12 Toll Fraud Prevention Tips for VoIP Providers
Each year, voice service providers lose more than $50 billion to fraud. Unprotected PBX and VoIP/cloud communications services are exposed to hackers and fraud, resulting in service downtime, call quality issues, and direct financial loss.
In particular, toll fraud is a major source of concern. Fraudsters artificially generate a high volume of international calls on expensive routes, calling what are known as “premium rate numbers,” and then take a cut of the revenue generated from those calls.
Bicom Systems and thinQ have the tools, techniques, and technology you need to avoid fraud. Bicom sipPROT prevents common attacks by monitoring SIP traffic and updating your firewall to block attacks. When you add thinQ’s least cost routing (LCR) plus origination and termination services, you’ll prevent fraud, deliver maximum uptime, and save 40-70% on your calls.
Top Tips to Prevent VoIP Fraud
1. Offer limited service plans in your local market.
2. Only offer international calling services to clients who request it.
3. When possible, turn off international calling on the carrier side.
4. When offering international service plans, place spend limits for a given time period.
5. Set a low credit limit for each master extension.
6. Enable limits to cap all international calls per given time period ($10 per day?)
7. thinQ’s platform has integrated, customer-controlled cap pricing to prevent fraudulent traffic from impacting your bottom line.
8. Require a signed agreement accepting the liability of international calls.
9. Change the international dialing code from the default 011 to 0201 (or another code).
10. Choose a VoIP platform that has integrated IP authentication (rather than insecure username and password authentication).
11. Enable granular call blocking to known problem rate centers/countries.
12. Turn on soft and hard-limit notifications to monitor spend daily.
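Tips 4, 6, 7, 11 and 12 combine into a check made before each call is set up plus a running daily spend counter. The sketch below is an added example, not Bicom's or thinQ's code; the function names, blocked prefixes, rate caps and limits are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample policy: every prefix, rate and limit here is illustrative.
INTL_PREFIX = "011"                       # the default dialing code named in tip 9
BLOCKED_NANP = {"876", "473", "712555"}   # NPA (3 digits) or NPA-NXX (6 digits)
BLOCKED_COUNTRY_CODES = {"60"}            # international country codes
RATE_CAP = {"nanp": 0.01, "intl": 0.05}   # highest accepted $/minute per segment


@dataclass
class IntlSpend:
    """Running international spend for one account and one day."""
    soft_limit: float
    hard_limit: float
    spent: float = 0.0
    intl_enabled: bool = True
    soft_alerted: bool = False
    alerts: list = field(default_factory=list)


def classify(dialed):
    """Return (segment, digits after the dialing prefix), or (None, '')."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if digits.startswith(INTL_PREFIX) and len(digits) > 5:
        return "intl", digits[len(INTL_PREFIX):]
    if len(digits) == 11 and digits.startswith("1"):
        return "nanp", digits[1:]
    if len(digits) == 10:
        return "nanp", digits
    return None, ""


def authorize(dialed, rate, spend):
    """Decide before call setup. Returns (allowed, reason)."""
    segment, number = classify(dialed)
    if segment is None:
        return False, "unparseable number"
    if segment == "nanp" and {number[:3], number[:6]} & BLOCKED_NANP:
        return False, "blocked NPA/NXX"
    if segment == "intl":
        if not spend.intl_enabled:
            return False, "international disabled by hard limit"
        if number.startswith(tuple(BLOCKED_COUNTRY_CODES)):
            return False, "blocked country"
    if rate > RATE_CAP[segment]:
        return False, "rate above segment cap"
    return True, "ok"


def record_intl_cost(spend, cost):
    """Add a finished international call's cost, then apply both limits."""
    spend.spent = round(spend.spent + cost, 4)
    if spend.spent >= spend.soft_limit and not spend.soft_alerted:
        spend.soft_alerted = True
        spend.alerts.append(f"soft limit reached: ${spend.spent:.2f}")
    if spend.spent >= spend.hard_limit and spend.intl_enabled:
        spend.intl_enabled = False    # stays off until an operator re-enables it
        spend.alerts.append(f"hard limit reached: ${spend.spent:.2f}")
```

Cost is only known when a call ends, so calls already in progress can push spend past the hard limit; a cap on concurrent calls per account bounds that gap.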
Eric Johnson of Bicom Systems offered his insights in a recent joint webinar with thinQ:
In 2017, the Cyber Threat Defense Report came out and you’re not going to believe it. They determined that we are under attack. We’re under attack in every way, shape, and form at this point. This is not a trending issue that’s skyrocketing through the roof.
In the healthcare industry it’s a 60% increase in fraud year over year, and in the power and utility companies, they saw a 527 percent increase in attacks just over one year.
So this is obviously a major issue. What are they doing? There are a couple of ways they’re coming at us, one is denial of service, which is always a big one. It’s easy to get into a network or a particular device and slow the system down, bog it down, gaining control of your system.
The other one, which is a little bit newer, is eavesdropping. Basically hackers are able, with the computer system, to listen in on the calls and then pull out critical information. Anything from cell phone numbers, to bank accounts, credit cards, health information, things like that.
They’re also spamming. We’re all familiar with spamming with our email systems. It’s always a pain. It has to filter them out. It’s even worse when it’s coming over your phone system.
And then of course the big one is theft of service. This is money. They’re using your system to make phone calls, and then you’re getting the bill and you have to pay it.
One reason we got together with thinQ to create this webinar was a post online by a VoIP provider talking about how they were attacked. It was a midsize company in Florida. They had their phone system breached.
What happened was the intruders leveraged a call forwarding feature, which came back to the service provider’s soft-switch, and then they began to terminate thousands of calls. It was a clear example of premium rate toll fraud over a weekend, sending the calls to Africa. So the service provider asked about insurance to cover their loss. Errors and omissions insurance, the cost for them was $5,000 in losses, so he was looking for insurance.
So, how do I prevent an attack? There are many ways to prevent an attack, but you have to do something or else you will be impacted. So we want to do everything we can to prevent an attack.
With Bicom Systems we have a soft switch, and then laying over the top of our soft switch we have SIP protection software. It’s called sipPROT. It’s extremely effective and it provides real-time protection against SIP attacks. It’s monitoring live traffic. It’s not waiting for something to happen and then reporting on it. It’s monitoring live traffic, it’s blocking and unblocking IP addresses, it’s using pattern recognition. Basically brute force or SIP protocol anomaly detection, our software is out in front. Before your customer knows there’s a problem, you know there’s a problem and you can react.
Bicom sipPROT was one of the first in the industry. It’s been out in the field for a long time. It’s deployed worldwide with more than 400 deployments. Really, it’s been smooth sailing in a lot of countries. We’re talking in the Middle East, and Europe, and Africa, South America, and of course here in the United States.
We’re proud to say that it’s saved service providers millions of dollars. And of course those countless hours of sleep not lost to the administrators.
sipPROT climbs in between that firewall in your network and protects what was your PBX. That’s our soft switch, it protects the voice and provisioning services, with the network layer SIP security software module.
The immediate benefit of it is a 24-hours-a-day, 7-days-a-week monitoring service. It’s a rapid response, it’s going to detect the attackers, it’s going to block them before your customers know what’s happening. It’s going to save you time, because you can focus on solving the problem rather than head-scratching as to what’s going on out there, locating the issues and then trying to determine what to do next. With sipPROT, you know what’s going on immediately and you can react.
You also get better customer service because in our example, a customer obviously lost money. So he’s losing in a few ways. One, he had to pay out, there was a financial loss for him. Two, there’s a possibility he could lose that account. So of course, there’s a financial loss just to the bottom line of his business, and then the third one, when we look at increasing revenue, you want that reputation where the system is up and running, it is secure, it’s protected, it’s being monitored and managed professionally. That’s going to increase revenue because your customers are going to tell others about it.
Bicom Systems is a worldwide company, with offices in Europe, Canada, South America, and the United States. Our mission is to unify communications. So we’re an advanced software company. We have soft-phones, call centers, deploy in the cloud, if you prefer a complete turnkey system.
Eric Leon from thinQ offered his insights into toll fraud during the second half of our webinar:
thinQ, pronounced think, started in 2009. We’ve focused all of our efforts on building cloud voice and messaging services. So we are a natural pairing with Bicom, in which you can now gain access to all of thinQ’s 45 plus domestic and international providers. So we become the conduit for the Bicom platform in order to get your calls completed both inbound and outbound.
So what is toll fraud? Why does it exist in the first place? A big point of frustration is that providers often find that they get no cooperation from their vendors when it comes time to pay up for the toll fraud.
Toll fraud happens when a third party infiltrates your system, that could be at the device level, could be in the cloud, it can be at your PBX, whatever it might be, and then they begin to make calls or receive calls without your permission.
Currently it’s estimated at over $7B annually in fraud. If we look at the past five years, it’s increased by five to six fold. So these are all estimates. We don’t know the full details and one of the reasons behind that is because it’s not often reported.
So why does it even exist in the first place? What’s the motivation behind it for these fraudsters? Well, they’re usually internationally-based in a country that makes it extremely hard to prosecute, so they have very little risk of being held accountable for it and it offers them an extremely high profit margin.
You might be wondering, they’re just making a bunch of calls, what are they doing? Reselling it? What does it look like and so forth? So once the hackers have infiltrated your system, they begin to traffic pump to a predetermined destination. They have worked it out with that local provider in order to get a kickback on that revenue that they send to them. So if they’re going to do that, if they’re going to start traffic pumping to a specific destination, what I want to understand is what is that pattern going to look like?
They focus on the window of opportunity. Oftentimes you’ve been infiltrated for days, if not weeks before the actual event occurs. And what they’re generally waiting for is an after-hours time period. A time period when people typically don’t make calls, so they create a programmatic process in order to send massive amounts of calls, and Eric illustrated that in this presentation, where a typical user might only have 5, 10, or maybe even 50 live calls during the daytime. The fraudster can be sending thousands of live calls between the hours of 6:00 p.m. and 4:00 a.m. when nobody notices.
I think it goes without saying that they’re going to be doing this on weekends as well. Anytime they believe that you won’t be able to spot what’s happening, or your carrier won’t be able to spot what’s happening, they’re going to focus their efforts on those time periods to maximize their returns.
I also like to look at sort of what geo data is associated with that. So we do billions of minutes across the thinQ network each month. We have thousands of customers who utilize our platform.
What we typically see is that the fraudsters focus on the Caribbean islands or international destinations. So not everybody realizes that the Caribbean islands are actually part of the North American number plan, and that all it takes is a 1 before the number to dial the Caribbean. Unfortunately, it’s one of the highest areas in which fraudulent traffic is concentrated.
For international destinations, what they’re looking for is somebody who’s willing to accept a ton of traffic at a very high price point. They’re calling destinations that are many multiples of your average rate, in order to maximize their return with a minimal amount of effort.
So why are you on the hook? Let’s look at it from that perspective. Why is it that it’s between 6 p.m. and 4 a.m. you send thousands and thousands of calls, you rack up a bill that’s equal to your entire year’s worth of usage? Why is it that your carrier is so insensitive and makes you, you know, pay up on that bill anyway?
When carriers interconnect to other carriers, in the United States there are 10,000 facilities-based telecommunications companies. That means your call is traversing dozens of providers on every call. So whenever a carrier signs an agreement with another carrier in order to get that traffic completed, that agreement usually comes with a clause in it. And that clause is, essentially, “I don’t care what type of traffic it is that comes across it, it’s a consumption model, so if you use a minute, you pay for a minute.”
It’s very difficult to prove it’s fraud. So it really leaves us with no recourse to fight against that. So now that we have an understanding of what toll fraud is, I want to take a look at what thinQ offers.
There are a few tools here that can help us further mitigate our fraud risk.
The first line of defense is always going to be in your physical and network security that you control. This happens before you ever even get to the carrier, as Eric so eloquently talked about the benefits of Bicom’s sipPROT product.
So what are we going to do in these cases? So what I want to talk about is carrier level fraud mitigation. What kind of tools can you use with thinQ’s cloud platform in order to protect yourself?
And the categories we’re going to look at are, first, how are you authenticating your traffic? That’s your permission to send traffic across your carrier. Do you have capabilities of things like geo-blocking, do you have capabilities of things like rate-blocking? Do you have capabilities of notifications when you hit certain things, and do you have hard limits that prevent you from having a catastrophic usage?
There are a variety of different means that a provider can use to snip out your username and password information. I won’t go too into detail on that because it’s not that type of webinar today. But regardless, they are very sophisticated at finding out that information. Once they gain access to your username and password authentication with your carrier, they’re free to use their own server and send multiple calls over the platform; if not thousands of calls over the platform. You’re never even the wiser.
So if we look at an IP authentication method, this is one of the most basic ways to protect yourself. When you have IP authentication you now have a two-way communication with your carrier that is based on a physical IP address.
Now some of you might be saying to yourselves, you can fake an IP address, but what you can’t do is take both pathways. You can fake an IP address to a carrier, but when that carrier says, “great, I’m about to set your call up,” they communicate back to the actual real IP address and that real IP address would say, “I didn’t set anything up with you,” and the call will never establish. So using IP authentication puts a physical location, and so if your hacker happens to be in a foreign country on a server and they’re trying to authorize it from an alternative IP, they will be unable to provision traffic across that carrier.
thinQ is a cloud-based platform that allows you to manage your calls over every single major network globally. We give it all to you prepackaged and we give you the free management tools to cultivate those carriers and to manipulate those carriers. One of the features that we have inside of there is cloud geo-blocking so you can break things into geographical segments and block based on that information.
For example, you could create a group inside of our platform that says, “I want to remove all availability of calling the Caribbean, a known fraudulent destination.” This could be your first line of defense. If you don’t happen to be calling the Caribbean or international, you can geo-block it on our platform, and that’s a real-time tool that you can block and unblock at any point in time.
You can geo-block based on country. So you could sit there and say, “I just don’t want to send any calls to Malaysia or wherever it might be.” You can begin to get more granular. You might have identified that there’s a particular state that you don’t want to call. I never send a call to Alaska, if somebody is sending a call to Alaska it must be fraudulent.
You can block based on the rate-center. And for those of you who are not familiar with the rate-center, you can pretty much think of it as the first six digits of the phone number, just a little bit more broad than that.
You can block by the area code as well, or NPA. So, one of the nice things about this, and I’ll bring up a quick case example is, it’s not outright fraud, but somebody did want to prevent it. There’s high cost for calling “free conference call” numbers. You can block the first three or six digits of those numbers in our platform, preventing that from ever being called. So these are quick and easy tools for you to make broad stroke decisions and lower your risk of fraud to different locations.
So you can block the NPA and the NXX. Which brings me to my next topic. In our cloud tools we also give you the ability to do rate-blocking. Again, if we’re looking at the typical traffic pattern of these fraudsters, they’re not sending calls to places that cost, you know, a quarter of a tenth of a penny, they’re sending calls to destinations that cost a penny or two pennies or six pennies. In some cases it can be as high as 32 cents per minute. So what our system allows you to do is create blanketed cap limits that will block based on the segment.
So, for example, I could say for all of my traffic to North America, I never want to complete a call over one cent and you can do that because 90 percent of the U.S. population is at a rate well below that. So if somebody happens to be calling some obscure territory, it’s probably due to traffic pumping and fraudulent traffic. So you can dictate that rate per minute per segment.
You can manipulate that price based on international traffic, versus North American traffic, versus Caribbean traffic. You can really get as granular as you want. The way I like to think of it is, in about 2 seconds you can create easy and simple rules. No matter what your requirement is or what experience you’ve had in the past, you can create a customized solution around that.
Plus thinQ sends notifications to you of events that are occurring. So not only are you getting our technology and 24/7 support team who’s always looking at traffic for any sort of anomalies or variables, but we are allowing you to block, we are allowing you to create these sorts of rate notifications based on certain segments across the platform.
We also offer a customer-controlled daily spend notification. So you would say in our system, “On a typical day I only spend $20. So I want to be notified when I get to $18.” So what’s so valuable about that? Well, if it’s nine o’clock in the morning and we send you a notification that you’ve already spent $18 for the day, you might understand that something is happening unexpectedly.
You can go into the portal and see in real time exactly what’s going on with your traffic pattern. We also have hard limit notifications, which is a little different than a soft limit. So again in the same example of, “I usually only spend about $20 a day.” Well, you might find it necessary to create a hard limit at $22 a day, “If I’ve spent $22 for the day, I want you to turn off my international and then I will activate it again inside of the portal.”
This prevents you from racking up that hundred thousand dollar bill overnight, and you have serious cost mitigation in the process. You also get notifications when you reach your daily maximum. One of the nice things about our notifications is, it’s going to tell you exactly what traffic pattern we’re looking at at that moment in time. So if you happen to be traffic pumping to Russia, you’re going to get that hard limit notification, “You spent $22, seems like 98% of your calls are going to Russia and you’re averaging a rate of 18 cents per minute.”
Reach out to us at thinQ. We’re happy to do a deep dive and live demo to show exactly how the platform performs, whether it’s for fraud or how you can just improve your cost structure, your quality around your voice traffic.
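The traffic pattern described in the webinar (large call bursts after hours or on weekends, concentrated on one expensive destination) can be checked for in call detail records. The following is an added example, not thinQ's or Bicom's code; the CDR tuple layout, thresholds, function names and sample records are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def is_off_hours(ts):
    """Weekend, or 18:00-04:00; timestamps are assumed to be customer-local."""
    return ts.weekday() >= 5 or ts.hour >= 18 or ts.hour < 4


def find_pumping(cdrs, multiplier=5, min_calls=100):
    """cdrs: (start, destination, minutes, rate_per_minute) tuples.
    Flags each off-hours hour whose call count exceeds both min_calls and
    multiplier x the busiest business-hours hour in the same data set."""
    buckets = defaultdict(list)
    for start, dest, minutes, rate in cdrs:
        hour = start.replace(minute=0, second=0, microsecond=0)
        buckets[hour].append((dest, minutes, rate))
    baseline = max((len(v) for h, v in buckets.items() if not is_off_hours(h)),
                   default=0)
    threshold = max(min_calls, multiplier * baseline)
    findings = []
    for hour in sorted(buckets):
        calls = buckets[hour]
        if not is_off_hours(hour) or len(calls) <= threshold:
            continue
        dest, n = Counter(d for d, _, _ in calls).most_common(1)[0]
        total_min = sum(m for _, m, _ in calls)
        cost = sum(m * r for _, m, r in calls)
        findings.append({
            "hour": hour,
            "calls": len(calls),
            "top_destination": dest,
            "top_share": round(n / len(calls), 2),
            "avg_rate": round(cost / total_min, 4) if total_min else 0.0,
            "cost": round(cost, 2),
        })
    return findings


def sample_cdrs():
    """Constructed data: a normal Friday, then a burst early on Saturday."""
    cdrs = []
    friday = datetime(2024, 3, 1)
    for hour in range(9, 17):                      # 30 domestic calls per hour
        cdrs += [(friday.replace(hour=hour, minute=m), "US", 3.0, 0.004)
                 for m in range(30)]
    cdrs += [(friday.replace(hour=19, minute=m), "US", 3.0, 0.004)
             for m in range(5)]                    # ordinary evening traffic
    burst = datetime(2024, 3, 2, 1, 0)             # Saturday 01:00
    for i in range(2000):
        dest, rate = ("RU", 0.18) if i < 1960 else ("US", 0.004)
        cdrs.append((burst + timedelta(seconds=i), dest, 2.0, rate))
    return cdrs


if __name__ == "__main__":
    for finding in find_pumping(sample_cdrs()):
        print(finding)
```

The baseline here comes from the same data set being scanned; in practice it would be taken from a trailing window of known-good days so that a long-running intrusion does not raise its own threshold.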