Recommended fraud mitigation best practices for Bandwidth customers
Customer Obligations/Disclaimer
Bandwidth provides these Recommended Fraud Mitigation Best Practices (“Fraud Best Practices”) to help its customers reduce fraud by taking measures to protect themselves and the networks connected to Bandwidth. Neither Bandwidth's provision of these Fraud Best Practices nor anything included in these Fraud Best Practices alters any customer's contractual obligation to manage its network and its end users.
Overview
This document is intended to help Bandwidth Customers to reduce their fraud attack surface and help them take measures to protect themselves, including their connections to Bandwidth. This document is not all-inclusive and can’t guarantee that the recommended best practices will stop all fraud. The intent is to provide a framework our customers can use toward the prevention and mitigation of fraudulent events and to lessen the risk associated with all types of telecommunications fraud.
Types of Fraudulent Traffic To Be Concerned About
The term “Fraud” typically relates to the practice of illegally extorting money, personal information, financial information, security credentials etc. The term “fraudulent traffic” also describes a wide range of devious telecommunications behaviors that are used to impersonate and mask identities with the intent to steal or harm.
Bandwidth considers the following types of voice calling and text messaging as fraudulent traffic:
- Traffic deemed invalid (per FCC rules)
- Traffic sent with intent to steal or harm
- Traffic sent with the intent to harm through impersonating or masquerading identities
Bandwidth reserves the right to protect itself and its networks by stopping fraudulent traffic from traversing its networks. Bandwidth’s customers who send traffic that the telecommunications industry, government authorities, and Bandwidth consider to be fraudulent, are at risk of having their traffic it blocked - either by Bandwidth or any downstream service provider.
The following specific types of illegal activities also violate Bandwidth’s Acceptable-Use Policies (AUP).
- Unlawful Robocalls (North America)
- Domestic Toll Fraud/Traffic Pumping
- International Toll Fraud/IRSF
- Toll Free Traffic Pumping (North America)
- Phishing Scams (IRS, SSA, Vacations, Student Loans etc.)
- Text messaging SPAM
Unlawful Robocalls (Within North America)
In November 2017, the Federal Communication Commission (FCC) issued a report and order that described a number of specific types of robocalls considered to be unlawful. Further, in May 2019, the FCC released a declaratory ruling that gives service providers leeway to block unlawful robocalls at the network level by default, with the intent of preventing unlawful calls from reaching the general population in the first instance. The types of robocalls the FCC has specifically determined to be unlawful are calls made with:
- Invalid ANI/FROM telephone numbers (TNs)
- Unallocated ANI/FROM TNs
- Blank or alpha-numeric characters in ANI/FROM TNs
- Telephone numbers on the Do Not Originate (DNO) List(s)
Here are the best practices that customers can follow to prevent the flow of unlawful robocalls from their network toward Bandwidth:
BWFBP100 |
|
BWFBP101 |
|
BWFBP102 |
|
BWFBP103 |
|
Domestic Toll Fraud/Traffic Pumping
Delivering phone calls to all areas of North America doesn’t cost the same for each area. Marketplace dynamics dictate that supporting remote or lightly populated markets is generally more expensive than more densely populated cities.
The intercarrier compensation regime that applies to connected carriers that exchange traffic in the higher cost areas allow for the billing of access charges for calls to and from these more rural destinations.Thus, it’s much more expensive to deliver calls to areas like rural Iowa, as opposed to Des Moines or Cedar Rapids, IA. Bad actors know this and will frequently turn-up automated phone-answering systems to generate traffic in these expensive areas.Then, they advertise through social media, websites, texts and emails to generate calls into these automated phone-answering systems.
The fraud schemes that arise in such scenarios are a function of intermediate service providers being billed higher call handling (access) charges, which subsequently contribute to the fraudulent payments to bad actors.Traffic pumping of this sort is typically robotically dialed, lasts over 15-30 minutes and is connected into automated systems that provide little or no value to the caller. Many of these calls complete into systems that return dead-air, barking dogs, ‘press 1 to continue’ loops, chat lines, recorded messages that never end, and in many cases, loud screeching tones.
