Call Replay: Spying or Fraud?

Over the last 2 years, I’ve been aware of periodic complaints from customers on different mobile networks who claim their calls have been recorded.  The customers report that during the call they notice they aren’t hearing live audio from the other party, but a recording, replaying audio content from earlier in the conversation.  I have experienced it myself and remember thinking the other party was repeating himself but then realising I was hearing exactly what he had said previously, and in fact the call content was being replayed.

How much do we know about call replay?

Not much.  I’m only aware of a small sample, which is often lacking detail, but the common features are that this only occurs on international calls and the call replay only involves one side of the conversation.  Also, call replay tends to be reported by customers concerned about professional confidentiality, e.g. lawyers and bankers, who believe they may have been the target of illegal interception.  However, I believe the sample is affected by selection bias, as customers exchanging cake recipes may also have experienced call replay and merely regarded it as a network fault, so dropped the call and re-dialled.  For info, I didn’t report my call replay experience to my network operator because I thought it would be a waste of my time.

Why is it happening?

Having spoken to several industry players, there are two likely causes, illegal interception or fraud.  You should never discount the possibility there may be a combination of both.

Part or all the call is being intercepted and recorded but I’m not aware of evidence to indicate where it is occurring, who is responsible or the motive behind the interception.  Without a representative sample, it’s not possible to identify common factors which may shed light on the involvement of state actors and/or organised crime.  Hopefully, you would agree that replaying the target his own conversation and alerting him to the interception isn’t a very professional approach so, based on information currently available, my conclusion is that it doesn’t look like the work of national intelligence agencies.

So, if it’s not the spooks, what’s the evidence that it’s fraud? – what’s the motive, who is the fraudster and who is the victim?  Currently, the best explanation I can offer is that call replay is a symptom of ‘call-stretching’, which includes several practices employed by fraudulent carriers to increase their margins.  Many of you will be familiar with the fraudulent use of false ring, false answer and late disconnect for this purpose.  If you haven’t come across them:

  • False ring occurs when a carrier deliberately extends the period when the caller hears the ring tone and charges it as a connected call when the call isn’t connected, and no charge is due.
  • False answer involves the carrier faking a connected call and introducing a false answer message e.g. “The person you are calling has not responded, please try later” or “Your call is being re-directed to another number, please hold…”
  • Late disconnect involves continuing to charge for a connected call after a disconnect signal has been sent.

Although these tactics may be only adding seconds to each call, their cumulative effect can deliver a significant uplift for the fraudulent carrier.

In the case of call replay, the consequence is that the call duration is extended whilst one party listens to the replay, realises it is a recording, and at some point, terminates the call.  I believe that in almost every case, the result is a second call which invariably involves discussing what just happened and then either finishing the original call or, where confidentiality is a concern, deciding whether another communication channel should be used.  The net result is longer net chargeable call durations for the fraudulent carrier.

Why it matters

This issue occurs on international calls, and this is the type of traffic most commonly associated with high value customers, which is also the user group most concerned about professional confidentiality.  When call replay occurs and causes them concern they’ll report it to your customer services or security team and expect you to provide them with an explanation and an assurance that it cannot happen again.  Can you do that?  Has anyone in your company heard of call replay and, if so, can they explain it to the customer?  Does it matter that the call replay didn’t happen on your network if the customer moves his business to another operator?

What can you do about it?

First, awareness.  Make sure your security team knows about call replay or send them to find out and then prepare a short, simple statement to explain it.  Make sure customer care teams are told about call replay and capture and forward all relevant customer reports; they should use the statement prepared by the security team to explain the issue to the affected customers.

Second, detection.  Use the reports from customer care to define and measure the problem – how many reports and between which networks and countries did they occur?  Where permitted, I recommend sharing information between operators and industry groups to get a better picture of the issue.  Combine this with other relevant information, e.g. False Answer Supervision, to identify the ‘dirty’ routes and, by inference, the dirty carriers.

Third, prevention.  Just to be clear, tier 1 carriers aren’t using call replay, it’s something that’s happening lower down the distribution chain, but it’s the tier 1 carrier which is selling you the routes.  Work together to identify the dirty routes and have the tier 1 carrier remove the dirty carriers; if your existing carrier can’t give you clean routes, you always have the option of moving them to another carrier.

Conclusions

I asked what is the motive, who is the fraudster and who is the victim?  Whilst my call replay sample is small, I’m more convinced by a clear financial motive than a vague suspicion of espionage.  So, in my view, the fraudster is a budget carrier somewhere in the chain and the victim is the end user – your customer.

I expect operators’ analysis will demonstrate a commonality with other fraudulent call stretching tactics and confirm that call replay is happening on low grade international routes as another means of increasing margin.  However, I don’t discount alternative explanations – if you have a better one, please feel free to share it and benefit everyone affected.

David Morrow
David Morrow
Dave has 35 years of law enforcement, investigation and fraud management experience including multiple international assignments. He is a recognised telecoms fraud expert and for a number of years chaired the GSMA workgroup responsible for Security & Fraud Risk Assessments.

Dave now provides fraud management support as an independent consultant.