As anti-fraud company Revector marks 20 years of operating, CEO and Founder Andy Gent believes that telecommunications fraud is still not high enough on the corporate agenda for network operators – this should be a significant concern to shareholders. 

In 2001, Revector was launched to combat specific fraudulent activity against mobile network operators. The company’s management expected the business to have a shelf life of no more than five years – such as the belief that mobile operators would quickly get a grip on network fraud and reduce it to zero. 

Twenty years later frauds continue to persist – costing shareholders, networks, and Governments billions in lost revenue annually. 

Revenue through mobile service

According to Andy Gent, fraudsters are, at heart, business people, exploiting an opportunity for money. Gent explains how this relates to network fraud thus, “Mobile service providers generate revenues in two ways - by having their subscribers that pay the company to access the networks they run and associated services such as voice calls, text messages, and data usage. The second – known as termination revenue – involves transporting calls from other networks.” 

Revenues from termination are shared between all networks that help deliver the call

Revenues from termination are shared between all networks that help deliver the call, as Gent outlines: “Imagine a call from the UK to Australia. This will pass through several service providers that will each take a small percentage of the call revenues for passing on the call.” 

“Telecommunications companies establish relationships with others around predictable calling patterns. For example, BT may know that they need one million minutes of calls to South Africa per month. They, therefore, establish a relationship with a South African telecommunications company to provide this.”   

Trading termination minutes

The issue comes when the unexpected happens, for example, an earthquake in Cape Town. Now UK residents with relatives in Cape Town suddenly demand a lot more telephone time. BT needs more minutes than it has. It is unlikely that its partner in South Africa can provide these – they are facing the same issue due to the increased volume of calls in and out of the country – so it will look to the open market for the minutes it needs. 

Gent continues, “Termination minutes are traded in the same way as other commodities. Exchanges combine minutes from multiple sources, bundle these together and sell them. The issue is where these minutes come from. The bundles may well include “white” routes – premium minutes provided by legitimate telecommunications companies. However, many will include so-called “grey” routes.”   

A simple but effective fraud 

Grey routes are not provided by the telecommunications companies but by third parties or through fraudulent means. Typically, the “grey” routes come at a lower cost than the “white” routes, but some telecommunications service providers may not know this or care about it.

The natural pressure on cost means some telecommunications companies end up using “grey” route minutes. The threats to network providers’ revenues come from these “grey” routes.  A primary risk is SIM Box fraud. 

SIM Box fraud 

SIM Box fraud occurs where there is a differential price between the cost of routing a call in a country and the cost of terminating a call, as Gent outlines below: “Imagine a network is offering a promotion with free calls to others on the same network. At the same time, the value of terminating a call to that network’s customers is $0.05 per call.”

One single SIM card being used in this way can generate $3000 per month and there are hundreds of cards in each SIM box

“If someone can procure SIM cards with the promotion, these can be loaded into a SIM Box – a device that can house hundreds of SIM cards in racks and be connected to the internet - to terminate calls. The owner of the SIM box can then offer to terminate calls for $0.03 per call. The cost to the SIM box owner is close to zero – the local minutes they are using to terminate calls are bundled with the SIM deal.  The $0.03 per call is pure profit after the SIM cards and SIM boxes have been purchased.” 

While this sounds like a complicated scam it can be lucrative. One single SIM card being used in this way can generate $3000 per month and there are hundreds of cards in each SIM box.  

Loss of termination revenues

Service providers can quickly find a large proportion of revenues lost to SIM boxes. Gent has seen “up to 90 percent of termination revenues being lost.”

“The nature of SIM box fraud is transitory: fraudsters will pick the countries with the strongest opportunity to generate revenues quickly, sweep in and terminate calls for a month or two before the operator notices the revenue drop and takes action.”   

Is it illegal? 

If this practice sounds entrepreneurial rather than illegal, it is probably because it seems like a victimless crime. However, mobile network operators have paid millions if not billions for the ability to operate networks and generate termination revenues. A reduction in this revenue will mean less investment into next-generation networks or customer service. 

For the consumer, illegal termination often means poor quality calls with a lack of services such as caller line identification (CLI). But perhaps the most concerning issue is where the proceeds of crime go, as Gent outlines. “Often these SIM box frauds are run by criminal gangs using the process to launder money or finance organised crime or people trafficking.” 

“With widespread restrictions on the number of SIM cards that can be sold to one person, the only way to procure enough SIM cards is via criminal activity. Gangs bribe or coerce network operation staff into supplying SIM cards by the thousand, generating millions in illicit revenues.” 

