Email a colleague    

April 2017

Bypass Fraud Evolves: New Threats from Outgoing SIM Box Bypass & Spikes in CLI-Tampering

Bypass Fraud Evolves: New Threats from Outgoing SIM Box Bypass & Spikes in CLI-Tampering

Is the fraudster’s mindset fundamentally different from that of your average honest person?

Well, maybe not.  Consider this: all of us who participate in the free enterprise system — as owners, employees or independent agents —aim to exploit certain advantages we have in the game.  It could be technical skills, knowledge, leadership, money, relationships... or many other things.

We then leverage that “special something” to discover and exploit markets that are out of balance.  For instance, traders invest in stocks or currencies that are undervalued.  Successful entrepreneurs deliver products people are clamoring for, but no one is properly delivering.

Often the ticket to riches is access to deeper levels of knowledge.  Investor Warren Buffet (second richest man in the world) once said that successful investing in like watching a parade while standing on your tiptoes.  Likewise, a biologist finds his pot of gold by seeing things in a microscope that others fail to notice.

But only the fraudster (or corrupt insider) is willing to go the next step: to pursue those opportunities by breaking the law, risking jail time — or worse.

So the first step to stopping fraudsters is understanding human nature.  And the next most important thing is mastering the technical playing field where the fraudster plays.

Araxxe is one of the foremost companies in the world peering into the psychology and habits of fraudsters, then anticipating their moves and putting defenses in place to protect an operator’s revenue.

I recently caught up with Philippe Orsini, VP Product Management, who provided an insightful update on new developments in bypass and SIM box fraud his company is dealing with.

Dan Baker, Editor, Black Swan: What’s happening in the world of SIM box fraud these days?  Are we getting better at controlling this type of fraud?

Philippe Orsini: Well, Dan, it obviously depends on your region of the world and the local market.  As you would expect, Africa and Asia are still the most impacted parts of the world, and Araxxe continues to serve clients in those regions.

Traditional in-bound SIM box fraud remains a constant threat to the termination revenues of operators — and the tax revenue of governments in these countries.

But now we see emerging a new form of SIM box fraud threat, what we call "outgoing SIM box".

So what do you mean by Outgoing SIM Box fraud?

It’s very simple actually.  SIM box fraud is always about the tariffs — or the margins you can get by bypassing legal call distribution channels.

To understand what “outgoing SIM box fraud” is about, let’s first review how billing for mobile traffic has evolved.

Five or six years ago, if you looked at mobile-to-mobile traffic in Italy, for instance, an Italian mobile operator would sell its SIM cards to terminate traffic on its own network.  And soon thereafter it became practical to terminate all domestic mobile operator calls on their networks at no additional charge because retail rates were low.  In short, it was not worth the cost of billing for traffic between the Italian operators.

However, in the past few years, a new trend in Europe has been to offer SIM cards that terminate on international destinations.  These are the so-called "world plans" which usually feature a flat fee number of minutes across 5, 10 or 20 selected countries.  And the tariff packages for these world-plan SIM cards are priced aggressively to attract new customers.

But now fraud is occurring in countries within these world plans where the mobile termination rate is very high.  For example, Albania’s termination rate is very high, so if an operator in Italy has a bundled “world plan” where Albania as one of the destinations, fraudsters will try to exploit that by pumping lots of low cost calls through to Albania.

Interesting, so the fraudster gets the same benefit of pumping traffic without the risk of operating illegal SIM boxes in Albania.

Yes, Dan.  Going further with my example: this Italian mobile operator would definitely be impacted if their tariff plan failed to account for the huge traffic volumes being pumped into Albania.

Relatively few calls to Albania were expected: the lion’s share of traffic was projected to go to low cost destinations such as France, Switzerland, and Germany perhaps.  If we would normally see 5% of calls ending in Albania, if that volume spikes to 20% of all calls, the underlying profits of the world plan would be terrible.  It could even put them in the red.

