By Arnd Baranowski
October 31, 2018
The numbers describing the financial damage caused by telecoms fraud are staggering.
Earlier this month, the ITW Global Leaders Forum estimated that wholesale carriers alone are losing $17 billion per year to fraudulent traffic, mostly caused by organised crime groups.
Last year, the Communications Fraud Control Association, published a report with figures showing that telecoms fraud caused over $29 billion in fraudulent charges in 2017 of which nearly $4 billion in financial losses was connected to PBX hacking on enterprise communications networks.
For better or worse, telecoms fraud is an attractive business and can be lucrative for skilled cybercriminals.
Every enterprise is exposed to telecoms fraud and there are a number of important baseline understandings about telecoms fraud that each business needs to be aware of to better manage its approach to protecting its communications networks.
Telecoms fraud has evolved
There was a time when telecommunications networks were based on physical infrastructure. Telecommunications switches and other core devices and equipment were interconnected by wired connections. Back then, telecoms fraud required physical access to the network infrastructure to manipulate and redirect traffic.
Over the past ten plus years, IP-based technologies have turned telecommunications networks into virtual environments that are less dependent on physical infrastructure. As a result, telecoms fraud can now be executed remotely by fraudsters using the similar attack methods used by cybercriminals.
Telecoms fraud is a cybersecurity issue
Given the evolution of telecommunications networks, telecoms fraud is no longer a problem that is unique to the networks of telecommunications service providers. Telecoms fraud is clearly now a cybersecurity issue and should be addressed by both service providers and their enterprise customers in the same capacity as other cybersecurity threats. The same vulnerabilities that put IT networks at risk are now threats to telecommunications networks.
Who is responsible for telecoms fraud – the service provider or customer?
This is a highly contentious point and there is no clear answer.
To begin with, most times a business only finds about fraudulent charges when it receives its periodic invoice. From here, the burden is often on the customer to prove to that the charges in question were indeed fraudulent. The internet is full of horror stories of businesses that were forced to waste hours after hours of valuable time getting fraudulent charges reserved.
What telecoms service providers are doing – or not doing – to protect against fraud
From my experience, service providers are simply not doing enough to fight telecoms fraud and protect their customers. Most are stuck in an outdated mind set that was appropriate for telecommunications networks from ten plus years. Many still rely on practices and tools based on slow moving interactions among staff in different departments.
I am regularly told by revenue assurance and fraud management teams at service providers that four to six hours is an acceptable timeframe to identify fraudulent traffic. This is always amazing to hear and can easily explain why the overall damage of telecoms fraud is so high.
Today’s fraudsters are highly skilled cybercriminals using the most advanced technologies and techniques to execute telecoms fraud. Four hours is enough time to complete an attack that inflicts hundreds to thousands of dollars of financial damage before the business or service provider is even aware that an attack has taken place.
Understandings going forward
Businesses must understand that they are highly exposed to telecoms fraud. Their communications networks are vulnerable to attacks and service providers are not able to protect them against telecoms fraud as they are not able to control their enterprise communications networks
The conclusion is that a business must be proactive and take direct responsibility for protecting its own communications network against telecoms fraud. Relying only on the service provider is too risky and can lead to problems that can be avoided.