ClearIP can analyze calls for various types of toll fraud attacks. The different types of fraud that ClearIP is currently able to manage are listed below. Fraud control is configured in ClearIP by setting fraud triggers. A fraud trigger describes the conditions that should be met for a fraud attack to be detected and dictates what action to take as a result.
Toll fraud types are mainly characterized by the call source or destination. The call source may refer to the specific calling number, user, combined user and calling number, or group. The call destination may refer to the specific called number or called country.
The different types of fraud are defined in more depth below.
NOTE: To block Neighbor Spoofing, please visit the Whitelist/Blacklist documentation. For carriers based in countries that participate in the North American Numbering Plan, Neighbor Spoofing is when a calling party modifies their Asserted Calling Number to match the called party’s NPA-NXX number to seem like a neighbor.
| Fraud Trigger Type | Destination | Time Period | Fraud Score Unit |
|---|---|---|---|
| Targeted Pumping | Specific Number | 15 minutes | Call Count |
| Fast Traffic Pumping | Specific Country | 5 minutes | Called Fraud Score |
| Slow Traffic Pumping | Specific Country | 60 minutes | Called Fraud Score |
| Theft of Service | All | 60 minutes | Called Fraud Score |
| Robocalling | All | 60 minutes | Call Count |
| Wangiri | All | 5 minutes | Calling Fraud Score |
Targeted Pumping
Targeted pumping triggers monitor calls going to a specific called number within a 15-minute period from a specific call source. If too many call attempts are made to the same number within the 15-minute time period based on the configured threshold value, ClearIP can automatically block subsequent call attempts from the call source to the specific called number.
Each call is rated with a fraud score of 1, effectively making this trigger a simple call counter. Only calls from the specific call source to the specific called number will be blocked or diverted when a trigger event occurs.
Below is an example of a targeted pumping trigger event:
- Numerous call attempts are made from the calling number 16153720300 to a Nicaragua number 50582314128 within one minute.
- After the first few call attempts, ClearIP automatically blocked 16153720300 from making any more calls to 50582314128.
- The calling number 16153720300 may still place calls to other called numbers, and other calling numbers may still call 50582314128.
The Fraud Score Threshold of this trigger refers to the number of allowed call attempts between a specific call source and called number. If the Fraud Score Threshold is set to 10, a call source is allowed to make 10 call attempts to the same number within 15 minutes or less. Any call attempts over the 10-call limit can be automatically blocked temporarily.
Fast Traffic Pumping
Fast traffic pumping triggers monitor calls going to different called numbers in a specific called country within a 5-minute period from a specific call source. If too many call attempts are made to a particular country within a 5-minute period, ClearIP can automatically block subsequent call attempts from the call source to the specific called country.
Each call is rated for fraud based on the called number fraud score. Only calls from the specific call source to the specific called country will be blocked or diverted when a trigger event occurs.
Below is an example of a fast traffic pumping trigger event:
- Numerous call attempts are made from the calling number 19072778671 to many different Tanzanian numbers within five minutes.
- After the first few call attempts, ClearIP automatically blocks 19072778671 from making any more calls to Tanzania.
The Fraud Score Threshold of this trigger refers to the allowed financial risk of call attempts between a specific call source and called number. The financial risk of the call is determined by the termination rates uploaded into the Default or Custom Fraud Rates page.
Slow Traffic Pumping
Slow traffic pumping triggers monitor calls going to different called numbers in a specific called country within a 60-minute period from a specific call source. If too many call attempts are made to a particular country within a 60-minute period, ClearIP can automatically block subsequent call attempts from the call source to the specific called country.
Each call is rated for fraud based on the called number fraud score. Only calls from the specific call source to the specific called country will be blocked or diverted when a trigger event occurs.
Below is an example of a slow traffic pumping trigger event:
- 31 call attempts are made from the calling number 33978080455 to a Burkina Faso number 22625497900 spanning over a 90-minute period.
- After the first few call attempts, ClearIP automatically blocked 33978080455 from making any more calls to Burkina Faso.
The Fraud Score Threshold of this trigger refers to the allowed financial risk of call attempts between a specific call source and numbers in a specific international country. The financial risk of the call is determined by the termination rates uploaded into the Default or Custom Fraud Rates page.
