FRAUD: False Answer Supervision (FAS)

INTRODUCTION

According to the Global Leaders Forum (2018), fraudulent traffic is estimated to cost the international wholesale carrier industry $17 billion annually.  On the forefront of problems is that the sources of fraud continue to change, making them difficult to remediate. One of the major types of fraud is FAS – False Answer Supervision.

When queried, 12% of respondents indicated an increase over the past year, whereas 65% stated that FAS amounts had remained at constant levels. Carriers who reported stable or increasing volumes of this type of fraud face an unfortunate issue of limited recourse of performing tests or limited ability to test vendors. One carrier noted: “FAS is always an issue because it can happen anywhere on any route and the only thing we can do it to test and use tested vendors.”

FAS is a global industry pandemic with occurrences rapidly increasing within the past few years, with the most significant levels of fraud exhibited in regions with high termination rates and multiple competing suppliers.

WHAT IS FAS?

False Answer Supervision (FAS) refers to VoIP or Telecom fraud, where a caller is incorrectly billed.  This is because the FAS results in the billed duration longer than that of the actual telephone conversation. The FAS is usually performed by VoIP wholesalers in their soft switches for randomly selected calls. Adding a small amount of extra billed seconds for many calls means a big revenue for the VoIP wholesaler. In reality, it is stealing money from the caller.

FALSE ANSWER SUPERVISION FRAUD CALL SCENARIO

Here’s how it works:

1. The subscriber makes a call.
2. The service provider routes the call to its least-cost-routing provider
3. The least-cost routing provider routes the call to a wholesale provider who has been chosen based on its rates to certain high-cost destinations.
4. In most cases, the wholesale provider completes the call, but in some cases, the wholesale provider routes call to the high-cost destination with a false answer — charging for a completed call without ever trying to complete it.

WHY IS IT BAD?

FAS is a fraud perpetrated against consumers, who are then billed for minutes they did not use or calls that were never completed. Fraud has permeated both carriers and enterprises, bleeding billions of dollars annually from the victims. This leads to unhappy customers canceling their service(s) with a carrier, resulting in lost revenue for the carrier due to no fault of their own.  Enterprises feel the sting of the fraud through unexpected, large bills and demands for payment.

Consumer complaints about incorrect billing practices that result in imposed fines on retail carriers, who must allocate money and worker time using customer service resources to resolve billing issues. Additionally, FAS potentially damages brand reputation and overall customer satisfaction, leading to future financial net losses.

WHO USES IT?

The carrier business is extremely competitive: voice products are increasingly commoditized and already thin margins are getting thinner. In an effort to gain an advantage, unscrupulous people attempt to cheat the system through the use of FAS.

Advances in technology enable a greater frequency of attempted attacks, while the average capital loss of each attack has decreased over time. This makes technology a double-edged sword.  It facilitates better data creation, collection, consumption, and speed of response; however, it also creates ever-increasing pathways for new types of fraud, giving fraudsters greater accessibility, scale, and sophistication.

Services also exist to vendors who would exploit false answer supervision to increase their profits. One such service simulates calls to numbers that are out of mobile network coverage and provides false billable airtime to a calling party. This service pretends to be an authentic mobile carrier by playing back real automated mobile carrier service messages while charging the caller.

Example of a FAS Fraud “Business Plan”:

HOW IS IT DONE?

Extra money is stolen by charging the caller a bit more for calls by exploiting the ability to control the “CONNECT” state of the call.  Wholesale transit carriers are able to use FAS to increase profit: exploiting the possibility to mix FAS calls into existing traffic. This tactic slightly degrades the ACD parameter of traffic, while increasing the ASR parameter, allowing the “earning” of extra money from nowhere.

HOW DOES IT WORK?

Fraudsters route the FAS server to your switch. The calls that come to the FAS server will be forwarded to an IVR message, related to the dialed number. The message which is played back will be similar to: “the subscriber you are calling is out of reach, please try to call later”. The fraudulent message is designed to mimic what a caller would receive from the legitimate carrier, to which the dialed number belongs. The call will be billed from initiation, generating billable time, therefore, profit. The overall percentage of fake FAS can be defined either on fraudster’s end, by limiting the number of calls sent to FAS server, or on the server-side, by controlling the number of calls which receive fake FAS and rejecting legitimate calls without forwarding them to the IVR system.

