The Changing Risk Profile for Revenue Share Numbers

After eight years of continued growth, the efficacy of the PRISM International Premium Rate Number (IPRN) database for mitigating the risk of IRSF and wangiri fraud continues to surprise. PRISM is a database of IPRN’s that are, or have been, advertised by IPRN Providers for use as international revenue share numbers, where the caller receives a share of the termination revenue for any IPRN’s that they call, and has become a tool in the early detection of IRSF and wangiri attacks. When we started PRISM back in 2013/2014, we had a database of some 70,000 numbers. As of 20 November 2020, this has grown to over 6.2 million numbers.

We currently update PRISM every 2 weeks, and this update frequency became necessary when we became aware of most IPRN Providers changing their number offerings a lot more frequently, obviously in an effort to avoid their numbers being discovered and blocked. During the first 3-4 years of our PRISM journey, the top 10 high risk destinations did not change much, and these 10 destinations (such as Latvia, Cuba, Lithuania, Somalia etc.) accounted for 46% to 50% of all numbers in PRISM. During the last 3-4 years we have seen the percentage of advertised numbers relating to the top 10 high risk destinations drop considerably to the effect that as at 20 November 2020, these 10 destinations are now responsible for only 14.5% of the numbers in PRISM.

Each year we analyze the download data we receive to get a better understanding of changing geographical risks, looking at both the continents which represent the greatest calling risk, and then countries within those continents. There has been a 148% increase in numbers being advertised in the year November 2019 to November 2020. There is very little change in the distribution of numbers across the continents although Oceania is noticeable as the continent with the lowest increase in numbers advertised with an increase of just 84%.

In addition to the PRISM database, we also provide a separate database of Mobile Station Roaming Numbers (MSRN’s) that are being advertised as IPRN’s. We assume that arrangements have been made for these calls to be hijacked and ‘short-stopped’ at another destination. These MSRN’s would end up as a PRISM number because of them being advertised by an IPRN Provider, and some of our PRISM users would then block these, which was preventing roamers from that home network from receiving calls. By identifying these MSRN’s and providing them in a separate list, our users can now enter these into a separate monitoring list to identify any abuse on them.

We are constantly reminded of the value PRISM can provide by the work we do for International Law Enforcement Agencies. We will typically identify between 50% and 80% of any IPRN’s used in an IRSF attack, and in most cases will find that the attack could have been avoided had PRISM been in use at the time of the attack.

Colin Yates
Colin Yates
Colin has enjoyed a long and distinguished career in telecoms fraud, security and investigation. He joined Telecom New Zealand in 1990 as a Security Adviser and went on to hold a string of senior fraud management roles in Vodafone offices in AsiaPac and Europe. Since 2012 he has run his own consultancy which is best known for its PRISM database of numbers commonly used by fraudsters. Colin frequently gives advice about IRSF to groups such as the ITU, FBI, and Europol. He has held various management roles within industry groups, including the GSMA, CFCA, FIINA, ATRFA and PITA. He is a Certified Fraud Examiner (CFE) and has been honored many times for his work, including induction into the RAG Hall of Fame.