Other telecommunications fraud 

Threat to operator termination revenues comes from OTT service providers that have an eye on termination revenues

Another threat to operator termination revenues comes from Over-the-Top (OTT) service providers that have an eye on termination revenues as well as competing with telecommunications service providers for a share of the voice and messaging market. 

While most telecommunications companies see Voice over IP (or OTT) as fair competition, in recent years several new OTT service providers have grown extremely quickly. WhatsApp, for example, was incorporated in 2009 and acquired by Facebook just five years later for almost $20 billion. 

The business models of these companies vary. Some focus on the “freemium” approach where the initial service is free but add-ons become chargeable.

OTT app fraud

However, recently some OTT players are looking to terminate revenue to monetise their business models. These operators have been offering competitive termination rates by hijacking a traditional call made from one telephone number to another and terminating it within an OTT app, as Gent explains, “We are seeing OTT apps intercepting traditional telephone calls and delivering them within a user’s app.” 

“The call starts as a dialled telephone call, but the user receives it within an OTT app.  If OTT players can achieve this, they can generate termination revenues at zero cost – other than to the traditional operator.” 

Using an app to make calls

Of course, if the recipient of the call believes the caller has used an app to call them, they are more likely to use this method of communication in the future – and less likely to dial a number directly. For the OTT players, termination acts as a marketing tool as well as a revenue stream.” 

According to Gent, one OTT service provider has gone as far as including a setting within their app that states “receive regular incoming calls within the app when possible”.  This is defaulted to “on” when the app is downloaded.  Only the most technologically savvy users would even know it was there. 

Combatting the fraud against networks 

Networks are less worried about losing revenue to fraud and more about grabbing as many subscribers as possible"

Why do networks not do more to combat fraud?  The reality, according to Gent, is a combination of priorities and ignorance. He comments, “Most mobile network operators are large but still relatively young companies – typically built around customer acquisition.” 

“Networks are less worried about losing revenue to fraud and more about grabbing as many subscribers as possible.  This has led to a mindset where whatever the questions the answer is always more marketing promotions.”  A small number of innovators around the world continue to fight these frauds directly, but the fraudsters simply move on to the next victim and, when the anti-fraud measures are relaxed, the fraudsters return. 

An opportunity for the future 

As mobile networks mature and become more commoditised, Gent believes the issues around combatting fraud will become a wider concern.

If you had told me in 2001 that fraud would still be an issue in 2021, I would have been shocked. Yet operators are still losing significant revenues to criminals. Addressing this needs to remain a priority for the industry, not just to ensure networks have the revenues to build and maintain robust networks but also to ensure that criminal behaviour that this kind of illicit activity funds is reduced. This is not just an issue for network operators but also for wider society.” 

Download PDF version Download PDF version

Author profile

Andy Gent Chairman and CEO, Revector

In case you missed it

What change would you like to see in security in 2022?
What change would you like to see in security in 2022?

Here’s a news flash: 2022 will be a pivotal year for the security industry. As we enter the new year, continuing change is a safe prediction for any fast-moving, technology-driven marketplace. Recent history confirms the ability of the security industry to shift and adapt to changing conditions and to provide an ever-expanding menu of technology solutions to make the world a safer place. Given that the new year will bring change, what will that change encompass? More to the point, what should it encompass? We asked this week’s Expert Panel Roundtable: What is the biggest change you would like to see within the security industry in 2022?

2021’s most popular expert panel roundtable discussions
2021’s most popular expert panel roundtable discussions

