Sponsored By
Channel Partners

October 1, 1998

11 Min Read
Anti-Fraud Arsenal

Posted: 10/1998

Anti-Fraud Arsenal
Detection and Intervention Systems Combat Subscription Fraudsters

By Mario McCash

Subscription fraudsters come in all types, and each prey upon telecommunications
service providers that eagerly welcome new customers in this highly competitive market. In
subscription fraud, a person establishes telephone service at a business or residence,
runs up a high volume of calls–often international–and abandons the service without
paying the bill. Frequently, subscription fraud also includes large numbers of collect and
billed-to-third-number calls as well. The people committing fraud leave the premises
before the first bill is delivered or service is cut off for nonpayment.

Telephone service providers can improve their effectiveness by implementing a
comprehensive program that encompasses business office practices, front-end tools and
programs and back-end tools and processes. Last month, Part 1 of the series examined
subscription fraud prevention tools and practices; this month the focus is on monitoring,
detection and intervention systems.

Telecommunications service providers should evaluate the feasibility of developing
programs to improve early detection. Call-duration tests, tracking of country codes where
fraudulent calls are frequently directed, for example, can provide the first indications
of a problem. Calling volumes, for example, might be accumulated for new accounts to flag
potentially abusive calling. Further investigation would be necessary to demonstrate
whether fraud has been committed. Moreover, in cases where special billing and collection
contracts exist between local telephone and long distance companies, additional steps can
be developed.

Monitoring & Detection

All telephone service providers can deploy or implement specially targeted algorithms,
thresholds and reporting and performance measurements in their traditional fraud
management programs to help manage subscription fraud. Com-monly known as back-end
detection, it is a key component in the subscription fraud management program when paired
with business office practices and front-end software solutions discussed in last month’s

Carriers can implement new account algorithms, which apply special treatment
to new accounts with little or no calling histories. Also, new account algorithms not only
watch new(er) accounts regardless of credit score, but also apply other special treatment
for those accounts opened with little or no identification, or those with suspicious
circumstances or data.

Dialed-Digit Analysis
Dialed-digit analysis allows carriers to determine if there is a match in the
calling patterns of a newly activated account to the phone numbers listed on the
application. Business or work phone numbers, numbers of relatives and home phone numbers
(if something other than a residential landline application) all can be compared to the
actual calling patterns of the subscriber. Alerts then can be generated if there is an
unusual absence of terminations to the numbers provided on the application. Dialed-digit
analysis also can be used to monitor for multiple account activations, a common symptom of
a subscription fraud case.

Fraud Management Systems
Fraud Management System (FMS) detection systems monitor for unusual calling
activity, such as international or calling to and from "hot" numbers with a
history of fraudulent activity. Any time a newly acquired account begins to call from or
to previously identified fraudulent automatic number identifications (ANIs), the detection
system could put out an alert for further investigation.

High Toll Alerts
New accounts with higher-than-average call volumes can be indicative of
subscription fraud. High toll alerts and/or velocity checks can notify carriers when newly
activated accounts begin to accrue high volumes of calling activity or high-dollar billing
amounts. Also, toll credit limits can detect cases of subscription fraud when new accounts
attempt to exceed the established limits.

Signaling and Call Detail Monitoring
Monitoring of signaling system 7 (SS7) and automatic message accounting (AMA)
records are examples of tools carriers can use to prevent extraordinarily large single-day
losses due to subscription fraud. With alternatively billed services (collect, third-party
and calling card/credit card) or operator-assisted calls, the line information database
(LIDB) should be used to provide velocity checking to prevent large losses.

‘Snitch’ or ‘Hot’ Lines
When an installation technician suspects, while on the subscriber premises,
that the service order may be a case of subscription fraud, the lines are referred to as
"snitch" or "hot" lines. The distinction is that the alert of the
potential subscription fraud case originates from the service technician.

