IRSF Attack – A Case Study


This case study carries a simple message: IRSF attacks are real and action should be taken now. IRSF accounts for about $10.7 billion in fraud losses, up by 497% from the previous year (CFCA Global Fraud Loss Survey). Whether you are small, big, an MNO, an MVNO, a fixed or VoIP operator, without a sound Fraud Management Strategy and a Fraud Monitoring System that supports a hotlist of IPR Test Numbers you will be an easy target for fraudsters. And like this MVNO, the consequences could be devastating.

The Victim

The Mobile Virtual Network Operator (MVNO) in this case study has been in business for nearly a decade, offering various mobile services to both consumers and businesses. Their core strategy revolves around procuring airtime at the most competitive rates possible and then passing these preferential rates on to their customers. Airtime procurement is managed through multiple aggregators. Historically, they have not encountered any significant fraud issues and have allocated minimal resources to the responsibilities of Fraud Management or Revenue Risk.

The Fraud

One of the MVNO’s lines of business involves supplying post-paid SIM cards to international partners, who, in turn, offer them to tourists visiting the MVNO’s home country. These SIM cards are activated upon the tourists’ arrival in the country and are used as local SIM cards.

The MVNO received a request from a registered European company (Company A) for 70 post-paid SIM cards to be provided to a group of tourists traveling to the MVNO’s country. After conducting due diligence on Company A’s request, it was agreed that the 70 SIM cards would be dispatched. Subsequently, these SIM cards were sent to and received by Company A, initially in an inactive state (refer to Figure 1).



Several weeks after Company A received these SIM cards, the MVNO learned, through information provided by their Network Provider, that some of these SIM cards were being used in the European Country where Company A was located to make calls to known IRSF destinations. The MVNO had no prior knowledge that these SIM cards had been activated, with roaming enabled, and the initial reports indicated that some had incurred IRSF costs amounting to several thousand US dollars. In response, the MVNO promptly blocked all 70 SIM cards. The exact method by which these SIMs were activated remains unclear, but there is suspicion that the provisioning system used to activate the 70 SIMs was accessed by an unauthorized individual before the IRSF attack (refer to Figure 2).



The Investigation

Once all call records were made available to the MVNO, it was found that a carefully planned IRSF attack commenced at around 9.00pm on a Friday night and continued for 77 hours (until all SIM cards were blocked). All 70 SIMs were used simultaneously, utilising the phones' multi-party calling function, potentially permitting 420 calls to be active at any one time.

During the 77-hour period, a total of 51,900 calls were made to 605 unique IRSF numbers across 41 different countries. The total loss attributed to these calls was $US 2.130 million, with an average hourly loss of $US 27,662.00.

Lessons Learnt

The MVNO was not expecting these SIM cards to be used until they arrived in its home country, so there was no monitoring in place for high usage. It had no direct relationship with its Network Provider, purchasing capacity through Aggregators, so there was no timely delivery of NRTRDE records.

Had the MVNO completed a full fraud risk review across the business, it would have ensured that monitoring was in place to identify high usage of any SIM cards allocated to it which were in an activated state, whether this activation was completed lawfully or unlawfully.

Could an IRSF Database have prevented this?

Without a shadow of doubt; although it should be clarified that this would have been dependent on the timely delivery of NRTRDE records, something that should have been contractually agreed between the MVNO and/or the MNO (Mobile Network Operator) and Aggregators. This is an improvement opportunity that would have been identified by an independent fraud management review.

The Test Numbers advertised by IPRN providers are generally called prior to an IRSF attack to confirm for the fraudster that a number range can be called from the location and device he is using. IRSF databases such as Rombus are now used by a number of Communication Service Providers (Mobile, Fixed, MVNO and VoIP) worldwide and are now a key defence against IRSF. Such a database can populate a hot list within an established Fraud Management System (FMS).

All call records in the attack were tested against the Advertised Test Number database. Of the 605 unique numbers called, 168 of them were in the most recent Advertised list. Calls to these Test Numbers, some of which were repeated several times over different handsets, would have generated 289 Fraud alerts during that 77-hour period had the NRTRDE records been tested through the IRSF number hotlist as they arrived. Within 30 minutes of this fraud starting, 36 calls were made to Test Numbers, and 24 of these Test Numbers were in the Advertised List, so would have generated fraud alerts.
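The checks described above, as an added example that is not part of the original case study: a sketch of screening call records as they arrive against a hotlist of advertised Test Numbers, together with the usage monitoring discussed under Lessons Learnt (traffic from SIMs that should still be dormant, and parallel calls per SIM). The record fields, rule names, threshold, numbers and IMSIs are all constructed assumptions, not a real NRTRDE layout or real hotlist entries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def normalize(number):
    """Reduce a dialled number to bare international digits."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[2:] if number.strip().startswith("00") else digits

def detect(records, hotlist, dormant_sims, max_parallel=2):
    """Return (rule, imsi, detail) alerts for a batch of call records.

    records: dicts with imsi, called, start (datetime), duration_s.
    dormant_sims: SIMs dispatched but not expected to carry traffic yet.
    """
    hot = {normalize(n) for n in hotlist}
    alerts, events, seen_dormant = [], defaultdict(list), set()
    for r in sorted(records, key=lambda r: r["start"]):
        called = normalize(r["called"])
        if called in hot:                      # Test Number hotlist hit
            alerts.append(("HOTLIST", r["imsi"], called))
        if r["imsi"] in dormant_sims and r["imsi"] not in seen_dormant:
            seen_dormant.add(r["imsi"])        # alert once per SIM
            alerts.append(("DORMANT_SIM_ACTIVE", r["imsi"], called))
        end = r["start"] + timedelta(seconds=r["duration_s"])
        events[r["imsi"]] += [(r["start"], 1), (end, -1)]
    for imsi, evs in events.items():
        active = peak = 0
        for _, delta in sorted(evs):           # equal times: ends sort first
            active += delta
            peak = max(peak, active)
        if peak > max_parallel:                # multi-party calling abuse
            alerts.append(("PARALLEL_CALLS", imsi, peak))
    return alerts

# Constructed sample data (test-network IMSIs, unassigned +999 numbers).
T0 = datetime(2024, 1, 5, 21, 0)
SIM1, SIM3 = "001010000000001", "001010000000003"
HOTLIST = ["+999 000 0101", "+999 000 0102"]
DORMANT = {SIM1, "001010000000002"}
RECORDS = [{"imsi": SIM1, "called": "00999 000 0101", "start": T0, "duration_s": 20}]
RECORDS += [{"imsi": SIM1, "called": f"+999000700{i}",
             "start": T0 + timedelta(minutes=4 + i), "duration_s": 3000}
            for i in (1, 2, 3)]                # three overlapping long calls
RECORDS.append({"imsi": SIM3, "called": "+99955501",
                "start": T0 + timedelta(minutes=1), "duration_s": 60})

if __name__ == "__main__":
    for alert in detect(RECORDS, HOTLIST, DORMANT):
        print(alert)
```
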

Hindsight is wonderful; however, a basic Fraud Risk Management review would have identified the risks associated with this transaction, and the implementation of an inexpensive Fraud Management System utilising the IRSF database could have avoided losses in this instance of over $US2 million.

The Outcome

The MVNO is now considering voluntary liquidation of the company, which impacts not only the founder's future but also that of the loyal staff. This incident reiterates the message that, irrespective of how big or small a company is, one that lacks a sound Fraud Management Strategy and a Fraud Monitoring System that supports a hotlist of IPR Test Numbers will be an easy target for fraudsters. And like this MVNO, the consequences could be devastating.

For further information on controlling IRSF Fraud, please write to