I see, so this outgoing SIM box fraud is very deceptive because it goes against the normal fraud pattern in bypass.

True.  And the other interesting twist is that this Italian mobile operator would suffer no revenue loss from this fraud.  However, they would see a tremendous increase in their interconnect costs because many more calls are terminating in Albania.

At first, fraud managers often don’t understand this fraud: their first instinct is to look at revenue alone.  They might say, "Hmm.  This is a very successful rate plan that is generating lots of international calls!"

But looking deeper, of course, you notice that while SIM card sales are high, you’re losing big on the wholesale side paying all these high interconnect charges to Albanian mobile operators.

Now to exploit this fraud requires the fraudster be very familiar with the termination rates in different countries and with the rate plans offered by the mobile operators worldwide — and knowing where the profit margins are best.  And maybe the fraudster shifts from using SIM boxes to terminate traffic in Italy and instead uses them to pump a ton of calls from Italy to Albania.

This outgoing SIM box fraud is a very interesting case.  At usual, the fraudsters are adept at finding unique ways to exploit big price differences in markets.  Any other new kinds of bypass you’re seeing?

Well, another bypass I’ll mention is not exactly new.  It’s fraudulent CLI (Caller Line ID) changes, also known as CLI re-filing, a growing bypass type in Europe because of changes in regulations and increased competition.

Operators in the European Union are under pressure to increase their revenues because competition has brought prices down and also because the revenue operators earn from roaming fees is considerably reduced.

So increasingly European operators are implementing so-called “differential mobile termination rates” to countries outside of Europe.  Now a French operator, for example, must still maintain low termination rates for traffic from member countries in the European Union.

Let’s take the case of France and Morocco to illustrate the problem.  Traditionally an operator in Morocco could terminate calls in France at a very low rate.  Yet when a French operator terminates a call in Morocco, the termination rates are very high.  So the rates were absolutely asymmetric.

But now, to recover more revenue, the French operator tacks on a non-European surcharge to traffic coming from Morocco.

And how is this non-European differential surcharge applied to the traffic?

Dan, it’s all based on the interconnect origin-based billing rate which is calculated on the CLI phone number (or A number) transmitted to the destination operator.

So in my example, if the CLI says the origin is Spain, you pay one cent per minute; if the CLI says Morocco, it’s 6 cent per minute.  Big difference.  And when an operator doesn’t want to pay the 5 or 6 cents per minute surcharge, what they can do is fraudulently change the CLI to pretend the traffic is coming from Spain, Italy, or another European country — and they will not be charged the high termination rate.

And I believe any operator in the interconnect chain has the technical ability to modify that CLI number, right?

Correct.  And that’s where the dilemma lies, for there’s no easy way to determine exactly who is committing the fraud because several operators can be in the chain.  The only way you can analyze which interconnect operator is doing the fraud is to do lots of test calls across many routes to trace the true origin of calls made from various corners of the word.

Now even though this fraud has been active for quite some time, European operators don’t seem to appreciate how much money they are losing through these CLI-altering schemes.

The prevailing attitude seems to be: "Okay, maybe we will experience a small amount of fraud from CLI altering, but at least, 80% of my traffic from Morocco will be charged at the higher rate."

Even still, losing 20% of the high rate traffic is a lot of money to let slip out the door.

In any kind of SIM box or bypass fraud, two different solutions are used.  You have the robot calling firms and SIM box fraud specialists such as Araxxe, and the FMS solution providers also play a role.  Can you explain to us the differences between these two roles?

Well, the best anti-fraud solution is always a combination of fraud solutions, isn’t it?  I mean, there is certainly high value in combining what a WeDo or Subex does and what Araxxe does.

Yet we at Araxxe are very different from a Subex or WeDo because we don’t have the big data warehouse storing the full traffic all these years to perform profiling and analysis, etc.  In SIM Box detection, our CDR analysis is much more focused.  We don’t deal with all the traffic or all the users, but only a sample of CDRs derived from the particular test calls our robots are making.

