Recommended voice fraud mitigation best practices


Stephen Thayer


Customer obligations/disclaimer      

Bandwidth provides Recommended Fraud Mitigation Best Practices (“Fraud Best Practices”) to help its customers reduce fraud by taking measures to protect themselves and the networks connected to Bandwidth. Neither Bandwidth's provision of these Fraud Best Practices nor anything included in these Fraud Best Practices alters any customer's contractual obligation to manage its network and its end users.


This article is part of the Recommended Fraud Mitigation Best Practices intended to help Bandwidth Customers to reduce their fraud attack surface and help them take measures to protect themselves, including their connections to Bandwidth. This document is not all-inclusive and can’t guarantee that the recommended best practices will stop all fraud. The intent is to provide a framework our customers can use toward the prevention and mitigation of fraudulent events and to lessen the risk associated with all types of telecommunications fraud.

Types of fraudulent traffic to be concerned about

The term “Fraud” typically relates to the practice of illegally extorting money, personal information, financial information, security credentials etc. The term “fraudulent traffic” also describes a wide range of devious telecommunications behaviors that are used to impersonate and mask identities with the intent to steal or harm.

Bandwidth considers the following types of voice calling and text messaging as fraudulent traffic:

  1. Traffic deemed invalid (per FCC rules) 
  2. Traffic sent with intent to steal or harm 
  3. Traffic sent with the intent to harm through impersonating or masquerading identities 

Bandwidth reserves the right to protect itself and its networks by stopping fraudulent traffic from traversing its networks. Bandwidth’s customers who send traffic that the telecommunications industry, government authorities, and Bandwidth consider to be fraudulent, are at risk of having their traffic it blocked - either by Bandwidth or any downstream service provider.

The following specific types of illegal activities also violate Bandwidth’s Acceptable-Use Policies (AUP).

  • Unlawful Robocalls (North America)
  • Domestic Toll Fraud/Traffic Pumping
  • International Toll Fraud/IRSF
  • Toll Free Traffic Pumping (North America)
  • Phishing Scams (IRS, SSA, Vacations, Student Loans etc.)
  • Text messaging SPAM

Unlawful robocalls (within North America)

In November 2017, the Federal Communication Commission (FCC) issued a report and order that described a number of specific types of robocalls considered to be unlawful. Further, in May 2019, the FCC released a declaratory ruling that gives service providers leeway to block  unlawful robocalls at the network level by default, with the intent of preventing unlawful calls from reaching the general population in the first instance. The types of robocalls the FCC has specifically determined to be unlawful are calls made with:

  • Invalid ANI/FROM telephone numbers (TNs)
  • Unallocated ANI/FROM TNs
  • Blank or alpha-numeric characters in ANI/FROM TNs
  • Telephone numbers on the Do Not Originate (DNO) List(s)

Here are the best practices that customers can follow to prevent the flow of unlawful robocalls from their network toward Bandwidth:


Make sure all of your voice calling traffic contains good/valid telephone numbers in the ANI/FROM fields. See the definitions of the various types of ANI/FROM fields below. Ensure that all of your calls toward Bandwidth meet the following “VALID” criteria.

  • VALID: A valid NPA-NXX-XXXX in the NANP
  • UNALLOCATED: A valid NPA NXX XXXX in the NANP, but NOT assigned either to a carrieror in the LERG 
  • INVALID NUMBER: A complete telephone number (TN) that is NOT VALID, but of the correct format [2-9][0-9][0-9] [2-9][0-9][0-9] [0-9][0-9][0-9][0-9] (i.e. 10 digits in length, 1st and 4th are [2-9] all others are [0-9])
  • INVALID DIGITS: The calling party number is numeric, but doesn’t fit into a category defined above (all 1's, partial entry <10 digits, etc.)
  • 8YY: The calling party number is an 8YY number
  • 911: The calling party number is 911
  • 411: The calling party number is 411
  • N11: The calling party number is any of N11 number besides 911 or 411
  • 555: The NXX is 555
  • ALPHA: The calling party number has 'alpha' characters that are random or the word ANONYMOUS in it
  • EMPTY: There’s no calling party number present


Make sure that calls from your network or from your customer’s never have ANI/FROM phone numbers that fall into the UNALLOCATED, INVALID, N11, Alpha or Empty ANI categories. Please be aware that if any of these types of calls leave your network and are sent toward Bandwidth, you run the risk of these calls being BLOCKED by Bandwidth or another downstream service provider.


