
Jun 11, 2024

What is International Revenue Share Fraud (IRSF)? An Overview

Here's everything you need to know about IRSF and SMS Pumping

If you’re building an app that requires users to enter a phone number and receive an SMS, you should be worried about fraud — International Revenue Share Fraud in particular.

With a 12% increase in fraud loss reported in 2023 as compared to 2021, equating to an estimated $38.95 billion lost, telecommunications fraud is becoming a major threat to business revenues.

While there are, unfortunately, too many different kinds of fraud, one that affects almost every player in the telecom industry is International Revenue Share Fraud (IRSF). Even if your app isn’t directly offering a telecom service, it can be affected during user verification and authentication attempts.

In this article, we’ll discuss what IRSF is and how it affects businesses and customers using SMS and OTP-based verification mechanisms.

What is International Revenue Share Fraud (IRSF)?

International Revenue Share Fraud, or IRSF, is a form of financial fraud in which cyber criminals leverage the complex pricing structures of international calls and SMS to generate and divert revenue to their own accounts. This type of fraud is also called SMS Pumping Fraud or SMS Toll Fraud.

SMS Pumping Fraud is committed when fraudsters artificially inflate the volume of international SMS messages sent to premium-rate numbers. They usually do this by tricking apps into completing fake signups or fake phone verification requests on those premium numbers. These numbers carry higher charges, and the app targeted by said fraudsters pays the cost.

And these costs can reach stellar amounts. In 2023, Elon Musk revealed that Twitter lost $60mn a year to SMS Pumping Fraud!

How does IRSF work?

The scammer procures a range of premium-rate phone numbers (IPRN) that they will use to register on different apps with phone verification signups.

They generally operate out of countries where regulations around this area are lax or weakly implemented.

The scammer is often in cahoots with a telecom carrier, operator or anyone operating a layer between the message and the end, such as the SMS aggregator. Indeed, telecom carriers have to reach agreements to share revenue with other carriers to facilitate international messages. While these agreements are meant to be mutually beneficial, they do create gaps for scammers to exploit.

The fraudsters then bombard a business with fake OTP requests to premium numbers they control. The business racks up a big bill, while the fraudster and the telecom operator/carrier share the money made by the premium numbers.

IRSF can also occur within normal telecom routes to regular numbers. They may not cost as much, but still accrue enough stolen money to make the fraud worthwhile. This is what makes IRSF so difficult to detect.

This form of fraud is so structurally hard to fight that it has caught Europol’s attention, as it should.

"This is the most damaging fraud scheme to date, where a criminal partners with an International Premium Rate Number (IPRN) provider that charges high rates… and agrees to share revenue for any traffic generated by the fraudster." (Europol)

Other IRSF attack methods

While SMS pumping fraud is the most common and the one that can result in the largest losses for businesses, fraudsters can use a range of attack methods:

PBX hacking

By exploiting vulnerabilities in Private Branch Exchange (PBX) systems - telephone networks used within a company - fraudsters can reroute calls to premium rate numbers.

Wangiri Fraud

Also known as "one-ring" fraud, attackers place short calls to targets, prompting them to call back. The return call is directed to a premium rate number.

SIM Swapping

Fraudsters take control of a victim’s phone number by tricking the mobile provider into swapping the number to a SIM card they control. This enables them to receive calls and texts meant for the victim.

Roaming Fraud

Fraudsters can exploit international roaming agreements to make billed calls to another network, using stolen or cloned SIM cards or taking advantage of billing delays in international call records.

Which businesses should be concerned with IRSF?

While certain sectors are more exposed to fraudulent attacks, such as finance, healthcare or social applications, any international company that sends verification messages around the world needs to be concerned about IRSF.

It doesn’t even have to be a major brand or app. As long as the app has an input field for a phone number and is designed to send an SMS to anybody, it is vulnerable to IRSF.

Be it account openings, user signups, or transaction verifications, fraudsters can hijack any SMS-based delivery.

If you run or work in a company like this, you don’t have to ask, “Can it affect us?” You have to ask, “When will it happen to us?”

How does IRSF impact companies?

Financial losses

Companies face direct financial losses from IRSF, often resulting in exorbitant phone bills due to fake users.

This fraud also comes with indirect costs, like the cost of investigating and mitigating the fraud, and added operational costs.

Reputation damage

If customers are directly affected by the fraud or if their information security is compromised, this can severely damage customer and employee trust.

Some companies may be tempted to respond to fraud by blocking entire countries and regions, frustrating the real users they have there.

Operational disruption

A high volume of fake requests can cause a company’s systems to crash or suffer downtime, impacting the experience of real users. Detecting and responding to IRSF can also disrupt regular business operations, diverting resources and manpower from core activities, and may cause the loss of competitive advantage.

Legal penalties

Companies can be fined or prosecuted if it is proven that they have not adequately protected their customers' data. Any accusation of SMS pumping fraud can also result in organisations being charged with aiding and abetting fraud.

How to detect IRSF?

Detecting IRSF is tricky because it can be mixed in with legitimate international calls. But you can keep an eye on these signals:

  • Investigate any sudden spike in the number of OTP requests in a short duration, especially from countries where your business doesn't have too many customers.

  • Pay close attention to the speed at which SMS requests are coming in from users. Be wary of IRSF anytime there is an unexplained boost in those numbers.

  • Ask your provider to flag any large volumes in OTP requests from international destinations that are at high risk for fraud.

  • Look for multiple SMSes directed to the same number or destination.
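
The signals listed above, expressed as detection logic over a time-ordered OTP request log. This is an added example, not Prelude's code: the thresholds, the `+999` numbers and the `ZZ` country label are constructed for illustration, and treating a shared number prefix as one "destination" is an assumption.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration; tune them to your traffic.
WINDOW = timedelta(minutes=10)  # look-back window
MAX_PER_NUMBER = 3              # OTP sends to one number per window
MAX_PER_RANGE = 5               # OTP sends to one number range per window
SPIKE_FACTOR = 5                # multiple of a country's normal per-window rate
RANGE_LEN = 8                   # leading E.164 characters treated as one range

def detect(events, baseline):
    """events: time-ordered (datetime, e164_number, country) tuples.
    baseline: normal OTP requests per window by country (unknown country = 1).
    Returns [(timestamp, signal, key)], one alert per signal and key."""
    window, alerts, seen = deque(), [], set()
    by_number, by_range, by_country = Counter(), Counter(), Counter()

    def flag(ts, signal, key):
        if (signal, key) not in seen:
            seen.add((signal, key))
            alerts.append((ts, signal, key))

    for ts, number, country in events:
        # Drop requests that have aged out of the look-back window.
        while window and ts - window[0][0] > WINDOW:
            _, old_number, old_country = window.popleft()
            by_number[old_number] -= 1
            by_range[old_number[:RANGE_LEN]] -= 1
            by_country[old_country] -= 1
        window.append((ts, number, country))
        by_number[number] += 1
        by_range[number[:RANGE_LEN]] += 1
        by_country[country] += 1
        if by_number[number] > MAX_PER_NUMBER:
            flag(ts, "same_number", number)
        if by_range[number[:RANGE_LEN]] > MAX_PER_RANGE:
            flag(ts, "same_range", number[:RANGE_LEN])
        if by_country[country] > SPIKE_FACTOR * baseline.get(country, 1):
            flag(ts, "country_spike", country)
    return alerts

def sample_events():
    """Constructed traffic: 5 ordinary US requests plus a burst to a made-up range."""
    t0 = datetime(2024, 6, 11, 12, 0)
    legit = [(t0 + timedelta(minutes=m), f"+1202555010{m}", "US") for m in range(5)]
    burst = [(t0 + timedelta(seconds=10 * i), f"+999555001{i:02d}", "ZZ") for i in range(12)]
    retry = [(t0 + timedelta(seconds=130 + i), "+99955500100", "ZZ") for i in range(3)]
    return sorted(legit + burst + retry)
```

Calling `detect(sample_events(), {"US": 20})` raises a range alert and a country spike on the sixth burst request, then a same-number alert on the repeated sends, while the US traffic stays quiet.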

How to protect your business from IRSF with Prelude?

IRSF is not inevitable and your company can find a solution to protect your customers (and your budget) from these attacks.

At Prelude, we focus on doing a few things very well. One of them is preventing IRSF, particularly SMS Pumping. The Prelude SDK and API are specifically built to protect customers against IRSF within their OTP-based verification flows.

How do we achieve this?

  • We use cross-signal risk scoring to identify spam with the best accuracy so our clients only send OTP SMS to real users.

  • We enrich our analysis with commercial databases for more precise fraud detection.

  • Our knowledge is shared across all our clients. One blocked attack will benefit all accounts.

  • In the case of an attack, we don’t block entire carriers or countries. Instead, we do a granular fraud scoring and pinpoint the issues so that your business is not impacted, either through financial loss or suspension of necessary SMSs. We prefer to be precise to the extent that we can offer SMS infrastructure in countries not serviced by competitors like Indonesia, the Philippines, and Brazil — because legitimate customers should not suffer due to cybercriminals' actions.

We’re also an AI-native company, which means we can better pinpoint fraud using precise scoring methods that consider heuristics and enriched data. Traditional providers only look at a phone number to determine fraud, but then you’re paying for false negatives and losing growth with false positives.

If we’ve piqued your curiosity, you can book a demo to see how Prelude sends OTP SMSes at 60% less than market cost, 99% deliverability, and astonishingly minimal fraud.