And the number of calls we make varies: we could be making 1,000, 5,000, or 100,000 calls per month — depends on the need at the particular operator.  So we approach the client and say, "If you want us to analyze your SIM box problem, you need to send us the CDRs of our robot calls.”

FMS companies like Subex and Neural Tech play an important role in SIM Box fraud mitigation by maintaining a rich history of usage for each phone number.  They also ensure their application scales/performs well, the database is tuned, and the dashboards and reporting are excellent.

But to be honest, in SIM box fraud control, the technical platform is only secondary.  What matters most is the experience of the fraud analyst or user of the platform who knows what profiling rules to implement in the system.

Maybe the old 80:20 rule applies here.  In SIM box fraud control, 80% of the value comes from the user’s knowledge and 20% from the technical platform.  And in IRSF, it’s the other way around: 20% user, 80% technical platform.

I would agree with that.  IRSF detection is far more methodical.  It lends itself to automation and data analysis.  A phone number is either in the blacklist or it’s not.  Or it fits an analytical pattern that raises the level of suspicion, so you block the call.

SIM box fraud is not so simple.  The fraudster adapts its strategy depending on the defense.  So it’s kind of an electronic cat vs. mouse game: there are attacks, counter-measures, and counter-counter measures.  This is why the experience and training of the fraud analyst is so key.

Another analogy: it’s the difference between using MS Word as a typing platform versus using MS Word to write a novel: the skill of the writer is almost everything in producing a great novel.

Thanks very much, Philippe.

Copyright 2017 Black Swan Telecom Journal

Philippe Orsini

Philippe Orsini

Philippe Orsini is VP Product Management at Araxxe, a specialized company providing End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

Philippe, who joined Araxxe in 2007, is in charge of product portfolio management and new product creation.  He also manages key client accounts mainly in North Africa and Europe.

After graduating from a top French “Grandes Ecole” and the Universidad Politécnica of Madrid (Spain) in telecommunication, Philippe has been developing strong insight and operational expertise in the communications industry across Europe.

Philippe has spent most of his work experience working at consulting companies, such as IBM Global Services or Accenture.  He has been managing large IT systems implementation projects and in-depth consulting studies in the distribution and telecommunication industries.   Contact Philippe via

