Initial Fraud Trigger Setup

When setting up ClearIP fraud triggers for the first time, we recommend that you initially set up 4 fraud triggers: Targeted Pumping, Fast Traffic Pumping, Slow Traffic Pumping, and Theft of Service.

The trigger Actions should be set to Report Only mode so that ClearIP monitors traffic and can send email alerts without automatically blocking any traffic. This allows ClearIP to analyze and learn normal traffic patterns while collecting data for reports.

We recommend that you leave these fraud triggers in Report Only mode and let ClearIP monitor your production traffic for at least one week, reviewing any alerts for false positives. If necessary, the fraud trigger thresholds can be adjusted to eliminate false positives. Once the fraud trigger thresholds are stable and do not create recurring false positives, you can switch the Action to Block mode to allow ClearIP to start automatically blocking any detected toll fraud.

Setup Triggers Based on Calling Number

The following triggers can be implemented if you would like ClearIP to perform fraud analysis based on the calling number. If ClearIP detects excessive calls from a specific calling number, then ClearIP can automatically block that calling number from making additional fraudulent calls.

Initial Trigger List

Note: We recommend configuring the fraud triggers to apply to the default Service Provider, Group, and User if your account has not provisioned its subscribers as Users within ClearIP. If you have provisioned your subscribers as Users within ClearIP, then you have the option to perform toll fraud analysis at the User level.

Targeted Pumping by User and Calling Number

To enable this trigger to monitor traffic, a policy must be created by clicking on the green Add button. In the pop-up modal, the following fields can be set:

  • Operator, if applicable
  • Service Provider can be set to the default Service Provider
  • Group can be set to the default Group
  • User can be set to the default User
  • Calling Number field can be left blank which acts as a wildcard
  • Called Number field can be left blank which acts as a wildcard
  • Status can be left as Enabled
  • Action can be left as Report Only
  • Default Fraud Score Threshold can be set to 10.

These trigger settings allow a subscriber to make 10 calls to the same international number within a 15 minute period before ClearIP marks the calls as fraud.

Fast Traffic Pumping by User and Calling Number

To enable this trigger to monitor traffic, a policy must be created by clicking on the green Add button. In the pop-up modal, the following fields can be set:

  • Operator, if applicable
  • Service Provider can be set to the default Service Provider
  • Group can be set to the default Group
  • User can be set to the default User
  • Calling Number field can be left blank which acts as a wildcard
  • Called Country field can be left blank which acts as a wildcard
  • Status can be left as Enabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be set to 0.5 if you have lower international traffic volumes.

The fraud score threshold for this type of trigger is based on the cost of the calls instead of the number of call attempts.

This fraud trigger assigns a fraud score to each call based on the estimated termination rate of the call. The fraud score data is sourced from the Fraud Rates tables. See the Fraud Rates section for additional information.

For a service provider based in the United States, the fraud score threshold of 0.5 for this trigger allows a subscriber to make up to $0.50 per minute worth of call termination per country within a 5 minute period.

For example, if a customer makes a call to Cayman Islands, which is area code 345 in the North American Numbering Plan, and the Fraud Rates list the estimated termination rate as $0.10 per minute, then ClearIP assigns a fraud score of 0.10 for this call attempt.

The Fast Traffic Pumping trigger analyzes traffic over rolling 5 minute periods. A Fast Traffic Pumping Threshold of 0.50 for Cayman Islands means that a subscriber is limited to 0.50/0.10 = 5 calls to Cayman Islands every 5 minutes. If they go over that, then ClearIP can activate a trigger event to stop further calls to Cayman Islands from that subscriber for the next 60 minutes.

ClearIP only looks at the number of call attempts and the fraud rate to determine the cost of the calls. ClearIP does not consider call duration in its fraud analysis because ClearIP only processes SIP Invites and not Call Detail Records.

Slow Traffic Pumping by User and Calling Number

To enable this trigger to monitor traffic, a policy must be created by clicking on the green Add button. In the pop-up modal, the following fields can be set:

  • Operator, if applicable
  • Service Provider can be set to the default Service Provider
  • Group can be set to the default Group
  • User can be set to the default User
  • Calling Number field can be left blank which acts as a wildcard
  • Called Country field can be left blank which acts as a wildcard
  • Status can be left as Enabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be set to 1 if you have lower international traffic volumes. For a service provider based in the United States, this threshold allows a subscriber to make up to $1.00 per minute worth of call termination per country within a 60 minute period.

The only difference between the Slow Traffic Pumping trigger and Fast Traffic Pumping trigger is the analysis period. The Slow Traffic Pumping trigger analyzes traffic over a rolling 60 minute period. A Slow Traffic Pumping Threshold of 1 for Cayman Islands means that a subscriber is limited to 1/0.10 = 10 calls to Cayman Islands every 60 minutes. If they go over that, then ClearIP can activate a trigger event to stop further calls to Cayman Islands from that subscriber for the next 60 minutes.
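The Fast and Slow Traffic Pumping arithmetic above can be modelled as a rolling sum of per-call fraud scores. The following is an added example, not ClearIP code: the class, the constructed test traffic, and the choice not to re-score attempts while a trigger event is open are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from decimal import Decimal


class RollingScoreTrigger:
    """Toy model of a cost-based trigger keyed on (subscriber, country)."""

    def __init__(self, threshold, window_min, action_min=60, block=False):
        self.threshold = Decimal(threshold)
        self.window_s = window_min * 60
        self.action_s = action_min * 60
        self.block = block                  # False models Report Only
        self.attempts = defaultdict(deque)  # key -> (ts, fraud score)
        self.active_until = {}              # key -> end of the action time
        self.events = []                    # (ts, key, window score)

    def on_invite(self, ts, subscriber, country, rate):
        """Score one call attempt at ts seconds; return True if it is allowed."""
        key = (subscriber, country)
        if ts < self.active_until.get(key, 0):
            return not self.block           # event already open (assumption: not re-scored)
        window = self.attempts[key]
        window.append((ts, Decimal(rate)))  # fraud score = estimated rate per minute
        while window[0][0] <= ts - self.window_s:
            window.popleft()                # forget attempts older than the window
        score = sum(s for _, s in window)
        if score <= self.threshold:
            return True
        self.events.append((ts, key, score))
        self.active_until[key] = ts + self.action_s
        return not self.block


def replay(trigger, n_calls, gap_s, rate="0.10"):
    """Constructed traffic: n_calls attempts to one country, gap_s seconds apart."""
    return [trigger.on_invite(i * gap_s, "+12025550100", "KY", rate)
            for i in range(n_calls)]


if __name__ == "__main__":
    fast = RollingScoreTrigger("0.5", window_min=5, block=True)
    slow = RollingScoreTrigger("1", window_min=60, block=True)
    print(replay(fast, 7, 10))    # burst of calls 10 s apart against the 5 minute window
    print(replay(slow, 12, 90))   # calls paced 90 s apart against the 60 minute window
```

Replaying the 90 second pacing against the 5 minute trigger never exceeds 0.5, which is why the two triggers are deployed together.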

Theft of Service by User and Calling Number

To enable this trigger to monitor traffic, a policy must be created by clicking on the green Add button. In the pop-up modal, the following fields can be set:

  • Operator, if applicable
  • Service Provider can be set to the default Service Provider
  • Group can be set to the default Group
  • User can be set to the default User
  • Calling Number field can be left blank which acts as a wildcard
  • Status can be left as Enabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be set to 2 if you have lower international traffic volumes. For a service provider based in the United States, this threshold allows a subscriber to make up to $2.00 per minute worth of call termination for combined international calling within a 60 minute period.

The Theft of Service trigger monitors traffic to all international and specified high risk domestic areas collectively from a subscriber within a 60 minute period. If the subscriber makes excessive calls to one or many international countries or high risk domestic areas, then ClearIP can activate a trigger event to stop further calls to all international plus specified high risk domestic areas from that subscriber for the next 60 minutes.

Testing Fraud Triggers

To test the fraud triggers and experience what happens when ClearIP detects fraud, you can set up an additional policy in the Targeted Pumping by User and Calling Triggers page with the following settings:

  • Operator, if applicable
  • Service Provider can be set to the Default Service Provider or relevant value
  • Group can be set to the Default Group or relevant value
  • User can be set to the Default User or relevant value
  • Calling Number field can be set to your specific test calling number
  • Called Number field can be left blank which acts as a wildcard
  • Status can be left as Enabled
  • Action can be set to Block
  • Alert Email should be set to your email address to receive a test email
  • Default and Minimum Fraud Score Threshold should be lowered to 2.

This trigger monitors calls from your test number. It allows you to make 2 calls to the same called number within a 15 minute period. If you make more than 2 calls within 15 minutes, then ClearIP treats that as fraud, sends an email alert to the configured email address, and automatically blocks further calls to the targeted called number for the duration of the Action Time.

Please note that the fraud triggers only monitor the calls where toll fraud monitoring has not been disabled. If you have created a rule in the Whitelist/Blacklist menu to Bypass Fraud Control on domestic calls, then the fraud triggers only monitor international calls.

After the trigger is created, make 3 test calls to any international phone number. The first 2 calls should be accepted, and the third test call should be blocked.

Go to the SIP Messages page under the Analytics menu. Confirm that ClearIP returned a SIP 503, 404, or 302 for the first 2 calls and returned a SIP 603 for the third test call.

You should receive an email alert from ClearIP, notifying you about the fraud trigger event. You can also review the incident in the Trigger Events page under the Analytics menu. See the Trigger Events section for more information.

Setup Triggers Based on User

The previous triggers can be used if you would like ClearIP to perform fraud analysis based on the calling number. We recommend starting with fraud triggers based on the calling number because they are easier to set up. You have the option of configuring fraud triggers by User if you have uploaded your subscribers as Users into ClearIP, for example by implementing the BroadWorks or netsapiens subscriber provisioning scripts.

The following triggers can be implemented if you would like ClearIP to perform fraud analysis based on the User instead of the calling number. If ClearIP detects excessive calls from a specific User, then ClearIP can automatically block that User from making additional fraudulent calls. This may be useful if your subscriber’s phone system has the ability to modify the calling number. If this type of phone system is hacked, then the fraudster may place calls and constantly change the calling number. ClearIP’s fraud triggers by calling number cannot effectively protect against fraud where the calling number changes. To prevent this type of fraud, we recommend setting up fraud triggers based on the user and not just the calling number.
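The effect of the trigger key on detection can be checked against sample traffic before choosing a configuration. This is an added example, not ClearIP code: the function, the field names, the constructed calls, and the use of a 0.5 threshold over a 5 minute window for both keys are assumptions.

```python
from decimal import Decimal


def first_event(calls, key_field, threshold, window_s):
    """Index of the first call that pushes its key's rolling score over threshold, else None."""
    limit = Decimal(threshold)
    for i, call in enumerate(calls):
        score = sum(
            Decimal(c["rate"])
            for c in calls[: i + 1]
            if c[key_field] == call[key_field] and call["ts"] - c["ts"] < window_s
        )
        if score > limit:
            return i
    return None


# Constructed traffic: one phone system (User "pbx-17") sends 12 attempts to the same
# country, 20 s apart, and presents a different calling number on every attempt.
rotating = [
    {"ts": 20 * i, "user": "pbx-17", "calling": f"+1202555{100 + i:04d}", "rate": "0.10"}
    for i in range(12)
]
# The same traffic with a single, fixed calling number.
fixed = [dict(c, calling="+12025550100") for c in rotating]

if __name__ == "__main__":
    for name, calls, key in [("fixed/calling", fixed, "calling"),
                             ("rotating/calling", rotating, "calling"),
                             ("rotating/user", rotating, "user")]:
        print(name, first_event(calls, key, "0.5", 300))
```

With the calling number as the key, every attempt in the rotating set is scored on its own and no event opens; keyed on the User, the same traffic opens an event at the same attempt as the fixed-number case.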

We recommend you implement the fraud triggers by user and calling number explained above in conjunction with the triggers by user. All calls matching the default user should be monitored by the user and calling number triggers. Calls from the default user should not be monitored by triggers by user because if fraud is detected, then the entire default user would be blocked from making calls. Only calls matching with a specific, non-default user should be monitored by the triggers by user.

Fraud Menu showing calling number trigger and user trigger

Targeted Pumping by User

To enable this trigger to monitor traffic, 2 policies must be created.

One policy should have the following fields set:

  • Operator, if applicable
  • Service Provider can be left blank to act as a wildcard
  • Group can be left blank to act as a wildcard
  • User can be left blank to act as a wildcard
  • Called Number field can be left blank which acts as a wildcard
  • Status can be left as Enabled
  • Action can be left as Report Only
  • Default Fraud Score Threshold can be left as the default value.

Another policy should have the following fields set:

  • Operator, if applicable
  • Service Provider can be set to the default Service Provider
  • Group can be set to the default Group
  • User can be set to the default User
  • Called Number field can be left blank which acts as a wildcard
  • Status must be changed to Disabled
  • Action can be left as Report Only
  • Default Fraud Score Threshold can be left as the default value.

Fast Traffic Pumping by User

To enable this trigger to monitor traffic, 2 policies must be created.

One policy should have the following fields set:

  • Operator, if applicable
  • Service Provider can be left blank to act as a wildcard
  • Group can be left blank to act as a wildcard
  • User can be left blank to act as a wildcard
  • Called Country field can be left blank which acts as a wildcard
  • Status can be left as Enabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be left at the default values.

Another policy should have the following fields set:

  • Operator, if applicable
  • Service Provider can be set to the default Service Provider
  • Group can be set to the default Group
  • User can be set to the default User
  • Called Country field can be left blank which acts as a wildcard
  • Status must be set to Disabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be left at the default values.

Slow Traffic Pumping by User

To enable this trigger to monitor traffic, 2 policies must be created.

One policy should have the following fields set:

  • Operator, if applicable
  • Service Provider can be left blank to act as a wildcard
  • Group can be left blank to act as a wildcard
  • User can be left blank to act as a wildcard
  • Called Country field can be left blank which acts as a wildcard
  • Status can be left as Enabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be left at the default values.

Another policy should have the following fields set:

  • Operator, if applicable
  • Service Provider can be set to the default Service Provider
  • Group can be set to the default Group
  • User can be set to the default User
  • Called Country field can be left blank which acts as a wildcard
  • Status must be set to Disabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be left at the default values.

Theft of Service by User

To enable this trigger to monitor traffic, 2 policies must be created.

One policy should have the following fields set:

  • Operator, if applicable
  • Service Provider can be left blank to act as a wildcard
  • Group can be left blank to act as a wildcard
  • User can be left blank to act as a wildcard
  • Status can be left as Enabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be left at the default values.

Another policy should have the following fields set:

  • Operator, if applicable
  • Service Provider can be set to the default Service Provider
  • Group can be set to the default Group
  • User can be set to the default User
  • Status must be set to Disabled
  • Action can be left as Report Only
  • Minimum and Default Fraud Score Threshold can be left at the default values.
