented recording.

The target subscriber is unknowingly dialing an extremely expensive number for which he will be billed on his next invoice, and he will almost certainly dispute the invoice with his mobile operator.

Alternatively, fraudsters can use SMS spamming to motivate a call back from the target customer.

  • The fraud occurred in Japan for the first time.
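The Wangiri pattern leaves two traces an operator can look for: one CLI ringing many distinct subscribers and cutting off within seconds, followed by some of those subscribers calling the CLI back. The following is an added example, not part of the original page, that finds both; the record layouts, thresholds and all numbers are assumptions and placeholders.

```python
from collections import defaultdict

def find_wangiri(inbound, outbound, max_ring=5, min_targets=20, min_ratio=0.9):
    """inbound: (cli, called, ring_seconds, answered); outbound: (subscriber, dialled).
    Thresholds are assumed values to tune per network."""
    stats = defaultdict(lambda: {"total": 0, "dropped": 0, "targets": set()})
    for cli, called, ring, answered in inbound:
        entry = stats[cli]
        entry["total"] += 1
        if not answered and ring <= max_ring:    # rang briefly, then cut
            entry["dropped"] += 1
            entry["targets"].add(called)
    # A campaign CLI hits many distinct subscribers and almost never lets them answer.
    flagged = {cli: e["targets"] for cli, e in stats.items()
               if len(e["targets"]) >= min_targets
               and e["dropped"] / e["total"] >= min_ratio}
    report = {cli: {"targets": len(t), "callbacks": []} for cli, t in flagged.items()}
    for subscriber, dialled in outbound:
        # Exposure: a targeted subscriber returning the missed call.
        if dialled in flagged and subscriber in flagged[dialled]:
            report[dialled]["callbacks"].append(subscriber)
    return report

def sample_traffic():
    """Constructed records; every number is a placeholder."""
    subs = [f"1555010{i:04d}" for i in range(30)]
    # One ring and cut towards 25 distinct subscribers.
    inbound = [("9990700123", s, 2, False) for s in subs[:25]]
    # A call centre: many targets, but most calls ring normally and are answered.
    inbound += [("15550009000", s, 3 if i % 10 == 0 else 12, i % 10 != 0)
                for i, s in enumerate(subs)]
    # A single ordinary missed call.
    inbound.append(("15550001111", subs[0], 4, False))
    outbound = [(subs[3], "9990700123"), (subs[7], "9990700123"),
                (subs[28], "9990700123"), (subs[7], "15550009000")]
    return inbound, outbound

if __name__ == "__main__":
    print(find_wangiri(*sample_traffic()))
```

The callback list identifies the subscribers already exposed, and the flagged CLI can be blocked for outbound calls before more of them return the call.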

6. CALL HIJACKING

Some percentage of the calls from network A which should be terminated in network C is intentionally routed by transit operator B to an announcement server playing a recorded message.

The caller will never reach the legitimate called party. Transit operator B charges all calls at the committed rate and has nearly 100% margin on all calls which are routed to the recorded message. The transit operator offers low prices and therefore attracts a lot of traffic.

All in all, the traffic towards a transit operator that hijacks calls increases, because end customers initiate a further call after reaching a recorded message.

7. FAS (FALSE ANSWER SUPERVISION)

For this type of fraud, a party in the traffic flow chain sends a false signal indicating that a call has been established, even though this is not the case. Calls are charged for a longer duration than the correct value: calls that are not connected are billed as completed calls, the calling party is charged for the call set-up time (early answer, dead air, artificial answer, …), or the calling party can never reach the called party but is charged for the call duration (combination with call hijacking).
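The symptoms listed above show up in per-route statistics: nearly every call is reported as answered, the answer arrives before a phone could plausibly have rung, and many billed calls last only seconds because the caller hears dead air and hangs up. The following is an added example, not part of the original page, that scores routes on those three indicators; the CDR layout, route names and thresholds are assumptions.

```python
from collections import defaultdict

def fas_report(cdrs, short_call=10, early_answer=1.0, min_calls=20):
    """cdrs: (route, answer_delay_s, answered, billed_s). Thresholds are assumed."""
    per_route = defaultdict(list)
    for route, delay, answered, billed in cdrs:
        per_route[route].append((delay, answered, billed))
    report = {}
    for route, calls in per_route.items():
        answered = [c for c in calls if c[1]]
        if len(calls) < min_calls or not answered:
            continue                                   # too little data to judge
        asr = len(answered) / len(calls)               # answer-seizure ratio
        short = sum(c[2] <= short_call for c in answered) / len(answered)
        early = sum(c[0] < early_answer for c in answered) / len(answered)
        reasons = []
        if asr > 0.95:
            reasons.append("implausibly high answer ratio")
        if short > 0.4:
            reasons.append("many billed calls abandoned within seconds")
        if early > 0.3:
            reasons.append("answer signalled before normal ringing time")
        # Require two independent indicators before calling a route suspect.
        report[route] = {"asr": round(asr, 2), "short": round(short, 2),
                         "early": round(early, 2), "reasons": reasons,
                         "suspect": len(reasons) >= 2}
    return report

def sample_route_cdrs():
    """Constructed CDRs for two hypothetical transit routes."""
    cdrs = [("route-B", 0.2, True, 6)] * 20        # answered instantly, caller hangs up
    cdrs += [("route-B", 8.0, True, 180)] * 20     # normal conversations
    cdrs += [("route-D", 9.0, True, 200)] * 22
    cdrs += [("route-D", 9.0, True, 5)] * 2        # a few genuine short calls
    cdrs += [("route-D", 25.0, False, 0)] * 16     # unanswered, not billed
    return cdrs

if __name__ == "__main__":
    for route, row in fas_report(sample_route_cdrs()).items():
        print(route, row)
```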

8. DOMESTIC FRAUD

Domestic fraud works in a similar fashion to International Revenue Share Fraud (IRSF): traffic to premium rate number (PRN) services is artificially inflated. The fraudster compromises your customers’ telephony assets and directs traffic towards the PRN. The fraudster has an agreement with the owner of the network providing PRNs and so presumably collects a percentage of the ill-gotten revenue.

Even in the absence of premium rate services, under the FCC regulations, a termination fee is due to the local exchange carrier, usually a rural telco, on which the call destination resides. Increased levels of traffic to these rural carriers therefore result in increased carrier revenue, a practice also known as access stimulation.

Similarly, amplified levels of traffic can be generated to SCPs offering TCAP database access. Determining the calling name associated with a caller ID, for example, is the most frequent use of a TCAP dip. The originating local phone company is owed a fee from the terminating phone company; this is commonly referred to as a CNAM dip fee. This compensation is owed for every call where the calling party name is displayed to the called party, even when the call is not answered.


Think your business might be experiencing negative performance due to VOIP fraud? Schedule a call with us for a free VOIP assessment. Click ‘get started’ below to schedule a 15-minute call.