Review your customer use cases and discourage short-duration (<15 seconds) calling. Short duration calls raise flags on most service provider networks and may lead to Call Blocking per the FCC guidelines.


If you receive voice traffic that falls into the FCC’s ‘unlawful’ categories, please take measures to detect, mitigate, block, and educate your customers to cease sending these types of calls.

Domestic toll fraud/traffic pumping

Delivering phone calls to all areas of North America doesn’t cost the same for each area. Marketplace dynamics dictate that supporting remote or lightly populated markets is generally more expensive  than more densely populated cities.

The intercarrier compensation regime that applies to connected carriers that exchange traffic in the higher cost areas allow for the billing of access charges for calls to and from these more rural destinations.Thus, it’s much more expensive to deliver calls to areas like rural Iowa, as opposed to Des Moines or Cedar Rapids, IA. Bad actors know this and will frequently turn-up automated phone-answering systems to generate traffic in these expensive areas.Then, they advertise through social media, websites, texts and emails to generate calls into these automated phone-answering systems.

The fraud schemes that arise in such scenarios are a function of intermediate service providers being billed higher call handling (access) charges, which subsequently contribute to the fraudulent payments to bad actors.Traffic pumping of this sort is typically robotically dialed, lasts over 15-30 minutes and is connected into automated systems that provide little or no value to the caller. Many of these calls complete into systems that return dead-air, barking dogs, ‘press 1 to continue’ loops, chat lines, recorded messages that never end, and in many cases, loud screeching tones. 

The most common ways for bad actors to exploit high-cost traffic pumping is to acquire phone numbers from the local exchange phone company, stand-up fraudulent systems in an unknowing service provider’s colocation or cloud data centers, and then launch campaigns on social media to entice people to dial these recently acquired local numbers by the hundreds and asking them to leave the calls up, once connected. A nefarious service provider in the money chain will overcharge reputable carriers exaggerated access charges and give a portion of these charges to bad actors.

Here are the best practices that customers can follow to prevent the flow of Domestic Toll Fraud/Traffic Pumping from their network toward Bandwidth:


Set up detection alarms on yours and your customer’s traffic to alert you on numerous, robotically dialed calls made to known high-cost areas of North America. These areas include but aren’t limited to rural Iowa, rural South Dakota, and rural Massachusetts. Look at the NPAs, compare the rates within your typical rate decks, and either convince your customers to stop sending this kind of traffic to you, or block this kind of traffic from terversing your network. Bandwidth may also be monitoring for this type of traffic and typically alerts its customers upon detection.


Educate your customers on this type of fraud and encourage them to prevent, detect, and mitigate such fraudulent Domestic Toll Fraud traffic before it reaches your network.

International toll fraud/International Revenue Share Fraud (IRSF)

Similar to domestic toll fraud, international toll fraud is perpetrated by bad actors exploiting parts of the world that are extremely expensive to deliver phone calls to. This type of fraud is called International Revenue Share Fraud (IRSF) because oftentimes, nefarious/fraudulent companies acquire expensive international phone numbers and sell them to anyone who’ll pay money for them. 

These phone dealers are often referred to as International Premium Rate Number Providers (IPRN), who often buy cheap, low-cost circuit connections to reputable carriers, so they can get paid for calls that terminate on the phone numbers that they have acquired. Bad actors buy expensive international phone numbers from the IPRNs and have their people (lieutenants) robo-dial calls to these phone numbers. 

The payment chain begins when the calls are placed from a location in the U.S. The remainder of the money chain includes all intermediate service providers that have to pay their upstream provider partners to handle these international calls. Eventually, the IPRN companies get a ‘cut’ of the charges to complete these calls, because they’re the “holders” of the fraudulent phone numbers in the first place. The diagram below shows the typical money flow and how IRSF can be perpetrated.

