Cybersecurity threats are evolving daily, and a particularly dangerous scam is on the rise: SIM swapping fraud.

In 2023, the Internet Crime Complaint Center (IC3) reported more than $48 million in losses from SIM swapping fraud affecting both individuals and businesses. This type of fraud allows criminals to take control of your phone number, granting them access to sensitive information. A single SIM-swapping fraud attack can result in unauthorized access to personal data, significant financial loss, and long-term damage to your company’s reputation.

SIM swapping fraud targets businesses that rely on SMS-based authentication to secure accounts. In 2024, authentication use cases will account for over 50% of all SMS traffic. The growing reliance on SMS-based user verification increases the risk of SIM swapping correspondingly. However, solutions with built-in fraud protection, such as Plivo’s Verify API, make it possible to mitigate fraud risk with little effort. Here’s how to prevent SIM swapping fraud by following a few best practices to protect personal and organizational data. 

What is SIM swapping?

SIM swapping, also known as SIM jacking or the port-out scam, is a type of fraud where cyberattackers transfer a victim's phone number to a new SIM card.

Mobile networks rely on unique IDs embedded in each SIM card to route calls and text messages to the correct device. When a SIM swap occurs, all incoming network traffic, including calls, text messages, and verification codes, is redirected to the fraudster’s SIM card. The fraudster can then access any and all messaging traffic intended for the victim’s inbox. 

The main aim of SIM card swapping fraud is to exploit two-factor authentication (2FA) and gain access to valuable information, such as bank accounts, email, and social media platforms. SIM jacking intercepts one-time passwords (OTPs) and security codes, compromising all accounts that use 2FA.

How does SIM swapping work?

SIM swapping commonly occurs by tricking a mobile carrier into transferring a victim’s phone number.

Fraudsters first gather personal details about their target, such as their name, address, or answers to security questions, often through phishing attacks, data breaches, or purchases on the dark web.

The attacker uses this information to contact the victim's mobile carrier, impersonating them and claiming that their SIM card was lost or damaged. The fraudster then requests to port the number to a new SIM card. If the carrier fails to properly verify the fraud, the phone number is successfully transferred.

Once this happens, the fraudster receives all calls, texts, and verification messages meant for the victim.

SIM swapping can also occur through other methods, such as directly hacking a victim’s carrier account and updating their contact information. In some cases, insider threats come into play, where rogue employees at mobile carrier companies facilitate the swap for the attacker.

What is a SIM farm?

A SIM farm is a setup consisting of special hardware and software that manage multiple SIM cards simultaneously.

While SIM farms may be used for lawful objectives, such as testing mobile services or sending bulk marketing messages, fraudsters often utilize them to simplify illegal operations, such as:

• Sending fraudulent texts en masse
• Making fraudulent calls
• Conducting other fraudulent operations across several phone lines

SIM farms enable large-scale fraud by regularly switching between SIM cards and distributing activities across multiple numbers. This makes it challenging for cell carriers and law enforcement to detect suspicious patterns or ban offending numbers. Additionally, they allow attackers to bypass international phone charges and take advantage of weaknesses in SMS-based authentication systems.

A SIM farm typically operates using two key devices: a SIM box and a SIM bank. Here’s how each functions:

SIM box vs. SIM bank

How does a SIM farm work?

Here’s how SIM farms operate to conduct large-scale SIM swapping fraud:

1. Acquiring prepaid SIM cards from various carriers to avoid detection by a single telecom provider.
2. Integrating a SIM bank to centralize management for countless SIM cards, enabling remote access and automatic SIM switching based on usage patterns or network thresholds.
3. Connecting to SIM boxes to handle call routing, send bulk SMS messages, or make large volumes of calls from different numbers without physically handling the SIM cards.
4. Switching SIM cards dynamically to avoid detection and prevent any single SIM from exceeding traffic limits or drawing attention.
5. Automating international call/SMS routing to bypass local restrictions, preventing the likelihood of detection by telecom providers.
6. Monitoring and managing blocked SIM cards or those with connectivity issues to maintain a steady flow of fraudulent activity.

How does SIM swapping fraud affect businesses?

SIM swapping fraud poses serious risks for businesses, causing operational and reputational harm. Some key effects include:

• Security breaches: SIM swapping can bypass SMS-based 2FA, making businesses vulnerable to unauthorized access.
• Compromise customer data: Hackers can obtain sensitive customer information, leading to identity theft and data breaches.
• Reputation damage: A single SIM swap attack can erode customer trust, leading to bad publicity and loss of credibility.
• Financial loss: Fraud-related costs include direct financial theft and indirect expenses, such as customer compensation and legal fees.
• Network infiltration: Attackers can use SIM swapping to breach internal systems, exposing critical business data and intellectual property.

How to detect a SIM swap attack

Detecting a SIM swap attack early is crucial to mitigating its impact. Here are some key signs to watch for.

• Sudden loss of phone service: This could indicate that your SIM card has been deactivated and transferred to another device.
• Unusual account activity: Unauthorized logins or notifications from banks, social media, or email accounts could mean your phone number has been compromised.
• Inability to access accounts: If you can’t access services that use SMS-based authentication, such as online banking, it’s a strong indicator that your phone number has been hijacked.
• Unrecognized alerts from your mobile carrier: Notifications about changes to your SIM card or account, such as a new device activation you didn’t initiate, are red flags of a potential SIM swap.