Theft of Service
Theft of service triggers monitor all calls within a 60-minute period coming from a specific call source, going to potentially a variety of international countries. If too many expensive international calls are made within a 60-minute period, ClearIP can automatically block subsequent call attempts from the call source to any international destination.
Each call is rated for fraud based on the called number fraud score. All calls from the specific call source will be blocked or diverted when a trigger event occurs.
Below is an example of a theft of service trigger event:
- Numerous call attempts from the calling number 13855014545 to many different international countries within ten minutes.
- After the several suspicious call attempts, ClearIP automatically blocked 13855014545 from making any more international calls.
The Fraud Score Threshold of this trigger refers to the allowed financial risk of call attempts between a specific call source and numbers in various international countries. The financial risk of the call is determined by the termination rates uploaded into the Default or Custom Fraud Rates page.
Robocalling
Robocalling triggers monitor all calls within a 60-minute period, coming from a specific call source. If a high-volume of outbound calls are made or excessive inbound calls from the same calling number are received, ClearIP can automatically block either type of traffic.
Each call is rated for fraud with a fraud score of 1, effectively making this trigger a simple call counter. All calls from the specific call source will be blocked or diverted when a trigger event occurs.
Below is an example of a robocalling rigger event:
- Numerous calls form the calling number 14357547714 are made to many different called numbers in the United States.
- After the several suspicious call attempts, ClearIP automatically blocked 14357547714 from making any more calls, regardless of called number, country, or any other factor.
The Fraud Score Threshold of this trigger refers to the number of allowed call attempts from a specific called source. If the Fraud Score Threshold is set to 30, a call source is allowed to make 30 call attempts (to anywhere) within 60 minutes or less. Any call attempts over the 30-call limit can be automatically blocked temporarily.
NOTE: Robocalling triggers focus on the volume of calls whereas Theft of Service triggers focus on the potential financial cost of calls.
It is suggested to use Reputation lookup services and Inbound Shield services to prevent robocalls on inbound calls.
Wangiri
Wangiri triggers monitor all calls within a 5-minute period, coming from a specific call source, to prevent fraudsters that bait potential fraud victims by calling from high termination rate destinations and then expect to be called back.
Each call is rated for fraud based on the calling fraud score. All calls from the specific call source will be blocked or diverted when a trigger event occurs.
Fraud Trigger Call Sources
In explaining all the above types of fraud, “a specific call source” is referenced. In ClearIP, call sources are grouped into categories for which each type of fraud can be monitored.
The Fraud dropdown menu in ClearIP shows each type of fraud trigger and groups them by the call sources they can be configured for. Each category of call sources directs ClearIP on exactly which calls to monitor:
- Fraud triggers by User and Calling Number ’ Setting up fraud triggers by User and Calling Number allows the specification of Users and optionally Calling Numbers for which fraud can be monitored. If Calling Number is left blank when configuring any of the fraud triggers by User and Calling Number, ClearIP will monitor traffic from all calling numbers associated with the User to see if any individual calling number associated with the User sets off the trigger. If Calling Number is specified in the fraud trigger, ClearIP will monitor traffic specifically from that User and Calling Number. Once configured, trigger events for these types of triggers by User and Calling Number will take the specified Action only on the particular User and Calling Number pair that caused the trigger to go off.
- Fraud triggers by Calling Number - Setting up fraud triggers by Calling Number allows the specification of Calling Numbers for which fraud can be monitored. Triggers in this category do not consider User, so ClearIP will only monitor traffic from the Calling Number specified in each trigger. Once configured, trigger events for these types of triggers by Calling Number will take the specified Action only on the Calling Number that caused the trigger to go off.
- Fraud triggers by User - Setting up fraud triggers by User allows the specification of Users for which fraud can be monitored. ClearIP will monitor all traffic from the specified User in each trigger; this means that any traffic from the specified User could cause a trigger event, since these types of triggers are only concerned with the User and not specific calling numbers for example. Once configured, trigger events for these types of triggers by User will take the specified Action on the User that caused the trigger to go off.
- Fraud triggers by Group - Setting up fraud triggers by Group allows the specification of Groups for which fraud can be monitored. ClearIP will monitor all traffic from the specified Group in each trigger. This means that all traffic from within a Group could cause a trigger event; these types of triggers are only concerned with the Group, and not specific Users and Calling Numbers even if they are associated with the specified Group. Once configured, trigger events for these types of triggers by Group will take the specified Action on the Group that caused the trigger to go off.