Typical money flow of IRSF 

IRSF Fraud can take on many forms and cost innocent, unknowing victims a lot of money. Many times bad actors “hack” into PBXs, IP-PBXs, Cloud-phone systems and enterprise phone systems, and enable outbound international calling. Once this hack occurs and outbound international calling is fraudulently enabled, the bad actors proceed to dial-out to extremely expensive international phone numbers in countries all over the globe. This, in turn, costs all intermediate service providers, as well as the innocent victim, who'll most likely receive an expensive bill in the next 30 days.

Here are the best practices that customers can follow to prevent the flow of International Toll Fraud/IRSF from their network toward Bandwidth:


Consider MANDATING the use of an authorization code, or PIN, that must be used by customers, employees, and end-users before placing international calls. 


As end-users attempt to make international calls through your network, ensure that their account code, authorization code, or PIN is accurately and securely VERIFIED before they are allowed to make international calls.


Determine which countries, your platform specifically supports calling to, and then restrict calling to all the remaining countries. Limit international dialing to only authorized customers, employees, and end-users who require it. Restrict all others.


Consider blocking the following frequently “Fraudulent” countries in your systems, your network and in your customer’s systems:

  • AC Ascension Islands 247
  • AG Antigua/Barbuda 268
  • AI Anguilla 264
  • AS American Samoa 684
  • BB Barbados 246
  • BM Bermuda 441
  • BS Bahamas 242
  • CD Democratic Republic of the Congo 243
  • CF Central African Republic 236
  • CG Congo 242
  • CZ Czech Republic 240
  • DM Dominica 767
  • DO Dominican Republic 809 829 849
  • GD Grenada 473
  • GQ Equatorial Guinea 240
  • GU Guam 671
  • HT Haiti 509
  • JM Jamaica 876
  • KN St. Kitts & Nevis 869
  • KY Cayman Islands 345
  • LC St. Lucia 758
  • LT Lithuania 370
  • MA Morocco 212
  • MF St Martin 590
  • MP Northern Mariana Islands 670
  • MS Montserrat 664
  • MV Maldives 960
  • PK Pakistan 92
  • PW Palau 680
  • SC Seychelles 248
  • SX Sint Maarten 721
  • TC Turks and Caicos Islands 649
  • TD Chad 235
  • TN Tunisia 216
  • TT Trinidad and Tobago 868
  • UG Uganda 256
  • VC Saint Vincent and the Grenadines 784
  • VG British Virgin Islands 284
  • VI U.S. Virgin Islands 340
  • SL Sierra Leone 232
  • SD Sudan   249
  • LR Liberia 231
  • LV Latvia 371


Look for large volumes of SIP 487 response codes in short periods of time on your network. Using something known as “Hyper-duration robocalls”, bad actors typically “probe” networks looking for cracks in the network that will allow completed international calls. During these “hyper-duration” storms, bad actors typically launch large volumes of SIP INVITE messages in a short period of time (thousands of INVITE messages within 5 mins or less), followed very rapidly by SIP HANGUP (487) messages. 

It’s important to note that call attempts that don’t complete, don’t necessarily equal unsuccessful calls. All rapid-fire attempts/hangups in a short period of time should be considered a red flag for possible fraudulent activities in the near future.

When you see more than an average of about 60 SIP 487 messages per hour, look at your traffic for fraudulent activity and calls to fraudulent destinations. If you discover suspicious/fraudulent behaviors, take measures to block/prevent future attempts of these types of international calls from reaching Bandwidth.


Ensure that passwords to your company’s network equipment are unique to each unit of equipment, contain random characters, made random in length, and are NOT the passwords that were pre-configured at the time of purchase/installation. These passwords must be changed often and only shared with personnel authorized to make changes to your network equipment. Zero-knowledge password managers are highly recommended.