How to prevent SIM swapping

Protecting your business from SIM swapping fraud requires vigilance and strong security measures. Here are some best practices to safeguard your accounts and data:

1. Set a PIN or passcode with your carrier: Most carriers offer the option to add an extra layer of security. Use a strong, unique code that makes it difficult to guess, as this will be required for any changes, including SIM swaps.
2. Monitor your accounts regularly: Watch out for anything unusual with your bank accounts, email addresses, and social media accounts. Ensure notifications are set up for logins from new devices or changes to account information.
3. Be cautious with public information: Fraudsters often exploit personal data from social media to answer security questions. Limit the amount of personal information you share publicly.
4. Review and secure account recovery options: Ensure backup emails, phone numbers, or security questions are robust enough to prevent attackers from easily exploiting them.

Prevent SIM swapping with Plivo

A strategic combination of technology and proven methodology can deduct SIM-swapping attacks and protect your business from becoming more vulnerable. 

With Plivo, you can validate phone numbers without interrupting the user flow. So, even when a SIM swap has occurred, the perpetrator doesn't have an opportunity to capitalize on it.

{{cta-style-1}}

Use Plivo’s Lookup API

The Plivo Lookup API, with its phone number validation and real-time analytics features, provides companies with the means to detect SIM swaps. You can improve your risk management with a reliable API call that will assess the phone number and return critical information about:

• Current network and original network details
• Roaming status and network changes
• Risk scores and unusual patterns that may indicate fraud

Checking these analytics can indicate any suspicious activity that occurred recently for a particular number, raising red flags.

Plivo’s pattern-based alerts

Even if the phone number is verified, there is a chance of fraudulent and illegal activities. Lookup includes built-in Fraud Shield, an AI-driven algorithm that helps monitor your messaging patterns, establish message thresholds, and send automatic alerts if an unusual pattern emerges. When a SIM swap is detected, you can put the account on temporary hold.

When discussing pattern-based alerts and how it helps detect SIM swaps, here’s what happens:

Spikes in traffic

A SIM swap fraudster usually tries to quickly take advantage of the victim’s phone number before the fraud is detected. This often involves sending or receiving many messages in a short amount of time to authorize access to accounts (e.g., bank logins, resetting passwords, or verifying transactions). This would cause an unusual surge in SMS traffic — far more than what a normal user would generate.

Low conversions

When a SIM swap happens, the original owner loses access to their phone number, but systems still try to send OTPs to the legitimate phone number. However, because the fraudster now controls the SIM, these OTPs fail to reach the original user, and the system may detect low conversion attempts and flag as suspicious.

Fraud thresholds for message control

To mitigate risks, you can use fraud thresholds for message control. If the threshold is exceeded, you have customizable options:

• Block and alert: Messages are blocked for 12 hours after a breach, and an alert is triggered.
• Alert only: An alert is sent, but messages are not blocked.

Plivo's dynamic controls will notify you of any unusual traffic patterns or surges when customized.

Protect your business with Plivo

Plivo's Lookup API, in conjunction with pattern-based alerts, can be a powerful tool for detecting fraudulent SIM swaps. Doing so can prevent your business from being vulnerable to further damage or associated risks and take needed measures.

Safeguarding your organization from SIM-swapping fraud is vital for protecting consumer security and retaining their trust. With Plivo’s advanced number validation solutions and Fraud Shield, you can secure critical accounts and improve overall communication security.

Contact us today to request a trial and protect your business from SIM swapping and other cybersecurity threats.

Telecom fraud is constantly emerging with various trends and is becoming a major threat. Recently, a Southern California resident lost $21,000 due to SIM swapping fraud after cybercriminals took control of the phone number to access a bank account. Different types of fraud are on the rise as fraudsters exploit telecom vulnerabilities. 

As the telecom industry grows, so does the need for robust fraud prevention strategies.

To navigate this, it’s essential for organizations to stay informed and prepared. In this blog, we’ll explore the top telecom fraud trends for 2024 and practical solutions to safeguard your business.

Five telecom fraud trends of 2024

Let's explore current trends in the telecom industry and how fraud detection and prevention solutions can safeguard your organization.

1. AIT accelerated A2P fraud

Artificial Inflation of Traffic (AIT) is a type of fraud that affects the Application-to-Person (A2P) SMS path. Traffic is artificially increased to generate revenue. Fraudsters utilize bots to boost traffic and send fake one-time passwords (OTPs) to manipulate conversion metrics and create false revenue streams.

AIT is estimated to account for 5% of all worldwide A2P traffic and will cost brands $2.4 billion between 2022 and 2024.

The three main categories of AIT fraud expected to have a major market impact are:

• Counterfeit fabrication AIT: An aggregator adds fake data or traffic while it's being transferred through the system.
• Human and bot amplification of AIT: Traffic is generated by OTPs and other triggers from brand websites and services.
• Masquerade parasite generation of AIT: This involves traffic being injected through CPaaS accounts.

Due to the widespread use of AIT in the messaging ecosystem, an estimated 19.8 billion and 35.7 billion fake messages were sent in 2023 — and business leaders report that the threat is accelerating.

