Detection and Intervention Systems Combat Subscription Fraudsters
By Mario McCash
Subscription fraudsters come in all types, and each prey upon telecommunications
service providers that eagerly welcome new customers in this highly competitive market. In
subscription fraud, a person establishes telephone service at a business or residence,
runs up a high volume of calls–often international–and abandons the service without
paying the bill. Frequently, subscription fraud also includes large numbers of collect and
billed-to-third-number calls as well. The people committing fraud leave the premises
before the first bill is delivered or service is cut off for nonpayment.
Telephone service providers can improve their effectiveness by implementing a
comprehensive program that encompasses business office practices, front-end tools and
programs and back-end tools and processes. Last month, Part 1 of the series examined
subscription fraud prevention tools and practices; this month the focus is on monitoring,
detection and intervention systems.
Telecommunications service providers should evaluate the feasibility of developing
programs to improve early detection. Call-duration tests, tracking of country codes where
fraudulent calls are frequently directed, for example, can provide the first indications
of a problem. Calling volumes, for example, might be accumulated for new accounts to flag
potentially abusive calling. Further investigation would be necessary to demonstrate
whether fraud has been committed. Moreover, in cases where special billing and collection
contracts exist between local telephone and long distance companies, additional steps can
All telephone service providers can deploy or implement specially targeted algorithms,
thresholds and reporting and performance measurements in their traditional fraud
management programs to help manage subscription fraud. Com-monly known as back-end
detection, it is a key component in the subscription fraud management program when paired
with business office practices and front-end software solutions discussed in last month’s
Carriers can implement new account algorithms, which apply special treatment
to new accounts with little or no calling histories. Also, new account algorithms not only
watch new(er) accounts regardless of credit score, but also apply other special treatment
for those accounts opened with little or no identification, or those with suspicious
circumstances or data.
Dialed-digit analysis allows carriers to determine if there is a match in the
calling patterns of a newly activated account to the phone numbers listed on the
application. Business or work phone numbers, numbers of relatives and home phone numbers
(if something other than a residential landline application) all can be compared to the
actual calling patterns of the subscriber. Alerts then can be generated if there is an
unusual absence of terminations to the numbers provided on the application. Dialed-digit
analysis also can be used to monitor for multiple account activations, a common symptom of
a subscription fraud case.
Fraud Management Systems
Fraud Management System (FMS) detection systems monitor for unusual calling
activity, such as international or calling to and from "hot" numbers with a
history of fraudulent activity. Any time a newly acquired account begins to call from or
to previously identified fraudulent automatic number identifications (ANIs), the detection
system could put out an alert for further investigation.
High Toll Alerts
New accounts with higher-than-average call volumes can be indicative of
subscription fraud. High toll alerts and/or velocity checks can notify carriers when newly
activated accounts begin to accrue high volumes of calling activity or high-dollar billing
amounts. Also, toll credit limits can detect cases of subscription fraud when new accounts
attempt to exceed the established limits.
Signaling and Call Detail Monitoring
Monitoring of signaling system 7 (SS7) and automatic message accounting (AMA)
records are examples of tools carriers can use to prevent extraordinarily large single-day
losses due to subscription fraud. With alternatively billed services (collect, third-party
and calling card/credit card) or operator-assisted calls, the line information database
(LIDB) should be used to provide velocity checking to prevent large losses.
‘Snitch’ or ‘Hot’ Lines
When an installation technician suspects, while on the subscriber premises,
that the service order may be a case of subscription fraud, the lines are referred to as
"snitch" or "hot" lines. The distinction is that the alert of the
potential subscription fraud case originates from the service technician.
Carriers should monitor account maintenance or service activity, such as
change of address requests/reports, requests for presubscribed interexchange carrier (PIC)
changes, line number changes, line additions or deletions, additions and deletions of
passwords, feature add-ons or deletions, deposit waivers, toll credit removal or increased
limit, etc. These items should be monitored after account activation and/or after
the initial service order is received. Fraud managers should determine the best method for
obtaining this data, such as links to the FMS, reports sent to fraud operations from the
other servicing departments or online connectivity to the other serving systems.