Management Reports
Carriers should monitor account maintenance or service activity, such as
change of address requests/reports, requests for presubscribed interexchange carrier (PIC)
changes, line number changes, line additions or deletions, additions and deletions of
passwords, feature add-ons or deletions, deposit waivers, toll credit removal or increased
limit, etc. These items should be monitored after account activation and/or after
the initial service order is received. Fraud managers should determine the best method for
obtaining this data, such as links to the FMS, reports sent to fraud operations from the
other servicing departments or online connectivity to the other serving systems.

Carriers should consider operational policy implementations such as
restricting the amount of changes possible within a certain time frame from activation,
e.g. 30 days. This is a particularly useful restriction on address changes for new

Collection systems could aid in subscription fraud detection; all newly
acquired accounts with no payments received, or first-payment defaults, could be flagged
to the fraud operations department for further investigation and review. Also partial
payments, low-usage bill paid in the first month, insufficient funds payments, payment by
credit card that could be stolen, the payment of multiple accounts with one credit card or
the payment of one account by multiple credit cards all could be determinants in
subscription fraud detection.

Investigations & Intervention

Fraud investigations are an integral part of any fraud management program and are not
merely a reactive function–they’re incorporated into prevention and detection processes.
Last month we discussed how investigations begin at the point of application with
appropriate screens. As noted earlier in this segment, suspect accounts then are flagged
to determine whether subscription fraud exists and whether blocking is appropriate. Next
month in our segment on measurement, reporting and analysis, we’ll look at investigating
patterns and trends to determine whether cases can be linked to each other.

Here we will discuss investigating confirmed cases of fraud for prosecution, including
identification, location, apprehension, indictment, conviction and restitution.

Fraud Tariffs
There are local access tariffs (or fraud tariffs) that are state-specific
that outline rules carriers must follow in terms of subscription fraud management. Most of
these tariffs do allow carriers to terminate service due to suspicion or confirmation of
subscription fraud. However, some tariffs may require an effort by the carrier to notify
the customer that termination of service will/may take place. Carriers should check their
local area tariffs to ensure compliance to termination and notification requirements in
subscription fraud cases.

Carriers should provision service in a way that is "investigation friendly."
Carriers should try to avoid tipping off subscription fraud thieves to prevent flight,
particularly if there is any desire to prosecute the offenders. Thus, caution should be
exercised in mailing written warnings of suspension.

Root Cause Analysis
Root cause analysis is a discovery process unique to each carrier, but
generally results in causes, impacts and recommendations for tackling a specific fraud

Losses due to subscription fraud (in single or grouped cases) can be spread
out among multiple carriers (especially long distance carriers). When cases involve long
distance carriers with direct billing arrangements, it is likely that no single loss at a
carrier is sufficient enough to warrant (from a practical standpoint) an investigation
aimed at prosecution. Hence, with many cases of subscription fraud, a coordinated approach
with other carriers may be to effect a prosecution. Due to this dynamic, many carriers’
goal or purpose with subscription fraud investigations is for credit/service denial,
blocking or service termination. Subscription fraud investigations for prosecution are the
exception with many incumbent local exchange carriers (ILECs). However, wireless carriers
may be more proactive in investigating subscription fraud for prosecution (and again for
those who do pursue these types of investigations, it is recommended that the Toll Fraud
Prevention Committee (TFPC) document on coordinated investigations be considered).

Accurate Record-Keeping
Subscription fraud investigations not only include 1+ traffic (wireless or
landline), but also collect, bill-to-third party and card traffic. Because subscription
fraud can involve a variety of service types, carriers should be diligent to ensure proper
coding or labeling of a fraud case so the carrier correctly knows the full scope of the
problem. This means a card investigation also can be a subscription fraud investigation.
This not only will allow better reporting, but also improved practices that reduce the
losses due to subscription fraud. Accurate and complete subscription fraud investigations
also can lead to a reduced risk of improperly tagging a case as bad debt.