Solution: Integrate strict security measures within your communication platforms. In addition, when choosing a business solution partner, consider the built-in fraud protection tools they offer.

For instance, Plivo Verify API offers a multi-channel two-factor authentication (2FA) solution and an in-built Fraud Shield, designed to mitigate the risk of AIT scams.

The advanced capabilities of the Plivo 2FA API allow you to send images, reach multiple recipients, and set message expiration. Messages that aren't delivered within a certain period are marked as “Failed” with error code 420 and are not charged to customers.

2. Toll fraud

Toll fraud, or International Revenue Sharing Fraud (IRSF), is when fraudsters exploit cloud-based systems. Unlike A2P fraud, toll fraudsters make money by phone calls instead of sending messages. 

Toll fraud impacts landline and mobile phone lines in more than 200 countries. The rise and resale of the number range, where up to 10,000 new IRSF-related areas are promoted weekly, indicate the profitable nature of toll fraud.

The frequent methods fraudsters employ to carry out IRSF are:

• PBX hacking: Unauthorized access to a company's telecommunications network to make international calls to premium rate numbers.
• Automated dialers: Programmed to call numbers at high frequency, which generates high traffic to specific destinations.

The most susceptible groups to toll fraud are Voice over Internet Protocol (VoIP) users, businesses that employ premium-rate numbers, and individuals who handle overseas communications.

Solution: You may not discover toll fraud until your phone bill arrives without real-time monitoring. Plivo’s Fraud Shield protects against high-risk outbound calls with static controls, such as:

• Geo-permissions: Disable communications to high-risk countries where users are not present.
• International Toll Fraud Protection: Create call blocklists for specific high-risk prefixes.
• Number validation: Validate phone numbers to reduce the risk of sending OTPs to fraudulent numbers.

Fraud Shield classifies destination countries based on risk levels. Using Plivo’s robust fraud control, you can set up thresholds based on these risk classifications to ensure that higher-risk countries have stricter controls to minimize the chances of fraud.

3. Account takeover (ATO)

Data breaches expose millions of users' passwords and personal data on the dark web, giving fraudsters the tools to carry out account takeover (ATO) attacks.

ATO involves using stolen personal data to hack accounts and gain access to bank and credit card information. In the second quarter of 2023, there was a 354% year-over-year increase in ATO attacks.

These scams aren’t limited to the financial sector — they also target government organizations. 

Solution: MFA is essential in eliminating account takeover attempts. A reliable MFA provider should support SMS, email, phone calls, hardware tokens, and other forms of authentication for secured verification.

Plivo provides global multi-channel OTP/2FA solutions, ensuring all Verify API requests are encrypted and transmitted securely over HTTPS. Plivo's API authenticates OTP transactions using your auth ID and auth Token, making it easy to integrate into existing systems by utilizing standard HTTP verbs and status codes.

4. Spoofing

Phone number spoofing is another common fraud tactic. Scammers manipulate caller IDs to display fake information, often using local phone numbers. They typically impersonate government agencies to trick recipients into sharing sensitive data such as bank or credit card details. Juniper Research reports that global mobile users have lost $58 billion to fraudulent spoofing calls.

Caller ID spoofing causes financial loss and reduces trust in mobile communications. While advancements in voice call technology have brought many benefits to organizations, they have also created new opportunities for fraudsters.

Solution: Work with telecom providers to implement STIR/SHAKEN caller authentication and trace the origin of calls. Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) authenticate calling numbers, increasing the credibility of caller IDs.

The Federal Communications Commission (FCC) requires carriers to adopt these standards to combat spoofing and provide accurate caller numbers and names.

Plivo’s built-in fraud control in SMS and Voice APIs help protect customers against SMS pumping and toll fraud and comply with STIR/SHAKEN protocols.

Developers can integrate anti-spoofing measures, including authentication protocols and number verification, using Plivo’s API to secure both inbound and outbound communications.

5. Robocalls and spam messaging

Robocalls are automated phone calls that send pre-recorded messages to multiple recipients at once. Robocalls are used for telemarketing, public service messages, and political campaigns. However, their connection to scams and fraudulent activities poses a serious threat to phone users' privacy and security.

According to the National Consumer Law Center, Americans receive 33 million fraudulent robocalls daily and 50 billion annually.

Fraudsters also utilize AI to create phishing emails that mimic the professional tone of reputed companies to collect personal data. With such tools at their disposal, even scammers with no prior coding knowledge can become hackers in an instant.

Solution: Carriers in the United States have mandated that companies register their brands and use 10-digit long codes (10DLC) for A2P texting. These numbers help distinguish legitimate messages from spam. Additionally, shortcodes must be configured according to carrier requirements, and toll-free numbers need to be validated before use.

Plivo enhances brand trust and recognition with higher-throughput mobile numbers, 10DLC, and short codes for SMS and MMS.

Customers can also automate the 10DLC registration process by using the upgraded server SDKs from Plivo. On the Plivo console, you may link numbers to campaigns and register brands and campaigns.

Conclusion

Rapid advancements in the telecom industry have enabled cybercriminals to execute complex and highly profitable attacks against both individuals and corporations. Protecting your business from fraud is crucial to maintaining customer security and confidence.

