Lessons learned from call forwarding attacks

A new ClearIP customer enabled call forward blacklisting. They experienced a telecom fraud call forwarding attack over the weekend. Here’s what happened:

  1. After hacking into a few customer accounts and setting up unconditional call forwarding, the fraudster launched 1,700 call attempts to 17 different high-cost countries within the North American numbering plan.
  2. None were successful. Not a single one.
  3. Legitimate calls, including domestic forwarded calls, were not blocked.
  4. Based on the termination rates of the destination countries in this attack and a modest estimate of likely call duration, the losses avoided already cover the cost of the ClearIP system for a long time to come.

Call forwarding telecom fraud prevention

Call forwarding telecom fraud is a common attack profile. Telecom service providers, and their customers, are vulnerable to this attack primarily because many customers like to use simple, easy-to-guess passwords on their customer portal accounts. Hackers run software programs that try to guess simple passwords. Sometimes they find one.

There are two very simple ways to completely block this attack:

  1. Encourage customers to change their password or PIN to a complex password not easily guessed by hackers. This helps, but it only takes one subscriber with an easy-to-crack password to open the door to fraudsters.

  2. Use call forward blacklisting, a flexible, highly-effective fraud prevention method available in ClearIP.

A call forwarding attack case study

Last week, a new ClearIP customer began using call forward blacklisting. Call forwarding telecom fraud had been a problem for their customers in the past. This telecom service provider had reluctantly removed the feature from their customer web portal. Encouraged by the call forwarding blacklist capability in ClearIP, they decided to offer call forwarding again, which some customers wanted.

Over the weekend, hackers broke into several customer accounts on the web portal. Weak passwords again. The carrier had not done anything wrong. They had even decreased the number of failed login attempts allowed before locking the account to thwart hackers.

Once the fraudster gained access to a few accounts, he launched a call forwarding fraud attack, including 1,700 call attempts with unconditional forwarding to 17 high-cost destination countries within the North American numbering plan. (Most softswitches do not classify such calls as international.) But because call forward blacklisting was in place, not one fraudulent call was forwarded. And because blacklists are checked at the beginning of SIP Analytics, ClearIP didn’t process any more services on these calls.
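
The blacklist check described above, as an added example (not TransNexus or ClearIP code), showing why +1 numbers in NANP area codes outside the U.S. and Canada need their own rule. It assumes a forwarded call carries a SIP Diversion header (RFC 5806); the area-code list and the INVITE messages are constructed samples, not data from this attack.

```python
import re

# Constructed sample blacklist: NANP area codes (NPAs) outside the U.S. and
# Canada. They dial as +1, like domestic numbers. Not the list from this attack.
FORWARD_BLACKLIST_NPAS = {"876": "Jamaica", "809": "Dominican Republic",
                          "473": "Grenada", "284": "British Virgin Islands"}
NANP_RE = re.compile(r"^(?:\+?1)?([2-9]\d{2})[2-9]\d{6}$")  # group 1 = NPA


def parse_invite(raw):
    """Return (Request-URI user part, lower-cased header dict) for a SIP INVITE."""
    lines = raw.strip().splitlines() or [""]
    m = re.match(r"INVITE\s+sips?:([^@;\s]+)", lines[0])
    if not m:
        raise ValueError("not a SIP INVITE")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), headers


def check_forwarded_call(raw):
    """Blacklist check run before any other processing of the call."""
    dest, headers = parse_invite(raw)
    # Assumption: a forwarded call is marked by a Diversion header (RFC 5806).
    if "diversion" not in headers:
        return "allow", "not a forwarded call"
    m = NANP_RE.match(re.sub(r"[^\d+]", "", dest))
    if not m:
        return "allow", "target outside NANP; not covered by this check"
    country = FORWARD_BLACKLIST_NPAS.get(m.group(1))
    if country:
        return "block", f"forward to blacklisted NPA {m.group(1)} ({country})"
    return "allow", "forward target NPA not blacklisted"


def sample_invite(dest, diverted_by=None):
    """Build a minimal constructed INVITE (sample data, not real traffic)."""
    msg = f"INVITE sip:{dest}@carrier.example SIP/2.0\r\n"
    if diverted_by:
        msg += f"Diversion: <sip:{diverted_by}@carrier.example>;reason=unconditional\r\n"
    return msg + "\r\n"


if __name__ == "__main__":
    print(check_forwarded_call(sample_invite("+18765550123", "+14045550100")))
```

A forward to a U.S. or Canadian area code, or a direct (non-forwarded) call to a blacklisted area code, passes this check unchanged.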

Here is a list of call forwarding attempts made:

[Figure: call forwarding fraudulent calls attempted]

Almost all calls forwarded to numbers in Canada and the U.S. were legitimate. The call forwarding attempts to the other countries were from the call forwarding attack.


None of their customers were victims of fraudulent call forwarding. None of their legitimate calls were disrupted. Fraud losses were zero.

Contact us today to learn how to quickly and easily eliminate telecom fraud attacks from your network.
