Fraud occurs on phone networks, and when detected, it is closed down and stopped on the phone numbers on which it was detected. But how can the same bad actors / fraudsters be detected if they start up on new fraudulently obtained phone numbers, or have other existing phone numbers on the same network?
Three aspects that can raise the 'suspicion of fraud' against a new, or an existing, phone service:
This column focusses on the third aspect concerning the calls made on a phone service and their similarity to past fraud.
Telecommunication companies use the phone numbers that people dial to drive their billing systems. That is, different prices may be applied for local, mobile and international call destinations, and calls to different service types such as information lines. Thus called number information is readily available, and forms a list of 'who-called-who' that can be examined to detect indications of fraud within the biller's broader subscriber base.
The size of today's telecom companies, and the number of transactions performed per subscriber, means that subscribers cannot be examined for fraud manually. Automated solutions must be applied. The raw data that will be processed in this processing includes all outbound calls made from a service over an extended time period. The data per transaction is relatively 'small' (A-Party, B-Party, Date, Billing Account), though the number of transactions are very large (e.g. 100's millions to billions of calls per month depending on the telecom company's size). The transactions stored would include all phone calls, but can also include transactions that indicate a relationship between phone numbers, such as SMS.
What is important is not the content of the call or SMS, but the relationship between the numbers. This 'metadata' can be used to show the similarity of calling patterns.
When a phone number is found to be part of a fraud, the details of who they called forms a 'signature' of their commonly called numbers. Different people have different called number patterns because the people and organisations in their lives are different. People generally have low overlap in who they call because of the differences in areas such as:
All phone services will call some numbers on a one-off basis, but these will not be important to signalling a possibly fraudulent phone service. It is the regular calling of the same, popular numbers, that generates a signature that shows 'similarity' between what is done on a phone service. The addition of the one-off called numbers does not disguise the underlying 'popular' numbers.
When a phone number's use is found to be fraudulent, then the details of who they have called can be reviewed to find their 'popular' numbers and build a signature used to look for similar calling patterns.
Since the detection of a fraud against a service cannot be predicted, details of all phone calls / transactions performed can be retained (in a secure location) for subsequent use in fraud detection. A biller's fraud system may already contain these details, and so it may just require the implementation of additional processing against this existing data.
Rather than retaining all call details for all time, billers may find that retaining details for a limited period (say 6 or 12 months) provides the bulk of the 'fraud detection' capability without the ever growing storage and processing cost of retaining transaction details 'forever'. As well, phone numbers are reused over time as people and businesses move, and this will reduce the effectiveness of these in 'calling pattern' detection.
The first step is to review the biller's existing customer base looking for phone services that have similar calling patterns. That is, their 'signature' aligns with one recently discovered to contain fraud.
Armed with the signature of a fraudulent phone service, there are two streams of processing that can be performed:
In this processing, the assessment being made is the 'degree of similarity' as indicated by the overlap of 'popular' called phone numbers.
Looking at the existing customer base
The people behind a fraudulent phone service may already have other phone services on the biller's network. The first step is to review the biller's existing customer base looking for other phone services that have the same or similar calling pattern. That is, that their 'signature' aligns with one recently discovered to contain fraud.
This processing will require that the entire repository of saved numbers is processed comparing new fraud signatures to those of the customer base in general. By performing this examination, other services setup earlier by the fraudsters may be detected, or at the least additional phone services 'of interest' may be found and reviewed.
Innocent family members of fraudsters may be identified by this search since their calling patterns will be similar to those seen in the fraud because they make calls and SMS within the same 'family group'.
Looking at future (new) customer
When a fraudster has been disconnected from a biller's network they may try to reconnect a 'new' service using different credentials, or say that they live at a different address, but if they call the same people and businesses, their calling patterns will end up being similar.
For this reason, the calling patterns of prior fraud can be processed periodically against the stored transactions looking for the reappearance of the same fraudsters. If a fraudster establishes a new phone service and calls their closest family and friends then their called number pattern will likely match a called number 'fraud signature' and be detected. This can occur relatively early at low call volumes since the 'numbers called' is the measure being employed.
The periodic reprocessing must allow the phone transactions to be performed, and so might be performed weekly (say over the weekend) generating a fresh list of candidates for review in the following week.
There are a number of refinements that would ideally be included to reduce the 'noise' in the review candidates are generated. The refinements avoid burying new targets for review within lists that include old targets. This allows the list of new fraud candidates to stand out and have less false negatives (not fraud), allowing confidence in the detection process to build, and avoids wasting the time of those performing the reviews.
The refinements selected and effective will be biller-specific, and will depend on the benefit that additional data and / or exclusions brings. Additional data sourcing, processing and the data retention required will also form part of the 'cost' versus 'benefit' trade-off that will need to be evaluated.
Further Reference: Patent WO9423528 'Fraud preventing method for a communication network' - This relates to debt management in a communications network and particularly, but not exclusively, to the detection of customer accounts obtained by fraud.
First published by
Previous column: How Does Payment Allocation Work?
» Processing Disputed Charges - Whilst most bills are accurate and accepted by customers, some customers will want to query or contest the charges appearing on their bills.
» Using Bundling and Differentiated Pricing - Using bundling and applying different pricing by market segments, billers can realise the most for their products and services.
» Business Practices Implemented Through Pricing - The price billers charge for their products can influence customer's consumption behaviour by increasing or decreasing their likelihood to purchase.
» Billing Pricing Models: Explaining Customer Impacts - Biller’s decisions about how they charge for their products and services result in pricing models that influence both a biller’s processing complexity and customers' behaviour.
» Billing Addresses - A billing application uses addresses in a wide variety of roles to describe the source locations of incoming transactions (from the network), details about the customers (and their representatives) who are billed, and the destinations to which the outputs from billing will be sent.
» Using Taxation Details Within Billing - Where governments tax the business domain being billed, the billing system will be a key calculation point since taxes are likely to be calculated on the finalised amounts after all rating / pricing has been performed, and after any discounts have been applied.
» Fraud Detection: Using Called Numbers To Find New Targets - Fraud occurs on phone networks, and when detected, it is closed down and stopped on the phone numbers on which it was detected. But how can the same bad actors / fraudsters be detected if they start up on new fraudulently obtained phone numbers, or have other existing phone numbers on the same network?
» Using Billing Notes and the Contact History - Billing applications make ‘contact’ with the biller’s customers each time a bill or reminder notice is sent, and whenever customers ring or email the biller’s staff with billing-related inquiries and requests. A billing note is one mechanism for capturing the key details of these customer / biller interactions. When a customer contacts the biller subsequently, the biller’s staff can review the customer’s prior contacts by looking at the notes that were recorded.
» How Does Payment Allocation Work? - Payment allocation is the association of credit amounts, such as new payments and adjustments, against a customer's outstanding debts (e.g. unpaid bills / invoices). There are different approaches for allocating credits against the customer's outstanding debt(s).
My introductory book, Billing for Business Networks, describes the end-to-end billing process using vendor-neutral explanations.
Stephen Jones is a consultant who has focused specifically on Billing and related processes for over twenty years. Recent work has included relating a major telco's billing with inbound call centre logs for Call Centre Analytics.
I contributed an essay on testing design assumptions in the O'Reilly book 97 Things Every Software Architect Should Know. This book was written in an 'open source' style with more than four dozen authors. The original essays of the axioms / koans / advice can be viewed on the project's wiki.