Skip to content

How to Detect if Your Communication Networks are Being Used for Toll Fraud

6.69 billion dollars!

That’s how much Toll Fraud cost enterprises last year[1]. But if you were to ask around, you’d know that this amount is an underestimate! Imagine being responsible for the billing of a large call center – you probably have a telephone bill of a few hundred thousand dollars. If an attacker made it into your network, he could simply start small, with maybe a thousand dollars or so of calls to premium rate numbers and then steadily increase them over time to maybe some tens of thousands of dollars – and if the increase was slow and steady, it might be months before you notice that you have been toll frauded!

Typically, an enterprise has 2 types of SBCs – one used for remote working (agents connect to this to access the company’s systems) and one for trunks (from where calls get routed out). Between the two is the rest of the company’s communications infra (PBX, Session Management, IVR, and so on).

Your VoIP systems could be misused for toll fraud

In a normal communications setup, agents connect to the remote working SBC and request that call be placed to customers, which causes the call to go out via the trunk lines. The remote worker SBC creates a log entry stating that the agent has connected to the remote working SBC and has dialed out via the trunk SBC to the customer’s number. The question you face is: How do you know if someone has figured out a station’s login details and then used it to dial a premium rate number for toll fraud? You have to trawl through millions of logs and interpret the data – looking for a needle in a haystack is easier. Instead, you can get the answer by asking another question: how does one eat an elephant? The answer: piece by piece.

Looking for toll fraud attacks on your systems

Bite 1: Look for all calls made by all agents where they are dialing out via the trunk interface. Look at the remote SBC logs and get a list of all connections made to the remote working SBC with a dial out via the trunk lines.

Bite 2: Check each of the numbers dialed out to and identify which countries are being dialed to.

Some countries allow operations of premium rate numbers, others don’t. In fact, some countries even allow personal numbers to be designated as premium rate numbers – imagine dialing out to someone’s phone and finding out later that you were being billed 5 dollars per minute!

So, identify if the country being called to allows premium rate numbers. If not, drop it – you just saved yourself some time.

Bite 3: Figure out if the number called is indeed a premium rate number

Now is the time for some real work – look at the number and compare it against all known premium rate numbers in the identified country. This can be a biggish operation – typically premium rate operators own entire ranges of numbers – checking against all of them is nontrivial! By our estimates, there are potentially 20 million premium rate numbers present across the world!

If the number that “John” dialed out is indeed a premium rate number, you can immediately draw some conclusions:

  1. John is an attacker who has successfully broken into a station.
  2. John’s IP address should be blacklisted.
  3. The enterprise will be paying higher than normal monthly fees because John successfully completed those calls.
  4. The enterprise needs to tighten its communication perimeter to prevent John and his ilk from making toll fraud attempts again.

Another conclusion: It is practically impossible to physically check if you have been a victim of toll fraud – the sheer number of calls made, along with the sheer number of premium rate numbers means physical checks are impossible. You need an automated mechanism to detect toll fraud threats.

And that is why you need tools likeAssertion® SecureVoice™. It detects calls made from your systems to Premium Rate numbers, identifies who made those calls, and then gives you remediation insights to prevent further attacks. Here’s another thing it does: database updates! There are more than 20 million premium rate numbers, and they are constantly changing – new ones are being added, and old ones are being scrapped.  Tracking them is a difficult task and SBC Security™​ automatically does that for you! Every two weeks, this premium rate numbers database is refreshed, so the next time you scan, new numbers are flagged. Net effect: continuous protection from one of the most significant vectors of toll fraud.

Curious to know how else Assertion® SecureVoice™ can help?
Write to us at sales@assertion.cloud to know more.

[1] www.cfca.org