PRISM FAQ – International Revenue Share Fraud (IRSF)

What is PRISM and what can it do?

A. PRISM is a database of over 3 million International Revenue Share test numbers (IRSF), as at 30 April 2020, which are provided by IPRN resellers to test that a revenue share destination and number range can be called from a given location. These test numbers, used as a hotlist, can be a valuable tool to alert CSP’s of a pending or live IRSF attack.PRISM is a database of over 100,000 International Revenue Share test numbers, which are provided by IPRN resellers to test that a revenue share destination and number range can be connected to from a given location. These test numbers, if used correctly in a hotlist, are an extremely useful tool to alert CSP’s of a pending or live IRSF attack.

How are these IRS Test Numbers kept up to date?

New IPRN Resellers are being identified regularly, and existing number Resellers are updating and changing their numbers frequently, certainly on a monthly basis. To ensure that PRISM numbers are current, the database is updated every 4 weeks to include any new numbers identified since the last update. PRISM users are notified each time a new update is available so that this new version of PRISM can be downloaded.

How do I use PRISM?

The PRISM database should be used as a hotlist on all called numbers from a Fraud Management System or through switching elements on the domestic network, and also on all roaming traffic, (inbound and outbound). Once an alert is generated the originating device and subscriber should be investigated to see if they are fraudulent and this may also lead to the identification of other fraudulent connections.

Why would I utilise PRISM on inbound roaming traffic?

This is an opportunity to provide some added value to your roaming partners. IRSF losses through the use of a Simcard roaming in a visited network can increase at a rate of $10,000 per hour. A visited network is required to provide a home network with details of roaming calls within 4 hours. Alerting your roaming partner of likely IRSF activity an hour or two before they receive NRTRDE files could help them avoid significant fraud losses. This is likely to be seen as a differentiator of service from other in Country networks, and could result in your organisation being considered a preferred roaming partner, consequently increasing your roaming revenues.

I don’t have an FMS. Can I still use PRISM?

Yes you can still use PRISM by integrating it into your manual or semi-automatic hotlist checking processes. Alternatively there are some low cost FMS offerings available, such as the PRISM Client, which can automate this function for you.  Obviously the key to maximising the value from using PRISM is the reaction time between the time any alert is generated and the time a fraudulent device is identified and taken down.

What is PRISM Client?

PRISM Client is a purpose built IRSF detection tool that complements the PRISM database. PRISM Client has an auto synchronisation function that downloads the PRISM numbers automatically every time the Test Numbers are updated. A lightweight tool that can be installed on a PC and needs just the CDR feeds to get started. If you don’t have a dedicated fraud team, we can provide a 24/7 team to monitor the IRSF alerts through PRISM Client.

How does PRISM differ from other commercial number databases on the market?

PRISM contains IRS test numbers that we know are currently being offered for use in the market. This includes the many ITU numbers that are allocated to operators and are then leased on to IPRN resellers. Many of these numbers technically comply with ITU recommendations, and consequently will not generally be offered in other databases, but can still be used in IRSF attacks.

How does PRISM differ from the GSMA hotlist number range database?

The GSMA hotlist number database is compiled using operator fraud reports of actual IRSF incidents and therefore relies on the goodwill of operators to share such information with the GSMA. It also relies on the GSMA publishing updates to these numbers and actively managing the database. PRISM is an actively managed database with updates, providing new IPR Test Numbers gained from analysing the content of new and known IPRN Reseller websites, every 4 weeks. Typical updates will contain any new numbers identified, plus retain previous numbers not published by the IPRN Resellers during this period, as it has been found that often these numbers will re-appear, or have been traded with another Reseller. In this way the latest version of the PRISM database is always up to date with all known test numbers that may be used. Also, the GSMA Hotlist Number Database contains numbers that have been used to terminate fraud calls. PRISM contains test numbers, which will alert you to a likely IRSF attack, before fraud losses escalate.

