Fraud Trigger Settings

ClearIP monitors fraud activity by reviewing the fraud scores of each phone call and looking for suspicious patterns in the fraud scores as configured by fraud triggers. Although all sharp increases in the fraud score potentially indicate a fraud attack, ClearIP only analyzes calls for a specific type of fraud after a fraud trigger is created for it.

A fraud trigger describes the conditions that should be met for a fraud attack to be detected and dictates what action to take as a result. The fraud trigger feature grants granular control over when and how each type of fraud analysis should be performed. ClearIP can perform fraud analysis for each type of fraud defined in the Types of Fraud section of the documentation.

Whenever a fraud attack is detected by a fraud trigger, a trigger event is activated. A trigger event is ClearIP’s detection of and response to a fraud attack.

The fraud trigger types are listed as different pages under the Fraud dropdown menu. Each trigger type is a combination of a type of fraud and a call source (or destination).

Proper configuration of fraud triggers is vital for enabling ClearIP to protect against fraud. To configure fraud triggers, the fraud trigger process should be understood, and the action and fraud score thresholds must be defined.

Fraud Trigger Process

Whenever a call is received from the SBC and fraud triggers are configured, ClearIP automatically goes through the following steps:

  1. Check if a fraud attack has already been detected for the type of call. ClearIP checks if there is an activated trigger event related to this call. If so, skip the next 3 steps and perform the fraud action defined in the trigger event. If not, continue to step 2.
  2. Check if there is an existing fraud trigger that affects this call. ClearIP finds the best matching fraud trigger records for the call in each fraud trigger page. A record is a row in the ClearIP table. Each call can only match one record at most in each fraud trigger page, but the call can have many matches across multiple fraud trigger pages. Some calls may not match any fraud trigger records.
  3. Perform fraud analysis on the call for each best matching fraud trigger record.
  4. Check to see if a fraud attack has been detected. If necessary, activate a trigger event and perform the defined fraud action.

Action

When ClearIP detects a fraud attack, ClearIP instantly activates a trigger event and performs an action as defined in the fraud trigger. Possible actions are to block calls, divert calls to the diversion device, or only send an alert. When a trigger event is activated, an alert is sent if an email address, phone number, or HTTP URL is configured regardless of what the defined action is. Setting the action to Report Only effectively tells ClearIP to ignore all fraud calls even after possibly activating a trigger event.

Although ClearIP has options to list an email address, phone number, or HTTP URL to receive alerts, it is not required to give contact information. If desired, the Trigger Events page can be checked regularly to monitor fraud control reporting.

While a trigger event is activated, ClearIP continues to perform the action defined in the trigger event on all relevant fraudulent calls. If the fraud action of a trigger is changed while a corresponding trigger event is activated, the new fraud action is not used until another trigger event is activated. The trigger event is automatically deactivated after a specified length of time called the Action Time.

Fraud Score Thresholds

A fraud attack is detected by ClearIP when the cumulative fraud score in the observed time span exceeds the fraud score threshold. The fraud score threshold acts as a restriction on the maximum financial loss that can be incurred from a fraud attack. Because each fraud score threshold must be greater than zero, a few fraudulent calls might manage to come through, but financial loss is minimized by the threshold.

There are three types of fraud score thresholds that are used by ClearIP:

  • Minimum Fraud Score Threshold — The minimum fraud score that must be exceeded before a trigger event can occur whether historical data is available or not.

  • Default Fraud Score Threshold — The threshold value when no historical data is available.

  • Calculated Fraud Score Threshold — The threshold value when historical data is available. ClearIP can calculate a suitable fraud score threshold by performing a statistical analysis on historical data. This enables ClearIP’s fraud control feature to be self-learning.

Fraud Score Thresholds without Historical Data

The above image represents the true call activity during a business day. Before sufficient historical data has been collected, ClearIP uses the minimum and default fraud score thresholds to detect fraud. The default fraud score threshold is set as the threshold for unusual call activity levels during periods of peak call activity. The minimum fraud score threshold is set as the threshold for unusual call activity levels during periods of low call activity.

Fraud Score Thresholds with Historical Data

After sufficient historical data has been collected, ClearIP uses the minimum and calculated fraud score thresholds to detect fraud. The minimum threshold value is the same as before, but the default threshold is replaced with the calculated threshold. The calculated threshold can help determine what is considered unusual call activity based on historical data. During periods of low call activity, the minimum threshold prevents the calculated threshold value from becoming too small and giving many false positives.

Calculated Fraud Score Threshold

Calculate a New Threshold Every Minute

When there is sufficient historical data, the calculated fraud score threshold for each fraud trigger record is updated by the minute. This enables ClearIP to stop fraud faster. To calculate the threshold for the current time, ClearIP looks at the historical fraud scores of the previous weeks at the same time as the current time and analyzes the data.

For example, imagine that it is 2:30 PM on Friday and a targeted pumping trigger is set up. Targeted pumping triggers monitor fraud scores for the last 15 minutes. ClearIP looks at the fraud scores from 2:15 - 2:30 PM today and compares that to the fraud scores from 2:15 - 2:30 PM during the last 12 Fridays where data is available. At 2:31 PM, ClearIP looks at the fraud scores from 2:16 - 2:31 PM today and the last 12 weeks.

Adjustment Factor

The sensitivity of the calculated threshold is configurable. To calculate a fraud score threshold based on historical data, ClearIP uses a special parameter called the adjustment factor. The adjustment factor is used to optimize fraud detection while minimizing false positives. A smaller adjustment factor creates a smaller calculated threshold that is closer to the historical fraud score. This provides more sensitive fraud detection but also increases false positives. A larger adjustment factor creates a larger calculated threshold and reduces false positives.

When creating a trigger, the adjustment factor has a pre-filled value of 5.6. This does not need to be changed. If there are more than 4 weeks of historical data, this value tells ClearIP that any cumulative fraud score that is greater than 5.6 standard deviations above the average fraud score level should be considered a fraud attack. If the cumulative fraud score grows to more than 5.6 standard deviations above average, then that means there is at least a 99.999999% probability that there is a fraud attack happening!

Formulas for Calculated Threshold

ClearIP stores call history for 12 weeks to compare against current call rates. Depending on the amount of historical data available, one of the following formulas is used to determine the fraud threshold:

  • If there is no historical data:
    • Fraud Threshold = MAXIMUM(Minimum Fraud Score Threshold, Default Fraud Score Threshold)
  • If there is more than 1 week but less than 4 weeks of historical data:
    • Fraud Threshold = MAXIMUM(Minimum Fraud Score Threshold, AVERAGE(historical fraud scores) + AVERAGE(historical fraud scores) * Adjustment Factor)
  • If there are 4 or more weeks of historical data:
    • Fraud Threshold = MAXIMUM(Minimum Fraud Score Threshold, AVERAGE(historical fraud scores) + STANDARD_DEVIATION(historical fraud scores) * Adjustment Factor)

If the cumulative fraud score during the observed time period is greater than the calculated fraud threshold, a trigger event is activated. The action defined for the trigger applies for the duration of the trigger event.
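The three formulas above can be written as one Python function. This is an added example, not ClearIP code: the function and parameter names are hypothetical, `history` is assumed to hold one cumulative fraud score per previous week for the same time window, and the handling of 1 to 3 weekly samples and the choice of population standard deviation are assumptions the page does not settle.

```python
from statistics import mean, pstdev

MAX_WEEKS = 12  # the page says call history is stored for 12 weeks


def fraud_threshold(minimum, default, history, adjustment_factor=5.6):
    """Threshold for one trigger record and one observation window.

    history holds the cumulative fraud score of the same window (for
    example Friday 2:15 - 2:30 PM) in each previous week that has data.
    """
    weeks = len(history)
    if weeks > MAX_WEEKS:
        raise ValueError("more weekly samples than the 12 weeks retained")
    if weeks == 0:
        # No historical data: the default threshold applies.
        candidate = default
    elif weeks < 4:
        # Assumption: 1 to 3 weekly samples count as "less than 4 weeks".
        avg = mean(history)
        candidate = avg + avg * adjustment_factor
    else:
        # Assumption: population standard deviation; the page does not
        # say which estimator ClearIP uses.
        candidate = mean(history) + pstdev(history) * adjustment_factor
    # The minimum threshold is a floor in every case.
    return max(minimum, candidate)


def attack_detected(current_score, minimum, default, history,
                    adjustment_factor=5.6):
    """True when the window's cumulative score exceeds the threshold."""
    return current_score > fraud_threshold(
        minimum, default, history, adjustment_factor)


if __name__ == "__main__":
    # Constructed sample values, not ClearIP output.
    cases = {
        "new trigger": [],
        "2 weeks of data": [40, 60],
        "4 busy weeks": [20, 40, 20, 40],
        "4 quiet weeks": [10, 10, 10, 10],
    }
    for label, history in cases.items():
        print(label, fraud_threshold(50, 200, history))
```

The "4 quiet weeks" case shows why the minimum threshold matters: with no variation in the history the calculated value collapses to the average, and the minimum keeps the threshold from dropping that low.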

Create Wildcard Triggers

For each type of fraud that might be of interest, a wildcard trigger should be created. When creating a fraud trigger, there is an option to specify what calls the trigger should affect. A wildcard trigger is a trigger that applies to any call. A wildcard trigger can be created by leaving a field blank when creating the trigger. If there are multiple fraud trigger records configured in a table, then a wildcard trigger is the last priority trigger due to best matching. ClearIP checks if a call matches any other fraud trigger record before looking at the wildcard trigger.

More specific triggers should be created after a wildcard trigger is created if they are needed. These take priority over the wildcard trigger.

Set New Triggers to Report Only

Whenever a new fraud trigger record is created, it has no historical data associated with it, so ClearIP does not calculate a fraud score threshold based on historical data. Instead, ClearIP uses the minimum and default fraud score thresholds when there is not sufficient historical data available. After data is collected for a week, ClearIP can compare current fraud scores to historical data to detect fraud better.

The recommended best practice when creating any trigger is to initially create the trigger with the Report Only action and then change to the Block or Divert action after 1 week of using the new trigger and after figuring out what the minimum and default fraud score thresholds should be.

Make Fraud Triggers as Specific as Possible

It is recommended that fraud triggers are made as specific as possible, so that calls are not blocked unnecessarily. The fraud trigger thresholds should be set up so that more specific trigger types are triggered before less specific trigger types. The fraud trigger types are listed by most specific destination to least specific destination as follows:

  • Targeted Pumping
  • Fast and Slow Traffic Pumping
  • Theft of Service, Robocalling, and Wangiri

To understand why this is important, consider a potential fraud scenario where multiple calls are being routed to a single called number in Cuba in the span of a few minutes. If the calls are fraudulent, they should set off a fraud trigger that blocks all calls to that specific called number while non-fraudulent calls to other phone numbers in Cuba are still routed. To achieve this, a Targeted Pumping Trigger that monitors calls to Cuba should be set with a Fraud Score Threshold lower than the threshold of a Fast or Slow Pumping Trigger that also monitors calls to Cuba.