This article was prompted by Eric Priezkalns’ recent report of a ‘Robin Hood’ vigilante who used a traffic-pumping fraud (aka artificial inflation of traffic or AIT) to fund denial of service attacks on suspected robocall scammers. When I started in telecoms, I was always sceptical of telcos which claimed they had been defrauded by other telcos, but, over time, I came across ‘blue on blue’ telecoms fraud and I thought a few examples may provide some insight for current risk assessment and investigation processes.
Virtual Number, Virtual Money
Back in the 1990s, fraud management was a much slower and more cumbersome process. On a Monday morning, I would receive an automated report of the most active numbers over the weekend, with both originating numbers and dialled numbers. This allowed me to identify abuse of our own numbers and also hacked switchboards. The latter stood out because they received tens of thousands of calls. It was standard procedure to notify the switchboard’s serving operator, because our fraud detection was often faster than theirs. One Monday, the report identified a different sort of victim: a virtual network operator which offered a ‘follow-me’ service where its customers could re-direct calls from their virtual number to their home, office or mobile number.
It turned out that the virtual network operator was conducting a trial with six established customers who had been allowed to add international divert to their package. It was one of these customer numbers which had been abused, with thousands of fraudulent international calls diverted through the follow-me number. I advised the victim operator of the issue and, eventually, briefed the CEO on the relevant risks and countermeasures. So far, so ordinary. But, as an incidental part of the investigation, I talked to someone who knew more about the victim operator and told me something the CEO hadn’t mentioned. A couple of years previously, the ‘victim’ operator had been running out of money and had boosted its working capital with a significant fraud. Virtual network operators received their revenue as a share of its connected minutes, so this operator employed a technical specialist to boost its traffic by looping thousands of calls to its virtual numbers from 0800 freephone numbers. The freephone operator believed it was a victim of fraud and engaged in a long and bitter dispute with the virtual network operator, but ended up paying out the revenue share. The GBP400,000 raised by the fraud (equivalent to GBP810,000 or USD970,000 in today’s money) kept the virtual network operator in business until it was trading at a profit.
Box Splitting Is a Numbers Game
A few years passed and I engaged with a couple more CEOs, with two very different outcomes. In order to grow their subscriber bases, UK network operators were selling subsidised prepay mobile phones so that a mobile costing GBP80 could be bought in stores for GBP50. This subsidy attracted the attention of grey market traders who were buying up all the stock they could find at GBP50 and exporting the devices into markets where they sold at the local equivalent of GBP80. This export trade also coincided with the emergence of VAT carousel fraud where massive tax sums were defrauded in the alleged trade in mobile phones.
The box-splitting issue came to light indirectly, due to a massive increase in credit card fraud on prepay top-ups. I discovered that before the subsidised mobiles were exported, the SIMs were removed and sold off for GBP1 each. Large numbers of SIMs were bought by fraudsters who applied the maximum top-up, GBP70, with stolen credit card numbers before selling the SIMs for GBP20. If you’d seen the mobile numbers with fraudulent top-ups, you would have quickly realised they came from the same number blocks and therefore, probably from the same customer shipments. Subsequent data analysis identified five distributors where a significant proportion of their subsidised prepay sales never appeared on our mobile network. Initial analysis suggested we were wasting at least GBP15mn in subsidies annually.
I took the issue to the CFO who agreed with my concerns and pointed me at the Marketing Director. He wasn’t so keen on my explanation – after all, he was hitting his targets, so what’s the problem? He denied his distribution channel was costing the business GBP15mn and insisted on a bigger data sample (I had used three months’ data) and analysis in conjunction with his team. Together with his team, we educated the distribution channel, provided them with monthly analysis of their activations and followed up on ‘holes’ in the number ranges with subsidy ‘clawback’.
And so to the CEOs, who are both well-known media personalities in the UK. One CEO denied liability for his downstream channel and any connection to the trade in ‘SIM free’ devices. The other looked at the data, apologised for his employee’s behaviour and wrote out a cheque for GBP1mn in lost subsidy before going back to start disciplinary proceedings for the staff who had continued to participate in grey market sales.
