What Is New with IRSF Fraud?

In recent years there have been significant changes in the behaviour of International Premium Rate Number (IPRN) providers, particularly around the destinations being advertised for International Revenue Share Fraud (IRSF) and Wangiri calling activity. This was primarily prompted by the introduction of the EU Roam Like Home (RLAH) directive, which resulted in a gradual change in destinations being offered. The suspicion is that this enabled the exploitation of calling bundles which had a single tariff for multiple destinations. This resulted in a change of the typical high risk destinations which, following the EU Directive, started to include many destinations which were previously considered low risk.

Introduction

Historically, certainly in the years leading up to 2018, the same countries would usually appear in the top 10 terminating IPRN destinations month after month, these being the most prized destinations by fraudsters owing to the high pay-outs associated with their call termination rates. These countries were destinations such as Cuba, Latvia, Lithuania, Somalia, and others.

Since 2018, there is evidence that the focus of these destinations has been extended to include a much wider range of country codes, with many of these being previously considered of low risk, and of little interest to fraudsters because of their low termination rates.

These changes are believed to have been driven by improvements in most telcos’ fraud detection capabilities, which have resulted in common fraud destinations (and numbers) being known, and either blocked or hot-listed by originating carriers. Another contributor, particularly relevant to the lower termination rate destination numbers, is the revenue opportunity created for fraudsters, and for those engaging in arbitrage, by the tariff offerings now commonly available which allow multiple destinations to be called using one bundled tariff service.

Same Old Fraud…

As already stated, the top 10 IRSF destinations changed very little for many years, so it was quite an easy task for Fraud Analysts to channel much of their detection activity towards these high-risk destinations. If an IRSF attack was detected, it was unusual if one of the top 10 risk destinations was not included in the dialled destinations during that incident. We identified these top 10 destinations by the quantity of numbers for each destination being advertised by IPRN Providers, and the number of IPRN Providers who were advertising them. This methodology was generally confirmed through the fraud reports and surveys submitted through the various industry Fraud and Risk Forums.

My business has maintained PRISM, a database of International Premium Rate Numbers advertised by IPRN Aggregators, for the past 8 years. This has grown from an initial database of 17,000 IPR numbers in 2013, to a database which now contains over 10 million numbers (as at 20 August 2021). In 2014 we were finding around 4,000 numbers advertised each month, 1,700 of them being new numbers. We are now finding around 3 million numbers advertised each fortnight with between 300,000 and 600,000 of these being new numbers each month. The new number total reached a high during August 2021, when we identified 2.7 million new IPRN’s for the month (these are numbers not previously advertised by any IPRN Provider).

We perform an analysis to identify the top 10 destinations in the database, and the top 15 currently advertised, each fortnight before this updated database is distributed to the many CSP’s who subscribe to our service. The top 10 destinations from the total database numbers normally have only one or two changes per month. However, the top 15 currently advertised will now generally have between 8 and 12 changes which reflects the destination changes IPRN Providers are making every fortnight or month.

…But New Destinations

3 years ago, the top 10 destinations advertised by IPRN Aggregators accounted for 42% of the total database, which consisted of 220 destinations. The list of destinations as of August 2021 now includes 239 countries, and the percentage of the top 10 destinations has been decreasing over the past 3 years. As of 20 August 2021, the top 10 only accounts for 23.7% of the total database.
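The fortnightly analysis described above (ranking destinations by quantity of numbers and by number of providers advertising them, counting never-before-seen numbers, tracking top-N changes and the top-N share of the database) can be sketched as follows. This is an added example, not PRISM code; the provider names, phone numbers and function names are constructed for illustration, and only the country codes are real.

```python
from collections import defaultdict

# Real E.164 country codes for destinations the article names. The provider
# names and phone numbers below are constructed sample data, not PRISM records.
COUNTRY_CODES = {"53": "Cuba", "371": "Latvia", "370": "Lithuania",
                 "252": "Somalia", "44": "United Kingdom"}

def destination(number):
    """Longest-prefix match of an E.164 number against COUNTRY_CODES."""
    digits = number.lstrip("+")
    hits = (COUNTRY_CODES.get(digits[:n]) for n in (3, 2, 1))
    return next((h for h in hits if h), "Unknown")

def rank_destinations(adverts):
    """Rank destinations by distinct numbers advertised, then by providers."""
    numbers, providers = defaultdict(set), defaultdict(set)
    for provider, number in adverts:
        dest = destination(number)
        numbers[dest].add(number)
        providers[dest].add(provider)
    rows = [(d, len(numbers[d]), len(providers[d])) for d in numbers]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

def top_n_share(ranking, n):
    """Fraction of all advertised numbers held by the top-n destinations."""
    total = sum(count for _, count, _ in ranking)
    return sum(count for _, count, _ in ranking[:n]) / total if total else 0.0

def top_n_changes(previous, current, n):
    """Destinations that entered and left the top-n between two snapshots."""
    before = {r[0] for r in previous[:n]}
    after = {r[0] for r in current[:n]}
    return sorted(after - before), sorted(before - after)

def new_numbers(known, adverts):
    """Numbers in this snapshot that were never advertised before."""
    return {number for _, number in adverts} - set(known)

FORTNIGHT_1 = [("provA", "+5350000001"), ("provA", "+5350000002"),
               ("provB", "+5350000001"), ("provA", "+37120000001"),
               ("provB", "+37120000002"), ("provA", "+252600000001")]
FORTNIGHT_2 = [("provA", "+447000000001"), ("provB", "+447000000002"),
               ("provC", "+447000000003"), ("provA", "+252600000001"),
               ("provB", "+252600000002"), ("provA", "+5350000001")]

if __name__ == "__main__":
    r1, r2 = rank_destinations(FORTNIGHT_1), rank_destinations(FORTNIGHT_2)
    print(r2, top_n_share(r2, 2), top_n_changes(r1, r2, 2))
```

A falling top-N share combined with a high number of top-N changes between snapshots is the signal the article describes: hot-lists built around a fixed set of high-risk destinations cover less of what is being advertised.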

Unfortunately, fraud incident reporting within the industry has declined over the past year or two, so we no longer have the benefit of reviewing fraud incident reports to maintain awareness of what destinations are being targeted for IRSF. From the few incidents I become aware of each month, there are always destinations listed which I would not have expected to see in previous years.

What Has Changed?

There is no doubt that many of the IPRN Providers are moving their focus away from the traditional high risk/high termination rate destinations and adding many of the lower risk/lower profit destinations. They accept the trade-off of lower settlement rates against the potentially longer detection times that make this strategy more profitable for them. The fraudsters understand these lower risk destinations are not subject to such intense scrutiny, so it is likely that the IRSF terminating number will remain active for a longer period.

The total number advertised in August 2020 was 2,670,265, while in the same month of 2021 the total advertised figure was 6,417,374, an increase of 140%. Six of these top 10 destinations were significantly above this 140% figure. It is noted that only two destinations that were in the top 7 in 2018 are also found in the top 10 for 2021: these are the United Kingdom and Somalia.

Taking the top 7 destinations from 2018 and looking at the percentage increase in all numbers for those 7 destinations in 2020/2021, 5 of these 7 destinations show an increase of considerably less than the 140% average increase in all numbers advertised over this period.

The changes in advertised IPRN’s are certainly a clear indication that IPRN Providers are changing their advertised number stocks more than once per month, and our analysis shows that not only are numbers being changed, but destinations are also being changed regularly. The quantity of new numbers added has increased year on year since we started the IPRN Database back in 2013/14. In the year September 2019 to August 2020, we added 5.76 million new numbers, whilst in the year Sept 2020 to Aug 2021 we added just over 10 million numbers.

Conclusions

It is clear that IPRN Providers are both increasing their number stock considerably and changing the destinations they are advertising. We are also concerned at the increase in Mobile Station Roaming Numbers (MSRN’s) that are being advertised. As of 20 August 2021 we had 142,476 MSRN’s advertised and this has increased from 121,295 in August 2020. As a direct dial call cannot terminate to an MSRN (used for transiting roaming calls only), it is assumed these MSRN’s are being ‘hijacked’ and short-stopped at a foreign destination. If these MSRN’s are blocked, that could prevent a roaming customer from receiving calls, and result in complaints. It must be assumed that one or more IPRN Providers have access to the IR21 documents to source these numbers.

Colin Yates
Colin has enjoyed a long and distinguished career in telecoms fraud, security and investigation. He joined Telecom New Zealand in 1990 as a Security Adviser and went on to hold a string of senior fraud management roles in Vodafone offices in AsiaPac and Europe. Since 2012 he has run his own consultancy which is best known for its PRISM database of numbers commonly used by fraudsters. Colin frequently gives advice about IRSF to groups such as the ITU, FBI, and Europol. He has held various management roles within industry groups, including the GSMA, CFCA, FIINA, ATRFA and PITA. He is a Certified Fraud Examiner (CFE) and has been honored many times for his work, including induction into the RAG Hall of Fame.