Toll-free traffic pumping (within North America)

In North America, businesses, individuals, and non-profits often buy the right to use a toll-free (8XX) telephone number to allow legitimate customers call them free of charge. They instead agree to pay their long-distance service provider to receive these “wanted” incoming calls.  Unfortunately, bad actors have found ways to exploit the intercarrier compensation regime that applies to these toll-free phone numbers and use robotically dialed fraudulent calls with the intent to harm legitimate businesses, individuals, or non-profits by making them pay inflated charges for unwanted/illegitimate toll-free inbound calls.

Here are the best practices that customers can follow to prevent the flow of toll-free Traffic Pumping from their network toward Bandwidth:


When acquiring toll-free (TF) phone numbers from Bandwidth, put them in an “aging” database and don’t place them into service until you need to assign them to your customer(s). If these TF phone numbers aren’t in service, they can’t and “should not” receive fraudulent/unwanted inbound calls from bad actors.


When holding/aging TF phone numbers from Bandwidth, monitor inbound call attempts to this TF phone number as a way of verifying if a TF number is "clean" while it’s out of service. If you receive many unwanted/unsolicited inbound calls to this TF phone number while it’s not in service, notify the Bandwidth Fraud Mitigation Team immediately at and alert them of the suspicious traffic.


If you need to offer a toll-free phone number for your services, use a pool of toll-free numbers and cycle through them when placing them into use. An example of this use case would be to use a different toll-free number from a pool of numbers for every new conference call, in a conference calling service. This prevents bad actors from focusing on and exploiting a single toll-free number .


Alert Bandwidth’s Fraud Mitigation Team and SOMOS of any new Toll-Free Fraudulent calls/events and we’ll engage an industry Toll-Free Fraud Traceback Group that will conduct tracebacks to discover the source(s) and provide information directly to law enforcement.


Refrain from advertising TF numbers publicly via websites/email/social media. This type of communication can be seen by bad actors and lead to unwanted inbound traffic to TF phone numbers. This type of toll-free fraud is often seen in instances where TF phone numbers are used and publicly advertised to access conference bridges.


If a toll-free phone number must be used to access your services, implement a “pool” of many TF phone numbers and rotate/cycle through it to keep bad actors guessing.

Phishing scams (IRS, SSA, vacations, student loans etc.)

There are companies out there that have product teams, engineering teams, and even billing teams that exist solely for the purpose of defrauding innocent victims of money, information, and credentials. These companies are involved in some of the most widespread phishing and extortion scams across the world. Some of the more commonly known scams include the IRS scam, the Social Security scam, the computer/PC repair scam, the student loan and vacation scams. Most of these scams involve victims paying the bad actors with Apple iTunes cards, Bitcoin and various other gift cards that are very difficult to track or recoup the value of..

Here are the best practices, that customers can follow to prevent the flow of Phishing Scam calls from their network toward Bandwidth:


Use data analytics to map customers’ sign-up information with valid/legitimate addresses, credit card accounts, email addresses, and phone numbers. Keep track of suspicious sign-ups and immediately disable/disconnect fraudulent accounts as they become known.


If phone numbers are disconnected because they were found to be used in a fraudulent manner to perpetrate a phishing scam, DON’T auto-provision phone numbers to the same account.


Sometimes bad actors use “call-forwarding” to evade detection. Oftentimes, they use multiple call forwarding layers to evade detection. If your network or service offering includes a call-forwarding function, be aware of customers who enter large numbers of entries in your call forwarding tables, especially through web page interfaces. Please send all call-forwarding tables/forwarding information that contain Bandwidth phone numbers to


Keep an eye out for accounts that use numerous phone numbers across a large geographic area. Please report all accounts, and account information, that have numerous phone numbers across large geographic areas to


Monitor for and be aware of end users who cycle through phone numbers at higher than normal rates, volumes, and frequencies. This rapid phone number swapping behavior could indicate that they're trying to avoid detection by carriers, law enforcement, and government agencies. The perpetrators of the IRS and Social Security scam calls will typically swap phone numbers at unusual rates to cover their tracks after initial calls are placed and received.

Article is closed for comments.