Want to understand Billing better?
Signup for Early Access to my Udemy Training Course on Billing based on my book 'Billing for Business Networks'.

Subscribe to my newsletter


Billing Fraud Detection Using Called Numbers

Fraud occurs on phone networks, and when detected, it is closed down and stopped on the phone numbers on which it was detected. But how can the same bad actors / fraudsters be detected if they start up on new fraudulently obtained phone numbers, or have other existing phone numbers on the same network?

Three aspects that can raise the 'suspicion of fraud' against a new, or an existing, phone service:

  • Who a person says they are, and the similarity to prior frauds.
  • Where a person says they 'live' (their address(es)), and the similarity to other addresses where fraud has taken place.
  • What a person does from that phone service, and the similarity to other services that were identified as fraudulent.

This column focusses on the third aspect concerning the calls made on a phone service and their similarity to past fraud.



Using Called Numbers

Telecommunication companies use the phone numbers that people dial to drive their billing systems. That is, different prices may be applied for local, mobile and international call destinations, and calls to different service types such as information lines. Thus called number information is readily available, and forms a list of 'who-called-who' that can be examined to detect indications of fraud within the biller's broader subscriber base.

The size of today's telecom companies, and the number of transactions performed per subscriber, means that subscribers cannot be examined for fraud manually. Automated solutions must be applied. The raw data that will be processed in this processing includes all outbound calls made from a service over an extended time period. The data per transaction is relatively 'small' (A-Party, B-Party, Date, Billing Account), though the number of transactions are very large (e.g. 100's millions to billions of calls per month depending on the telecom company's size). The transactions stored would include all phone calls, but can also include transactions that indicate a relationship between phone numbers, such as SMS.

What is important is not the content of the call or SMS, but the relationship between the numbers. This 'metadata' can be used to show the similarity of calling patterns.

When a Fraudulent Number is Found

When a phone number is found to be part of a fraud, the details of who they called forms a 'signature' of their commonly called numbers. Different people have different called number patterns because the people and organisations in their lives are different. People generally have low overlap in who they call because of the differences in areas such as:

  • Family contacts
  • Friendship groups
  • Work phone numbers
  • School phone numbers
  • Local businesses such as takeaway food (e.g. pizza), and 'favourite' restaurants'

All phone services will call some numbers on a one-off basis, but these will not be important to signalling a possibly fraudulent phone service. It is the regular calling of the same, popular numbers, that generates a signature that shows 'similarity' between what is done on a phone service. The addition of the one-off called numbers does not disguise the underlying 'popular' numbers.

When a phone number's use is found to be fraudulent, then the details of who they have called can be reviewed to find their 'popular' numbers and build a signature used to look for similar calling patterns.

Since the detection of a fraud against a service cannot be predicted, details of all phone calls / transactions performed can be retained (in a secure location) for subsequent use in fraud detection. A biller's fraud system may already contain these details, and so it may just require the implementation of additional processing against this existing data.

Rather than retaining all call details for all time, billers may find that retaining details for a limited period (say 6 or 12 months) provides the bulk of the 'fraud detection' capability without the ever growing storage and processing cost of retaining transaction details 'forever'. As well, phone numbers are reused over time as people and businesses move, and this will reduce the effectiveness of these in 'calling pattern' detection.


Regular calling of the same numbers generates a signature.

The first step is to review the biller's existing customer base looking for phone services that have similar calling patterns. That is, their 'signature' aligns with one recently discovered to contain fraud.

Finding Numbers To Review For Fraud

Armed with the signature of a fraudulent phone service, there are two streams of processing that can be performed:

  • Looking at the existing customer base
  • Looking at future (new) customers

In this processing, the assessment being made is the 'degree of similarity' as indicated by the overlap of 'popular' called phone numbers.

Looking at the existing customer base

The people behind a fraudulent phone service may already have other phone services on the biller's network. The first step is to review the biller's existing customer base looking for other phone services that have the same or similar calling pattern. That is, that their 'signature' aligns with one recently discovered to contain fraud.

This processing will require that the entire repository of saved numbers is processed comparing new fraud signatures to those of the customer base in general. By performing this examination, other services setup earlier by the fraudsters may be detected, or at the least additional phone services 'of interest' may be found and reviewed.

Innocent family members of fraudsters may be identified by this search since their calling patterns will be similar to those seen in the fraud because they make calls and SMS within the same 'family group'.

Looking at future (new) customer

When a fraudster has been disconnected from a biller's network they may try to reconnect a 'new' service using different credentials, or say that they live at a different address, but if they call the same people and businesses, their calling patterns will end up being similar.

For this reason, the calling patterns of prior fraud can be processed periodically against the stored transactions looking for the reappearance of the same fraudsters. If a fraudster establishes a new phone service and calls their closest family and friends then their called number pattern will likely match a called number 'fraud signature' and be detected. This can occur relatively early at low call volumes since the 'numbers called' is the measure being employed.

The periodic reprocessing must allow the phone transactions to be performed, and so might be performed weekly (say over the weekend) generating a fresh list of candidates for review in the following week.