The most common ways for bad actors to exploit high-cost traffic pumping is to acquire phone numbers from the local exchange phone company, stand-up fraudulent systems in an unknowing service provider’s colocation or cloud data centers, and then launch campaigns on social media to entice people to dial these recently acquired local numbers by the hundreds and asking them to leave the calls up, once connected. A nefarious service provider in the money chain will overcharge reputable carriers exaggerated access charges and give a portion of these charges to bad actors.
Here are the best practices that customers can follow to prevent the flow of Domestic Toll Fraud/Traffic Pumping from their network toward Bandwidth:
BWFBP104 |
|
BWFBP105 |
|
International Toll Fraud/International Revenue Share Fraud (IRSF)
Similar to domestic toll fraud, international toll fraud is perpetrated by bad actors exploiting parts of the world that are extremely expensive to deliver phone calls to. This type of fraud is called International Revenue Share Fraud (IRSF) because oftentimes, nefarious/fraudulent companies acquire expensive international phone numbers and sell them to anyone who’ll pay money for them.
These phone dealers are often referred to as International Premium Rate Number Providers (IPRN), who often buy cheap, low-cost circuit connections to reputable carriers, so they can get paid for calls that terminate on the phone numbers that they have acquired. Bad actors buy expensive international phone numbers from the IPRNs and have their people (lieutenants) robo-dial calls to these phone numbers.
The payment chain begins when the calls are placed from a location in the U.S. The remainder of the money chain includes all intermediate service providers that have to pay their upstream provider partners to handle these international calls. Eventually, the IPRN companies get a ‘cut’ of the charges to complete these calls, because they’re the “holders” of the fraudulent phone numbers in the first place. The diagram below shows the typical money flow and how IRSF can be perpetrated.
Typical Money Flow of IRSF
IRSF Fraud can take on many forms and cost innocent, unknowing victims a lot of money. Many times bad actors “hack” into PBXs, IP-PBXs, Cloud-phone systems and enterprise phone systems, and enable outbound international calling. Once this hack occurs and outbound international calling is fraudulently enabled, the bad actors proceed to dial-out to extremely expensive international phone numbers in countries all over the globe. This, in turn, costs all intermediate service providers, as well as the innocent victim, who'll most likely receive an expensive bill in the next 30 days.
Here are the best practices that customers can follow to prevent the flow of International Toll Fraud/IRSF from their network toward Bandwidth:
BWFBP106 |
|
BWFBP107 |
|
BWFBP108 |
|
BWFBP109 |
|
BWFBP110 |
|
BWFBP111 |
|
Toll-Free Traffic Pumping (Within North America)
In North America, businesses, individuals, and non-profits often buy the right to use a toll-free (8XX) telephone number to allow legitimate customers call them free of charge. They instead agree to pay their long-distance service provider to receive these “wanted” incoming calls. Unfortunately, bad actors have found ways to exploit the intercarrier compensation regime that applies to these toll-free phone numbers and use robotically dialed fraudulent calls with the intent to harm legitimate businesses, individuals, or non-profits by making them pay inflated charges for unwanted/illegitimate toll-free inbound calls.
Here are the best practices that customers can follow to prevent the flow of toll-free Traffic Pumping from their network toward Bandwidth:
BWFBP112 |
|
BWFBP113 |
|
BWFBP114 |
|
BWFBP115 |
|
BWFBP116 |
|
BWFBP117 |
|
Phishing Scams (IRS, SSA, Vacations, Student Loans etc.)