With Plivo's cutting-edge authentication solutions, you can protect important accounts within businesses of all sizes, strengthen overall communication security, and improve account security.

Contact us today to discover how our Verify API can help protect your company and customers.

The Global Fraud Loss Survey 2023 found that robocall scams in North America now account for more than 50% of global losses. Yet, many businesses are unprepared to deal with robocall scams and their implications for customers. 

As businesses increasingly rely on automated systems and digital communication, the opportunities for fraudsters to exploit vulnerabilities also rise. 

Toll fraud not only affects customer trust but can lead to significant financial losses and damage to a company's reputation. It is crucial for businesses to understand the mechanisms of such frauds and implement robust prevention strategies to safeguard their operations and maintain customer confidence.

In this guide, we’ll dive deeper into toll fraud and explain how to take steps to protect your business.

What is toll fraud?

Toll fraud, otherwise called international revenue sharing fraud (IRSF), occurs when an unauthorized individual gains control of a company’s phone system to transfer long-distance, international, or even premium-rate calls at the owner's expense. 

Usually, fraudsters gain access to voice mail systems or private branch exchanges (PBXs) that are not adequately secured. They use this access to make call-through calls, which rack up expenses by using unreasonable foreign or premium services. 

How does toll fraud work?

Toll fraud affects landline and mobile numbers in more than 200 countries. The profitable nature of toll fraud is reflected in the emergence and re-selling of the number range, as many as 10,000 new IRSF-related areas are promoted weekly.

Here’s a step-by-step example of how toll fraud works to the detriment of a business. 

Finding weaknesses: Fraudsters scour telecommunication systems for vulnerabilities. These weaknesses could involve poorly secured account registration processes or weak security settings.

1. Fake account factory: Once a weakness is identified, the fraudster creates many fake accounts using automated bots or scripts. These fake accounts can appear quite legitimate at first glance.
2. Premium number power: Fraudsters leverage premium-rate or premium-service numbers provided by telecom carriers. These numbers charge significantly higher rates per call or text message compared to regular numbers.
3. Exploiting the system: Fraudsters use the fake accounts and premium numbers to steal money using two different methods:
   
   • The 2FA trap: If a service uses SMS or voice verification codes for two-factor authentication (2FA), fraudsters can exploit this. They trigger a massive number of verification code requests to be sent to their fake accounts, all routed to the premium numbers. This results in a surge of expensive texts or calls being billed.
   • Account activity abuse: Services with free trials or account creation are vulnerable. Fraudsters exploit weak registration processes to create a multitude of fake accounts. These accounts might then be used to trigger actions that generate SMS or voice traffic to premium numbers, racking up charges for the service provider.
4. Profit sharing scheme: In some cases, the fraudsters might collude with a complicit telecom carrier. The carrier might share a portion of the inflated revenue generated from the premium number usage.

By generating a massive amount of fake traffic to premium numbers, fraudsters steal money, often leaving the service provider or unsuspecting user with a hefty bill.

Who is at risk of toll fraud?

Voice over internet protocol (VoIP) users, firms using premium rate numbers, and people dealing with international communications are most vulnerable to the threat of toll fraud.

Industries and businesses at risk

1. VoIP Users

Volume: High

Fraudsters frequently target VoIP users. Because of its digital nature, VoIP software is more prone to manipulation than other telecommunication methods.

2. Users of premium-rate numbers

Volume: Very high

Businesses using premium-rate phone numbers are vulnerable to toll fraud. Fake helpline numbers are designed to charge callers more than they would pay if they directly called any other number. Fraudsters redirect callers to these helplines and collect the revenue.

Examples: adult chat lines, tech support lines, interactive voting systems

3. Companies with international call facilities

Volume: Medium to high

Remote or international businesses, as well as those who are in the habit of making calls overseas, fall under the high-risk category as well. Fraudsters divert these calls to the high-cost destinations of their choice to pocket a maximum of the bogus billing payments.

For example, a U.S. tech company discovers that its phone system has been hacked, with all calls being redirected to premium-rate numbers in Latvia and the Maldives. Overnight, the sudden surge in international calls reveals significant financial misuse. This anomaly allowed the breach to be detected quickly.

4. High-risk geographic locations

Volume: High

Fraudsters direct calls mainly to countries that are known for their comparatively expensive rates. Cuba, Estonia, Lithuania, Somalia, and Zimbabwe are a few popular options for toll fraud.

How to prevent toll fraud

Plivo offers robust fraud control through Verify API for businesses to shield their operations. With built-in Fraud Shield, Plivo’s tools for limiting the risk of toll fraud can significantly help your business at no additional cost. Here’s how Fraud Shield works. 

Usage triggers

Statistically, large volumes of calls or SMS messages are strong indicators of fraudulent activity. Tracking these usage triggers is the first step to detecting and preventing toll fraud.

Plivo’s console has tools for users to review voice and SMS usage, react to unusual patterns, and initiate investigations.

Best Practices:

• Define usage allocations based on your business needs. For instance, if your application sends a one-time password (OTP) to a user account for two-factor authentication, you might limit the number of OTPs to one within a specific period (such as one OTP per user per 15 minutes).
• Track outgoing and incoming calls and text messaging activities for any sudden or unusual increases or changes in patterns.

