International Revenue Share Fraud: The Carrier's Playbook
It is 2:47am. Your fraud management system is quiet. Your NOC dashboard shows nothing unusual across your wholesale routes.
By 9am, your billing reconciliation desk is staring at $38,000 in unexplained termination charges to West African premium rate prefixes. The calls started at 3am, averaged four minutes each, and your switch routed every one of them cleanly. Nobody triggered an alert, because the traffic profile looked entirely legitimate.
This is International Revenue Share Fraud, and it is one of the most financially damaging threats a Wholesale VoIP Carrier faces. It does not arrive with obvious anomalies. It slips through routing logic that was never designed to catch it.
This article explains how IRSF works at the switch level, what your CDRs will reveal, and which controls reduce your exposure before the billing cycle does.
How does IRSF Work?
IRSF exploits the revenue-sharing agreements that exist when calls terminate to specific high-cost international destinations. A fraudster secures a premium rate number in a jurisdiction with a generous revenue-share arrangement.
These are typically Pacific Island, West African, or Caribbean ranges. They then drive high call volumes to that number and collect a portion of the termination revenue.
The traffic is generated programmatically through several attack vectors. Each has a different risk profile for the carriers in the chain.
Attack Vector Profile
Compromised PBX
Unauthorised outbound dialling from enterprise systems
SIM Box
Bypasses international rates, then forwards to premium destinations
Automated Dialer
Programmatic high-volume calls to premium rate prefixes
Hijacked VoIP Account
Stolen credentials used to place calls at scale
False Answer Supervision
Network falsely signals an answered call, triggering billing
According to the CFCA 2023 Global Fraud Loss Survey, IRSF costs the telecom industry approximately $3.84 billion annually. That figure has persisted for over a decade, partly because IRSF traffic is structurally indistinguishable from legitimate international calling.
Unlike Wangiri, which needs a curious subscriber to return a missed call, IRSF requires no human cooperation at all. It just needs an open route, a permissive network, and enough time before anyone notices.
What Does IRSF Look Like In Your CDRs?
IRSF does not announce itself in real time. It announces itself in retrospect, when your CDR analysis desk begins reconciling the previous night's traffic.
The signature pattern is consistent across events once you know what to look for. A cluster of calls to the same destination prefix, all answered, all running to unusual lengths for that country, all originating from accounts that had been quiet beforehand.
Here is what to watch for in your CDR data:
CDR Signal Analysis
| Signal Indicator | Baseline Pattern | Fraud Anomaly |
|---|---|---|
| Call Duration | Typically under 3 minutes | Sustained 4 to 8 minute calls at volume |
| Answer Rate | 30 to 60% for international | Above 85% to one prefix |
| Account Traffic Volume | Stable daily baseline | Sharp spike (2am - 6am) |
| Destination Concentration | Spread across countries | Heavy focus on one/two prefixes |
| Rev-Share Destination % | Below 5% of total | Sudden jump above 15% |
The early-morning window is not coincidental. Fraudsters target off-peak hours because monitoring is lighter, human review is slower, and automated alerts are less likely to escalate to anyone. By the time a network engineer notices, the event is over and the charges have accrued.
The CDR data tells the story accurately, but only if someone is watching the right columns at the right time. For any carrier handling meaningful international wholesale traffic, automated threshold alerting is not optional, it is the baseline.
Why Interconnect Liability Is The Real Pain?
Most IRSF discussions focus on the direct loss: the termination charges generated by fraudulent traffic. For wholesale operators running Class 4 softswitches, the problem is far more complex.
You Are Caught In The Middle
When fraudulent traffic passes through your network, liability does not stop at your edge.
A typical scenario looks like this:
- A downstream customer generates fraudulent traffic.
- Your upstream carrier receives termination charges.
- Those charges are passed back to you.
You are then caught between two competing claims. Your customer disputes the charges, while your upstream carrier expects payment.
Why Does Recovery Take So Long
The dispute process often follows a lengthy chain:
- Your customer disputes the charges with you.
- You dispute them with your upstream carrier.
- Your upstream carrier disputes them with the terminating network.
By the time the investigation reaches the end of the chain, revenue-share payments have often already been distributed. The fraudsters have usually moved on to a different number range.
The Interconnect Challenge
Revenue-share destinations involve multiple parties, including:
- The originating carrier
- The transit carrier
- The terminating network
- The number range holder
Each participant has a financial incentive to minimise its own exposure. As a result, liability frequently becomes a debate over who should absorb the loss.
Your Best Defence
Your CDR infrastructure is your primary defence in this scenario. Your platform needs to produce complete, timestamped records of exactly when traffic arrived, which customer account sent it, and which destination it terminated to. Without that audit trail, your dispute position is considerably weaker than it should be.
