Voicing concerns: the continuing fight against voice fraud

On 09-01-2024

Voice remains a key communication channel across many industries and for consumers. But it’s increasingly under pressure from OTT apps and other threats – including fraud. Types of voice fraud have never been more sophisticated and wide-ranging. All the more reason to fight back with the most advanced solutions. 

Today, 75% of operators say the volume and impact of fraudulent traffic have either increased or stayed the same compared with 2022. The three main types of voice fraud today are international revenue share fraud (IRSF), caller line identification (CLI) spoofing, and origin-based rating (OBR) fraud. They both hit operator revenues and put members of the public in harm’s way, financially and emotionally.

In this article, we will investigate the three main types of voice fraud, the impact they have, and what Orange Wholesale is doing to fight back against them and protect end customers.

International revenue share fraud (IRSF)

IRSF is the biggest of the various voice fraud types, both in terms of volume and value. IRSF refers to fraudulent actors exploiting international premium rate numbers (IPRN), and inflating traffic to them to generate revenues that should be going to telecom operators.

Fraudsters set up fake premium rate numbers and then make high volumes of calls or send masses of SMS messages to these numbers, typically using botnets, servers running stolen SIM cards, or Ping calls. They receive a share of the revenue generated from these calls and the telco is left with the financial burden of paying the termination fees for the international calls. According to the GSMA, “IRSF costs the industry billions of dollars every year” and fraudsters are generally difficult to identify.

How to defend against IRSF

Checking valid numbers is no longer enough

Historically, it was thought IRSF fraudsters exploited unallocated numbers, so telcos believed that by cross-checking incoming CLIs against numbering databases to confirm they were valid, they could detect and block these fraud attempts. However, recent GSMA research shows that 90.99% of attacks in 2023 have been via valid numbers.

Updating numbering plans is clearly not enough; it might slow fraudsters down, but it doesn’t stop them altogether. An effective defense against IRSF attacks requires continuous monitoring, real-time threat intelligence analysis, and reactive countermeasures.
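The contrast between a numbering-plan validity check and traffic monitoring, as an added example (not Orange Wholesale's tooling): a rule-based sliding-window detector run over constructed call detail records. The record layout, the allocation table, the `+999` test numbers and every threshold are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed allocation table standing in for a numbering-plan database.
ALLOCATED_PREFIXES = ("+99955", "+99820")

# Constructed CDRs: (start_epoch_s, a_number, b_number, duration_s).
CDRS = (
    # 20 calls in 10 minutes from one caller into one premium-rate range
    [(t, "+99820000001", "+99955501%03d" % i, 110)
     for i, t in enumerate(range(0, 600, 30))]
    # ordinary traffic from another subscriber
    + [(50, "+99820000002", "+99955509123", 240),
       (4000, "+99820000002", "+99820000777", 60)]
)

def is_allocated(number):
    """Numbering-plan check: does the number fall in an allocated range?"""
    return number.startswith(ALLOCATED_PREFIXES)

def irsf_bursts(cdrs, prefix_len=9, window_s=900, min_calls=10, min_total_s=900):
    """Return {(caller, destination range): time of first alert} for pairs whose
    traffic inside a sliding window reaches both thresholds (assumed values)."""
    window = defaultdict(deque)   # key -> (start, duration) of calls in window
    total_s = defaultdict(int)    # key -> summed duration of those calls
    alerts = {}
    for start, a_number, b_number, duration in sorted(cdrs):
        key = (a_number, b_number[:prefix_len])
        window[key].append((start, duration))
        total_s[key] += duration
        while window[key][0][0] < start - window_s:   # drop expired calls
            total_s[key] -= window[key].popleft()[1]
        if (key not in alerts and len(window[key]) >= min_calls
                and total_s[key] >= min_total_s):
            alerts[key] = start
    return alerts

if __name__ == "__main__":
    print("all called numbers allocated:", all(is_allocated(c[2]) for c in CDRS))
    for (caller, dest_range), when in irsf_bursts(CDRS).items():
        print(f"ALERT t={when}s caller={caller} range={dest_range}*")
```

Every called number in the sample passes the allocation check, yet the burst into one range is flagged by the tenth call.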

Staying ahead with artificial intelligence and machine learning

The Orange Wholesale Hubbing solution is designed to combat the threat of IRSF. It’s built on an innovative and proprietary AI and machine learning (ML) technology - Khiops - that delivers anti-fraud capabilities through powerful call detail record (CDR) data analysis. It drastically reduces IRSF by greatly minimizing the time it takes to analyze information, prepare data, and block fraudulent traffic. And because it is built on AI and ML, it continuously learns and adapts its fraud models to new threats, pre-empting the new approaches developed by fraudsters.

CLI spoofing

CLI spoofing, also known as caller ID spoofing, refers to replacing the calling number with one that isn’t the real originating number, in order to mislead every actor in the value chain, including the recipient. More simply, it means altering the caller ID to something other than the actual calling number. Through it, fraudsters can ‘spoof’ a genuine number and fool the recipient into thinking they’re being contacted by their bank, a government agency, or some other legitimate business.

Ultimately, it’s about tricking people into giving up sensitive personal data, like bank account or login details. So, while CLI spoofing doesn’t directly cannibalize telco revenues, it exploits end customers, and by extension negatively impacts telco brand reputations.

CLI spoofing has increased with VoIP: VoIP stack vulnerabilities are more exposed to fraudsters because VoIP can be used from numerous and easily accessible devices (computer, SIM card, ...), which multiplies the attack surface. In addition, the arrival of new voice players, less trustworthy and more vulnerable to attack than the historical operators, has caused some security breaches. Even today, some weaker players find it difficult to protect themselves against skilled scammers. According to the Global Leaders' Forum (GLF), in the VoIP era, “Scammers can easily manipulate and falsify caller ID information, exploiting the vulnerabilities presented by this technology”, and nearly 50% of carriers say they experience “high” levels of CLI spoofing. If you’re reading this, it’s quite likely you know someone who has been a victim of CLI spoofing, perhaps an elderly relative or just someone who was busy, distracted and an ideal target for malicious fraudsters.

Combatting CLI spoofing

Updated numbering plans

Challenges around CLI spoofing relate to numbers themselves and their availability and legitimacy. In Europe, the US, and most major Asian countries, numbering plans are typically published on regulators’ websites, making it easy to check if a number is valid or not. But elsewhere, numbering plans aren’t updated often enough to be reliable. An i3F working group has an initiative underway to facilitate accurate, up-to-date information on numbering plans for international voice and other services.

Artificial intelligence

It’s difficult to identify CLI spoofing attempts, because fraudsters are clever and disguise themselves using real numbers. The challenge is working out whether the use of that number is fraudulent or legitimate. Obviously, operators don’t want to block legitimate traffic, which would put revenues at risk and degrade customer experience. Protecting end customers from CLI spoofing needs a proactive strategy and advanced technology. AI can help here by studying traffic and identifying abnormal behavior patterns.


The STIR/SHAKEN protocol is an interesting development: it’s a framework of technical protocols and procedures providers can use to authenticate an originating caller ID. STIR stands for Secure Telephone Identity Revisited and SHAKEN stands for Signature-based Handling of Asserted Information Using Tokens. It ensures that calls transported over networks have their caller ID “signed” as legitimate by the originating carrier, and then validated by other carriers in the chain before the call reaches the recipient. STIR/SHAKEN helps verify the number displayed on caller ID and makes it harder for fraudsters to spoof numbers.
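What "signed" and "validated" look like in data terms, as an added example (not Orange Wholesale's code): the header and claim checks a verifying carrier applies to a SHAKEN PASSporT token, using the field names from RFC 8225 and RFC 8588. The sample token, the phone numbers (fictional 555-01xx range), the certificate URL and the 60-second freshness window are assumptions, and signature verification is deliberately left out.

```python
import base64, json

def _enc(obj):
    """JSON-encode, then base64url without padding, as JWS does."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def digits(tn):
    return "".join(c for c in str(tn) if c.isdigit())

def make_sample(orig, dest, iat, attest="A"):
    """Constructed PASSporT; the third part is a placeholder, not a signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.org/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest]}, "iat": iat,
              "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    return ".".join((_enc(header), _enc(claims), "cGxhY2Vob2xkZXI"))

def check_passport_claims(token, sip_from, sip_to, now, max_age_s=60):
    """Header and claim checks only. Verifying the ES256 signature against the
    certificate referenced by x5u is a separate, mandatory step not shown."""
    try:
        h64, p64, _sig = token.split(".")
        header, claims = _dec(h64), _dec(p64)
        orig_tn, dest_tns = claims["orig"]["tn"], list(claims["dest"]["tn"])
        iat = int(claims["iat"])
        if not isinstance(header, dict):
            raise ValueError("header is not a JSON object")
    except (ValueError, KeyError, TypeError):
        return ["malformed PASSporT"]
    problems = []
    if (header.get("alg"), header.get("typ"), header.get("ppt")) != (
            "ES256", "passport", "shaken"):
        problems.append("unexpected header")
    if not header.get("x5u"):
        problems.append("missing x5u")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("invalid attestation level")
    if digits(orig_tn) != digits(sip_from):
        problems.append("orig.tn does not match the SIP caller ID")
    if digits(sip_to) not in [digits(t) for t in dest_tns]:
        problems.append("dest.tn does not include the called number")
    if abs(now - iat) > max_age_s:
        problems.append("iat outside freshness window")
    return problems
```

A token lifted from one call and attached to another with a different caller ID fails the `orig.tn` comparison, and a replayed token fails the freshness check.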

STIR/SHAKEN began life in the US, and other regulators around the world are working to develop their own versions of it. However, as things stand there is no worldwide harmonization of the approach, though the i3F and MEF are working towards common standards and rules. Until there’s a more global approach, an international carrier like Orange Wholesale would need to comply with each national version of STIR/SHAKEN. Today, we comply with the US version, the only fully operational version to date. And we are monitoring the progress of the different countries to be ready when another one goes live.

Origin-based rating (OBR) fraud

OBR fraud, also known as A-number billing fraud, refers to a call’s origin being manipulated or misrepresented to avoid higher charges that can occur in certain geographic locations or networks. It is a variant of CLI spoofing. It’s typically carried out using SIM-boxes, a technology that routes connections back into the network as local calls, altering the signaling information using hundreds of low-cost or free SIM cards, themselves obtained using fake or legit IDs (A numbers).

OBR can cause significant revenue loss for operators. Operators only receive revenues for the national part of the call and the fraudsters steal the international revenue. On top of the financial side, OBR also undermines the integrity of the telecoms industry and can create poor call quality and service disruptions.

Fighting OBR fraud

This variation of CLI spoofing is most often perpetrated using a “SIM box”. Orange Wholesale has anti-fraud tools designed to identify fraudulent traffic and the SIM cards being used to carry out the fraud. When we’ve identified a threat, we notify the destination operator in question so they can deactivate SIM cards in their network, or if they're on another local operator, start the process with regulators to disable them.

We’re proactive when it comes to identifying malicious SIM-boxes too. Not only does our solution run simulated calls designed to nail fraud and identify where traffic is going, but we also change simulated traffic parameters on a regular basis to avoid attracting attention from fraudsters. It's a game of cat and mouse: if fraudsters feel we are on to them, they are able to adapt too and change tactics. We have to always stay one step ahead.

A continuing fight to keep consumers and revenues safe

Combatting voice fraud is something all operators should take seriously. Businesses and end customers still rely on voice for lots of reasons, and fraud impacts telco brand image as well as revenues.

Orange Wholesale is committed to the issue, and we design our solutions with security features embedded in them to minimize or prevent the impact of voice fraud. We work closely with international bodies like i3F and MEF to help define standards and collaborative approaches that drive the industry towards truly global protection. We’re also investing heavily in new detection techniques, leveraging AI, to stay ahead of fraudsters. 

We have proof points too: Orange Wholesale is one of the few operators attested as compliant with the GLF Code of Conduct this year and we won the Global Carrier Awards 2022 Best Anti-Fraud Innovation prize. Research has shown that telecommunications fraud increased 12% in 2023 from its level in 2021, with an estimated $39 billion lost to fraud. It’s a continuing fight, but one we intend to keep winning.
