Engineering

Jun 11, 2024

What is International Revenue Share Fraud (IRSF)? : An Overview

Here's everything you need to know about IRSF and SMS Pumping

If you’re building an app that requires users to enter a phone number and receive an SMS, you should be worried about fraud — International Revenue Share Fraud and SMS Pumping in particular.

"Telecommunications fraud continues to impact companies globally, with a 12% increase in fraud loss reported in 2023 as compared to 2021 equating to an estimated $38.95 billion lost in 2023 representing 2.5% of telecommunications revenues."

Source

While there are, unfortunately, too many different kinds of fraud, one that affects almost every player in the telecom industry is International Revenue Share Fraud (IRSF). Even if your app isn’t directly offering a telecom service, it can be affected during user verification and authentication attempts.

In this article, we’ll discuss what IRSF is and how it affects businesses and customers using SMS and OTP-based verification mechanisms.

Note: International Revenue Share Fraud also occurs on international calls and apps. However, for the sake of specificity and product relevance, this article will focus on IRSF, which affects SMS-based phone verification workflows, i.e., SMS pumping fraud.

What is International Revenue Share Fraud (IRSF) and SMS Pumping?

IRSF is a form of financial fraud in which cyber criminals utilize the complex (often convoluted) pricing structures of international SMS to generate and divert revenue to their own accounts.

In our case, we are talking about one form of IRSF: SMS Pumping Fraud.

Note: In 2023, Elon Musk revealed that Twitter Lost $60mn a Year to SMS Pumping Fraud.

SMS Pumping Fraud is committed when fraudsters artificially inflate the volume of international SMS messages sent to premium-rate numbers. They usually do this by tricking apps into completing fake signups or fake phone verification requests on those premium numbers. These numbers carry higher charges, and the app targeted by said fraudsters pays the cost.

Note: IRSF can also occur within normal telecom routes to regular numbers. They may not cost as much, but still accrue enough stolen money to make the fraud worthwhile. This is what makes IRSF so difficult to detect.

Telecom carriers have to reach agreements to share revenue with other carriers to facilitate international messages. While these agreements are meant to be mutually beneficial, they do create gaps for scammers to exploit.

This form of fraud is structurally hard to fight that it has caught Europol’s attention, as it should.

"This is the most damaging fraud scheme to date, where a criminal partners with an International Premium Rate Number (IPRN) provider1 that charges high rates… and agrees to share revenue for any traffic generated by the fraudster."

Europol

How does IRSF work?

The scammer procures a range of premium-rate phone numbers (IPRN) that they will use to register on different apps with phone verification signups. They generally operate out of countries where regulations around this area are lax or weakly implemented.

The scammer is often in cahoots with a telecom carrier, operator or anyone operating a layer between the message and the end, such as the SMS aggregator. They bombard a business with fake OTP requests to premium numbers they (the fraud people) control.

The business racks up a big bill, while the fraudster and the telecom operator/carrier share the money made by the premium numbers.

Which businesses should be concerned with IRSF?

Any international business that sends verification messages worldwide should be worried about IRSF.

It doesn’t even have to be a major brand or app. As long as the app has an input field for a phone number and is designed to send an SMS to anybody, it is vulnerable to IRSF. Be it account openings, user signups, or transaction verifications, fraudsters can hijack any SMS-based delivery.

If you run or work in a company like this, you don’t have to ask, “Can it affect us?” You have to ask, “When will it happen to us?”

How to detect IRSF

  • Investigate any sudden spike in the number of OTP requests in a short duration, especially from countries where your business doesn't have too many customers.

  • Pay close attention to the speed at which SMS requests are coming in from users. Be wary of IRSF anytime there is an unexplained boost in those numbers.

  • Ask your provider to flag any large volumes in OTP requests from international destinations that are at high risk for fraud.

  • Look for multiple SMSes directed to the same number or destination.

How to protect your business from IRSF

At Prelude, we focus on doing a few things very well.

One of them is preventing IRSF, particularly SMS Pumping. The Prelude SDK and API are specifically built to protect customers against IRSF within their OTP-based verification flows.

We’re only obsessed with keeping SMS prices low and protecting customers from SMS fraud — that’s it. And we put everything we have into these areas.

Our next article will go deeper into our anti-IRSF measures, but here is a rough overview:

  • We use cross-signal risk scoring to identify spam with the best accuracy. Only send OTP SMS to real users.

  • We enrich our analysis with commercial databases for more precise fraud detection.

  • Our knowledge is shared across all our clients. One blocked attack will benefit all accounts.

  • In the case of an attack, we don’t block entire carriers or countries. Instead, we do a granular fraud scoring and pinpoint the issues so that your business is not impacted, either through financial loss or suspension of necessary SMSs. We prefer to be precise to the extent that we can offer SMS infrastructure in countries not serviced by competitors like Indonesia, the Philippines, and Brazil — because legitimate customers should not suffer due to cybercriminals' actions.

We’re also an AI-native company, which means we can better pinpoint fraud using precise scoring methods that consider heuristics and enriched data. Competitors will only look at a phone number to determine fraud, but then you’re paying for false negatives and losing growth with false positives. We don’t do that.

If we’ve piqued your curiosity, how about booking a demo? Let us show you how Prelude sends OTP SMSes at 60% less than market cost, 99% deliverability, and astonishingly minimal fraud.

