Telecom Cook Islands uses XINTEC FMSevolution as a cost effective solution to manage their fraud and revenue risk.

“FMSevolution enables us to respond quickly to potential fraud alerts, protecting our revenue stream. This means we can safely expand our products and services to benefit customers.” – Jules Maher, CEO, TCI

The Challenge

Telecom Cook Islands Ltd (TCI) are the sole provider of fixed-line, mobile and broadband services to the Cook Islands. Although a small telecom provider, TCI are regarded in the Pacific as innovative, and are constantly investing in state-of-the-art infrastructure to ensure their customers are receiving world class services. To protect their revenues against high risk fraud such as IRSF, Roaming and others to enable this continued investment, TCI decided to identify a suitable Fraud Management System to suit their budget and provide them with the protection they required.

The Solution

As part of their search for a suitable revenue protection tool, TCI evaluated the XINTEC FMSevolution product, then known as FMSlite. This was perfect for them. It was quick to deploy, low-cost and a solution that was already proven in CSP’s of a similar and larger size to TCI. XINTEC were able to offer a managed service which involved XINTEC analysing TCI’s NRTRDE and other call records for any fraud or high usage indicators. This service was funded from Opex, allowing TCI to retain their Capex for other important network investment that would benefit their customers.

The Result

Once this decision was made by TCI, the XINTEC solution was deployed within days. TCI opted for XINTEC’s Cloud-based solution monitored by XINTEC. Each hour, XINTEC emails usage and hotlist reports to the TCI staff member responsible for fraud management. FMSevolution generates high usage and hot-listed number alarms on receipt of TCI NRTRDE files significantly minimizing their exposure to fraud. With limited resources available, TCI can now be assured that fraud management is one function that will not be overlooked by busy staff with a range of different accountabilities.


Virgin Mobile (France) chooses XINTEC to implement a solution to detect and prevent any irregular or fraudulent activity that could potentially result in a loss of service quality or financial losses to the company.

“Having immediate visibility of our customer data to rapidly identify and eliminate any fraudulent usage in near-real time is essential to the quality of service on our network as we strive to consistently exceed customer expectations.”  – Telecoms Manager, Virgin Mobile France

The Challenge

Virgin Mobile is the largest MVNO in France, providing services to almost 2 million subscribers. Virgin Mobile prides itself on a host of innovative, differentiated and attractive no-strings-attached offerings in a drive to offer more freedom and flexibility to its subscribers. To ensure that customers enjoy an optimal experience when connecting to and using their network, it was necessary for Virgin Mobile to deploy a tool to automatically process and monitor call activity to detect the likes of SMS Spam, Sim Gateways and other network frauds.

The Solution

Virgin Mobile (France), aware that to ensure their customers continued to enjoy an optimal experience of their services end-to-end, they would have to identify a Fraud Management System supplier with a suite of products that would allow them to continue their rapid growth without any reduction in the customer experience they were famous for. Early discussions with XINTEC confirmed that XINTEC’s FMSevolution, along with the Sim Box Detector and SMS Anti-Spamming modules would be a perfect fit for their requirements.

The Result

Once the decision to use XINTEC was confirmed, XINTEC engineers ensured that the solutions provided were a perfect fit for a fast growing and innovative MVNO like Virgin Mobile. Within weeks of receiving this confirmation from Virgin Mobile, FMSevolution and the additional modules were implemented, tested and operational. Virgin Mobile are now proceeding with their strategic priorities in the knowledge that any financial risk associated with their rapid growth is being managed.


Operator-X is an operator in Asia who provides services to both Post-pay and Pre-pay customers, predominantly Pre-pay. During the previous 9 months, constant complaints have been received from Pre-Pay customers that their credit balances have been reduced to $0 following the return of 1 missed call, or by responding to a number sent to them via a text message. Investigation in to these complaints identified large numbers of Wangiri Fraud attacks, typically hundreds of simultaneous attacks occurring 7 days a week. This activity had been ongoing for about 9 months, with over 2000 unique numbers being used by the fraudsters as ‘call back’ numbers.

The volume of customer complaints has been such that a special team have been established within Customer Operations to manage these. Operator-X has taken the stance that most other Operators would also take in respect of Wangiri Fraud. Each customer who has become a victim of this fraud has originated a call to a number they are not familiar with, so under the customer terms and conditions, they are responsible for the cost of that call, and no credit would be given. While Operator-X has suffered no direct financial loss as a result of these ongoing fraud attacks, there are considerable intangible costs associated with increased customer operations costs, an increase in churn by disgruntled customers, and negative brand implications associated with the poor media attention this issue is attracting.

The Fraud team at Operator-X were tasked with finding a solution that would help the business with early warnings of future Wangiri fraud attacks. There is very little budget available to help fund a solution. The Fraud Team were aware of the success PRISM was having in identifying IRSF, so turned to the PRISM developers for help. The 2,000 plus Wangiri Fraud numbers involved in the Operator-X fraud incidents were provided to the PRISM developers, however only a small number of these were identical to numbers within the PRISM database as it was at that time. (At this time the PRISM database contained around 20,000 IPR Test Numbers).

The PRISM developers recognised that the International Premium Rate numbers used by number resellers were generally held in number blocks of up to 100 sequential numbers. They then developed a second database, using the existing PRISM numbers as a baseline, and replaced the last 2 digits of each number with wildcards. The 2000 plus Wangiri numbers from Operator-X were again analysed using the Wangiri Wildcard database, which now contained over 1 million numbers. This Wildcard database successfully identified 53% of the numbers used during these Wangiri attacks.