Refining the Process

There are a number of refinements that would ideally be included to reduce the 'noise' in the review candidates are generated. The refinements avoid burying new targets for review within lists that include old targets. This allows the list of new fraud candidates to stand out and have less false negatives (not fraud), allowing confidence in the detection process to build, and avoids wasting the time of those performing the reviews.

Refinements include:

  • Exclude previously reviewed candidates: When a phone service has been reviewed and found not to be a fraud risk, then exclude them from future lists. This could be embellished to exclude some people for a (short) period of time before making them eligible once again for 'detection'. An example might be family members of a fraudster, or cases where fraud is suspected but not enough evidence is available. This approach avoids their phone services from being excluded 'forever'.
  • Exclude popular numbers: Some phone numbers are called by a large percentage of the population and don't contribute much of a 'signature signal'. e.g. central freecall numbers for airlines and pizza delivery. By excluding these numbers from signature processing, the focus is more on a person's common 'family and friends' rather than their shared use of airlines and pizza delivery.
  • Consider second degree calling: Review the efficacy of who the called services also call. This further analysis would need to demonstrate that on review it highlighted 'real' fraud candidates, and did not just create a list of false positives (not fraud).

The refinements selected and effective will be biller-specific, and will depend on the benefit that additional data and / or exclusions brings. Additional data sourcing, processing and the data retention required will also form part of the 'cost' versus 'benefit' trade-off that will need to be evaluated.

Further Reference: Patent WO9423528 'Fraud preventing method for a communication network' - This relates to debt management in a communications network and particularly, but not exclusively, to the detection of customer accounts obtained by fraud.

First published by

- 31 March 2014



Other 'purebill' columns

Previous column: How Does Payment Allocation Work?


Want to understand more about Billing?

  • Billing for Business Networks introduces the key concepts of billing without requiring knowledge of a particular billing software vendor or industry-specific experience.
  • This introductory book describes the end-to-end billing process using billing examples familiar from everyday life.
  • Available in PDF (perfect for printing), and the most popular electronic book formats of .epub (iBook on iPhones and iPods) and .mobi (Kindle).
  • Sample Chapters + Book Index: Download a FREE sample of the book's chapters and the detailed Table of Contents.
image of book: Billing for Business Networks


Looking for Online Training?
Signup for Early Access to my Udemy Training Course on Billing based on my book 'Billing for Business Networks'.

Subscribe to my newsletter


Recent Posts on purebill.com

» Processing Disputed Charges - Whilst most bills are accurate and accepted by customers, some customers will want to query or contest the charges appearing on their bills.

» Using Bundling and Differentiated Pricing - Using bundling and applying different pricing by market segments, billers can realise the most for their products and services.

» Business Practices Implemented Through Pricing - The price billers charge for their products can influence customer's consumption behaviour by increasing or decreasing their likelihood to purchase.

» Billing Pricing Models: Explaining Customer Impacts - Biller’s decisions about how they charge for their products and services result in pricing models that influence both a biller’s processing complexity and customers' behaviour.

» Billing Addresses - A billing application uses addresses in a wide variety of roles to describe the source locations of incoming transactions (from the network), details about the customers (and their representatives) who are billed, and the destinations to which the outputs from billing will be sent.

» Using Taxation Details Within Billing - Where governments tax the business domain being billed, the billing system will be a key calculation point since taxes are likely to be calculated on the finalised amounts after all rating / pricing has been performed, and after any discounts have been applied.

» Fraud Detection: Using Called Numbers To Find New Targets - Fraud occurs on phone networks, and when detected, it is closed down and stopped on the phone numbers on which it was detected. But how can the same bad actors / fraudsters be detected if they start up on new fraudulently obtained phone numbers, or have other existing phone numbers on the same network?

» Using Billing Notes and the Contact History - Billing applications make ‘contact’ with the biller’s customers each time a bill or reminder notice is sent, and whenever customers ring or email the biller’s staff with billing-related inquiries and requests. A billing note is one mechanism for capturing the key details of these customer / biller interactions. When a customer contacts the biller subsequently, the biller’s staff can review the customer’s prior contacts by looking at the notes that were recorded.

» How Does Payment Allocation Work? - Payment allocation is the association of credit amounts, such as new payments and adjustments, against a customer's outstanding debts (e.g. unpaid bills / invoices). There are different approaches for allocating credits against the customer's outstanding debt(s).

Book Pic

My Book on Billing

My introductory book, Billing for Business Networks, describes the end-to-end billing process using vendor-neutral explanations.

Details of the Book »


Stephen Jones

Stephen Jones is a consultant who has focused specifically on Billing and related processes for over twenty years. Recent work has included relating a major telco's billing with inbound call centre logs for Call Centre Analytics.

More about Stephen Jones »


Other Publications by Stephen

I contributed an essay on testing design assumptions in the O'Reilly book 97 Things Every Software Architect Should Know. This book was written in an 'open source' style with more than four dozen authors. The original essays of the axioms / koans / advice can be viewed on the project's wiki.


Summary Feed

Full Text Feed


@stepj (Stephen Jones)


Enter your email address to follow changes and receive notifications of new posts by email.

Your Email Address

You will be returned back to this page, and an opt-in confirmation email will be sent.