As Telcos expand and strive to provide more comprehensive service offerings, they are faced with growing challenges to secure the numerous channels fraudsters can target. Some of the most common scams being encountered on a regular basis now include ID fraud during subscription, SIM swap fraud and international revenue sharing fraud (IRSF).
There are many factors driving the rise in fraud attacks, including:
- Mobile device subsidy model
- Data breaches across various Internet sites
- Increasing use of mobile phone for authentication
The mobile device subsidy model that is widely used by Telcos means that customers receive an expensive device upfront with very little financial outlay. This device can then be resold for a high profit margin for the criminal, making it an attractive target.
Data breaches and identity theft across many different businesses and sites on the Internet give criminals the information they need to steal or fake IDs, making ID fraud even easier. These data breaches make personally identifying information a commodity on the Dark Web, where it is often sold to criminals to enable an account takeover or to provide sufficient information to steal a genuine ID, resulting in synthetic ID fraud. It is possible, for example, to purchase a fake driving licence on the Dark Web for only $70 or full credit card details for as little as $12 each. These items can then be used to defraud mobile operators.
Many different businesses and services, especially mobile banking, now use a mobile number as a second means of authentication, making theft of SIM numbers an even more valuable prospect for fraudsters.
A recent example of smishing fraud that affected the Bank of Ireland saw fraudulent texts dropped into genuine text threads from the bank. These texts appeared as if they were genuine but in reality had nothing to do with the bank. Bank customers were being asked to follow a link to a fake website to order a new bank card and to enter their relevant details, which then allowed the fraudsters to steal from their accounts.
There is a drive towards improved customer onboarding and reduced friction at the subscription stage. This streamlined approach is becoming standard practice in many industries and Telcos are under pressure to provide the same kind of streamlined service that customers expect. This raises a challenge in detecting subscription fraud without impacting the customer journey for the genuine customers.
This type of fraud often involves identity theft or the use of fake ID at point of sale. Once a fake subscription is established, the fraudster not only has access to a valuable device but also has the potential to run up large call debts, for example using the IRSF fraud detailed below. They also have access to a wide range of other services including mobile financial services such as mobile banking and mobile payment.
When a customer walks into a retail store to sign up for a subscription or purchase a bill-pay phone, they are typically asked to provide ID documents along with proof of address. Identity verification is often carried out manually by a sales assistant at the point of sale, but this approach is often ineffective and can be open to abuse. If a fake ID is supplied, it may be some time before the fraud is uncovered, leaving the fraudsters plenty of time to take advantage.
SIM Swap Fraud
In this type of fraud, criminals use fake IDs to gain access to a legitimate subscriber’s SIM card. They can then use this SIM to authenticate transactions with the real subscriber’s bank or even access their email or other secure accounts. This can result in huge cost and major inconvenience for the unfortunate individual who is the victim of this type of attack. They can also use this to take part in IRSF fraud, running up enormous bills.
According to Europol, International Revenue Sharing Fraud is one of the most damaging fraud schemes to date. The key characteristic is a high volume of international calls, often with long duration, to a single high-cost destination, typically countries outside of the EU. As the connection is fraudulent, the originating Telco has to pay and carry that loss.
This is how it works: a criminal partners with an International Premium Rate Number provider that charges high rates for call termination and agrees to share revenue for any traffic to the number. Some calls are automatically generated by the fraudsters using stolen SIM cards or with a fraudulent account set up using a fake ID. Some of the calls can also be made by genuine consumers who are tricked into making the call using a scam known as the Wangiri fraud.
In the Wangiri scam, a genuine customer gets a phone call, often in the middle of the night, which rings once and then disconnects. The victim of the scam may then ring the number back without realising they are incurring a high charge to the premium number.
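The two call patterns described above can be checked for in call detail records. The following is an added example, not code from the article or from PlanetVerify: the record layout, function names and thresholds are assumptions, and `+999` is a placeholder prefix standing in for an operator's own list of high-cost destinations.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_COST_PREFIXES = ("+999",)  # placeholder, not a real premium-rate range

def t(hhmm):  # timestamps for the constructed sample below
    return datetime(2020, 10, 1, int(hhmm[:2]), int(hhmm[3:]))

# Constructed CDRs: (start, subscriber, other party, direction, seconds connected)
CDRS = [
    (t("02:00"), "sub-A", "+999100200", "out", 1500),
    (t("02:05"), "sub-A", "+999100200", "out", 1700),
    (t("02:10"), "sub-A", "+999100200", "out", 1600),
    (t("02:15"), "sub-A", "+999100200", "out", 1800),
    (t("03:00"), "sub-B", "+999555000", "in", 0),     # one ring, then disconnect
    (t("03:04"), "sub-B", "+999555000", "out", 240),  # subscriber calls back
    (t("09:00"), "sub-C", "+353100000", "out", 300),  # ordinary call
]

def irsf_suspects(cdrs, window=timedelta(hours=1), min_calls=3, min_seconds=3600):
    """Subscribers with many long outbound calls to one high-cost destination."""
    by_dest = defaultdict(list)
    for start, sub, other, direction, secs in cdrs:
        prefix = next((p for p in HIGH_COST_PREFIXES if other.startswith(p)), None)
        if direction == "out" and prefix:
            by_dest[(sub, prefix)].append((start, secs))
    flagged = set()
    for key, calls in by_dest.items():
        calls.sort()
        lo = 0
        for hi in range(len(calls)):
            while calls[hi][0] - calls[lo][0] > window:  # slide the window start
                lo += 1
            total = sum(s for _, s in calls[lo:hi + 1])
            if hi - lo + 1 >= min_calls and total >= min_seconds:
                flagged.add(key)
    return sorted(flagged)

def wangiri_callbacks(cdrs, callback_window=timedelta(minutes=30)):
    """Outbound calls to a high-cost number soon after an unanswered call from it."""
    missed, hits = {}, []
    for start, sub, other, direction, secs in sorted(cdrs):
        if not other.startswith(HIGH_COST_PREFIXES):
            continue
        if direction == "in" and secs == 0:
            missed[(sub, other)] = start
        elif direction == "out" and start - missed.get((sub, other), datetime.min) <= callback_window:
            hits.append((sub, other, secs))
    return hits
```

On the constructed sample, `sub-A` is flagged for the burst of long calls and `sub-B` for the callback; in practice the thresholds would be tuned against each subscriber's normal calling behaviour.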
Customer confidence and regulations
Along with the need for increased online identity verification, regulatory requirements and customer confidence are also becoming important factors for Telcos to consider. The way personal data is collected, stored and reviewed is under increased scrutiny and Telcos are obliged to keep up with ever-changing policies and regulations.
Although consumers want and expect customer friendly and streamlined services, concerns around data security are also gaining momentum. International standards and regulations such as GDPR and CCPA provide consumers with greater control over how their data is collected and managed. Anti-money laundering regulations also require actions to combat money laundering and terrorist financing, rolling out tougher penalties and liabilities for non-compliance.
In Europe and across the globe, data protection laws are becoming stricter and compliance is an essential part of any business operating under the new regulations. While many of these laws agree on the broad terms of data protection, each implements these protections in its own way. Other notable regulations include Brazil’s LGPD and CCPA in California. Meanwhile in the US, several states including Nevada, New York, Texas, and Washington, are considering passing their own data protection laws. India, Canada and Australia are also considering new data protection regulations.
The DLA Piper site offers a useful way to compare the data privacy legislation of various countries around the world. It’s clear that although the regulations vary from region to region, the issue of taking data and privacy concerns seriously is a growing concern worldwide.
According to the Irish Data Protection Commission’s Annual Report for 2019, there were 7,215 complaints received in 2019, representing a 75% increase on the total number of complaints received in 2018. Fines for failure to comply with legislation are also increasing across the EU, from €400,000 in June 2018 to a shocking cumulative total of more than €526 million by Oct 2020. Some notable examples of recent fines include:
- UK fined DSG Retail Limited £500,000 after a ‘point of sale’ computer system was compromised.
- A UK pharmacy, Doorstep Dispensaree, fined £275,000 for “careless” storage of patient data.
- British Airways fined £182m for a large data breach due to a cyber hack.
- H&M in Germany fined €35.3m for breaching GDPR rules.
- Google fined €50m for breaching the General Data Protection Regulation in France.
Cost of fraud
Telcos are subject to significant costs as a result of fraud and this is a cost that keeps growing every year. The activities of fraudulent criminals result in billions in lost revenues every year, with the proceeds being used to finance organised crime and terrorism. According to the 2019 Cyber Telecom Crime report by Europol, “The annual cost of telecommunications subscription fraud is estimated by some to reach up to more than US$12 billion, while others foresee the actual losses to be far greater, estimating it to be between 3 percent and 10 percent of the operators’ gross revenues.”
The report, which presents a comprehensive technical guide for stakeholders in the telecoms industry, explains how telecom fraud works, outlines the most common forms such fraud takes and provides suggestions to telecom companies for how they can detect and prevent criminal activity.
Telcos are operating in an ever more complex and changing environment with increasing challenges in the area of both fraud and personal data compliance. At the same time, they must keep a close eye on the level of consumer friction that may be added to cope with these vital issues, so as not to undermine the entire business model they operate within.
This is where PlanetVerify can help. Through their years of experience working with Telcos and the in-depth knowledge of the sector on the board/team, PlanetVerify have developed and tailored their platform solution to optimise that critical balance between minimal friction and fraud reduction.
All of this is accomplished on the foundation of PlanetVerify’s pedigree of data compliance, ensuring through its sophisticated personal data management platform that mobile operators can seamlessly ensure full compliance with the most stringent data laws such as GDPR, CCPA, NY Privacy Act, etc.
If you’d like to know more about how PlanetVerify can cut your fraud costs along with maximum operational efficiency, we’d love to talk to you.