Operator-X (and other PRISM customers) are now using the PRISM Wildcard database as a key defence against Wangiri Fraud. Now that the PRISM database contains over 44,000 IRSF Test Numbers, the Wildcard database has now increased to over 2 million numbers. The simple rules that are applied in the FMS in respect of the Wildcard Database are related to both inbound and outbound calls. Inbound call alerts are generated when >10 incoming calls are identified from PRISM wildcard numbers to one or more customers within a 5 minute period. Or, for outbound calls, alerts are generated when 5 or more calls from 1 or more customers are identified to PRISM Wildcard numbers within a 15 minute period. Either of these alerts will warn Operator-X to a likely Wangiri Fraud attack, and if confirmed, allows them to block the Wangiri numbers or take other action to protect their customers.

Access to both the PRISM and the PRISM Wildcard database has proven to be an effective, inexpensive and easily accessible early warning tool for both IRSF and Wangiri Fraud. With updates every 6 to 8 weeks to the database numbers, users can be assured that the contents are current and up to date with new numbers added by the IPRN Resellers.



International Revenue Share Fraud (IRSF) has been responsible for hundreds of millions of dollars’ worth of fraud losses to the telecommunications industry over many years. Despite a lot of work by Carriers and supporting organisations over the past 8 or 9 years, the problem remains, and is likely to remain for at least a few more years before there is some agreement within the industry to take what actions are required to prevent a carriers revenue from finding its way into fraudsters pockets.

There have been a number of initiatives which have been successful at reducing the impact (value) of individual incidents of IRSF, such as NRTRDE and ‘Hot number range databases’, however the incidents of IRSF continue to grow, mainly with a shorter timeframe but still with significant fraud losses. The number of International Revenue Share number resellers also continues to grow, and we are aware of over 115 of these currently, which is a +500% increase since 2009. It is important to state that not all number resellers are fraudsters. Some are legitimate businesses offering numbers for content services, tele-voting etc, and these provide a reasonably safe revenue stream. However there are many others who openly encourage fraud and will provide their numbers to anyone with little concern about how these callers are going to pump traffic into them.

Most International Revenue Share number resellers will provide a schedule of ‘Test Numbers’ on their websites, some available for a visitor to their website to access, and others requiring a visitor to complete a registration process before these test numbers can be viewed. Typically, if a potential customer (or fraudster) wishes to do business with a number reseller, he must first confirm that the country and number range he wishes to call is accessible from the country he is calling from, and from the device he intends to use. This may for example be a stolen GSM handset with a UK Simcard roaming in Spain and wanting to call Somalia, or a compromised PBX in the Philippines through which he wishes to transfer calls to Gambia.

This potential customer (or fraudster) will use one of the number providers test numbers to confirm the routing he requires is possible. Once confirmed, the customer (or fraudster) will then make application to the number provider for 1 or more revenue share numbers at that location which he can use on a revenue share basis. Generally, this will not be the test number, as this goes back to the number providers Test or Rate Card for use by the next person looking for access to that country. Many number providers will change these test numbers frequently, often at least every few months. The numbers may not be discarded, but handed back to the number providers ‘wholesaler’ who may re-issue the test numbers to another of their resellers.

There is often a time lapse of 15 minutes to 3 hours between the time the first call to a test number is made and the IRSF actually commences. This allows the fraudster to make contact with the Number Reseller, obtain revenue share numbers at that location, check that this number works, set up call diverts or international call forwarding etc. He may also want to allow time for other members of his criminal gang to get to different parts of the city so that their use of multiple SIMs may not be obvious from one cell site.

The time lapse between these test numbers being called and a full scale IRSF attack commencing provides a great opportunity for fraud detection, assuming that these test numbers are known.

These test calls are generally easy to identify when analysing call records from an IRSF attack. They will be short calls, between 1 and 10 to the same or similar numbers, before the traffic inflation starts. Often there will be further test calls during an IRSF attack, and these will be terminated to test that a new number range the fraudster wishes to use is also available from their location and calling device.


Mobile Phone Theft Cap – a new opportunity for Fraudsters?

“A cap on mobile phone bills run up by thieves after handsets are stolen will bring relief to millions of consumers, campaigners say.

Five service providers – EE, O2, Three, Virgin Media and Vodafone – say the £100 cap will be activated providing the phone is reported lost or stolen within 24 hours of it going missing.”

Following a certain amount of pressure from Government and Community Groups such as Citizens Advice and others, five UK Service Providers have now agreed to a £100 cap on charges customers are responsible for if their phones are stolen and used fraudulently, providing the phone is reported stolen within 24 hours of the theft being discovered.

This announcement was made through the UK media on Sunday 22 March 2015, but what seems unclear, is when the ‘clock starts ticking’ in respect of the 24 hour period a customer has to report their mobile stolen to their home network. Many hours can pass between the time a first fraudulent call is made from stolen handset, and the customer actually becoming aware that the phone has been stolen. There is no doubt that Government and Consumer Protection groups will insist that this 24 hour period starts from when the customer discovers that the phone has been stolen. Even assuming that all customers who are victims of theft will be honest when providing the date and time a theft was discovered, it is reasonable to assume that the time between a handset theft occurring, and the theft being reported, could increase to 36 hours or more.

What is clear from the announcement is that this provides yet another opportunity for the fraudsters. We are already well aware that some tourists in Barcelona are being offered up to €500.00 for their mobile phones on the condition that they report them stolen when they get back to their home country. Obviously there was a certain amount of risk associated with this for the tourist, who may find their mobile provider expects them to pay for any fraudulent charges incurred after the phone was ‘stolen’. Now they know that provided they are with a CSP who is a signatory to this agreement, their liability will not be capped at £100.00.