There are companies out there that have product teams, engineering teams, and even billing teams that exist solely for the purpose of defrauding innocent victims of money, information, and credentials. These companies are involved in some of the most widespread phishing and extortion scams across the world. Some of the more commonly known scams include the IRS scam, the Social Security scam, the computer/PC repair scam, the student loan and vacation scams. Most of these scams involve victims paying the bad actors with Apple iTunes cards, Bitcoin and various other gift cards that are very difficult to track or recoup the value of..
Here are the best practices, that customers can follow to prevent the flow of Phishing Scam calls from their network toward Bandwidth:
BWFBP118 |
|
BWFBP119 |
|
BWFBP120 |
|
BWFBP121 |
|
BWFBP122 |
|
Text Messaging SPAM
Text messaging is a very convenient mode of simple and fast communication. Messages sent out via public networks to end users are required to comply with all relevant laws and regulations, including but not limited to the Telephone Consumer Protection Act (TCPA).
Unfortunately, bad actors can also leverage these technological capabilities to commit crimes by defrauding, impersonating, and extorting innocent victims. The text messaging industry generally operates in a more lightly regulated environment than voice calling does, so text messaging service providers must be that much more vigilant on fraud prevention and mitigation best practices.
At the outset, it’s important to understand the differences between Person-to-Person text messaging (P2P) and Application-to-Person text messaging (A2P).
Consumer (P2P) Messaging
P2P (Person-to-Person) is defined as two-way messaging. Typically, this is the conventional conversational two-way SMS or MMS messaging between individuals. From CTIA best practices: "Consumer (P2P) messaging is sent by a Consumer to one or more Consumers and is consistent with typical Consumer operation (i.e., message exchanges are consistent with conversational messaging among Consumers)."
Attributes of Typical Consumer Operation
- Throughput: 15 to 60 messages per minute. A Consumer is typically not able to originate or receive more than about one message per second.
- Volume: 1,000 per day. Only in unusual cases do Consumers send or receive more than a few hundred messages a day. A Consumer can't typically send or receive messages continuously over a long period of time.
- Unique Sender: 1 telephone number assigned to or utilized by a single Consumer. A single Consumer typically originates messages from a single telephone number.
- Unique Recipients: 100 distinct recipients/telephone numbers per message. A Consumer typically sends messages to a limited number of recipients (e.g., 10 unique recipients).
- Balance: 1:1 ratio of outgoing to incoming messages per telephone number with some latitude in either direction. Consumer messages are typically conversational. An incoming message typically generates a response from the recipient.
- Repetition: 25 Repetitive Messages. Consumer messages are uniquely originated or chosenat the direction of the Consumer to unique recipients. Typical Consumer behavior is not to send essentially or substantially repetitive messages.
Consumer (P2P) Messaging Automation
Some Consumers utilize automation to assist in responding to communications. For example, a Consumer may direct their messaging service to auto-reply to a phone call in order to inform the caller about the Consumer’s status (e.g., “I’m busy” or “Driving now, can’t talk”). Such use of automation to assist Consumers in their composition and sending of messages falls within the attributes of typical Consumer operation. In contrast, the use of automation, in whole or in part, by Non-Consumers to facilitate messaging is not a typical Consumer operation.
Non-Consumer (A2P) Messaging
A2P (Application-to-Person) is one-way SMS to which recipients aren’t expected to reply. Typically this represents high-volume messaging between businesses and individuals. Some common examples are a logistics company sending delivery statuses and notifications, a dentist’s office sending one-way alerts and reminders, or a financial institution sending PIN codes to individuals either using short codes or long codes.
Non-Consumer (A2P) message traffic includes, but isn't limited to, messaging to and from large-to-small businesses, entities, and organizations. For example, Non-Consumer (A2P) messages may include messages sent to multiple Consumers from businesses or their agents, messages exchanged with customer service response centers, service alerts and notifications (e.g., fraud, airline), and machine-to-machine communications. Non-Consumer (A2P) Message Senders may also include financial service providers, schools, medical practices, customer service entities, non-profit organizations, and political campaigns. Specifically, such Message Senders should adhere to the Non-Consumer (A2P) Best Practices, described in the CTIA Messaging Best Practices.
