Know Thine Enemy

Posted: 11/1998

Know Thine Enemy
Intelligence Techniques Arm Carriers Against Subscription Fraudsters

By Mario McCash

James Bauer, deputy assistant director for the U.S. Secret Service Office of
Investigations, testified in April before a Congressional subcommittee that all kinds of
important personal information stored in computers, including driver’s license and Social
Security numbers, are accessible and for sale to just about anyone.

He said, "In our research, we have not found sources able to accurately define the
volume of identity fraud; however, anecdotal information from all sources indicates that
it is prolific."

Bauers’ concerns are shared by wireless and wireline telecommunications carriers, which
are seeking better means to accurately and completely identify, quantify, measure, analyze
and report on the impacts of subscription fraud. In this variety of telecommunications
fraud, a person establishes telephone service at a business or residence, runs up a high
volume of calls–often international–and abandons the service without paying the bill.

Frequently, subscription fraud also includes large numbers of collect and
billed-to-third-number calls. The persons committing fraud leave the premises before the
first bill is delivered or service is cut off for nonpayment.

This final installment of our three-part series on subscription fraud addresses
measurement, analysis and reporting techniques carriers can use to gather the intelligence
they need to attack and defeat subscription fraud properly.

Measurements

Performance measurements, or "metrics," aid carriers in assessing the quality
of their systems and practices. In many cases policies, procedures and practices need to
be scrutinized as much as any software/hardware solution.

The following is a list of recommended options carriers could consider in developing
their own strategies for measuring their performance. Implementation of any of these
suggestions would depend upon carrier size, history of losses (such as what a company’s
"need" is), and internal business considerations (such as a company’s
willingness to pay for tools or procedural changes). Some options do not require much
expense but rather a change in the way business office practices are done, while others do
require additional capital expenditures (such as data mining).

• Carriers may be able to benefit in improving performance measurements of subscription
  fraud (and other forms of fraud as well) by centralizing or consolidating fraud operations
  into one group. For example, call-sell subscription fraud cases and the final bill loss
  associated with them can be quantified through centralized automatic message accounting
  (AMA) and automation via the fraud management system (FMS).
• Carriers could look to existing resources such as accounting codes, post-billing
  adjustment reason codes, disconnect reason codes (such as "abandonment" or
  "nonpay"), tariff violation codes, disconnect orders and so forth as a means to
  track subscription fraud losses.
• Losses could be "journalized" so the carrier can isolate the extent of losses
  due to fraud and by fraud type. This will allow tracking and trending so appropriate
  adjustments can be made in the fraud strategy and fraud reduction program.
• By taking a sampling of uncollectibles, carriers can research the impacts of
  subscription fraud in the overall uncollectibles rate the carrier experiences. Sampling
  techniques are fairly accurate statistical measurements and should be considered as
  another tool in subscription fraud analysis.
• A valuable exercise in measuring performance of a subscription fraud management program
  is to identify and track the common thread in subscription fraud cases. In other words,
  what are the common traits or denominators that exist among those verifiable subscription
  fraud cases? Are there any recognizable patterns in the verified subscription fraud cases?

From the common traits, adjustments in the FMS and/or the front-end processes can be
made to improve the prevention and detection of this kind of fraud. Such adjustments in
the FMS become possible from the use of reports that provide this type of measuring of the
system. The fraud engine and/or the database(s) contained within an FMS could mine data to
populate reports that give the necessary intelligence to draw conclusions about patterns.

These "pattern recognition reports" can indicate the health of the FMS system
in measuring its ability and performance in bringing down averages of the subscription
fraud type over time. The production of strategic reports within the FMS system can aid in
prevention and detection as much as the detection algorithms and thresholds themselves.

Analysis

"Measurements/metrics" offer system (hardware/software) health checks and a
report/scorecard of a company’s policies/practices and procedures. It provides the
intelligence or information needed to make decisions to improve system and operational
performance.

On the other hand, "analysis" is finding and representing trends, patterns
and anomalies hidden in the data. Analytical exercises include the selection of data, the
transformation of data and the evaluation of data mining results. Analytical manipulation
of data is the discovery of knowledge, knowledge that is the crucial business intelligence
needed by carriers to maintain their edge.

The following is a list of 25 questions to which carriers should seek answers in
analyzing subscription fraud:

1. What is the average loss per subscription fraud case?

2. What is the total number of subscription fraud cases?

3. What is the average time in service for a subscription fraud case?

4. What is the volume of subscription fraud cases compared to the total number of
lines?

5. What is the percentage of subscription fraud losses to total revenue?

6. Of the number of new orders received within a given time frame, what percentage of
those orders turned out to be subscription fraud?

7. What is the percentage of bad debt to revenue?

8. What percentage of the bad debt was fraud?

9. What percentage of the overall fraud was due to subscription fraud?

10. How much money is being written off as subscription fraud?

11. What is the projected amount of subscription fraud buried in bad debt or
uncollectibles?

12. What are the gross activations (or subscriptions) per year? Per month?

13. What are the gross disconnects/deactivations per year? Per month?

14. What number of disconnects/ deactivations are attributable to fraud and to what
type of fraud?

15. What is the cost of acquisition of a customer?

16. How many customers are denied service due to being unable to verify their
information or suspected fraud?

17. What percent of customers are denied service due to bad credit?

18. What is the cost of fraud, the acceptable cost of fraud (i.e., what the carrier is
willing to bear as opposed to the actual cost) and how do these figures compare to the
uncollectible rate and cost?

19. Does the company establish an acceptable level of loss due to fraud, and if so, how
does that compare to the total cost of its fraud?