Geographic Permissions

Toll fraud can be reduced by restricting call destinations. Through the Plivo console, geographic permissions can be managed and users can specify the countries that can process their outgoing calls. 

Best Practices:

• To manage location permissions, click on Voice > Geo Permissions from the Plivo console. Find the countries you’re looking for on this list. You can narrow the list of options by checking certain geo-spatial regions or countries as needed.
• Clarify permissions that align with your business and limit direct calls to risky countries unless only when necessary. 

Custom Prefix Blacklist

A blacklist of prefixes related to high percentages and fraud helps detect attempts at unrecognized use. Plivo follows an evolving list of risky prefixes that include the rate of calls, trends detected by third-party entities, and more. These characteristics can be used to make your phone system more secure.

Best Practices:

• From the Plivo high-risk screen (pictured below), follow the prompts to export the latest risky prefix list. 
• Include these prefixes in the system’s blacklist feature to automatically stop the number of calls when it reaches a certain threshold. 

High-Risk Permissions

By tweaking permissions in the Plivo console, you can limit access to phone calls and messages that pose a high risk. These controls include banning outbound calls to numbers for revenue sharing.

Best Practices:

• Publish and regularly update a list of high-risk areas from Plivo's Voice > Geo Permissions > High-Risk Permissions screen. The SIP filter blacklist provided by Plivo details more than a thousand of these expensive rates and higher-risk prefixes.
• Formulate rate limits to check the volume of outgoing calls and messages and avoid traffic from formidable amounts to high-risk destinations.
• Create voice verification functions and two-factor authentication to better identify real customers and block undue service use.

Prevent toll fraud with Plivo’s Fraud Shield

Plivo's Fraud Shield protects businesses against the negative impacts of toll fraud. Multiple security layers and continuous monitoring reduce the chances of unintended use of communication services that cause losses.

Key features of Plivo's Fraud Shield

• Real-time traffic monitoring: Plivo sends notifications in real time, allowing the detection of anomalous patterns that could indicate fraud. This feature is a decisive parameter for detecting and handling possible threats.

• Customizable thresholds: Call management systems allow businesses to set definite durations, intervals, and destinations for calls. Users can specify the parameters of normal activity for their particular operations. If all of the thresholds are exceeded, Plivo sends an alert.

• Geographic and prefix restrictions: Users can restrict calls to high-risk countries or with high-cost prefixes and edit them individually from the Plivo console.

• Automated blocks and alerts: Plivo can generate real-time alerts on suspicious activities and automatically take appropriate action to block an identified threat. This method effectively blocks unauthorized use while preventing overall losses.

• Detailed reporting: Plivo generates rich reports for businesses to study call patterns and examine whether the existing strategies to curb fraudulent activity are effective. With this detailed analysis, it may be possible to adjust settings and develop more robust security measures for the future.

Begin your free trial today to experience how our range of tools can safeguard your business from toll fraud.

We’ve written about the FCC’s mandate for US telecom service providers (TSP) to implement STIR/SHAKEN — two technical frameworks that attempt to authenticate calling numbers and measure trust in displayed caller names. We’ve been remiss at noting that Canada too has jumped on the STIR/SHAKEN train.

The Canadian Radio-television and Telecommunications Commission (CRTC) Decision 2021-123 “directs telecommunications service providers (TSPs) to implement STIR/SHAKEN to authenticate and verify caller identification (ID) information for Internet Protocol (IP)-based voice calls as a condition of offering and providing telecommunications services, effective 30 November 2021.” In other words, any Canadian carrier whose calls traverse IP networks in whole or in part must implement STIR/SHAKEN.

On May 31, 2022, TSPs were required to file their first post-implementation STIR/SHAKEN status reports with the CRTC. Reports are filed every six months.

An end to call spoofing?

Unfortunately, STIR/SHAKEN doesn’t guarantee that no calls will be spoofed. Even if calls are made and terminated on IP networks, if they’re interconnected via time-division multiplexing (TDM) on the public switched telephone network (PSTN), STIR/SHAKEN attribution information won’t be carried over. And calls from numbers outside the US and Canada, from countries that haven’t implemented STIR/SHAKEN, won’t carry attestation information either.

Still, it’s a start, and we expect more accurate attribution information on a higher percentage of voice calls as carriers do a better job of implementing the protocols.

While STIR/SHAKEN technology can uncover call spoofing, it doesn’t stop it or reduce the number of times it occurs. That will take additional standards that have yet to be written. For now, consumers can rely on smartphone apps like Truecaller, Hiya, and a host of others that let people identify incoming calls as possible spam and potentially automatically block them or send them to voicemail.

Plivo has been compliant with STIR/SHAKEN regulations since they rolled out, so you can be sure that any calls you make using Plivo’s Voice API and phone numbers rented from Plivo will have the highest possible levels of attestation

The number of unwanted and illegal robocalls in the US continues to rise. According to YouMail, Americans were hit by more than 50 billion robocalls in 2021, with about 40% of those calls thought to be fraud-related. And as annoying as these calls are for people who receive them, they’re even more detrimental for businesses that are trying to reach people with pertinent information. Many of these robocalls use caller ID spoofing to make recipients think they might know the caller. Caller ID spoofing hurts legitimate businesses by making call recipients less likely to pick up any calls.