If you’re building an app that requires users to enter a phone number and receive an SMS, you should be worried about fraud — International Revenue Share Fraud and SMS Pumping in particular.

"Telecommunications fraud continues to impact companies globally, with a 12% increase in fraud loss reported in 2023 as compared to 2021 equating to an estimated $38.95 billion lost in 2023 representing 2.5% of telecommunications revenues."

Source

While there are, unfortunately, too many different kinds of fraud, one that affects almost every player in the telecom industry is International Revenue Share Fraud (IRSF). Even if your app isn’t directly offering a telecom service, it can be affected during user verification and authentication attempts.

In this article, we’ll discuss what IRSF is and how it affects businesses and customers using SMS and OTP-based verification mechanisms.

Note: International Revenue Share Fraud also occurs on international calls and apps. However, for the sake of specificity and product relevance, this article will focus on IRSF, which affects SMS-based phone verification workflows, i.e., SMS pumping fraud.

What is International Revenue Share Fraud (IRSF) and SMS Pumping?

IRSF is a form of financial fraud in which cyber criminals utilize the complex (often convoluted) pricing structures of international SMS to generate and divert revenue to their own accounts.

In our case, we are talking about one form of IRSF: SMS Pumping Fraud.

Note: In 2023, Elon Musk revealed that Twitter Lost $60mn a Year to SMS Pumping Fraud.

SMS Pumping Fraud is committed when fraudsters artificially inflate the volume of international SMS messages sent to premium-rate numbers. They usually do this by tricking apps into completing fake signups or fake phone verification requests on those premium numbers. These numbers carry higher charges, and the app targeted by said fraudsters pays the cost.

Note: IRSF can also occur within normal telecom routes to regular numbers. They may not cost as much, but still accrue enough stolen money to make the fraud worthwhile. This is what makes IRSF so difficult to detect.

Telecom carriers have to reach agreements to share revenue with other carriers to facilitate international messages. While these agreements are meant to be mutually beneficial, they do create gaps for scammers to exploit.

This form of fraud is structurally hard to fight that it has caught Europol’s attention, as it should.

"This is the most damaging fraud scheme to date, where a criminal partners with an International Premium Rate Number (IPRN) provider1 that charges high rates… and agrees to share revenue for any traffic generated by the fraudster."

Europol

How does IRSF work?

The scammer procures a range of premium-rate phone numbers (IPRN) that they will use to register on different apps with phone verification signups. They generally operate out of countries where regulations around this area are lax or weakly implemented.

The scammer is often in cahoots with a telecom carrier, operator or anyone operating a layer between the message and the end, such as the SMS aggregator. They bombard a business with fake OTP requests to premium numbers they (the fraud people) control.

The business racks up a big bill, while the fraudster and the telecom operator/carrier share the money made by the premium numbers.

Which businesses should be concerned with IRSF?

Any international business that sends verification messages worldwide should be worried about IRSF.

It doesn’t even have to be a major brand or app. As long as the app has an input field for a phone number and is designed to send an SMS to anybody, it is vulnerable to IRSF. Be it account openings, user signups, or transaction verifications, fraudsters can hijack any SMS-based delivery.

If you run or work in a company like this, you don’t have to ask, “Can it affect us?” You have to ask, “When will it happen to us?”

How to detect IRSF

  • Investigate any sudden spike in the number of OTP requests in a short duration, especially from countries where your business doesn't have too many customers.

  • Pay close attention to the speed at which SMS requests are coming in from users. Be wary of IRSF anytime there is an unexplained boost in those numbers.

  • Ask your provider to flag any large volumes in OTP requests from international destinations that are at high risk for fraud.

  • Look for multiple SMSes directed to the same number or destination.

How to protect your business from IRSF

At Prelude, we focus on doing a few things very well.

One of them is preventing IRSF, particularly SMS Pumping. The Prelude SDK and API are specifically built to protect customers against IRSF within their OTP-based verification flows.

We’re only obsessed with keeping SMS prices low and protecting customers from SMS fraud — that’s it. And we put everything we have into these areas.

Our next article will go deeper into our anti-IRSF measures, but here is a rough overview:

  • We use cross-signal risk scoring to identify spam with the best accuracy. Only send OTP SMS to real users.

  • We enrich our analysis with commercial databases for more precise fraud detection.

  • Our knowledge is shared across all our clients. One blocked attack will benefit all accounts.

  • In the case of an attack, we don’t block entire carriers or countries. Instead, we do a granular fraud scoring and pinpoint the issues so that your business is not impacted, either through financial loss or suspension of necessary SMSs. We prefer to be precise to the extent that we can offer SMS infrastructure in countries not serviced by competitors like Indonesia, the Philippines, and Brazil — because legitimate customers should not suffer due to cybercriminals' actions.

We’re also an AI-native company, which means we can better pinpoint fraud using precise scoring methods that consider heuristics and enriched data. Competitors will only look at a phone number to determine fraud, but then you’re paying for false negatives and losing growth with false positives. We don’t do that.

If we’ve piqued your curiosity, how about booking a demo? Let us show you how Prelude sends OTP SMSes at 60% less than market cost, 99% deliverability, and astonishingly minimal fraud.

Start optimizing your auth flow

Send verification text-messages anywhere in the world with the best price, the best deliverability and no spam.