About Fraud Detection Rules

The metrics described in this section are based on the fraud scenarios above. Multiple rules may be combined to detect a single fraud scenario. Throughout this section, the term subscriber refers to either a single IP address or a single phone number.

Traffic Profile

Once a few days of call data are available for a single subscriber, a graph can be generated with the time of day on the x-axis and the number of calls or call minutes conducted on the y-axis. Once a fraud attack happens, the shape of the graph will change.

Blacklist and Whitelist Entries

A list of specifically allowed and disallowed phone numbers or phone number prefixes can be used to identify fraudulent calls. If company policy disallows international entries, an international entry may be an indicator of fraud. The customer may add individual entries to a customer-specific blacklist.

Depending on whether the system observed an exact entry hit or a prefix match, the scores assigned may differ. A prefix match on its own may not directly trigger a critical alarm, but when combined with other metrics (for example, the amount of traffic to the suspicious entry), it may generate a critical alarm.

Destination-Based Traffic Spikes

Fraud Monitor can raise an incident if a given destination user receives unusually high traffic, as in an IRSF scenario. If a configurable threshold is exceeded, both the source and destination users accumulate points. This rule can be used to identify possible candidates for blacklisting destination numbers.
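The following sketch shows how the blacklist scoring and the destination spike rule described above can combine into one per-subscriber score. It is an added illustration, not Fraud Monitor code or configuration; the score values, the threshold, the function names and the sample records are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict

# Assumed values: the page names no concrete scores or thresholds.
EXACT_SCORE, PREFIX_SCORE, SPIKE_SCORE = 100, 40, 60
CRITICAL = 100        # points at which a subscriber becomes a critical alarm
SPIKE_THRESHOLD = 3   # calls to one destination per window before the spike rule fires

# Constructed blacklist entries (not real numbers).
BLACKLIST_EXACT = {"+0005550100"}
BLACKLIST_PREFIXES = ("+00099",)

def blacklist_score(dest):
    """An exact entry hit scores higher than a prefix match."""
    if dest in BLACKLIST_EXACT:
        return EXACT_SCORE
    return PREFIX_SCORE if dest.startswith(BLACKLIST_PREFIXES) else 0

def score_window(calls):
    """calls: list of (source, destination) tuples seen in one time window."""
    points = defaultdict(int)
    # Blacklist rule: score each source once per distinct destination it called.
    for src, dest in set(calls):
        points[src] += blacklist_score(dest)
    # Spike rule: when a destination exceeds the threshold, the destination
    # and every source that called it accumulate points.
    for dest, count in Counter(d for _, d in calls).items():
        if count > SPIKE_THRESHOLD:
            points[dest] += SPIKE_SCORE
            for src in {s for s, d in calls if d == dest}:
                points[src] += SPIKE_SCORE
    return {sub: p for sub, p in points.items() if p > 0}

def severity(points):
    return {sub: "critical" if p >= CRITICAL else "warning" for sub, p in points.items()}

# Constructed call records: (source subscriber, destination number).
SAMPLE_CALLS = (
    [("10.0.0.5", "+0009912345")] * 4      # prefix match plus traffic spike
    + [("10.0.0.6", "+0009967890")]        # prefix match only
    + [("10.0.0.7", "+0005550100")]        # exact blacklist hit
    + [("10.0.0.8", "+0001112222")]        # clean call
)

if __name__ == "__main__":
    for sub, level in sorted(severity(score_window(SAMPLE_CALLS)).items()):
        print(sub, level)
```

With these assumed values, a prefix match alone stays at warning level, while the same prefix match plus a traffic spike reaches the critical threshold. The spiking destination also accumulates points, which is what makes it a candidate for blacklisting.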