UC Today interviews Plivo’s Tony Graham to learn what’s shaking with STIR/SHAKEN.

Understanding STIR/SHAKEN Standards: Trusted Calling with Shake Stir

While historically, telephony was highly regulated, technical innovations such as computerized dialers and inexpensive IP-based calling on the public telephone network has turned robocalling into an everyday nuance. As a result, the US agency in charge of protecting consumers from communication scams, the Federal Communications Commission (FCC), directed carriers to implement robust call authentication by adopting STIR/SHAKEN standards targeting by June 30, 2021.

What is STIR/SHAKEN?

STIR/SHAKEN are acronyms for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards. They’re technical frameworks that measure trust in the displayed caller name and number by authenticating the calling number.

Together they work in a way similar to attesting to the identity of the caller with a digital certificate. In the STIR/SHAKEN framework, a secure telephony identity (STI) governance authority issues digital certificates to carriers, or others who own or are assigned dedicated telephone numbers. The private key associated with a digital certificate is then used to sign a VoIP call, thereby indicating that the calling party number is who they claim to be.

Levels of Attestation in STIR/SHAKEN: Shake Stir Caller Trust

Attestation provides the mechanism for carriers to communicate about a calling phone number’s legitimacy. A Secure Telephony Identity (STI) authentication service assigns an attestation level to a call that represents how confident a service provider is that the number’s owner is truly the one placing the call:

• Full attestation (A) — The service provider has authenticated its relationship with the customer making the call and the customer is authorized to use the calling number.
• Partial attestation (B) — The service provider has authenticated its relationship with the customer making the call, but cannot verify that the customer is authorized to use the calling number.
• Gateway attestation (C) — The service provider has authenticated that it has placed the call on its network, but has no relationship with the originator of the call (for example, a call received from an international gateway).

How STIR/SHAKEN Notifications Enhance Trusted Calling?

When someone receives an authenticated call, they may be notified with a verification keyword or symbol on the incoming call display. If a call cannot be verified (attestation C or no attestation), it may be blocked or the consumer may be warned on their caller ID screen of a potential scam call. The purpose of notifications is to allow people who receive calls to decide whether they want to answer, ignore, or block a number.

If you’re a business, these changes should help you feel more empowered and increase the chances of your calls being answered by recipients.

We have more details about STIR/SHAKEN in our documentation.

Implementing STIR/SHAKEN

Without Plivo:

Businesses that implement STIR/SHAKEN themselves (typically within a private cloud environment) are held accountable with near-instant traceback by regulatory groups and law enforcement if STIR/SHAKEN is abused, including faking attestation levels.

With Plivo:

If you’re a direct customer of Plivo’s, we can sign outgoing calls on your behalf and ensure calls get the right attestation so that call recipients feel confident in answering them. We can also validate the attestation levels on incoming calls received on the Plivo Voice API platform, providing customers with the necessary information so that they and their end users can decide whether to answer the calls or not.

To ensure the right level of attestation, Plivo customers should submit to us their business information and the phone numbers they own and use as caller IDs so they can be verified. We’ll determine the appropriate level of attestation depending on the results of the verification and thus the level of confidence Plivo has in the caller ID used on an outgoing call.

Plivo’s compliance operations team makes this process as seamless as possible for our customers. We believe that STIR/SHAKEN is crucial in preventing illegal or deceptive behavior like caller ID spoofing, and we’re excited to be part of the fight against unwanted robocalls.

If you read our blog post from a couple of months ago, you’re already familiar with STIR/SHAKEN — Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN). They’re technical frameworks that fight call spoofing by authenticating the calling number.

The US Federal Communications Commission (FCC) has directed carriers to implement STIR/SHAKEN by June 30, 2021. Plivo will be ready; we’re already running a successful pilot program.

When we roll out STIR/SHAKEN support for inbound calls, we’ll validate attestation of calls to Plivo DIDs and toll-free numbers in the US, irrespective of whether they’re used for Voice or Zentrunk. For calls through the Voice API, we’ll pass the STIR/SHAKEN verification level as part of webhook requests to various URLs — answer_url, fallback_url, hangup_url, etc. For both Voice and Zentrunk calls, we’ll also show verification levels on the Plivo console and in Call Detail Reports.

Going in the other direction, we’ll sign all Voice and Zentrunk outbound calls to the US — unless a customer violates the rules:

1. The calls breach the Plivo Fair Usage Policy.
2. The calls are identified as unsolicited robocalls.
3. Plivo gets a traceback request from the Industry Traceback Group about calls made by the customer.
4. The calls have invalid caller IDs — for instance, if they don’t adhere to E.164 format or  have too many digits.

In these scenarios, Plivo may stop signing all calls initiated by the customer. That could lead to lower answer rates, because calls won’t be marked as Verified. Worst case, they could be marked as spam by receiving networks.

Verification levels for outbound calls

In the STIR/SHAKEN framework, a secure telephony identity (STI) governance authority issues digital certificates. STIR/SHAKEN provides three attestation levels that can be assigned by an STI authentication service, which represent how confident a service provider is in that the number’s owner is truly the one placing the call.

Plivo will sign outbound calls as Verified (attestation A) for calls that use a Plivo DID as caller ID. The DID used should be rented by the same Plivo account that originates the outbound calls. All other outbound calls, assuming they are signed at all, are signed Not Verified (attestation B or C).