ARE THERE ANY LIMITATIONS?

Yes, generally, it is logically and naturally limited to the mobile carriers, especially SIM-based gateways, as mobile subscribers are more often out of reach with the caller being able to receive a service message instead of real connection. Mobile carriers are less likely to be suspicious of mixed fake FAS calls in their real traffic. It is important to note that a fraudster hypothetically can mix FAS into non-mobile traffic; it is the decision of the fraudster what message is played to the caller and on which carrier they deploy the service.

FAS VARIATIONS

FAS fraud has the potential for deployment in a SoftSwitch in many different ways. Here are the main types of them:

False Billing of Party A Without Calling Party B

Generally consists of a fake ring back tone, loopback audio or voicemail message which is played, thus the caller pays for ringing regardless of whether the distant customer answers or not. Another type of case is known as an invalid answer. Typically, invalid numbers should return 4XX, or 5XX errors, instead of with FAS, these numbers will connect to a variety of audio streams and again the customer will be charged for them.

Let’s look at some scenarios:

Scenario 1:

1. Play a ringback tone one time, do not charge the client.
2. Connect the call, start charging.
3. Play a ringback tone for 20 seconds, do charge the client
4. Connect the call to itself, playback received audio.

Scenario 2:

1. 10% of calls set ring time = 8 seconds
2. 90% of calls set ring time = 40 seconds
3. Then connect the call and play an audio file in repeat.

Scenario3:

1. 10% of calls start billing and play a voicemail message.
2. 90% of calls transfer as normal.

Scenario 4:

1. Play a ringback tone early.
2. Answer call and then play a random audio file from the specified path.
3. Use different ASR for various originator trunks.

Start of Billing Before Actual Answer by Party B

During Post Dial Delay (PDD) or ringing time prior to when the call is answered by the second party.  A “200 OK” response is given to an INVITE request; this starts the billing for the call. However, the audio which is returned is not consistent with a legitimate call. A typical example is continued to ringing, or a recorded message in the effect of: “Hello, hello, are you there, I can’t hear you”.

Scenario:

1. Transfer call, thus creating call leg to Party B.
2. For 10% of calls wait for 3 seconds.
3. Start billing even if the call is not connected to Party B.

Extra billing after disconnection of B-party

Known as a Late Hang-up: after the BYE message is sent, confirming the end of the call, it is expected that the call will stop being charged. This is more common with carriers connecting directly to a provider who adds FAS.

Scenario 1:

1. Transfer call, thus creating call leg to Party B.
2. Wait for Party B to disconnect.
3. For ~10% of calls, generally during the night, don’t disconnect call leg A and add 3 extra seconds.

Scenario 2:

1. Permanently add a max of 10 sec extra billed time.

Scenario 3:

1. Limit the connected duration by ~30 seconds.
2. Keep call leg A connected.
3. Play an IVR file after disconnecting call leg B.
   • Conversely, the call could be transferred to call leg C instead.

NON-INTENTIONAL FAS

Why might FAS legitimately occur? FAS does not always occur under malicious content. This can happen when there is no synchronization between VoIP and PSTN legs of a call on a VoIP-to-PSTN gateway. Causes for such an occurrence could be but are not limited to, equipment malfunction or configuration issues. This manifests in a call reaching the gateway from the VoIP network, where the gateway then attempts to establish a connection with the called number, however, due to an error, it cannot determine the states of the call advertised by the PSTN network: “CALLED PARTY RINGING” or “CALLED PARTY CONNECTED”. Thus, the gateway forces and defaults to the “CONNECT” state which would normally happen immediately after the arrival of the call from the VoIP network or a few seconds thereafter. This means that the gateway itself causes a FAS by connecting the call, resulting in billing, due to its own settings, but not according to the actual call state.