Can we just block the numbers in the PRISM database?

PRISM contains numbers that are being advertised as International Revenue Share test numbers. We do not recommend that these numbers are blocked, but rather kept in the hotlist so you can be alerted to any activity on the network that could be construed to be a potential IRSF attack. If you block these numbers, which are not typically used in the actual IRSF attack itself, then you will lose the intelligence that these numbers can provide as an early warning system. Fraudsters often have access to more than one device and an early warning of a likely IRSF attack does provide the opportunity to investigate, and identify any other devices that should also be blocked. Some IPRN Resellers do also provide numbers for legitimate purposes, such as content services, Psychic lines etc. Blocking these numbers could prevent customers accessing a legitimate service, and revenue would be lost.

I have heard that some PRISM users have occasionally located an assigned customer number within the database. How can that happen?

If a number is entered in the PRISM database, then it has been advertised by an IPRN Reseller on their rate card or test number schedule. Some IPRN Resellers are heavily involved in number misappropriation (number hijacking), and will often hijack a small operators complete number range during a period when they intend carrying out an IRSF attack. In this case, they will often publish assigned customer numbers which will only generate revenue for them during the period of the number hijack. This is another very good reason why PRISM numbers should not be blocked. In this case, a very quick investigation could reveal that the call is placed by a legitimate customer to the genuine user of the PRISM advertised number.

Can PRISM numbers be uploaded directly to an Operators FMS as a hot list without any rejections?

Yes. All new numbers are subjected to a rigorous ‘cleansing, de-duping and standardisation process for a smooth upload into your FMS.

What does a typical IRS test call look like?

A typical test call will consist of very short calls (sometimes as short as 2 or 3 seconds) to these test numbers. If you have suffered an IRSF attack at any time, look through the fraud calling schedule, and the test calls will be obvious. These will generally be between 1 and 5 short calls to the same numbers followed by multiple calls to different numbers within the same ranges. If the called country is changed midway through the IRSF attack, you will generally see more short duration calls to that Country Code, again checking to ensure that this new Country can still be connected from the device being used.

Other than IRSF what else can PRISM be used for?

Since PRISM contains a list of active IRS test numbers it can be used for a number of purposes other than detecting IRSF attacks. Once example is using the PRISM database for Wangiri fraud detection. By replacing the last 2 digits of the IRS test numbers with wildcards we have a premium number database consisting of over 3.5 million numbers. Monitoring calls from these numbers onto your network, especially where these numbers are dialing more than a certain number of unique domestic numbers, has been shown to be effective in detecting Wangiri fraud attacks. Similarly this also works as an outgoing hot list if a rule is set at say >5 calls to a specific PRISM range from different subscribers in xx minutes.

Does it really work?

Yes. Our user experience has shown that PRISM does work. It is actively managed and updated on a regular basis and while we don’t claim that it contains every single IRS test number it does provide very good protection. Existing PRISM users now regard this database as the key defensive tool in their IRSF detection strategy. Only one alert from a test number dialled is necessary to identify a possible IRSF attack. A recent analysis of calls made during an IRSF attack on a network which was not a PRISM customer found that from 18,000 calls to 745 unique numbers, 260 of these numbers were recorded in PRISM. Had this operator been using PRISM, 260 IRS Fraud Alerts would have been raised.

Can I get support once I get access to PRISM?

Yes of course. Once you get access to the PRISM database, you will get complete support from FRS Labs engineers (no call center and no waiting to get a response).

How do I get access to PRISM?

Drop us a line to for an application. Rest assured that it will be the simplest process to get on board.

Note: This FAQ was prepared by Colin Yates, a veteran in the industry and helping fight fraud for over four decades. The PRISM database is a collaboration between Yates Fraud Consulting and FRS Labs.

You Might Also Like
Book a free demo

Built for flexibility, compliance and reliability to serve multiple industry segments.