We strongly encourage customers to use Plivo DIDs as caller ID to improve their STIR/SHAKEN verification levels.

How verification status maps to STIR attestations

For both outbound and inbound Voice API calls, Plivo will display the verification status of a call as a parameter called Stir Verification, which can have one of three values:

• Verified means the call is from a Verified caller who has authorized access to the customer’s caller ID, and hence should be treated with confidence. Verified is equivalent to attestation level A.
• Not Verified means that, for this call, either the caller is not Verified, or it’s uncertain whether they have access to the caller ID used, or both. Not Verified means the call received attestation level B or C.
• Not Applicable means STIR/SHAKEN doesn’t apply to this call, as would be the case if a call is not addressed to a US number or if it’s a cloud call (WebRTC or SIP).

How to access verification status

Voice and Zentrunk customers have several ways to access STIR verification statuses.

Voice API

Plivo Voice customers can access verification values on the Voice > Calls page of the console as part of call logs, as part of CDR exports, and via Voice APIs in several ways:

Webhook Callbacks

We’ve added a new STIRVerification parameter as part of status update JSON code sent to these callback URLs:

• answer_url
• fallback_url
• hangup_url

We’ve also added the parameter as part of call_status_callback_url for multiparty call events:

Voice API Call Object

You can also access STIR verification as part of the response of the Get CDR API call:

Zentrunk

Zentrunk customers will be able to see STIR verification values in the several ways:

Console

On the Zentrunk > Logs page as part of Call Detail Records (CDR).

Custom SIP header

As part of a new SIP header:

P-Asserted-ID Header

Zentrunk customers can also use the SIP verstat parameter as part of the P-Asserted-ID header:

Upcoming attestation refinements

Soon, Plivo will start taking into consideration more factors to determine the attestation level for outbound calls, including (but not limited to):

1. Results of Know Your Customer (KYC) validation, a feature coming to the Plivo console and API in the near future.
2. Customers’ own DIDs sourced from other providers and whitelisted with Plivo. We plan to enable whitelisting through the Plivo console and the API in the near future.
3. The confidence Plivo has in customer traffic patterns not constituting fraudulent and unsolicited robocall traffic.

Looking forward to less spoofing

We believe STIR/SHAKEN will have a big impact in preventing caller ID spoofing and containing unsolicited robocalls, and we’re excited to join the fight. Talk to a Plivo expert for help getting started.

Telecom fraud and scams are a fast-growing problem — Americans were hit by almost 46 billion robocalls in 2020 alone, costing $10 billion annually. As more businesses turn to IP telephony for their communications needs, and with mobile communication becoming an integral part of our lives, the obligation to address fraudsters and scammers has become increasingly urgent.

Telecom fraud comes in various forms — PBX hacking, toll fraud, robocalling, subscription fraud — and it’s detrimental to businesses and individuals alike. In recent months, the telecom industry has begun deploying new technologies to combat the surge of spam phone calls at scale, and CPaaS providers like Plivo are joining the fight.

Here are some policies and actions the telecom industry is taking to minimize the risk of telecom fraud, along with information about how Plivo plans to support these initiatives for its customers.

STIR/SHAKEN

To help prevent unwanted robocalls, the FCC has begun implementing the STIR/SHAKEN protocols. STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted Information Using Tokens) encompass a framework of standards that aim to address the accuracy of caller ID information. They help consumers authenticate calls they receive by digitally validating calls passing through carrier networks. The FCC has directed carriers to implement robust call authentication by adopting STIR/SHAKEN standards by June 30, 2021.

Plivo is working on an authentication process to comply with the STIR/SHAKEN protocols. We’re already testing calls, and we expect to complete our implementation well before the June 30 deadline. This means that we’ll be able to start signing outgoing calls on customers’ behalf and ensure their calls get the right attestation so that call recipients can feel confident answering them. In the coming weeks, our customers will be able to submit to us their business information and the phone numbers they own and use as caller IDs so we can verify them.

Google Verified SMS and Verified Calls

Meanwhile, Google is adding a couple of security-focused features to its Android Messages app, including Verified SMS and Verified Calls, two tools to combat fraudulent text messages and phone calls. Verified text messages and incoming calls will display a business’s name, their logo, and a verification symbol that indicates that the communication has been verified by Google. For phone calls, Google takes it a step further by indicating why the business is calling.

Now that mobile communications is so popular and widely used, businesses need to stand out and provide messages and call recipients with greater confidence that their brand is reputable. Verified SMS and Verified Calls are great ways for businesses to enhance customers’ trust in their brands.

Plivo is partnering with Google to register businesses and implement the back-end technology to support the services through both our messaging and voice API products. Our customers will be able to enroll via Plivo. Implementation requires no additional engineering efforts and offers organizations a richly branded profile including the business name, description, and logo. We expect support for Verified SMS and Verified Calls to be available in beta sometime this year.

A2P 10DLC

On yet another front in the battle against spam, A2P 10DLC has shifted the landscape of business text messaging, providing new routes dedicated to high-volume text messaging in the form of 10-digit long codes. The objective for 10DLC is to provide stability, reliability, and security to both businesses and their customers. But before telecom customers can take advantage of these sanctioned routes, carrier networks such as AT&T and T-Mobile require an in-depth qualification process that verifies the legitimacy of the business. (Verizon doesn’t require businesses to submit themselves for qualification.) The qualifying process takes into consideration both business details and the use case of a messaging campaign, and yields a result that dictates the number of messages the business can send within a given day.