Black Swan Solution Guides & Papers

cSwans of a Feather

Related Articles

  • Black Swan Guide: Araxxe’s Revenue Assurance Consulting, Testing, and High Definition Billing Analysis Service by Dan Baker — How Araxxe’s end-to-end revenue assurance complements switch-to-bill RA  through telescope RA (external and partner data) and microscope RA (high-definition analysis of complex services like bundling and digital services).
  • Subex’s IDcentral Monetizes Telco & Enterprise Data to Deliver Digital ID & Risk Metric Services for Financing, KYC & More interview with Shankar Roddam — A new digital intelligence service that monetizes the idle data of telecoms and enterprises while also earning a good return for the owner of the data.
  • Opportunities & Obstacles: Consultant Luke Taylor Muses on the State of the Telecom Risk Assurance Business interview with Luke Taylor — A rambling discussion on the state of the risk assurance business with Luke Taylor, independent consultant in telecom revenue/fraud assurance and solution requirements and marketing.
  • LATRO’s Tips for Launching a Successful Revenue & Fraud Assurance Program for Mobile Money Operations in Developing Countries interview with Don Reinhart — A company building mobile money RA/FM tools and  managed services gives a concise, but detailed tutorial on how the Mobile Money Ecosystem works.  Revenue assurance pros will get tips on  what to look for in analytics/assurance tools, controls, and professional services.
  • A WeDo Conference Talk: Consulting & Analytics: Improving your Business Today, Enhancing it Tomorrow interview with Carla Cardoso & Bernado Lucas & Thomas Steagall — Leading risk management consultants explain their mission and walk-through RA, subscription fraud, and collections cases.  They also explain how analytics and machine learning can supplement process optimization.
  • PrologMobile’s Simple and Brilliant Plan to Save US MNOs Billions a Year in Recovered Phones & Retained Customers interview with Seth Heine — An expert in the mobile phone reverse supply chain explains how MNOs — via a neutral third party information exchange — can recover their original phones on the used market and save huge sums in multi-year customer retention.
  • WeDo Explores the IoT Ecosystem in Search of Tomorrow’s Pivotal Fraud & Business Assurance Solutions interview with Carlos Marques — A veteran product manager scans the IoT terrain, discusses key fraud and assurance challenges, and explains the preparatory steps WeDo is taking to become a key player in this emerging market.
  • New Report: Telecom Fraud & Business Assurance Solutions, Services & Strategies by Dan Baker & Luke Taylor & Colin Yates — TRI publishes a new market research report, Telecom Fraud & Business Assurance Solutions, Services & Strategies.  Free executive summary available.
  • Subex Juggles a Wide Variety of Business Assurance and Big Data Analytics Use Cases interview with Rohit Maheshwari — A expert in business assurance solutions explains top use cases such as: IoT security, big data analytics/AI, network asset optimization, multi-player gaming assurance, onboarding mobile subs, and AI customer analytics.
  • MTN Agility: Mastering Exponential Technologies in Revenue/Fraud Assurance and Beyond interview with Danie Maritz & Tony Sani & Luke Taylor — An in-depth look at RAFM operations and innovation at the MTN Group.  Topics discussed include RA/fraud control challenges, strategies, and MTN’s journey to exploit exponential tech (AI, robotics, and ML) in its RAFM program and support of internal non-telco businesses.
  • From Byzantine Software Contracts to Simple & Flexible RA Managed Services interview with Philippe Orsini — Is the way B2B/enterprise software is sold and delivered today progressive — or is it Byzantine in the age of cloud?  An expert lays out the case for managed services in RA and billing verification.
  • Premiere Experts Set to Speak at Summer RAG Conference in London, July 7th and 8th by Dan Baker — The Risk and Assurance Group (RAG) has announced that its 2016 summer conference will expand into a two-day event and feature many premiere experts. 
  • WeDo Hosts Revenue Assurance & Fraud Management Conference in Washington DC by Dan Baker — Black Swan is pleased to announce what looks to be a first class revenue assurance and fraud management conference being put on by WeDo Technologies, on October 1st and 2nd in beautiful Washington DC.
  • Test Call Generators: An Essential Test & Debugging Tool in Mobile Billing Assurance interview with Steffen Öftring — An “active” test call generator (TCG) can see problems that a “passive” revenue assurance system is blind to.  Here’s a discussion on the test call RA  process, over-the-air calls versus core call injection, and test call networks in global roaming RA.
  • The Revenue Assurance Game: How the Rules Change in the Era of IoT & Mobile Broadband interview with Rene Felber & Gadi Solotorevsky — Revenue assurance is perhaps the hardest of telecom functions to define because the term is used in so many different senses.  This discussion on the evolving role of revenue assurance was catalyzed by a survey of experts in the profession.