HOW TO RECOGNIZE FAS

FAS is dynamic and inconsistent. One call can be sent perfectly, this can be true for 1000′s of calls. Then, if the same 1000 numbers were dialed again, they could exhibit FAS. This can also be the case for timeframes and/or call volumes. Some FAS occurs when calls are sent over 10 or 50 channels, so it is then only noticeable when production traffic is directed.  It can be even harder to detect proactively, due to the fact that some route vendors only apply fraud-based false answer supervision to a small percentage of traffic or calls. It is possible to detect FAS by placing calls to fake numbers that should not connect and seeing if the calls are billed as connected calls, but this is a reactive form of detection because it is in response to customers complaining about a problem.

Key indicators of FAS are:

1. Short phone calls.
2. A caller which hangs up nearly 100% of the time.
3. High answer seizure ratio.
4. Lower ACD.

ASR/ACD Impact

FAS creates a high volume of short duration calls which lowers the ACD/ALOC (average call duration/average length of call) ratio and raises the ASR (average success rate) due to a bigger than the usual number of connected calls.

Complaints From Customers

Customer noticing abnormalities like those given below is a good indication that a FAS problem exists.

1. Billing times are longer than actual call time.
2. Calls billed even when the called party is out of the coverage area.
3. Calls are billed when the called party is unavailable and the call is directed to a voice mail system.

Testing Over Premium Provider

If any of the above symptoms are encountered while placing international calls, the first diagnostic step is to try placing the call over a Premium route to verify that the issue is present in both routes.

Detecting in the Soft Switch

Customer complaints are wholly inadequate indicators of FAS simply because not every customer complains. Furthermore, this type of fraud tends to occur transiently, often disappearing before fraud prevention can react to the problem, only to reappear at a later date or location in a system operator’s network.  A more proactive form of FAS detection is in a soft switch where it can be blocked.

Common methods are:

1. Manual verification of Call Detail Records.
2. Listening to voice recordings.
3. Use of algorithms which automatically detect FAS.
4. RTP audio signal processing: detection of voice, silence or ring-back tone.

Fraudsters are constantly attempting to stay one step ahead of detection methods.  For example, blended FAS which is perpetrated intelligently by fraudulent suppliers in the network to avoid detection by switching it on and off.  For a probe’s synthetic calls to detect blended FAS, the carrier needs to place several test calls to the same destination from several locations, daily. When blended FAS is occurring in the initial destinations, the OPex rises, making the solution more expensive than the testing.

HOW TO FIGHT IT

While most carriers can identify and remove fraudulent traffic from their networks within six hours, contractual service agreements and fear of mistakenly blocking legitimate traffic add complexities to removing fraudulent traffic. Combating FAS is also significantly hampered by the vast multitude of carriers reselling routes from suppliers, making it nearly impossible to trace the source of the fraud.

Some best practices are to:

1. Inform your upstream carrier.
   1. Some carriers actually can rectify it, however, usually, about 70% of them say they are working on it when in reality, they aren’t.
2. Directly measure FAS levels.
   1. Measure your FAS levels, if you have repeatable FAS of 30% then you know that you will pay a premium on 30% of your calls, then calculate this and take it away from your profit line if you wish to continue using this Supplier.
3. When FAS can be proven, then the CDRs of fraudulent calls can be shown which provides irrefutable evidence that a supplier was performing FAS.
   1. This can be used to dispute billing with suppliers, negotiate a better rate, troubleshooting the issue, and insisting on better quality.

A Note About Destinations Where There Is No Premium Route

For so many third-world destinations, there is little to no distinction between reliable wholesale routes and retail routes. A supplier uses the best they can to carry traffic, which creates a concern for retail customers. Big companies such as Vodafone, Orange and BT don’t tolerate occurrences of FAS, and those who carry their traffic are by default contractually obligated to absorb any losses where cases can be proven. One case, for a route that carries 200K minutes/day, will bankrupt a small or medium carrier, even if they are legally in the right.

CONCLUSION

FAS is a global industry pandemic with occurrences rapidly increasing within the past few years, with the most significant levels of fraud exhibited in regions with high termination rates and multiple competing suppliers.  It is dynamic and inconsistent, making proactive detection extremely difficult.  Many carriers rely on reactive measures based on customer complaints, however, this proves to be ineffective as not every customer complains or even knows what to look for. While no model is perfect, due diligence and constant monitoring are currently the best methods for combating FAS attacks.