April 2017

Bypass Fraud Evolves: New Threats from Outgoing SIM Box Bypass & Spikes in CLI-Tampering

Is the fraudster’s mindset fundamentally different from that of your average honest person?

Well, maybe not.  Consider this: all of us who participate in the free enterprise system — as owners, employees or independent agents — aim to exploit certain advantages we have in the game.  It could be technical skills, knowledge, leadership, money, relationships... or many other things.

We then leverage that “special something” to discover and exploit markets that are out of balance.  For instance, traders invest in stocks or currencies that are undervalued.  Successful entrepreneurs deliver products people are clamoring for, but no one is properly delivering.

Often the ticket to riches is access to deeper levels of knowledge.  Investor Warren Buffett (second richest man in the world) once said that successful investing is like watching a parade while standing on your tiptoes.  Likewise, a biologist finds his pot of gold by seeing things in a microscope that others fail to notice.

But only the fraudster (or corrupt insider) is willing to go the next step: to pursue those opportunities by breaking the law, risking jail time — or worse.

So the first step to stopping fraudsters is understanding human nature.  And the next most important thing is mastering the technical playing field where the fraudster plays.

Araxxe is one of the foremost companies in the world peering into the psychology and habits of fraudsters, then anticipating their moves and putting defenses in place to protect an operator’s revenue.

I recently caught up with Philippe Orsini, VP Product Management, who provided an insightful update on new developments in bypass and SIM box fraud his company is dealing with.

Dan Baker, Editor, Black Swan: What’s happening in the world of SIM box fraud these days?  Are we getting better at controlling this type of fraud?

Philippe Orsini: Well, Dan, it obviously depends on your region of the world and the local market.  As you would expect, Africa and Asia are still the most impacted parts of the world, and Araxxe continues to serve clients in those regions.

Traditional in-bound SIM box fraud remains a constant threat to the termination revenues of operators — and the tax revenue of governments in these countries.

But now we see emerging a new form of SIM box fraud threat, what we call "outgoing SIM box".

So what do you mean by Outgoing SIM Box fraud?

It’s very simple actually.  SIM box fraud is always about the tariffs — or the margins you can get by bypassing legal call distribution channels.

To understand what “outgoing SIM box fraud” is about, let’s first review how billing for mobile traffic has evolved.

Five or six years ago, if you looked at mobile-to-mobile traffic in Italy, for instance, an Italian mobile operator would sell its SIM cards to terminate traffic on its own network.  And soon thereafter it became practical to terminate all domestic mobile operator calls on their networks at no additional charge because retail rates were low.  In short, it was not worth the cost of billing for traffic between the Italian operators.

However, in the past few years, a new trend in Europe has been to offer SIM cards that terminate on international destinations.  These are the so-called "world plans" which usually feature a flat fee number of minutes across 5, 10 or 20 selected countries.  And the tariff packages for these world-plan SIM cards are priced aggressively to attract new customers.

But now fraud is occurring in countries within these world plans where the mobile termination rate is very high.  For example, Albania’s termination rate is very high, so if an operator in Italy has a bundled “world plan” with Albania as one of the destinations, fraudsters will try to exploit that by pumping lots of low cost calls through to Albania.

Interesting, so the fraudster gets the same benefit of pumping traffic without the risk of operating illegal SIM boxes in Albania.

Yes, Dan.  Going further with my example: this Italian mobile operator would definitely be impacted if their tariff plan failed to account for the huge traffic volumes being pumped into Albania.

Relatively few calls to Albania were expected: the lion’s share of traffic was projected to go to low cost destinations such as France, Switzerland, and Germany perhaps.  If we would normally see 5% of calls ending in Albania, and that volume spikes to 20% of all calls, the underlying profits of the world plan would be terrible.  It could even put them in the red.

I see, so this outgoing SIM box fraud is very deceptive because it goes against the normal fraud pattern in bypass.

True.  And the other interesting twist is that this Italian mobile operator would suffer no revenue loss from this fraud.  However, they would see a tremendous increase in their interconnect costs because many more calls are terminating in Albania.

At first, fraud managers often don’t understand this fraud: their first instinct is to look at revenue alone.  They might say, "Hmm.  This is a very successful rate plan that is generating lots of international calls!"

But looking deeper, of course, you notice that while SIM card sales are high, you’re losing big on the wholesale side paying all these high interconnect charges to Albanian mobile operators.

Now to exploit this fraud requires the fraudster be very familiar with the termination rates in different countries and with the rate plans offered by the mobile operators worldwide — and knowing where the profit margins are best.  And maybe the fraudster shifts from using SIM boxes to terminate traffic in Italy and instead uses them to pump a ton of calls from Italy to Albania.

This outgoing SIM box fraud is a very interesting case.  As usual, the fraudsters are adept at finding unique ways to exploit big price differences in markets.  Any other new kinds of bypass you’re seeing?