  • Day in the Life of a Revenue Assurance Analyst interview with Michael Lazarou — Revenue assurance is much more than a software category.  It’s individual analysts struggling to help their larger organizations get a handle on system errors and coordination problems.  In this interview, an analyst reveals the many challenges of getting the revenue assurance job done at a small GSM operator in Europe.
  • Revenue Assurance: History and New Beginnings in RA Maturity interview with Daniela Giacomantonio & Gadi Solotorevsky — The Roman Forum was the center of commercial life in ancient Rome.  Now, two millennia later, the Forum lives on in the exchange of ideas across countless professions and  media.  In this interview, two Revenue Assurance experts discuss both the new RA Maturity initiative of the TM Forum and the value of telco/solution vendor collaboration.
  • Migrating systems or launching LTE next year?  Don‘t forget transformation assurance & optimisation by Efrat Nissimov — System transformations and network migrations are major  revenue impacting events and they should raise a big red flag.  Why?  Because data integrity issues are bound to crop up as CSPs move vital data from a legacy system to something new.  It’s time for transformation assurance.
  • How can Cable/DSL Internet Providers Meet the Usage-Based Billing Mandate? interview with Ryan Guthrie — The popularity of YouTube, Netflix, and Hulu other video outlets has turned the tables on service profitability for cable/DSL service providers.  Many are moving to usage-based billing, but that largely unprepared for the revenue assurance aspects of this move.  This interview explains the technical challenge and points to solutions in billing, speed caps, and traffic revenue monitoring.
  • CABS Revenue Assurance: How Rural LECs can Recover $284 Million in Revenue Shortfalls interview with Kelly Cannon & Darrell Merschak — Independent rural LECs in the U.S. still rely on the AMA/EMI billing formats for CABS billing, even as that format has proven to be highly inaccurate as a source of inter-carrier records.  This interview includes an analysis and discussion of revenue recovery techniques ILECs can use by leveraging SS7 probes.  Also discussed are billing strategies, traffic dumping threats, and the possible fallout from the FCC’s bill-and-keep mandate.
  • Make Business Assurance Progress Every Day: How to Set Goals, Automate, and Energize Your Team interview with Kathleen Romano — Business assurance (BA) skills have wide applicability outside the revenue assurance and fraud mangement domains.  In this article, a telecom executive explains how she’s applying her BA skills in the Payments area.  In addition to discussing the key operational challenges in Payments, the interview also provides keen insights on setting goals in business assurance, leading a team, and making critical decisions.
  • LTE Rollout: Make it a Smashing Success with Risk Assessment, Controls, and Marketing Offer Analytics by Gadi Solotorevsky — LTE brings splendid new capabilities to mobile users.  But like 2G and 3G deployments before, operators can only make money if they successfuly plan, coordinate, deploy fast, and pay attention to pricing plans and the customer experience.  This article lays out a 3-phase tactical guide on  how revenue analytics professionals can add value in LTE service risk assessment, controls, and marketing offer analytics.
  • RA Prevention: How to Manage Revenue Risks and Communicate RA’s Value to Senior Execs by Shaul Moav — The era of revenue assurance prevention and risk assessment is here.  Several of the mature operators of the world have developed their own methodologies and tools.  Using firefighting and fire prevention as a metaphor, the article details a new commercial software approach explaining the goals, method of risk evaluation, and senior executive dashboards developed for the process.
  • Precision Clockworks: How Revenue Assurance Synchronizes with the Business at Swisscom interview with Marco Pollinger — An expert revenue assurance department is one whose work dovetails well with the lines of businesses it supports.  In this interview you’ll learn how Swisscom manages its revenue assurance function for maximum effect.  The article discusses: the operator’s innovative RA organization, the screening and RA approval of new services, its pre-production bill audits, and its coordination with corporate risk management.
  • Versatile, Portable & Corrections-Savvy: Quest for the Swiss Army Knife of Revenue Assurance Software by Mark Yelland — Revenue assurance maturity models are not cast in stone.  Since  best practices will change over time, it’s healthy to explore moving maturity models forward.  For example, great gains have been made in leakage detection, but RA corrections has been harder to master.  The author dreams about seven functions that should ideally come together in a single all-purpose revenue assurance software tool.
  • Bringing Strategic Planning & Value Engineering to Revenue Assurance interview with Maged Fawzy — Engineering and architectural techniques have a role in revenue assurance.  This interview with a top Egyptian RA consultant explains how continuous risk assessment and long range — yet flexible — RA planning can sharpen a carrier’s RA program and lead to better use of revenue assurance software and integration services.