Topics that dominated our website’s Expert Panel Roundtable articles in 2021 included the effects of COVID-19, the benefits of mobile access, the upcoming potential of deep learning, and the future of access control cards. Our website’s Expert Panel Roundtable discussions in 2021 reflected some of the most timely and important topics in the industry. The very most clicked-on Expert Panel Roundtable discussion in 2021 considered the positive and negative effects of COVID-19. The second most popular was trends in perimeter security technology. Smart video solutions Here is a roundup of the Top 10 Expert Panel Roundtable discussions posted in 2021, along with a ‘sound bite’ from each discussion and links back to the full articles. Thanks to everyone who contributed to Expert Panel Roundtable in 2021 (including the quotable panelists named and linked below). The pandemic has impacted security in many ways, some we are just now realising" What are the positive and negative effects of COVID-19 to security? “The pandemic has impacted security in many ways, some we are just now realising. On the negative side, integrators were limited in their ability to access customer locations, posing significant challenges to supporting customers. Innovation was also halted in many sectors – such as AI and edge computing in healthcare. However, the pandemic increased awareness regarding the need for smart solutions that can aid in these types of crises. Smart video solutions have been identified repeatedly in the media as a potential pathway to better customer experience and increased safety.” – Alexander Harlass. Reducing false alarms What are the latest trends in perimeter security technology? “What’s really important in perimeter security is the minimisation of false alarms, not simply the potential detection of what might be an unauthorised person or object. In light of that, many systems now include alarm validation that can confirm an alarm event using a camera. The utilisation of AI-based technologies can further validate the accuracy of the alarm, making it as accurate and precise as possible. I anticipate seeing more cross-technological integrations to reduce false alarms, so that personnel in an alarm center spend as little time as possible in validating an alarm.” – Leo Levit. What will be the biggest security trends in 2021? “2021 will see artificial intelligence (AI) become more mainstream. There will be increased deployment in edge devices, including cameras, thermographic cameras, radar and LIDAR sensors, entry point readers, etc. Additional algorithms will be developed, greatly expanding the use and function as video surveillance transitions from a forensic tool to real-time analytics. This increases the value of these systems and helps create ROI cases for their deployment.” – Tim Brooks. Access control solutions Investments in tools and platforms to drive digital interactions have accelerated" What will be the security industry’s biggest challenge in 2021? “The security industry is traditional in the sense that it relies heavily on face-to-face interaction to do business with customers and partners alike. COVID-19 has put a hold on in-person meetings, trade shows, etc., and this trend is likely to extend throughout 2021. Virtually recreating these personal touchpoints, while cultivating and strengthening internal and external relationships, will continue to be both a challenge and opportunity for the security industry. Investments in tools and platforms to drive digital interactions have accelerated.” – Robert Moore. What are the challenges and benefits of mobile access control? “Mobile access control solutions are an exciting innovation in a market where the day-to-day user experience hasn’t changed much in the last 20 years. One area that has clear benefits and challenges is in improving the user experience. On one hand, physical credentials are expensive and a hassle to administer; however, they work reliably, quickly, and predictably. Mobile credentials are convenient in that everyone already has a smartphone, and you don’t have to admin or carry cards; however, when you’re actually standing at the door they need to work as well or better than physical credentials, or the benefits are lost.” – Brian Lohse. Attacking critical infrastructure What are the security challenges of protecting critical infrastructure? “It seems so often we hear about a new threat or cyber-attack in the news. Because of the rapid growth in technology over the last few years, cybercriminals are getting bolder and discovering new ways to attack critical infrastructure. One of the biggest challenges boils down to the capabilities of the operating security system and whether the organisation is aware of the current risks they face. Because there are so many points of entry for cybercriminals to target within critical infrastructure, it is vital that the security solution be prepared for attacks at every level.” – Charles (Chuck) O’Leary. They are more aware when they make physical contact with doors and interfaces" Which security technologies will be useful in a post-pandemic world? “People have become more sensitised to crowds and personal space. They are more aware when they make physical contact with doors and interfaces. As the pandemic subsides, these habits will likely remain for a majority of people." "Utilising AI-based cameras to accurately monitor the number of people in a room or in a queue will enable staff to take action to improve the customer experience. For example, AI-based analytics can quickly notify security or operations when people are waiting at a door and initiate 2-way audio for touchless access.” – Aaron Saks. Central monitoring station What is the potential of deep learning in physical security and surveillance? “Deep learning, a subset of artificial intelligence, enables networks to train themselves to perform speech, voice, and image recognition tasks." In video surveillance, these networks learn to make predictions through highly repetitive exposure" "In video surveillance, these networks learn to make predictions through highly repetitive exposure to images of humans and vehicles from a camera feed. That ability is ideal for use with drones patrolling perimeters seeking anomalies or in software that significantly reduces the number of false alarms reported to central monitoring station operators. Through use, the software continues improving its accuracy.” – Brian Baker. Valuable audit trail How soon will access control cards become extinct and why? “Access control cards will go the way of the dinosaur, but they still have some life left in them. For the short term, they have plenty of utility in minimum security use cases and leave a valuable audit trail. But for companies that are more technology-centric, particularly those with high value assets, we’re seeing demand for next-generation access control, which includes increased integration with video surveillance systems and professional monitoring services.” – Sean Foley. Which security markets are embracing touchless and contactless systems? “Touchless technology is not a new trend, but contactless systems and transactions have surged since the COVID-19 pandemic. Even after the pandemic is over, it is likely public perception of what is hygienic and acceptable in public spaces will have changed. [We are] seeing an uptick in touchless access control systems in the education and flexible office space markets.” – Brooke Grigsby.

