International Revenue Share Fraud (IRSF) attack on an MVNO – Case Study

This case study carries a simple message: International Revenue Share Fraud (IRSF) is real, and action should be taken now. IRSF accounts for about $10.7 billion in fraud losses, up by 497% from the previous year (CFCA Global Fraud Loss Survey 2015). Whether you are small or big, an MNO, an MVNO, a fixed or VoIP operator, if you lack a sound Fraud Management Strategy and a Fraud Monitoring System that supports a hotlist of IPR Test Numbers, you will be an easy target for fraudsters. And like this MVNO, the consequences could be devastating.

The Victim

The Mobile Virtual Network Operator (MVNO) in this case study has been in business for almost a decade and provides a number of mobile services to both consumers and businesses. They focus on buying airtime at the best rates they can and passing these special rates on to their customers. Airtime is purchased through a number of aggregators. They have not experienced any significant fraud in the past and have very limited resources assigned with the responsibility for Fraud Management or Revenue Risk.

The Fraud

One of the lines of business for this MVNO is providing post-paid SIM cards to international partners, who then provide them to tourists who are traveling to the MVNO’s home country. The SIM cards will be activated once the tourist arrives in that country and then used as a local SIM.

The MVNO was approached by a registered company in Europe (Company A), who requested 70 post-paid SIM cards, so they could be provided to a group of tourists heading to the MVNO’s country. After some due diligence of ‘Company A’ requesting the SIM cards, it was agreed that the 70 SIM cards would be sent. These were dispatched and subsequently received by Company A. The SIM cards were sent in an inactive state (refer Figure 1).


Some weeks after these SIM cards had been received, the MVNO became aware from information received from their Network Provider, that some of these SIM cards were being used in the European Country where Company A was located to call known IRSF destinations. The MVNO was unaware that these SIM cards had been activated (with roaming enabled) and the initial information indicated that some had been used to incur IRSF costs of several thousand US dollars. The MVNO immediately blocked all 70 SIM cards. It is still unclear how these SIMs were activated, but it is suspected that the provisioning system through which the 70 SIMs were activated was accessed by someone not authorised to do so (refer Figure 2).


The Investigation

Once all call records were made available to the MVNO, it was found that a carefully planned IRSF attack commenced at around 9.00pm on a Friday night and continued for 77 hours (until all SIM cards were blocked). All 70 SIMs were used simultaneously, utilising the phones' multi-party calling function, potentially permitting 420 calls to be active at any one time.

During the 77 hour period, a total of 51,900 calls were made to 605 unique IRSF numbers across 41 different countries. The total loss attributed to these calls was $US 2.130 million with an average hourly loss of $US 27,662.00.

Lessons Learnt

The MVNO was not expecting these SIM cards to be used until they arrived in its home country, so there was no monitoring in place for high usage. It had no direct relationship with its Network Provider, purchasing capacity through Aggregators, so there was no timely delivery of NRTRDE records.

Had the MVNO completed a full fraud risk review across the business, it would have ensured that monitoring was in place to identify high usage of any SIM cards allocated to it which were in an activated state, whether this activation was completed lawfully or unlawfully.

Could an IRSF Database have prevented this?

Without a shadow of doubt, although it should be clarified that this would have been dependent on the timely delivery of NRTRDE records, something that should have been contractually agreed between the MVNO and/or the MNO (Mobile Network Operator) and Aggregators. This is an improvement opportunity that would have been identified by an independent fraud management review.

These Test Numbers are generally called prior to an IRSF attack to confirm for the fraudster that a number range can be called from the location and device he is using. IRSF databases are now used by a number of Communication Service Providers (Mobile, Fixed, MVNO and VoIP) worldwide and are now a key defence against IRSF. Such a database can populate a hotlist within an established Fraud Management System (FMS).

All call records in the attack were tested against the Advertised Test Number database. Of the 605 unique numbers called, 168 of them were in the most recent Advertised list. Calls to these Test Numbers, some of which were repeated several times over different handsets, would have generated 289 Fraud alerts during that 77 hour period had the NRTRDE records been tested through the IRSF number hotlist as they arrived.

Within 30 minutes of this fraud starting, 36 calls were made to Test Numbers, and 24 of these Test Numbers were in the Advertised List, so would have generated fraud alerts. Had these NRTRDE records been delivered to the MVNO within the 4 hour time period recommended for delivery, losses would have been limited to under $US 65,000.00.

Hindsight is wonderful; however, a basic Fraud Risk Management review would have identified the risks associated with this transaction, and the implementation of an inexpensive Fraud Management System utilising the IRSF database could have avoided losses in this instance of over $US 2 million.
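The hotlist screening described above, combined with the usage monitoring of supposedly inactive SIMs from the Lessons Learnt section, as an added Python example that is not part of the original case study. The numbers, IMSIs, timestamps, simplified record layout and the `00` international prefix are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: +999 is not assigned to any country, 001/01 is the test PLMN.
HOTLIST = {"99900000001", "99900000002"}                 # advertised test numbers
DORMANT_IMSIS = {"001010000000001", "001010000000002"}   # SIMs shipped inactive
RECORDS = [  # (call start, IMSI, dialled digits); hypothetical simplified record layout
    ("2015-06-05T21:00:10", "001010000000001", "+999 0000 0001"),
    ("2015-06-05T21:02:40", "001010000000001", "0099900000777"),
    ("2015-06-05T21:05:00", "001010000000002", "0099900000002"),
    ("2015-06-05T21:06:30", "001010000000009", "+99812345678"),
]

def normalize(dialled):
    """Reduce a dialled string to bare international digits (assumes a 00 prefix)."""
    digits = "".join(ch for ch in dialled if ch.isdigit())
    return digits[2:] if digits.startswith("00") else digits

def screen(records, hotlist, dormant_imsis):
    """Return alerts as (call start, IMSI, rule, called number), oldest first."""
    alerts, seen_dormant = [], set()
    for start, imsi, dialled in sorted(records):
        called = normalize(dialled)
        if called in hotlist:
            alerts.append((start, imsi, "HOTLIST", called))
        # Any usage on a SIM believed inactive is suspicious; alert once per SIM.
        if imsi in dormant_imsis and imsi not in seen_dormant:
            seen_dormant.add(imsi)
            alerts.append((start, imsi, "DORMANT_SIM_ACTIVE", called))
    return alerts

def earliest_detection(alerts, delivery_delay):
    """When the first alert can fire, given how late records reach the fraud system."""
    if not alerts:
        return None
    first_call = min(datetime.fromisoformat(a[0]) for a in alerts)
    return first_call + delivery_delay

if __name__ == "__main__":
    found = screen(RECORDS, HOTLIST, DORMANT_IMSIS)
    for alert in found:
        print(*alert)
    print("first alert possible at", earliest_detection(found, timedelta(hours=4)))
```

The delivery delay passed to `earliest_detection` is the variable the case study turns on: the rules fire on the first records, but only once those records actually reach the fraud system.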

The Outcome

The MNO (and Aggregators) are now insisting that the MVNO is responsible for payment of the full $US 2.130 million and have made it clear that they will pursue this debt through the courts if necessary. The MVNO is now considering voluntary liquidation of the company, which not only impacts the founder’s future, but also that of the loyal staff.

This incident reiterates the message that irrespective of how big or small a company is, be it an MNO, an MVNO, a fixed or VoIP operator, one that lacks a sound Fraud Management Strategy and a Fraud Monitoring System that supports a hotlist of IPR Test Numbers will be an easy target for fraudsters. And like this MVNO, the consequences could be devastating.

— This case study was authored by Colin Yates – Director at Yates Fraud Consulting. Reprinted with permission. —