Knowing what you can prove, what you can dispute, and what your switch should have caught before the event is the difference between absorbing a loss and actually recovering from one.
Switch-Level Controls That Actually Work
The good news is that IRSF is largely preventable at the switch level, provided the right controls are in place before an event begins. The challenge is that most carrier platforms are configured for connectivity and cost efficiency first, with fraud resistance added reactively, if at all.
Effective IRSF prevention operates across three control layers: prefix blocking, traffic velocity thresholds, and real-time CDR alerting. Each layer catches a different class of attack.
Prefix and Destination Blocking
High-risk revenue-share destinations are well-documented. The GSMA and CFCA both publish regularly updated lists of known high-risk international number ranges. Blocking outright, or requiring manual approval for new traffic to these prefixes, is the single highest-impact control a Class 4 carrier can implement.
The practical challenge is that some legitimate wholesale traffic terminates to adjacent prefixes. A tiered approach works best: block confirmed fraud ranges outright and apply heightened monitoring to neighbouring prefixes. Review any new customer traffic to high-risk regions manually before granting full routing permissions.
Traffic Velocity Thresholds
IRSF events are characterised by sudden, sustained volume spikes to specific destinations. Setting per-customer and per-route velocity thresholds with automated circuit breakers can halt a fraud event mid-flow rather than after the damage is done.
A reasonable starting point is 150 to 200 simultaneous calls from one account to any single country prefix. That threshold catches most automated dialer attacks without disrupting legitimate wholesale traffic.
The right number depends on each customer's established baseline, so profiling normal traffic patterns before you need these controls is the prerequisite, not the afterthought.
Real-Time CDR Alerting
Threshold controls catch volume spikes. Real-time CDR alerting catches the subtler pattern shifts that stay deliberately below those thresholds. Configure your platform to flag any account showing a sudden concentration of traffic to revenue-share destinations, combined with an answer rate above 80 percent.
Used together, these three control layers eliminate most IRSF exposure at the switch level. They work best when configured before your first fraud event, not in response to it.
Building A Response Framework Before You Need One
Prevention and detection are only two thirds of the equation. The remaining piece is knowing exactly what to do during the first fifteen minutes of a confirmed IRSF event. Many carriers invest heavily in monitoring and detection but delay building a response process until they are already facing an incident.
A practical first response framework consists of three immediate actions:
1. Isolate the Affected Account or Route
- Suspend the compromised account, customer, trunk, or route immediately.
- Stop additional fraudulent traffic before losses continue to accumulate.
- Focus on containment first. Investigation can follow once the attack has been halted.
2. Export and Preserve CDR Data
- Capture all CDRs covering the incident window.
- Include full destination level detail and any supporting metadata.
- Preserve the records before any configuration changes affect the evidence trail.
3. Notify All Affected Parties in Writing
- Inform both your upstream carrier and downstream customer as soon as possible.
- Include precise timestamps and a summary of the suspicious activity.
- Written notification creates a documented record that can strengthen your position if charges are later disputed.
The Communications Fraud Control Association has noted that operators with structured fraud response procedures recover disputed charges more successfully than those without them.
The objective is not to build a complicated process. It is to have a documented and rehearsed framework that can be executed immediately when an incident occurs.
Understanding how charges move through the wholesale ecosystem is equally important during a dispute. Carriers that understand the billing chain can present stronger evidence. It also enables them to respond more effectively when fraudulent traffic generates unexpected costs.
Our guide on how wholesale VoIP termination works explains these settlement mechanics in detail and provides useful context for fraud-related charge disputes.
Many operators also face exposure to multiple fraud types simultaneously. IRSF and Wangiri both rely on revenue sharing models, but their network behaviour differs significantly. Detection methods that work for one may not identify the other.
Our guide to Wangiri fraud examines the two phase attack model and highlights the CDR patterns commonly associated with missed call scams.
Fraud prevention should also be considered during route planning. Decisions made purely around cost can sometimes increase exposure to higher risk destinations or lower quality suppliers.
As discussed in least cost routing strategy, routing optimization and fraud management are closely connected. The most effective operators evaluate both factors together rather than treating them as separate disciplines.
Conclusion
The IRSF problem is unlikely to disappear anytime soon. Revenue share agreements remain a legitimate part of international telecommunications settlements, and they continue to serve valid commercial purposes across many markets.
Unfortunately, the same mechanisms that support legitimate revenue generation also create opportunities for fraudsters.
As long as carriers allow unmonitored or poorly controlled traffic to reach high risk destinations, attackers will continue to exploit those routes. Fraudsters do not need sophisticated vulnerabilities. They simply need enough time to generate traffic before someone notices the spike.
Ultimately, the most important question is not whether the IRSF still exists. It does. The question is whether your switch can identify the problem while it is happening, or whether your finance team will be the first to discover it when the billing cycle closes.