  • Forensic Fossils: Is Your Revenue Assurance Shop Fit for Display at a Natural History Museum? interview with Jim Marsh — Without the continuous guiding light of seasoned revenue assurance leaders, even the best teams of RA professionals, technology, and business processes can fossilize and lose their vitality.
  • Revenue Assurance: The Magical Market Cap Multiplier by Van Howard & Curtis Mills — Many operators today consider revenue assurance yesterday’s opportunity.  But this article shows why significant revenue and cost leakage can still go undetected, even in companies with dedicated RA departments.  Also discussed are the benefits of a broader or more “forensic” approach to revenue assurance, an approach that boosts the bottom line regardless of the automated tools already in place.
  • From Risk to Robust: Turning the Big Picture Into a Real Agenda for Change in Telecoms by Eric Priezkalns — Inspired by a Financial Times article written by Nassim Taleb, author of “The Black Swan”, here is an insightful and entertaining primer on telecom risk management.  The article takes ten risk management lessons from Taleb and applies them specifically to the communications industry.  You’ll learn about the value of small scale trials, organization accountability, cures for a blame culture, incentives that work, the power of simplicity, and more.
  • Synthesizing the Telecom Business Assurance Practice With the Analytics World by Dan Baker — Business assurance is a wrapper term that allows you to draw a circle around various telecom assurance, control, and optimization activities.  This article maps business assurance as a subset of telecom analytics, constrasting it with marketing analytics while a diagram shows where biz assurance fits in the larger B/OSS world.
  • CABS Revenue Assurance Disputes: May the Carrier With the Best Data Win by Cheryl Smith Rardin & David West — Revenue assurance innovation is far easier when partners cooperate to make it happen.  This articles shows how a U.S. operator, software vendor, and consultant teamed to develop a breakthrough in Carrier Access Billing (CABS) assurance.  Learn about: the dispute resolution data gap that needed to be filled, the partnering strategy, the implementation challenges, and payback results.
  • Revenue Assurance vs.  Business Assurance: Who’s the Rightful King of Controls Software? interview with Sergio Luis Silvestre — Business controls software, originally developed for RA, is finding application in other areas of the business such as internal audit, collections, security and risk management.  This article argues that “business assurance” is the best term to describe this broader set of  controls software that can find a home in numerous departments or functions of a CSP’s business.
  • PwC on the Business of Revenue Assurance Consulting & Mentoring interview with Tim Banks & Dan Stevens — Revenue assurance consulting firms offer a broad range of services to clients these days.  The article explains the practice of mentoring RA mangers and providing a CFO with visibility on the status of an operator’s business controls.  Perspective is also offered on the value of RA software and the opportunity to broaden the RA practice scope.
  • Robots for Hire: Verifying Accuracy In the Age of Complex Mobile Billing/Charging interview with Xavier Lesage — As real-time charging and complex lifestyle calling plans gain credence across the globe in wireless, billing quality issues will rise in importance.  This article discusses a unique managed services approach to invoice testing and roaming fraud protection that checks results against advertised or published source data for the utmost accuracy.
  • Ericsson: Revenue Assurance Consulting With an NGN Flavor interview with Thomas Steagall — Helping operators detect billing and provisioning problem is merely table stakes in the RA services business these days.  The article discuss why operators need to ramp up their RA function with service experience and group-wide financial health monitoring.  Advise is also offered on: key RA maturity questions, risk-and-reward contracts, and how to extract greater value from software investments.
  • Do-It-Yourself RA for Small Operators and MVNOs interview with Mark Yelland — Budget-minded small operators and MVNOs are no longer hamstrung in RA capability anymore.  This article offers high-leverage strategies for operators who cannot afford expensive RA software tools.  With  data access, brains, and a DIY philosophy, any small operator can map a  path to greater RA savings, maturity, and program growth.
  • Revenue Assurance Maturity: Report From the Arena interview with Eric Nelson — Revenue assurance maturity can‘t be easily computed.  How do you  compare the KPIs of Comcast billing with that of mobile money RA in Western Africa?  Even still, this article offers some universal RA wisdom from a straight-shooting veteran of carriers large and small.  Topics discussed include: dashboard or process, COTS vs. inhouse solutions, and tips on gaining internal support for the RA practice.