Plivo customers can register their brand — the business they’re creating a campaign for — through the Plivo website. Once the brand has been approved and has been assigned a “trust score,” campaign and throughput details for the AT&T network will be passed over to us, which we will then confirm with you via email. At this time, T-Mobile hasn’t disclosed throughput details; once this information is available, we’ll make it known to all customers via email.

A new verification tool to help give customers confidence

Through all of these scenarios you’ll notice the common theme of confirming that a business is who they say they are. To streamline this qualification process across the different protocols and features, we’ll be enabling a verification tool in the Plivo console, which will comprise of two parts:

The first part will be dedicated to the verifying business details. Plivo will confirm the legitimacy of an organization’s submitted details and apply approval at the account level, giving customers access to the products highlighted above.

The second part will be product-specific, with dedicated pages on our left-side menu detailing requirements for each (STIR/SHAKEN, Google Verified SMS, 10DLC), where you can submit the appropriate information.

We expect to roll out this tool sometime in 2021, and we’ll share more details once they’re available.

Brands that value building trust with their customers are likely to outperform those that don’t. Plivo is eager to help our customers implement measures to safeguard against telecom fraud. We believe that all of these initiatives will help businesses strengthen their conversations with users, build trust, prevent scams, and provide a safer space for mobile communications globally.

Plivo now supports geo permissions for outbound calls on Zentrunk, Plivo’s cloud-based SIP trunking product. Geo permissions helps users prevent toll fraud attacks.

Toll fraud is a situation where fraudsters take control of a customer’s VoIP infrastructure and make calls to expensive destinations. An affected customer may experience a sudden surge in their call usage and expenses towards uncommon destinations.

With geo permissions enabled for your account, you can adopt proactive measures to prevent toll fraud.

Zentrunk geo permissions

Zentrunk users can now restrict the countries to which you can place calls globally. Configure country-specific rules for outbound trunks and set an account-level default by visiting Zentrunk > Geo Permissions on the Plivo console. See our documentation for complete info.

Enable calls to specific countries

You can enable and disable calling to selected destinations by choosing specific countries to which you expect to make outbound calls. You can configure these separately for different trunks. Zentrunk will allow calls to selected countries and block calls to all other destinations.

Block calls to high-risk destinations

Plivo periodically analyzes call patterns and rates of networks worldwide and identifies high-risk destinations susceptible to toll fraud. These high-risk phone networks are unlikely to be used by end consumers for regular use cases. You can enable high-risk destination blocking to ensure that calls made to these destinations are blocked.

To prevent losses from potential toll fraud, we recommend that you configure geo permissions to enable calls to only those countries that you or your customers expect to make calls, and enable blocking of high-risk network groups.

Zentrunk geo permissions is available at no additional cost.

Not using Plivo yet? Getting started takes just five minutes. Sign-up and get started today.

Plivo’s cloud communication platform lets you send text messages globally via web and mobile apps. With our new feature, geo permissions for SMS, we’re putting more control of your SMS traffic into your hands. Geo permission offers a simple way to control which countries you want to enable or disable for SMS messages, without the need for developer support or code base changes.

SMS geo permissions is a tool to reduce the risk of SMS fraud and abuse. We suggest you maintain international geo permissions to protect your business from sending unwanted messaging.  

Advantages of maintaining international geo permissions

Here are some of the top reasons for you to consider managing your SMS traffic by geographic region.

• Prevent SMS fraud: Though it’s unlikely, your Plivo Auth ID or Auth Token may get compromised. If that happens and you have geo permission enabled, you can reduce the potential for a surcharge in SMS fees for messages sent to high-rate destinations.
• Reduce nonserviceable destinations: Among the 195 countries across the globe and more than 240 country codes, there are many places where your text messages could end up. If your web or mobile app caters to a specific geography or country, you may want to block SMS traffic to other countries and aligning your SMS spend with where your customers are concentrated.
• Avoid incorrect destination numbers: An incorrect or incomplete country code can land your text message in an unexpected part of the world. Some recipients’ phone numbers come from forms, and some form applications are not equipped to automatically geotag form inputs. Consider enabling geo permissions if you don’t validate user input using code.
• Improve customer segmentation: If you segment your SMS traffic using subaccounts, you can use geo permission to customize the reach for each subaccount. If a particular subaccount caters to a specific region, you can disable text messages to other destinations.  

Simple to set up, easy to maintain

Plivo customers can send messages to all countries, or with a click of a button disable messages to all countries except the ones where your audience is focused. By default we enable traffic to the US, Canada, Australia, India, and the country where your account is registered. To modify your geo permissions, navigate to Messaging > Geo Permissions on the Plivo console.

What happens if you send a text message to a disabled country?

If you try to send a text message to a country for which sending is disabled, Plivo will block it and you will not be charged for the message. On SMS logs, the message state will be “failed” and the error code will be 450.

Visit our documentation for more information about geo permissions.

Not yet using Plivo? Getting started takes just five minutes. Sign up today.