Trickle Down

A telephone service provider that protects its own network, such as by blocking calls
from a problem telephone line/account, can help protect the industry as well. Telephone
service providers can work cooperatively with each other through their respective security
departments. In that way, efforts to investigate accounts, document any abuse and shut
down the fraud will help prevent its migration to another company.

Mario McCash is the Business Development Manager for Fraud Services at Illuminet and
co-chair of the Subscription Fraud Task Force for the Toll Fraud Prevention Committee. He
can be reached at [email protected].

Editor’s Note: This is the second in a three-part series on
subscription fraud. Last month’s installment covered prevention tools and practices. This
month, Part 2 covers monitoring, detection and intervention. In November’s issue, Part 3
will discuss measurement, analysis and reporting.

Inside Job
Finding Fraudsters Within

Although most managers are loathe to follow it, sometimes the fraud trail leads to its
own company’s payrolls. The high turnover of retail, customer service and activations
personnel, combined with the increased use of temporary and contract personnel and the
planting of fraud accomplices in carrier and agent operations, all point to an increase of
internally perpetrated subscription fraud.

Possible motives include increased commissions, job preservation, financial need,
revenge and coercion. Other contributing factors are an organizational focus on market
share and gross revenue; a failure to establish and enforce controls; an insufficient
supervisor training program; a lack of timely and consistent corrective actions; and poor
screening of potential employees and agents.

Vulnerable areas in a carrier’s organization include sales, customer support,
activations and network/switching departments.

In the Sales Department

Many subscription fraud schemes originate in the sales department. A chief tactic is
commission fraud perpetrated by sales reps who establish fictitious accounts, add
unauthorized lines to existing accounts, force churn and offer unauthorized free
giveaways. Regular management reports can tip off carriers to commission fraud. In
particular, run and read these logs: no air-time or no traffic reports to detect
fictitious accounts, suspended/vacation service reports to spot unauthorized added lines
and change of address reports for churn. Sending welcome packets can cut down on the
unauthorized freebies.

In sales operations, there is a second type of fraud called collusion, wherein the
sales rep knowingly activates fraudulent accounts, waives deposits, sells customer name
and credit information, steals inventory for use in fraudulent activations or, in the case
of wireless, compromises dealer/agent codes/PINS.

Among the detection options for collusive fraud are routine reports for multiple
same-name activations, new service change-of-address and deposit waivers. In addition,
carriers can adopt appropriate controls such as prohibiting new service change of address,
restricting authority to approve deposit waivers and, in the case of wireless services,
instituting agent commission and airtime loss change-back agreements.

In the Switch Department

Internal fraud originating from the network/switch department usually involves
activation/reactivation of accounts without billing or activation of vertical services
without billing. To control this sort of fraud, carriers frequently should compare
switching and billing system data, analyze discrepancies, implement unique logon IDs and
passwords for all personnel and establish comprehensive audit trails.

In the Activations Department

Fraud originating in the activations department typically includes activating
fraudulent accounts, overriding credit-check requirements, selling customer name and
credit information, changing billing address information, adding unauthorized lines to
existing accounts and, in the case of wireless services, compromising dealer codes/PINs.

Countermeasures include assigning individual logon ID/passwords, restricting
credit-check override capability, auditing all activities and running credit-check
override and address-change reports.

In the Customer Service Department

Internal fraud generated by the customer service department includes changing new
service billing addresses or adjusting credit without authorization as well as selling
customer name and credit information.

Controls include prohibiting new service billing address changes and running the
appropriate reports. It also is wise for a carrier to establish, monitor and enforce
credit adjustment authorizations.

In order for carriers to effectively and successfully combat internal fraud, policies,
processes and procedures should be aimed at the following:

  • Reducing the opportunity for all employees to commit fraud.

  • Increase organizational focus and commitment to the problem.

  • Establish and enforce appropriate controls and countermeasures.

  • Train management and supervisory personnel to identify and respond to internal fraud indicators.

  • Educate all personnel on the personal cost of committing fraud against their employer.

  • Ensure timely and consistent corrective actions.

Read more about:

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like