Telecoms Fraud Management

By | May 23, 2010

Fraud Management systems are designed to detect and prevent the fraudulent behaviors of the users which cause revenue losses.

There are multiple types of telecommunication frauds that needs to be addressed by these systems. Different fraud types should be detected and handled by different algorithms.
Below, I list some techniques that are used to detect the common fraud types:

Collision Checks: Collision checks check the time period between the two calls that have been done by the same subscriber. If the two calls belong to a previously specified time window, this is considered as a technical fraud, more specifically, a SIM cloning fraud.

Velocity Checks: Suppose, you received a call record saying that a subscriber had made a call at 10:00 AM from London. After some time, at 10:05, you receive another call record for the same subscriber from Istanbul. Since it is not possible for an individual to travel this distance within 5 minutes, this points to SIM cloning. Velocity checks make use of GIS data to figure out the distance between two locations. The second parameter they look for is the delta time between the calls made.

Blacklists: Blacklist checks are done on the blacklist fields in the CDR data (generally IMEI number) and generate a fraud case immediately. IMSI, MSISDN, B Number, Cell Id data can also be blacklisted.

Threshold Checks: FMS systems enable you to put thresholds on specific fields or accumulations based on these fields. SIM thefts (Total number of calls for this subscriber today, Total minute in the month, total $ amount of the calls etc.)

New Subscriber Checks: Subscription frauds are the frauds that appear when the subscriber gives false information to the service provider. He/she will be able to use the services with this false information without intent to pay. It will be impossible for the provider to find and charge this customer. It has been seen that the fraudulent subscribers use similar false identity information when they are trying to regain network entry. If the fraudulent user gave the name John Doe in his first subscription, in the second attempt, he uses a similar name, such as Johnny Doe. FMS systems have the new subscriber checks which can identify phonetic matches and cross matches to detect subscription frauds.

Pattern checks: Pattern checks look for specific patterns in the user activities. Patterns are series of “if” conditions. They usually have a time window where these conditional checks will be applied. A pattern could be “if the user is using the same phone (same IMEI) and makes calls with more than 3 SIMs (different IMSI) within an hour”.(IMEI should be present in the CDR) This pattern, for example, is written to detect the SIM Stuffing fraud. (SIM Stuffing is spreading the usage among different subscriber accounts to bypass Fraud systems. Fraudsters use different cloned SIMs(IMSIs) from the same terminal(IMEI) and use the service in small units(say 1 minutes per day per imsi). This way it will be hard to figure out if this is a sim stuffing behaviour.) Or I can write a pattern saying that if the same IMSI makes more than X international calls and these are destined to different countries. This pattern will catch a Sim Gateway fraud. Pattern checks are very powerful and can detect multiple fraud types.

Profile checks: FMS system has the usage data of the user thus it can generate a profile for that specific user. The calling patterns of the users are continuously monitored by the system and the corresponding profile is updated. For example, suppose I am a subscriber who has not made any international call in the last 12 months. This month, I started calling international numbers extensively. This is an off-profile behavior and may point to a fraud.

After those checks are done, alarms are generated if necessary. One alarm or multiple alarms may/will trigger case generation. Fraud Management department inspects those cases and take corrective actions to prevent frauds. These actions vary such as notifying the subscriber or suspending the service. Cases are marked as fraud or non fraud along with a detailed description prior to closure.

FMS can do basic rating. Calls can be rated based on the subscriber’s rating plan. Sophisticated rating/discounting scenarios may not be applied by the FMS systems. This is not their core responsibility. The rating function is generally used to accumulate the usage in terms of dollars.

FMS systems deal with lots of information and this makes them database depended. The FMS include usage information, customer information, rate plan information, alarm information, case information etc. Usage information can be fetched directly from the NEs or from a mediation system. Customer information is imported from other systems. HLR, Billing and CRM are the possible external repositories to get synched. (HLR can be the most up-to-date one). FMS also gets cell coordinates from the GIS systems and black-white-grey IMEI lists from the EIR systems.