Well, another bypass I’ll mention is not exactly new.  It’s fraudulent CLI (Caller Line ID) changes, also known as CLI re-filing, a growing bypass type in Europe because of changes in regulations and increased competition.

Operators in the European Union are under pressure to increase their revenues because competition has brought prices down and also because the revenue operators earn from roaming fees is considerably reduced.

So increasingly European operators are implementing so-called “differential mobile termination rates” to countries outside of Europe.  Now a French operator, for example, must still maintain low termination rates for traffic from member countries in the European Union.

Let’s take the case of France and Morocco to illustrate the problem.  Traditionally an operator in Morocco could terminate calls in France at a very low rate.  Yet when a French operator terminates a call in Morocco, the termination rates are very high.  So the rates were absolutely asymmetric.

But now, to recover more revenue, the French operator tacks on a non-European surcharge to traffic coming from Morocco.

And how is this non-European differential surcharge applied to the traffic?

Dan, it’s all based on the interconnect origin-based billing rate which is calculated on the CLI phone number (or A number) transmitted to the destination operator.

So in my example, if the CLI says the origin is Spain, you pay one cent per minute; if the CLI says Morocco, it’s 6 cents per minute.  Big difference.  And when an operator doesn’t want to pay the 5 or 6 cents per minute surcharge, what they can do is fraudulently change the CLI to pretend the traffic is coming from Spain, Italy, or another European country — and they will not be charged the high termination rate.

And I believe any operator in the interconnect chain has the technical ability to modify that CLI number, right?

Correct.  And that’s where the dilemma lies, for there’s no easy way to determine exactly who is committing the fraud because several operators can be in the chain.  The only way you can analyze which interconnect operator is doing the fraud is to do lots of test calls across many routes to trace the true origin of calls made from various corners of the world.

Now even though this fraud has been active for quite some time, European operators don’t seem to appreciate how much money they are losing through these CLI-altering schemes.

The prevailing attitude seems to be: "Okay, maybe we will experience a small amount of fraud from CLI altering, but at least, 80% of my traffic from Morocco will be charged at the higher rate."

Even still, losing 20% of the high rate traffic is a lot of money to let slip out the door.

In any kind of SIM box or bypass fraud, two different solutions are used.  You have the robot calling firms and SIM box fraud specialists such as Araxxe, and the FMS solution providers also play a role.  Can you explain to us the differences between these two roles?

Well, the best anti-fraud solution is always a combination of fraud solutions, isn’t it?  I mean, there is certainly high value in combining what a WeDo or Subex does and what Araxxe does.

Yet we at Araxxe are very different from a Subex or WeDo because we don’t have the big data warehouse storing the full traffic all these years to perform profiling and analysis, etc.  In SIM Box detection, our CDR analysis is much more focused.  We don’t deal with all the traffic or all the users, but only a sample of CDRs derived from the particular test calls our robots are making.

And the number of calls we make varies: we could be making 1,000, 5,000, or 100,000 calls per month — depends on the need at the particular operator.  So we approach the client and say, "If you want us to analyze your SIM box problem, you need to send us the CDRs of our robot calls."

FMS companies like Subex and Neural Tech play an important role in SIM Box fraud mitigation by maintaining a rich history of usage for each phone number.  They also ensure their application scales/performs well, the database is tuned, and the dashboards and reporting are excellent.

But to be honest, in SIM box fraud control, the technical platform is only secondary.  What matters most is the experience of the fraud analyst or user of the platform who knows what profiling rules to implement in the system.

Maybe the old 80:20 rule applies here.  In SIM box fraud control, 80% of the value comes from the user’s knowledge and 20% from the technical platform.  And in IRSF, it’s the other way around: 20% user, 80% technical platform.

I would agree with that.  IRSF detection is far more methodical.  It lends itself to automation and data analysis.  A phone number is either in the blacklist or it’s not.  Or it fits an analytical pattern that raises the level of suspicion, so you block the call.

SIM box fraud is not so simple.  The fraudster adapts its strategy depending on the defense.  So it’s kind of an electronic cat vs. mouse game: there are attacks, counter-measures, and counter-counter measures.  This is why the experience and training of the fraud analyst is so key.

Another analogy: it’s the difference between using MS Word as a typing platform versus using MS Word to write a novel: the skill of the writer is almost everything in producing a great novel.

Thanks very much, Philippe.

Copyright 2017 Black Swan Telecom Journal

Philippe Orsini

Philippe Orsini is VP Product Management at Araxxe, a specialized company providing End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

Philippe, who joined Araxxe in 2007, is in charge of product portfolio management and new product creation.  He also manages key client accounts mainly in North Africa and Europe.

After graduating from a top French “Grande École” and the Universidad Politécnica of Madrid (Spain) in telecommunication, Philippe has been developing strong insight and operational expertise in the communications industry across Europe.

Philippe has spent most of his work experience working at consulting companies, such as IBM Global Services or Accenture.  He has been managing large IT systems implementation projects and in-depth consulting studies in the distribution and telecommunication industries.   Contact Philippe via