Non-Consumer (A2P) message traffic includes all messaging traffic that is automated, in whole or in part, but isn’t described as Consumer (P2P) messaging automation. If Consumer (P2P) messaging traffic is operating in a manner inconsistent with typical Consumer operation, such traffic may be filtered or subject to a Service Provider’s Unwanted Messaging threat mitigation efforts consistent with a Service Provider’s individual messaging service terms and conditions.
The one SMS/number/second message limits imposed in the guidelines for P2P messaging don’t apply to A2P messaging services. The use of an A2P text messaging service requires formal approval by Bandwidth (and potentially carriers, depending on the use case and the company generating outbound traffic).
The major difference between the current P2P service that Bandwidth offers today on U.S. and Canadian local 10-digit phone numbers, and the A2P Messaging service using toll-free numbers is that A2P formally allows TCPA compliant and opted-in use cases for many application-to-person use cases, such as alerts, PIN codes, requested marketing, and automated high-volume interactions between business/government and consumers.
Unwanted Messages
Protecting consumers from unwanted messages, particularly from high-volume messaging traffic, is a key consensus-based goal among messaging ecosystem stakeholders.
Unwanted Messages (or Unwanted Messaging) may include:
- Unsolicited bulk commercial messages (i.e., spam)
- “Phishing” messages intended to access private or confidential information through deception
- Messages that required an opt-in but didn’t obtain it (or had it revoked)
- Unwanted content, including other forms of abusive, harmful, malicious, unlawful or otherwise inappropriate messages
We recommend customers to follow best practices for Toll-Free (A2P) messaging and the CTIA messaging principles and best practices, as well as check out the CTIA Short Code Monitoring Handbook. Though this handbook is about text messaging short codes, the same basic principles and rules apply. We also recommend customers follow these additional industry sanctioned Short Code guidelines.
Here are the best practices that customers can follow to prevent the flow of Text Messaging SPAM from their network toward Bandwidth. This type of SPAM traffic runs the risk of being BLOCKED by either Bandwidth or by a downstream provider:
BWFBP123 |
Never send text messaging content that is related to S.H.A.F.T.:
Text messages with content that’s directly or remotely related to these categories will most likely be blocked as SPAM by either Bandwidth and/or one or more Tier 1 Mobile Network/Handset operators in the U.S. |
BWFBP124 |
GET CONSENT FROM YOUR USERS Make sure users explicitly say they want messages from you.
|
BWFBP125 |
DON’T USE PUBLICLY AVAILABLE URL SHORTENERS.
|
BWFBP126 |
|
BWFBP127 |
PROCESSING STOP KEYWORDS Be sure your users can opt out of receiving messages.
|
BWFBP128 |
PROCESSING UNSTOP AND START KEYWORDS Allowing users to opt back in after opting out at the network level (Note: this is available on toll-free numbers only).
|
BWFBP129 |
ONLY USE A SINGLE NUMBER FOR CAMPAIGNS Don’t spread your campaigns over several numbers.
|
BWFBP130 |
IDENTIFY YOUR BRAND Include your company name in the messages you send.
|
BWFBP131 |
USE A SINGLE DOMAIN FOR URLS IN YOUR MESSAGES Any campaign URLs should be from a single, specific domain.
|
Good Cyber Hygiene
In today’s telecom environment, the same servers and computing hardware used for websites and databases are also used for IP-PBXs, voicemail systems, call-center platforms and Interactive Voice Response (IVR). These servers typically operate with Windows and/or Linux (CentOS, RHEL) operating systems, which continue to be exploited by hackers and fraudsters everyday. For this reason, it’s extremely important to exercise good cyber hygiene (i.e., good cybersecurity best practices,) in order to protect your systems from being hacked, breached, or exploited for fraudulent phone calling all over the world.