20. Out of the cases of subscription fraud, how many (volumes) and what percentages are
due to each specific type of subscription fraud? In other words, categorize subscription
fraud cases by titles such as call-sell, private party/residence, calling card or feature
takeover.

21. Of the cases of subscription fraud, what is the volume and percentage that involve
calling cards where the account was stolen prior to receipt by the authorized party? Note:
This would include scenarios of mail theft via postal workers or other mailbox tampering.

22. What is the volume and percentages of subscription fraud where the fraudster
ordered calling cards, new features or service established at the fraudster’s address by
theft of the legitimate account holder’s information?

23. How many subscription fraud cases resulted from calling cards mailed to incorrect
addresses and accepted by another party without the intent to pay?

24. What volume of fraud cases are initiated by false applications? What is the
percentage of cases detected prior to activation vs. the volume of cases that did get
activated?

25. What volume and percentages of subscription fraud are due to true-name applications
(correct info on the subscription application)? How many true-name applications were
detected prior to activation and how many true-name applications were detected after
activation?

Many of these metrics assume that the reporting can be done both historically,
currently and by the projected trend. Data mining or data warehousing, online analytical
processing (OLAP), artificial intelligence (AI) and knowledge discovery in databases (KDD)
all are technologies that can be used to make this kind of measuring and reporting
possible.

Reporting

Canned or ad-hoc reporting options generally are available within the relevant risk
management, billing and network/operation systems such as FMS, customer service,
accounting, "master" files, operations/network reports and billing/clearing. If
the existing databases do not have adequate reporting in and of themselves, generally the
data contained within the various databases can be extrapolated to form the needed
reports.

Here is a sampling of possible requirements for a subscription fraud report. (Note that
to create this sample report on subscription fraud, the originating sources of the data
come from divergent systems, thus requiring careful planning in culling all the necessary
inputs to create such a report.)

A subscription fraud report can be generated via the FMS system or other database that
would contain fields to total the volume and percentages of the following:

• Identity theft fraud
• Takeover fraud by illegitimate acceptance of preapproved offer letters
• Fraud by mail interception
• Fraud by deception via the use of illegally acquired account information
• Fraud by submitting applications with incorrect or false information.

The report should include statistics on repeat cases involving accounts and account
names, listing of locations involved, dealers/agents, dates and fields for total number of
calls/minutes in the cases. Additionally, it should include percentages of each type of
subscription fraud and compare against the total of all other types of fraud.

Furthermore, a correlation to address changes can be made with verified subscription
fraud cases. How many address changes occurred in each fraud case? How many requests were
there to mail calling cards to prior addresses?

Questions the report could answer include:

• Of all the applications received within a specified time frame, how many were
  fraudulent? (This includes both fraud applications not approved and those who received
  service).
• How does the rate of subscription fraud applications detected prior to activation
  compare with the overall volume of applications received? Tracked over time, this report
  allows for comparison of the fluctuations of fraud applications to total applications.
• Is there a pattern of fraud applications to specific geographic locations?
• Are there any unique calling patterns associated with subscription fraud cases, or can
  subcription fraud cases be linked through the calling patterns?

These are just samples of the metrics, analysis criteria and reporting options carriers
can use to manage their subscription fraud. No doubt there are many other possible
combinations and scenarios that can be examined. Carriers are encouraged to be diligent in
exploring and discovering new ways to use information to combat frauds of all types.

Industry Cooperation and Coordination

As mentioned last month, in the series’ second part on detection, intervention and
investigations, a telecommunications service provider that protects its own network (such
as by blocking calls from a problem telephone line/account) can help protect the industry
as well. Carriers can cooperate with one other through their respective security
departments. In this way, efforts to investigate accounts, document any abuse and shut
down the fraud will help prevent its migration to another company.

In cases which a contract for billing exists between the telephone service providers,
the companies should arrange to accelerate delivery of billing tapes. Delivery at long
intervals (such as every 30 days) virtually eliminates the value of a high-toll notifier
system. Rather, such delays make it more likely that certain telephone service providers
will be victimized by defrauders. Carriers should implement online billing record
transfers. The exchange of billing information should be as automated as possible, daily
and online.

Regulators need to recognize and support the industry’s growing need to reduce
telecommunications fraud. Losses are not always easily quantified and may not appear to
impact state residents (international calls are under interstate jurisdiction).
Nevertheless, losses are enormous in the aggregate, and carriers are forced to recover
these losses from legitimate callers.

Telcos and wireless carriers also must recover their administrative expenses
(negotiation, install- ation, investigation, disconnection, adjustments, etc.) as well as
hard-dollar losses.

Regulators’ concerns about nondiscrimination and privacy are shared by all. However,
regulators need to permit telephone service providers sufficient flexibility–when
negotiating new service–to take legitimate precautions to protect themselves, their rate
payers and even the industry.

This may include requiring positive identification from applications. Some greater
latitude also is appropriate when the telephone company suspects that fraud likely will
generate large uncollectibles, as with subscription fraud.

Subscription fraud–and all telecommunications fraud–penalizes each consumer, the
industry and the whole economy. No one segment of the industry can combat fraud
effectively, but concerted action can change the trend line of mushrooming losses. Above
all, flexibility and speedy cooperation are needed.

You must remember fraud is big business, and the returns are dramatic. You can expect
the defrauders will be as imaginative and resilient in the future as they have been in the
past. Those who battle subscription fraud must rise to the occasion.

Mario McCash
is the business development manager for Fraud Services at Illuminet and co-chair of the
Subscription Fraud Task Force for the Toll Fraud Prevention Committee. He can be reached
at mmccash@illuminetss7.com.