Phone App Traffic Pumping Fraud

The risk of traffic pumping, or International Revenue Sharing Fraud (IRSF), has been limited to business phone systems that get hacked and allow a fraudster to generate thousands of calls to high cost destinations. Residential customers, with a single phone line, have not been a risk for traffic pumping fraud. However, that has now changed with residential phone apps.

This week at the Communications Fraud Control Association meeting in Baltimore, a major communications company revealed the risk of traffic pumping fraud that can arise from residential subscribers.

Today, most new residential telephone subscribers obtain their voice telephone service bundled with Internet service. In this service the plain old telephone service (POTS) is a voice over IP (VoIP) service riding over the Internet connection back to the service provider's telephone network softswitch. With this service, it is common to provide a phone app so the residential customer can use their computer, iPad or smart phone as their residential telephone device.

With this convenience, it would be normal for a residential subscriber to install the phone app multiple times. For example, in a family of five, the phone app could be shared and might be installed ten or more times. For this communication provider, a single residential subscriber could enjoy up to 28 different installations of the phone app.

This is the opportunity fraudsters discovered. A single residential telephone subscription could enable up to 28 simultaneous calls for international revenue sharing fraud. Now a single residential account could support the same fraudulent call volume as a small business. However, unlike businesses, residential subscribers do not have a phone system that can be hacked.

To exploit this opportunity, the fraudsters needed an insider. They infiltrated an outsourced, offshore call-center that handled overflow calls for the communication provider. By bribing a call center supervisor they were able to obtain account details for multiple subscribers. Using this information they were then able to install multiple phone apps and begin their International Revenue Sharing Fraud operation.

Clicky