Customer Premise Equipment (CPE)
The following suggested best practices are drawn from industry-wide sanctioned practices, as well as Bandwidth-approved actions that can help secure your communications systems.
Often referred to as Customer Premise Equipment (CPE), servers and their connection to IP networks and the internet represent your single most vulnerable point of fraudulent entry. It’s critical for you to take all necessary and practical measures to secure these customer-owned systems, so you can reduce your attack surface and slow/prevent the perpetration of telecom fraud.
It’s important to keep in mind that there are no guarantees to preventing all telecom fraud. The criminals who perpetrate telecommunications fraud, in its numerous forms, are always working to circumvent countermeasures and security features that enterprises may deploy.
Implementing some and/or all of the listed suggested best practices to secure your CPE can dramatically reduce your exposure to several types of telecom fraud.
Best Practices for Securing Your CPE
Since most local VoIP systems (PBX, IP PBX, Call Managers), voicemail systems, and enterprise grade Session Border Controllers (SBCs) are built on off-the-shelf computing platforms (i.e., Linux servers), we recommend that you exercise Linux and IP network cybersecurity best practices. Implement a company-wide security plan that includes instituting policies on call restrictions, leveraging call blocking, creating processes around closing customer accounts or unused services, utilizing password best practices, actively managing voicemails, and reporting anomalies. Educate all of your employees on the established security plans.
Here are the best practices you and your employees can follow to secure your CPE:
BWFBP132 |
Back-up your systems fully and often
|
BWFBP133 |
Review and utilize traffic data
|
BWFBP134 |
Secure your Voicemail (VM) Systems
|
BWFBP135 |
PBX management
|
BWFBP136 |
Consider adding time of day/day of week call handling
|
BWFBP137 |
Set-up a SIP-based firewall within your IP/PBX systems
|
BWFBP138 |
Disable DISA (Direct Inward System Access)
|
BWFBP139 |
Disable ALL IP ports not currently in use
|
BWFBP140 |
Utilize enterprise-grade Session Border Controllers (SBCs)
|
User Management Tips for Securing Your Users (UAs, Handsets, Remote Users)
BWFBP141 |
Improve security through rate limiting login attempts
|
BWFBP142 |
Monitor for and block account scanners
|
BWFBP143 |
Block/filter traffic from suspicious IP addresses
|
BWFBP144 |
Monitor for and disable or remove fake accounts and account sign-ups
|
BWFBP145 |
Install security software applications on all of your voice processing systems
|
General Best Practices for Working with Bandwidth
BWFBP147 |
Develop a Fraud-Contact distribution email address list. This will allow Bandwidth to contact more than one person at your company about fraudulent events or behaviors. You’ll need to manage the distro list, as your staff changes. |
BWFBP148 |
Update all “fraud” contacts every 6 months within your account and reach out to your Bandwidth Support Team to alert them that you made edits/changes. |
BWFBP149 |
Any/All Fraud-Contact distribution email address lists provided to Bandwidth must reach people that are on-duty or on-call, in a way that allows Bandwidth to communicate with someone regarding fraud events 24 hours a day, 7 days a week, 365 days a year (24X7X365). |
BWFBP150 |
Any/All Fraud-Contact distribution phone number lists provided to Bandwidth must reach people that are on-duty or on-call, in a way that allows Bandwidth to communicate with someone regarding fraud events 24 hours a day, 7 days a week, 365 days a year (24X7X365). |
BWFBP151 |
Any/All Fraud-Contact distribution lists provided to Bandwidth must reach people that are technically capable of mitigating fraudulent events on your network. |
BWFBP152 |
Any/All Fraud-Contact distribution lists provided to Bandwidth must reach people that are authorized to make network decisions, such as blocking fraudulent traffic, disabling fraudulent international calling, and/or accepting “Fraud” charges, as spelled out in your Bandwidth Master Service Agreement - Contract. |
BWFBP153 |
If you need to reach the Bandwidth Fraud Mitigation Team, you can contact us in any of the following ways:
|
Recommended Fraud Mitigation Best Practices FAQ
We’re building internal fraud policies for fraud mitigation. Can Bandwidth provide area codes for known high-cost areas in North America?