Identity and access management in 2022 - what will the future look like?
Identity and access management in 2022 - what will the future look like?

As we enter into 2022, there is still a level of uncertainty in place. It’s unclear what the future holds, as companies around the world still contend with the COVID-19 pandemic. Remote working has been encouraged by most organisations and the move to a hybrid working system has become ‘business as usual’, for the majority of businesses. Some have reduced their office space or done away with their locations altogether. Following best security practices With all this change in place, there are problems to deal with. According to research, 32.7% of IT admins say they are concerned about employees using unsecured networks to carry out that work. Alongside this, 74% of IT admins thought that remote work makes it harder for employees to follow best security practices. This need to manage security around remote work is no longer temporary. Instead, companies have to build permanent strategies around remote work and security. The coming year will also create a different landscape for small and mid-sized businesses (SMBs). Here are some key predictions for next year and what to start preparing for in 2022: The reality of SMB spending around security will hit home SMBs had to undertake significant investments to adapt to remote working SMBs had to undertake significant investments to adapt to remote working, especially in comparison to their size. They had to undertake significant digital transformation projects that made it possible to deliver services remotely, during the COVID-19 pandemic. We’ve seen a shift in mindset for these companies, which are now more tech-focused in their approach to problem solving. According to our research, 45% of SMBs plan to increase their spending towards IT services in 2022. Around half of all organisations think their IT budgets are adequate for their needs, while 14.5% of those surveyed believe they will need more, to cover all that needs to be done. Identity management spending to support remote work For others, the COVID-19 pandemic led to over-spending, just to get ahead of things and they will spend in 2022, looking at what they should keep and what they can reduce their spending on. Areas like identity management will stay in place, as companies struggle to support remote work and security, without this in place. However, on-premise IT spending will be reduced or cut, as those solutions are not relevant for the new work model. Services that rely on on-premise IT will be cut or replaced. The device will lead the way for security We rely on our phones to work and to communicate. In 2022, they will become central to how we manage access, to all our assets and locations, IT and physical. When employees can use company devices and their own phones for work, security is more difficult. IT teams have to ensure that they’re prepared for this, by making sure that these devices can be trusted. Wide use of digital certificates and strong MFA factors Rather than requiring a separate smart card or fingerprint reader, devices can be used for access using push authentication There are multiple ways that companies can achieve this, for example - By using digital certificates to identify company devices as trusted, an agent, or strong MFA factors, like a FIDO security key or mobile push authentication. Whichever approach you choose, this can prevent unauthorised access to IT assets and applications, and these same devices can be used for authentication into physical locations too. Rather than requiring a separate smart card or fingerprint reader, devices can be used for access using push authentication. Understanding human behaviour Alongside this, it is important to understand human behaviour. Anything that introduces an extra step for authentication can lead to employees taking workarounds. To stop this, it is important to put an employee education process in place, in order to emphasize on the importance of security. The next step is to think about adopting passwordless security, to further reduce friction and increase adoption. Lastly, as devices become the starting point for security and trust, remote device management will be needed too. More companies will need to manage devices remotely, from wiping an asset remotely if it gets lost or stolen, through to de-provisioning users easily and removing their access rights, when they leave the company. Identity will be a layer cake Zero Trust approaches to security Identity management relies on being able to trust that someone is who they say they are. Zero Trust approaches to security can support this effectively, particularly when aligned with least privilege access models. In order to turn theory into practical easy-to-deploy steps, companies need to use contextual access, as part of their identity management strategy. This involves looking at the context that employees will work in and putting together the right management approach for those circumstances. For typical employee behaviour, using two factor authentication might be enough to help them work, without security getting in the way. How enterprises manage, access and store identity data There will also be a shift in how enterprises manage, access, and store that identity data over time For areas where security is more important, additional security policies can be put over the top, to ensure that only the right people have access. A step-up in authentication can be added, based on the sensitivity of resources or risk-based adaptive authentication policies might be needed. There will also be a shift in how enterprises manage, access, and store that identity data over time, so that it aligns more closely with those use cases. Identity management critical to secure assets in 2022 There are bigger conversations taking place around digital identity for citizenship, as more services move online as well. Any moves that take place in this arena will affect how businesses think about their identity management processes too, encouraging them to look at their requirements in more detail. Overall, 2022 will be the year when identity will be critical to how companies keep their assets secure and their employees productive. With employees working remotely and businesses becoming decentralised, identity strategies will have to take the same approach. This will put the emphasis on strong identity management as the starting point for all security planning.