Everything You Need to Know About Toll Fraud

If you are building a voice application, then you could be the target of toll fraud. Learn about toll fraud and how it can affect your business.

What is toll fraud?

International revenue sharing fraud (IRSF), also known as toll fraud, is a scheme where fraudsters artificially generate a high volume of international calls on expensive routes. Fraudsters make calls to what are known as premium rate numbers and take a cut of the revenue generated from these calls. Though there are many other schemes in telecom fraud, IRSF is the most prevalent and has grown six-fold since 2013. Throughout the telecom industry, the total losses from toll fraud are estimated to be $10 billion annually. This number has only increased in recent years with the adoption of VoIP and communications APIs that make it easy to place international calls.

How does toll fraud affect Twilio developers?

Any application that can make a call to the public telephone network (PSTN) is vulnerable to IRSF. We most commonly see IRSF in three ways:

  1. PBX Hacking: Prior to the introduction of communications APIs, IRSF fraudsters would prey primarily on PBXs by scanning IP ranges for an open port 5060. Fraudsters would then brute force the server authentication, gain access, and then create toll fraud traffic. This technique is still very commonly seen. If you are a SIP Trunking customer, be sure to follow best practices to secure your PBX.
  2. Account Abuse: Twilio customers that offer their own international voice calling experience are targets for IRSF fraudsters. Any service you build and offer to your users, particularly if you offer some kind of free trial experience, is at risk of toll fraud. These fraudsters will create a large number of fake accounts in order to generate call traffic to premium rate numbers.
  3. Voice Verification Code Spamming: When implementing SMS 2FA, it is best practice to provide the option to send a code via a phone call in case your user is on a landline or is having trouble receiving SMS. IRSF fraudsters are actively looking for these flows, which often allow calling to anywhere in the world. The fraudsters launch scripted attacks in order to generate a high volume of calls through this voice verification function.

How do fraudsters make money from toll fraud?

Much like fraud schemes in other industries, toll fraud involves three ingredients: a long and opaque value chain, the exploitation of a service that is paid for by another party, and kickbacks from the party receiving payments to the party exploiting the service.

In toll fraud, fraudsters share revenue with international premium rate number (IPRN) providers who do business by purchasing and reselling number ranges from carrier aggregators (i.e., carriers that connect to many other carriers) or directly from locale regulators. IPRN providers sell these numbers along with high termination rates to buyers who plan to use them for content services, e.g. adult chat lines, tech support, voting, weather forecasts. Buyers of these numbers then drive traffic to them and get paid directly by the IPRN providers after they take their share of the fees.

The diagram below depicts this fraud scheme and how Twilio developers can be caught in the middle.

[Figure: Toll Fraud Diagram]

How does a fraudster find an IPRN provider? Easy. Simply search “premium rate numbers” on Google. You will find many companies in the search results that offer numbers all over the world with guaranteed payouts within 7 days. Today, there are over 100 of these IPRN providers worldwide selling IPRN numbers in over 200 locales and territories.

When do fraudsters typically commit toll fraud?

Fraudsters are smart and know they have the best chance of success attacking when you’re not watching. Thus, approximately 90% of toll fraud occurs on weekends. During these attacks, fraudsters exploit their window of opportunity to the greatest degree possible by generating many concurrent calls. Fraudsters generate concurrent calls to fly under the radar of detection systems that rely on call detail records, which are only created upon completion of the call. As a result, the attack will not be detected until calls complete, and by then, the damage will already be done.

What are the top destinations for toll fraud?

Any locale that has expensive calling rates is a likely destination for toll fraud pumping. Some of the top destinations for toll fraud currently are listed below:

  1. Cuba
  2. Latvia
  3. Somalia
  4. Lithuania
  5. Guinea
  6. Gambia
  7. Maldives
  8. Estonia
  9. Zimbabwe
  10. Tunisia

What is short-stopping or number hijacking?

A common pattern in toll fraud is “short-stopping,” also known as “short-transit” or “number hijacking.” In this scheme, call traffic does not reach the terminating locale and the fraudster is working directly with a dishonest carrier that sits along the call transit path. The dishonest carrier that receives the traffic short stops it before it continues to the destination locale, and then shares revenue directly with the fraudster. These dishonest carriers advertise and terminate numbers without authority or knowledge of the actual number range owner.

What are premium rate numbers? Why can’t we just block calling to all premium rate numbers?

A premium rate number is a telephone number that charges higher-than-normal rates and is designated for specific content services like adult chat lines, tech support, voting, or weather forecasts. In every locale, the phone number regulatory authority allocates ranges for premium rate numbers, in addition to other number types like emergency, mobile, and shared cost ranges. Locale number authorities are responsible for maintaining these allocations and reporting them to the ITU, the international regulator for phone numbers. For example, 900 is the prefix for premium rate numbers based on the North American Numbering Plan in the United States.

Though there are specific number ranges in each locale allocated for premium rate services, the “premium rate numbers” sold by IPRN providers are very often not part of a locale-defined premium rate number range. These numbers are often mobile numbers with prefixes deeply nested within legitimate number ranges. Because of this, mitigating the risk of toll fraud is not as easy as blocking ITU-defined premium rate number ranges within each locale. Fraudsters use all different types of numbers from all different locales in order to make preemptive blocking of numbers very difficult. Moreover, fraudsters regularly vary the ranges that they use.

Why can’t law enforcement do something about toll fraud?

A toll fraud case often looks like this: a voice application in the United States abused by telecom hackers in the Middle East pumping traffic to phone numbers in Latvia with proceeds going to a criminal organization in Eastern Europe. Though Twilio works with law enforcement agencies to investigate and prosecute toll fraud cases, cooperation across international borders is complex and protracted. Moreover, enforcement standards and the rule of law vary by locale. These challenges make toll fraud an attractive endeavor for fraudsters while also making it difficult for carriers and operators to get assistance from law enforcement.

Why can’t Twilio refuse payment to its carrier partners for toll fraud?

Historically, carriers have been bound by bilateral agreements that govern roaming and interconnect payments. These agreements dictate the origination operator must pay for all calls regardless of whether or not they are fraudulent. The terms in these agreements were in place long before IRSF was the big issue it is now. In addition to the existing agreements, a major challenge with withholding payments is that it requires cooperation from every carrier in the call transit path. In this path, a call can go through 7 carriers before terminating in its final destination. Gaining this cooperation is very difficult as many carriers prefer to do business simply by passing the call off to the next carrier and not asking any questions.

What can I do to prevent toll fraud?

As you can imagine, there is no silver bullet for toll fraud. The best prevention strategy is a combination of measures to limit a fraudster’s access to your calling capability, in addition to setting limits and restrictions. Ensure you have considered each of the following aspects of your application:

  • Account Security: Use a phone number and email verification process to gain confidence that each user is a real person. In addition, any other fraud assessments or third-party anti-fraud service integrations can be greatly beneficial in ensuring bad actors do not get through your front door.
  • Geo Permissions: Restrict calling to international destinations as much as possible. Since toll fraud terminates in locales with expensive calling rates, you can limit your exposure by only allowing calling to major locales. If there is no legitimate reason that you or one of your end users needs to call a locale, then turn off that destination.
  • Rate Limits: Fraudsters like to attack hard and fast on newly created accounts. By limiting calls per minute, calls per 60 minutes, calls per 24 hours, call duration, and concurrent calls, you reduce the fraudster’s ability to create a high volume of traffic over a short period of time. The exact limits depend on the risk that you are willing to take relative to providing a low-friction experience for legitimate customers. We recommend that you only open up your services once you’ve sufficiently verified your customer.
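
An added example, not Twilio's code or part of the original page: a pre-call gate that applies the destination restriction, rate limits and concurrent-call cap listed above at call start, because call detail records exist only once a call has completed. The prefixes, limit values, account name and the `call_ended` hook are assumptions, and the phone numbers are constructed.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (not from the page); prefix match stands in for real geo permissions.
ALLOWED_PREFIXES = ("+1", "+44", "+49")
WINDOW_LIMITS = ((60, 3), (3600, 20), (86400, 50))  # (window seconds, max calls)
MAX_CONCURRENT = 2


class CallGate:
    """Pre-call authorization: decide at call start, before any CDR exists."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.started = defaultdict(deque)  # account -> start times of allowed calls
        self.in_flight = defaultdict(set)  # account -> ids of calls still active

    def authorize(self, account, call_id, to_number):
        now = self.clock()
        if not to_number.startswith(ALLOWED_PREFIXES):
            return False, "destination not permitted"
        if len(self.in_flight[account]) >= MAX_CONCURRENT:
            return False, "concurrent call limit"
        history = self.started[account]
        while history and now - history[0] >= WINDOW_LIMITS[-1][0]:
            history.popleft()  # drop entries older than the longest window
        for window, limit in WINDOW_LIMITS:
            if sum(1 for t in history if now - t < window) >= limit:
                return False, f"rate limit ({limit} per {window}s)"
        history.append(now)
        self.in_flight[account].add(call_id)
        return True, "ok"

    def call_ended(self, account, call_id):
        # Hypothetical hook: call this from your call-completed event handler.
        self.in_flight[account].discard(call_id)


def simulate_burst():
    """Constructed scenario: a new account scripts five calls in five seconds."""
    t = [1000.0]
    gate = CallGate(clock=lambda: t[0])
    attempts = [("c1", "+14155550100"), ("c2", "+37120000000"),
                ("c3", "+14155550101"), ("c4", "+14155550102"),
                ("c5", "+14155550103")]
    results = []
    for call_id, number in attempts:
        results.append(gate.authorize("acct-new", call_id, number)[1])
        t[0] += 1
    return results
```

In the simulated burst no call ever completes, so a detector that reads only completed-call records would see nothing, while the gate refuses the disallowed destination and every call past the concurrency cap.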

In addition to the measures above, please also check out our Anti-Fraud Developers Guide for an overview of other types of fraud you may face.