Unfortunately, Bandwidth can’t provide a list of high-cost areas in North America for several reasons:
- The cost to deliver traffic to various parts of the U.S. changes every day. Therefore, what may be considered “high-cost” today, may not be high-cost tomorrow.
- Federal regulations require carriers to deliver valid traffic to every part of the U.S, and specifically to rural calling areas. Although Bandwidth periodically detects fraudulent traffic to various NPA-NXXs in the U.S., that doesn’t mean that the whole NPA-NXX is fraudulent or that all calls to “high cost” areas are fraudulent. Bandwidth can’t provide you with legal advice, so it’s incumbent upon you to seek your own legal guidance and develop your own specific fraud mitigation policies and traffic blocking rules in keeping with such guidance.
How did [this fraudulent event] happen?
Generally speaking, Bandwidth doesn’t have visibility to the end points in your network. Therefore, we can’t definitively say how fraudulent traffic was generated. However, there are several common methods used to “hack” into vulnerable systems and services, which are outlined in our Recommended Fraud Mitigation Best Practices. While this list of methods isn’t exhaustive, it does indicate several ways in which toll fraud can be attempted against your network. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly.
How do I stop fraudulent traffic coming from my network from reaching Bandwidth?
The first step is to secure your systems (#SYS). Take all practical measures to prevent unauthorized external and internal access to your systems, by managing your system passwords and changing them often. Limit who can access your systems, and implement as many of the Recommended Fraud Mitigation Best Practices as possible. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly.
Please keep in mind that Bandwidth monitors for, detects, and mitigates fraudulent traffic to protect its own networks and its customers. Per your contractual obligations with Bandwidth, you’re responsible for managing your traffic, detecting fraudulent activity, and stopping it on your networks, before it reaches Bandwidth.
Can Bandwidth protect me from all fraudulent traffic?
Unfortunately not. Since Bandwidth doesn’t manage your customers’ communications, nor has a direct visibility into your affected customers’ networks, equipment, and systems, Bandwidth isn’t in a position to stop fraudulent traffic that may emanate from your network through compromised systems and end-users. Please keep in mind that Bandwidth monitors for, detects, and mitigates fraudulent traffic to protect its own networks and customers. Per your contractual obligations with Bandwidth, you’re responsible for managing your traffic, detecting fraudulent activity, and stopping it on your networks, before it reaches Bandwidth. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly.
How did Bandwidth let [this fraudulent event] happen?
Bandwidth monitors for, detects, and mitigates fraudulent traffic to protect its own networks and its customers. Per your contractual obligations with Bandwidth, you’re responsible for managing your traffic, detecting fraudulent activity, and stopping it on your networks, before it reaches Bandwidth. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly. We also ask that you cooperate with us, so we can help identify instances of fraud and be able to better assist you with your fraud prevention objectives in the future.
Bandwidth alerts its customers of suspicious traffic behaviors as a courtesy, in order to allow you time to secure any vulnerabilities, block fraudulent traffic, and mitigate possible hacks or unauthorized access to your, or your customers' systems.
Can Bandwidth secure my customers?
No. Since Bandwidth doesn’t manage your customers’ communications, nor has a direct visibility into your affected customers’ networks, equipment, and systems, Bandwidth isn’t in a position to stop fraudulent traffic that may emanate from your network through compromised systems and end-users. Please keep in mind that Bandwidth monitors for, detects, and mitigates fraudulent traffic to protect its own networks and its customers. Per your contractual obligations with Bandwidth, you’re responsible for managing your traffic, detecting fraudulent activity, and stopping it on your networks, before it reaches Bandwidth. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly.
Article is closed for comments.