International Toll Fraud/International Revenue Share Fraud (IRSF)
Scope
Intended Audience: All End Users
This document is intended to help customers reduce their exposure to International Toll Fraud/International Revenue Share Fraud (IRSF) attacks.
International Toll Fraud/International Revenue Share Fraud (IRSF)
Similar to domestic toll fraud, international toll fraud is perpetrated by bad actors exploiting parts of the world that are extremely expensive to deliver phone calls to. This type of fraud is called International Revenue Share Fraud (IRSF) because oftentimes, nefarious/fraudulent companies acquire expensive international phone numbers and sell them to anyone who’ll pay money for them.
These phone dealers are often referred to as International Premium Rate Number Providers (IPRNs). They often buy low-cost circuit connections to reputable carriers so they can get paid for calls that terminate on the phone numbers they have acquired. Bad actors buy expensive international phone numbers from the IPRNs and have their people (lieutenants) robo-dial calls to these phone numbers.
The payment chain begins when the calls are placed from a location in the U.S. The remainder of the money chain includes all intermediate service providers that have to pay their upstream provider partners to handle these international calls. Eventually, the IPRN companies get a ‘cut’ of the charges to complete these calls, because they’re the “holders” of the fraudulent phone numbers in the first place. The diagram below shows the typical money flow and how IRSF can be perpetrated.
Typical Money Flow of IRSF
IRSF can take many forms and cost innocent, unknowing victims a lot of money. Many times bad actors “hack” into PBXs, IP-PBXs, cloud phone systems and enterprise phone systems, and enable outbound international calling. Once this hack occurs and outbound international calling is fraudulently enabled, the bad actors proceed to dial out to extremely expensive international phone numbers in countries all over the globe. This, in turn, costs all intermediate service providers, as well as the innocent victim, who'll most likely receive an expensive bill in the next 30 days.
Here are the best practices that customers can follow to prevent the flow of International Toll Fraud/IRSF from their network toward ours:
- Determine which countries your platform specifically supports calling to, and then restrict calling to all the remaining countries. Limit international dialing to only authorized customers, employees, and end-users who require it. Restrict all others.
- Look for large volumes of SIP 487 response codes in short periods of time on your network. Using something known as “Hyper-duration robocalls”, bad actors typically “probe” networks looking for cracks that will allow completed international calls. During these “hyper-duration” storms, bad actors typically launch large volumes of SIP INVITE messages in a short period of time (thousands of INVITE messages within 5 minutes or less), followed very rapidly by hangups that generate SIP 487 (Request Terminated) responses.
- It’s important to note that call attempts that don’t complete don’t necessarily equal unsuccessful calls. All rapid-fire attempts/hangups in a short period of time should be considered a red flag for possible fraudulent activities in the near future.
- When you see more than an average of about 60 SIP 487 messages per hour, look at your traffic for fraudulent activity and calls to fraudulent destinations. If you discover suspicious/fraudulent behaviors, take measures to block/prevent future attempts of these types of international calls from reaching us.
- Ensure that passwords to your company’s network equipment are unique to each unit of equipment, contain random characters, are random in length, and are NOT the passwords that were pre-configured at the time of purchase/installation. These passwords must be changed often and only shared with personnel authorized to make changes to your network equipment. Zero-knowledge password managers are highly recommended.
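
The SIP 487 and INVITE-burst checks from the list above can be automated against signaling logs. The following is an added example, not code from this document's author. It assumes a hypothetical `timestamp,source,event` export format, counts 487s per source per clock hour, treats 1000 INVITEs in 5 minutes as the lower bound for "thousands", and runs on constructed sample records.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

MAX_487_PER_HOUR = 60                # page guidance: about 60 SIP 487s per hour
BURST_WINDOW = timedelta(minutes=5)  # page guidance: "within 5 mins or less"
BURST_INVITES = 1000                 # assumption: lower bound for "thousands"
FMT = "%Y-%m-%dT%H:%M:%S"

def parse(line):
    """Parse one 'timestamp,source,event' record (hypothetical export format)."""
    ts, source, event = line.strip().split(",")
    return datetime.strptime(ts, FMT), source, event

def hours_over_487_limit(records, limit=MAX_487_PER_HOUR):
    """Return {(source, hour_start): count} for clock hours with more than `limit` 487s."""
    counts = Counter()
    for ts, source, event in records:
        if event == "487":
            counts[(source, ts.replace(minute=0, second=0))] += 1
    return {key: n for key, n in counts.items() if n > limit}

def invite_bursts(records, threshold=BURST_INVITES, window=BURST_WINDOW):
    """Return sources that sent `threshold` or more INVITEs inside any sliding `window`."""
    recent, flagged = {}, set()
    for ts, source, event in sorted(records):
        if event == "INVITE":
            q = recent.setdefault(source, deque())
            q.append(ts)
            while ts - q[0] > window:      # drop INVITEs that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(source)
    return flagged

def build_sample():
    """Constructed records: one probing source and one ordinary caller."""
    start, lines = datetime(2024, 5, 1, 2, 0, 0), []
    for i in range(1200):                  # 1200 INVITE/487 pairs in 4 minutes
        ts = (start + timedelta(seconds=i // 5)).strftime(FMT)
        lines += [f"{ts},198.51.100.7,INVITE", f"{ts},198.51.100.7,487"]
    for i in range(10):                    # 10 calls in the hour, 2 of them cancelled
        ts = (start + timedelta(minutes=6 * i)).strftime(FMT)
        lines.append(f"{ts},192.0.2.10,INVITE")
        if i < 2:
            lines.append(f"{ts},192.0.2.10,487")
    return [parse(line) for line in lines]

if __name__ == "__main__":
    print(hours_over_487_limit(build_sample()), invite_bursts(build_sample()))
```

Sources flagged by either function are the ones whose international call attempts and destinations should be reviewed first.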