Carriers should consider operational policy implementations such as
restricting the amount of changes possible within a certain time frame from activation,
e.g. 30 days. This is a particularly useful restriction on address changes for new
Collection systems could aid in subscription fraud detection; all newly
acquired accounts with no payments received, or first-payment defaults, could be flagged
to the fraud operations department for further investigation and review. Also partial
payments, low-usage bill paid in the first month, insufficient funds payments, payment by
credit card that could be stolen, the payment of multiple accounts with one credit card or
the payment of one account by multiple credit cards all could be determinants in
subscription fraud detection.
Fraud investigations are an integral part of any fraud management program and are not
merely a reactive function–they’re incorporated into prevention and detection processes.
Last month we discussed how investigations begin at the point of application with
appropriate screens. As noted earlier in this segment, suspect accounts then are flagged
to determine whether subscription fraud exists and whether blocking is appropriate. Next
month in our segment on measurement, reporting and analysis, we’ll look at investigating
patterns and trends to determine whether cases can be linked to each other.
Here we will discuss investigating confirmed cases of fraud for prosecution, including
identification, location, apprehension, indictment, conviction and restitution.
There are local access tariffs (or fraud tariffs) that are state-specific
that outline rules carriers must follow in terms of subscription fraud management. Most of
these tariffs do allow carriers to terminate service due to suspicion or confirmation of
subscription fraud. However, some tariffs may require an effort by the carrier to notify
the customer that termination of service will/may take place. Carriers should check their
local area tariffs to ensure compliance to termination and notification requirements in
subscription fraud cases.
Carriers should provision service in a way that is "investigation friendly."
Carriers should try to avoid tipping off subscription fraud thieves to prevent flight,
particularly if there is any desire to prosecute the offenders. Thus, caution should be
exercised in mailing written warnings of suspension.
Root Cause Analysis
Root cause analysis is a discovery process unique to each carrier, but
generally results in causes, impacts and recommendations for tackling a specific fraud
Losses due to subscription fraud (in single or grouped cases) can be spread
out among multiple carriers (especially long distance carriers). When cases involve long
distance carriers with direct billing arrangements, it is likely that no single loss at a
carrier is sufficient enough to warrant (from a practical standpoint) an investigation
aimed at prosecution. Hence, with many cases of subscription fraud, a coordinated approach
with other carriers may be to effect a prosecution. Due to this dynamic, many carriers’
goal or purpose with subscription fraud investigations is for credit/service denial,
blocking or service termination. Subscription fraud investigations for prosecution are the
exception with many incumbent local exchange carriers (ILECs). However, wireless carriers
may be more proactive in investigating subscription fraud for prosecution (and again for
those who do pursue these types of investigations, it is recommended that the Toll Fraud
Prevention Committee (TFPC) document on coordinated investigations be considered).
Subscription fraud investigations not only include 1+ traffic (wireless or
landline), but also collect, bill-to-third party and card traffic. Because subscription
fraud can involve a variety of service types, carriers should be diligent to ensure proper
coding or labeling of a fraud case so the carrier correctly knows the full scope of the
problem. This means a card investigation also can be a subscription fraud investigation.
This not only will allow better reporting, but also improved practices that reduce the
losses due to subscription fraud. Accurate and complete subscription fraud investigations
also can lead to a reduced risk of improperly tagging a case as bad debt.
A telephone service provider that protects its own network, such as by blocking calls
from a problem telephone line/account, can help protect the industry as well. Telephone
service providers can work cooperatively with each other through their respective security
departments. In that way, efforts to investigate accounts, document any abuse and shut
down the fraud will help prevent its migration to another company.
Mario McCash is the Business Development Manager for Fraud Services at Illuminet and
co-chair of the Subscription Fraud Task Force for the Toll Fraud Prevention Committee. He
can be reached at email@example.com.
Editor’s Note: This is the second in a three-part series on
subscription fraud. Last month’s installment covered prevention tools and practices. This
month, Part 2 covers monitoring, detection and intervention. In November’s issue, Part 3
will discuss measurement, analysis and reporting.
For the second year, we've identified the people, organizations, techs and trends expected to have a major impact o… twitter.com/i/web/status/1…
October 16 2019 @ 18:12:06 UTC