Business Mobile scams

Mobile operator fraud case study

A Mobile Operator Fraud case study but it could apply to any type of network

In this article this week’s guest editor Manuel  Basilavecchia of Netaxis describes a mobile operator fraud – in other words a telecom fraud that impacted a mobile operator. He describes the type of traffic pattern (destinations) and fraudster behaviour. For obvious reasons we are keeping the name of the operator out of it. It could happen to anyone dropping their guard.

The mobile operator in question underwent some planned maintenance work on its network.  Few details are available on the nature of the planned work but from a security point of view the activity was a total failure as the following day their switch was accessed from outside their network. We may assume that the planned work cleared the access list on the SBC/firewall.

Once the fraudster had access to the switch, he initiated some test calls. The goal was to check if it was possible to terminate traffic to specific destinations. To avoid detection the tests calls were kept to a low volume.

It is important to note that the hijack and the test phase took place on weekdays. On the Friday evening, fraudster rolled up his sleeves and got on with the real work of sending volume traffic to several destinations.  

The traffic pattern was as follows:

  • Fake CLI’s used like 1001111,1000001,123456; etc
  • Massive calls to Latvia, Lithuania, Moldova, Gambia etc….
  • Big volumes generated per CLI

The fraud was detected the next day in the morning by a service provider of the mobile operator. The time elapsed between the beginning of the fraud and the detection allowed the fraudster to generate quite high volumes.

As it was a week-end it was difficult for the SP to get in touch with the mobile operator to inform him about the ongoing fraud and to align on measure that needs to be taken. Again here, few hours lost which benefits the fraudster……

Once the decision to block fraudulent traffic has been taken a game of cat and mouse started. Indeed,  when the fraudster identified that a destination was not generating revenues due to barring implemented, he immediately and simply switched to targeting another country. The same principle applied for CLI’s. Any time he noticed that a CLI was blocked he just moved on to another. This game lasted the entire day.

On day two, a major change in the destinations targeted was seen: Nauru, Senegal, Maldives Zimbabwe was now part of the fraud scheme.

Again, barring had to be implemented on the targeted destinations. It is important to note that the barring had to be implemented so as to stop fraudulent traffic but without impacting the legitimate traffic

In parallel, the mobile operator attempted to solve the security breach which took some time.  Once the issue solved on the SBC, fraudulent traffic finally stopped.

Lessons learnt:

Security is key to protect  a network and in the case where a modification is made to a SBC, a cross check needs to take place after the intervention

Based on the short time between the planned work and the hacking it is clear that networks are scanned by fraudster to find an open door.

Fraud monitoring needs to be made live or near real time to minimize the impact and this 24 x 7

Barring solution must be available to stop fraud. This barring solution needs to be flexible (A number, B number, range, destination).

This is telecom fraud week on, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “is encryption the answer to data loss
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s

Business scams

Missing Trader VAT Fraud

Missing Trader VAT Fraud

Fraud is for telecommunication companies a wide problem. Several fraud scenarios are well know like IRSF, PBX hacking, Bypass, and could be managed using a Fraud Management System (FMS).

Nevertheless, there is a fraud mechanism that could severely affect the business of a company even if this company is using an FMS. This fraud mechanism is called Missing Trader VAT fraud and is a significant problem for both business and tax authorities.

This type of fraud becomes possible because of the way the VAT system works within the European Union. This article aims to describe the Missing Trader VAT fraud mechanism at least at the top level.

How it works?

As a first step, fraudsters create a company (telecom reseller in this case). As a second step, traffic is purchased and resold.  Following the normal VAT mechanism, VAT is charged to and recovered from the end customer by the fraudster.

Up to this point, everything is ok. However the fraudster then disappears before having handed over the cash to the VAT authorities.

This in turn can cause a problem for the innocent party who has handed over the VAT to the crooks because the taxmen believe that they can recover it from said innocent party. This is a major risk for the business, especially as tax authorities can apply penalties. 

They get you with the “should have known” clause. They repeated say that you must know your customer and your suppliers and you have to prove to them that you’re innocent – a reversal of natural justice.

It is important that you read the leaflet linked to below. If you do not take due care and HMRC can demonstrate that you knew or should have known that your trading was linked to fraudulent tax losses then you will lose your entitlement to claim the input tax linked to those transactions.

missing trader vat fraud

In reality of course, when a MTIC is established, it is made is a more complex way than the basic principle described above.

Indeed, the fraud can be perpetrated on genuine traffic, meaning that no alarm will be triggered by the FMS. Also, a “clean” supplier with which a customer has business relations since years can suddenly enter in this bad game

Last but not least, in many cases several companies involved in the supply chain are complicit (buffers). This help to hide the full picture if the fraud and enable carousel mechanism.

How to detect Missing Trader VAT Fraud?

We have seen that this fraud can occur on legitimate traffic which makes detection more complicated. For that reason, a number of different checks must be made on various aspects of the workings of a business: legal, financial, and traffic analysis.

This is especially although not uniquely for new interconnections. Existing interconnections also should also be regularly checked.

Market intelligence is also a great added-value in order to avoid to connecting with suspect companies or companies managed by people who have had issues with tax authorities in the past

Considering the nature of this fraud it is important to set up alert processes across your finance, legal and fraud management departments.


MTIC (VAT fraud) in VoIP- B.U school of law/Boston University, School of law Working Paper No10_03. Richard T.Ainsworth

ETNO/ Missing Trader Fraud. Telecommunications Industry Standard Risk Management Process

HM Revenue & customs/ Missing Trader Intra Community (MTIC). VAT Fraud presentation. Joanne Cheetam MTIC National Co-Ordination Unit . 2012