When we got to the year end, I had a catch-up meeting with my liaison colleague in Marketing:
You were wrong Dave; the subsidy loss wasn’t GBP15mn. It would have been GBP22mn…
Fraud or Arbitrage?
Probably the most common intra-telco dispute is billing. There is always a winner and a loser and the loser wants its money back. In some cases, the loser is a victim of fraud but the winner denies wrongdoing and claims to be engaging in ‘arbitrage’.
I have sounded off about this before, but if you’re not familiar with the arguments, arbitrage is defined as:
the practice of taking advantage of a price difference between two or more markets, the profit being the difference between the market prices.
Let’s look at a situation where a number range has been incorrectly rated and traffic suddenly floods in from multiple sources and in huge volumes, causing a substantial loss for the unlucky telco which has been under-charging for that range. The telcos routing their traffic to that range justify their exploitation of these errors as ‘arbitrage’. They argue they took advantage of an opportunity to buy below the market rate, so what’s wrong with that?
If you find a large bundle of notes in the street, the law in most countries requires you to hand it in as lost property. You may then become the legal owner if its unclaimed. However, if you don’t report or surrender the money, you can be charged with ‘theft by finding’, also known as ‘larceny by finding’ and ‘stealing by finding’. Ripping off a wrongly rated number range is the same. A burglar still commits an offence even if you forgot to lock your door.
Exploiting a rating error like this is not arbitrage or fraud. It is theft, and in my experience, it is only the winners who call it arbitrage.
Who Are the Villains?
The examples I provided all identified telcos as the victims, but were they really defrauded by other telcos? Examine the above examples and ask yourself who has the means, the motive and the opportunity.
In the box-splitting scenario, until I dug into the subsidy issue, everybody, including our own Marketing Director, was hitting their targets, so everyone was happy. The motive is money, so everyone has motive. When it comes to means and opportunity, sales transactions are all handled by salesman or sales managers. They decide who gets the stock. The damage was done by corrupt sales employees taking bribes from grey market traders. The distributor CEOs were unaware of the methods being used to achieve their sales figures and their companies made no more profit from a grey market sale than a genuine sale.
If we look for means and opportunity, its obvious that the arbitrage loss is caused by whomever makes decisions about routing tables and then points traffic to under-rated destinations. But they don’t gain financially from that traffic, so that cannot be their motive. These days, everyone has objectives or targets and that person running the routing tables will have a target for margin (cost vs sales) and probably for volume too. Exploiting an under-rated destination helps drive their profit margin and is likely to increase volume, so it helps them hit their targets. Managers rarely question how people hit their targets. Their time is usually taken up dealing with staff who aren’t meeting objectives. Staff who hit targets are left to their own devices, or used as examples of how to get the job done. If you’re looking for risk in a sales environment then start with the best sales people, not the worst ones.
Then there are the CEOs; my examples included one good CEO, one bad CEO and one in the middle. CEOs are entrepreneurs; their job is to take risks and some of them sail close to the line on legal and regulatory issues. If they cross that line, it is more likely to be during their early careers or when companies are small and there is less to lose. I doubt the criminal CEO I encountered would take the same risks now and I think the chances of being defrauded by a telco are much less than being defrauded by a telco employee. Maybe you’ll look at those allegations of telco fraud slightly differently in future.
Making the Case for Fraud Reduction
Over the years, I’ve seen different approaches to calculating fraud values, including those where fraud managers try to make the numbers as big as possible in the belief that big fraud numbers mean big fraud budgets. I have seen too many loss calculations and business cases forensically dissected to risk submitting questionable numbers; when I told the CEO we were wasting GBP15mn, I knew I could prove it. If your calculation includes assumptions, consider applying a range of values to those assumptions. When you submit the calculation, use the lower value, as you can rely on the people looking at your numbers to be bright enough to work out the worst-case scenario for themselves. Remember that when you quantify fraud loss, it’s not just your numbers but your credibility that is at stake.