category threat
published March 2025

Telecom Fraud and IPRN: How the Money Flows

Telecom fraud causes an estimated $38.95 billion in annual losses worldwide — yet it remains poorly understood outside the industry. Much of that damage traces back to one structural feature of how international calls are billed: the revenue-sharing agreements between carriers that fraudsters have learned to weaponize. This is a primer on how that works, what the main attack vectors look like, and where the exposure sits for non-carrier organizations.

Unlike ransomware or data theft, telecom fraud rarely makes headlines. The money moves through billing systems over days or weeks, the victims often carry the loss without realizing what happened, and the infrastructure being abused — the global public switched telephone network and its interconnects — is older and more opaque than the web services most security teams focus on. But the losses are real, and the fraud types that drive them are systematic, scalable, and well-organized.

At the center of the most financially damaging schemes sits the International Premium Rate Number — a class of telephone numbers specifically structured so that a portion of each call's revenue flows back to the number's owner. That revenue-sharing mechanism is legitimate and widely used for commercial services. It is also the mechanism that fraudsters exploit to siphon money out of carriers and enterprises at scale.

How IPRNs and Revenue Sharing Work

When a call travels internationally, the originating carrier pays a termination fee to the carrier that delivers the call at the destination. For ordinary numbers, that fee is modest — a fraction of a cent per minute in many cases. For premium rate numbers, the termination fee is substantially higher, and a share of that revenue is contractually passed back to the registered owner of the number range.

This mechanism exists to support legitimate services: pay-per-call information lines, media voting lines, adult content services, and other value-added offerings where the caller is intentionally paying a premium for the service they receive. International Premium Rate Number providers acquire number ranges in jurisdictions where these arrangements are permitted, assign them to content providers, and collect and distribute the revenue share based on incoming call volume.

The fraud enters when a party controls both the premium rate number and the mechanism generating calls to it. If a fraudster can lease an IPRN and then drive artificial traffic to that number — using a hacked PBX, stolen SIM cards, automated dialers, or compromised VoIP accounts — they collect revenue for calls that were never voluntarily placed by any legitimate customer. The carrier or enterprise whose infrastructure was used to originate those calls is left with the bill. The fraudster collects their revenue share and moves on before anyone reconciles the discrepancy.

Note: IPRN providers operate openly and advertise test numbers on their websites — phone numbers that prospective fraudsters can call to verify reachability before committing to a full-scale attack. Fraud management firms harvest these test number catalogs continuously, building databases now exceeding 1.4 million known IPRN numbers used to detect probing activity before an attack scales up.

The scheme is sometimes called International Revenue Share Fraud (IRSF) — the broader category that encompasses any fraud exploiting international revenue-sharing agreements. IRSF caused an estimated $6.23 billion in losses in 2023 alone according to the CFCA Global Fraud Loss Survey, and 48 percent of operators reported high volumes of IRSF attacks in 2024. The total number of IRSF attacks has grown roughly sixfold since 2013.

The Main Attack Vectors

IRSF is not a single attack technique — it is a fraud outcome that can be reached through several different initial access paths. Understanding those paths matters because the defenses are different for each.

PBX Hacking

A Private Branch Exchange (PBX) is the telephone switching system businesses use to manage internal calls and connect to the public telephone network. IP-based PBX systems — now standard across enterprises — are accessible over the internet and are a well-established target for automated scanning. Fraudsters run scripts that probe for exposed PBX systems, test for default credentials or known vulnerabilities, and gain administrative access. Once inside, they configure call forwarding or directly program the system to place high volumes of calls to premium rate destinations — typically to numbers the fraudster controls via an IPRN provider arrangement.

Attacks almost always occur outside business hours: evenings, weekends, and public holidays when call volume is low, monitoring is reduced, and there is maximum time before someone notices the anomaly. A single weekend attack against a compromised PBX can generate $50,000 or more in fraudulent call charges before the business opens Monday morning and sees an incomprehensible phone bill. There is no chargeback mechanism in telephony equivalent to what exists for card payments — the originating carrier typically holds the enterprise responsible for calls placed through their PBX regardless of whether those calls were authorized.

SIM Box Fraud

SIM box devices — also called GSM gateways — are physical units that can hold dozens or hundreds of SIM cards simultaneously. Fraudsters load these boxes with prepaid SIMs (often acquired through subscription fraud or purchased under false identities) and use them to terminate large volumes of international calls locally, bypassing legitimate interconnect routes and the fees carriers would normally charge for international termination. The calls appear to originate from local numbers, making them harder to identify as fraudulent traffic and allowing the fraudsters to underbid legitimate carriers for wholesale termination while generating their own revenue on the premium-rate side.

Wangiri Fraud

Wangiri is a Japanese term meaning "one ring and cut." The attack is straightforward: automated dialers place calls to large numbers of phone numbers and terminate each call after a single ring, before the recipient answers. The missed call notification prompts many recipients to call back out of curiosity. Those return calls are routed to premium rate numbers — numbers the fraudsters control and receive revenue from. The victim pays a high per-minute charge for the return call, the fraudster collects the revenue share, and the campaign moves on to the next batch of phone numbers.

Wangiri requires no compromise of corporate infrastructure. It targets individual phone users directly and generates modest per-call revenue, but at the scale of automated dialing campaigns the aggregate losses are significant. Carriers in the Asia-Pacific and MENA regions in particular report sustained high volumes of Wangiri activity.

SMS Pumping and AIT Fraud

SMS pumping — formally called Artificially Inflated Traffic (AIT) fraud — targets any application that sends SMS messages to phone numbers supplied by users. The fraud model is now tightly coupled with IRSF. A fraudster registers or controls a range of premium-rate mobile numbers, then uses an automated bot to submit those numbers to a target application's SMS-based verification flow. Each time the application sends an OTP or verification SMS to those numbers, the message travels through the carrier network and incurs a per-message charge. The IPRN provider receives revenue for message delivery to their premium numbers, shares it with the fraudster, and the targeted application receives a billing shock from its SMS provider.

"This is the most damaging fraud scheme to date, where a criminal partners with an International Premium Rate Number provider that charges high rates and agrees to share revenue for any traffic generated by the fraudster." — Europol

Any application with a phone number input field that triggers SMS delivery is vulnerable. The exposure is not limited to telecom companies — any SaaS product, fintech application, consumer platform, or enterprise app using SMS for two-factor authentication or account verification can become an unwilling traffic generator. The fraud does not require access to the application's backend; it only requires a publicly accessible form that accepts phone numbers and sends a message.

Warning: SMS pumping fraud does not require a breach of your systems. It only requires that your application sends SMS messages to phone numbers users supply. If your registration, login, or verification flow sends OTPs to arbitrary international numbers without rate limiting or carrier validation, it is already exposed.

Why Detection Is Structurally Difficult

Telecom fraud persists at scale partly because the international telephone network was not designed with real-time fraud detection in mind, and partly because the fraud traffic is structurally indistinguishable from legitimate traffic at many inspection points.

IRSF calls look like normal international calls. They travel legitimate routes through legitimate carriers. The numbers being called may not appear on any official national numbering plan, making it impossible for the originating carrier's fraud management system to automatically classify them as premium-rate destinations. By the time billing reconciliation happens — often 30 to 60 days later — the fraudsters have long collected their payout and disappeared.

The geographic distribution of IPRN destinations compounds the problem. Premium rate number arrangements are now available in over 200 countries, meaning that blocking calls to a handful of high-risk destinations is no longer a reliable countermeasure. Fraudsters shift destination countries frequently as carriers implement targeted blocks.

IRSF traffic is also often distributed — spread across many originating lines and destinations — so threshold-based fraud management rules that look for a single device or account placing an unusual volume of calls may not trigger. The pattern only becomes obvious in aggregate.
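
The effect described above, as an added example that is not part of the original briefing: a per-line threshold stays silent while a per-destination aggregate over the same call records fires. The call records, extensions, thresholds and the +999 placeholder country code are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDRs: (start time, originating extension, dialed E.164 number, seconds).
# +999 is a placeholder country code; none of these are real IPRN numbers.
def build_sample_cdrs():
    base = datetime(2025, 3, 1, 23, 0)  # a Saturday night
    cdrs = []
    # 12 extensions each place 3 calls into one destination range: low per line.
    for ext in range(200, 212):
        for n in range(3):
            start = base + timedelta(minutes=ext - 200 + 15 * n)
            cdrs.append((start, str(ext), f"+99955501{ext % 100:02d}{n}", 540))
    # Ordinary traffic: one extension, a few short calls to varied destinations.
    for n, dest in enumerate(["+14155550101", "+12125550123", "+442079460000"]):
        cdrs.append((base + timedelta(minutes=5 * n), "300", dest, 120))
    return cdrs

def per_line_alerts(cdrs, max_calls=10):
    """Classic rule: flag any single originating line with more than max_calls."""
    counts = defaultdict(int)
    for _, line, _, _ in cdrs:
        counts[line] += 1
    return sorted(line for line, c in counts.items() if c > max_calls)

def per_destination_alerts(cdrs, prefix_len=6, window=timedelta(hours=1),
                           max_minutes=60, min_lines=5):
    """Aggregate rule: total minutes and distinct lines per destination prefix
    inside a sliding window, regardless of which line placed each call."""
    by_prefix = defaultdict(list)
    for start, line, dest, secs in cdrs:
        by_prefix[dest[:prefix_len]].append((start, line, secs))
    alerts = []
    for prefix, calls in by_prefix.items():
        calls.sort()
        lo = 0
        for hi in range(len(calls)):
            while calls[hi][0] - calls[lo][0] > window:
                lo += 1                      # slide the window start forward
            win = calls[lo:hi + 1]
            minutes = sum(s for _, _, s in win) / 60
            lines = {l for _, l, _ in win}
            if minutes > max_minutes and len(lines) >= min_lines:
                alerts.append((prefix, round(minutes), len(lines)))
                break                        # first crossing is enough to alert
    return sorted(alerts)
```

The aggregate rule fires as soon as the seventh nine-minute call lands, while no extension has placed more than three calls.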

Critical: Unlike credit card fraud, there is no chargeback mechanism in telephony. When a hacked PBX generates $50,000 in fraudulent calls over a weekend, the enterprise that owns that PBX is typically responsible for the bill. Carriers may offer goodwill credits in clear-cut compromise cases, but there is no standardized consumer protection framework equivalent to card network chargeback rights.

The Test Call Signal

Before launching a full IRSF attack, fraudsters need to confirm that their chosen IPRN number is reachable — that calls placed through the device or account they plan to use will successfully connect and generate billable minutes. This creates a predictable pre-attack behavior: test calls placed to known IPRN numbers in low volumes.

IPRN providers publish test numbers on their websites to help potential customers verify connectivity before signing up. Fraud management firms harvest these catalogs — some updating databases of known test numbers twice monthly — and distribute them to carriers as hotlists. When a call lands on a known test number, it triggers an alert that an IRSF attack may be imminent. Carriers using these databases report stopping up to 75 percent of IRSF attacks by catching the test call phase before the high-volume traffic begins.

This detection window is narrow. Test calls may happen only hours before the main attack. But for organizations with real-time fraud management systems tied to current IPRN databases, catching test call activity remains one of the most reliable early warning signals available.
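
One way to run call records against such a hotlist, as an added example rather than any vendor's implementation. The hotlist entries, the trailing-* range convention, the +999 placeholder country code and the call records are all constructed.

```python
import re

# Constructed hotlist entries standing in for a vendor's IPRN test-number feed.
# +999 is a placeholder country code; an entry ending in "*" covers a range.
HOTLIST = ["+9995550100", "+99955502*"]

def normalize(dialed, intl_prefixes=("00", "011"), default_cc="1"):
    """Reduce a dialed string, as a PBX logs it, to +E.164-style digits."""
    digits = re.sub(r"[^\d+]", "", dialed)
    if digits.startswith("+"):
        return "+" + digits[1:].replace("+", "")
    for p in intl_prefixes:
        if digits.startswith(p):
            return "+" + digits[len(p):]
    return "+" + default_cc + digits  # national format: assume the local country code

def compile_hotlist(entries):
    exact = {e for e in entries if not e.endswith("*")}
    ranges = tuple(e[:-1] for e in entries if e.endswith("*"))
    return exact, ranges

def find_test_calls(cdrs, hotlist, max_probe_secs=30):
    """Return (line, number, kind) for every CDR that hits the hotlist.
    Short hits are 'probe'; longer ones mean billable traffic is already flowing."""
    exact, ranges = compile_hotlist(hotlist)
    hits = []
    for line, dialed, secs in cdrs:
        number = normalize(dialed)
        if number in exact or number.startswith(ranges):
            kind = "probe" if secs <= max_probe_secs else "active"
            hits.append((line, number, kind))
    return hits

# Constructed call records: (originating line, digits as dialed, duration in seconds).
SAMPLE_CDRS = [
    ("ext-204", "00 999 555 0100", 6),      # hotlist number dialed with a 00 prefix
    ("ext-204", "011-999-555-0217", 4),     # falls inside the +99955502* range
    ("ext-310", "(415) 555-0142", 185),     # ordinary national call
    ("sip-trunk-2", "+9995550100", 900),    # same hotlist number, long duration
]
```

Normalizing before matching matters because the same destination appears in call logs with different international prefixes depending on the originating device.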

Enterprise Exposure Beyond Carriers

Telecom fraud is not solely a carrier problem. Several exposure points sit squarely within the enterprise security perimeter.

PBX and VoIP systems are the primary enterprise attack surface for IRSF. IP PBX systems exposed to the internet with weak credentials or default configurations are compromised regularly. Small and mid-sized businesses are disproportionately targeted because they are less likely to have dedicated telephony security teams or real-time monitoring on call activity. The attack surface expanded significantly as enterprises adopted cloud-based UCaaS and VoIP platforms — many of which introduced internet-exposed administrative interfaces that traditional on-premises PBXs did not have.

SMS-sending applications are the primary enterprise attack surface for AIT fraud. Any application that sends OTPs, verification codes, notification messages, or marketing SMS to phone numbers entered by users can be turned into a traffic pump. The fraudster does not care what the message says — only that it gets sent and billed. Applications without rate limiting per phone number, geo-restrictions on destination countries, or carrier number validation are particularly vulnerable.

Cloud communications APIs — platforms like Twilio, Vonage, Sinch, and similar — pass SMS and voice costs directly to the customer. When an application built on these platforms is targeted by AIT fraud, the bill lands on the company that owns the API key. Some providers now offer built-in fraud controls and automatic blocking of suspicious traffic patterns, but the default configuration on many accounts offers limited protection without deliberate hardening.

Defenses: What Organizations Can Do

The appropriate defenses depend on which exposure surface applies, but several measures apply broadly.

For organizations operating PBX or VoIP systems, the fundamentals matter more than most realize: strong credentials on all administrative interfaces, multi-factor authentication where the platform supports it, disabling international calling for extensions that have no business need for it, setting hard caps on simultaneous call legs, and alerting on anomalous call volumes — particularly outside business hours. Automated scripts scan for exposed PBX systems continuously; any system with default credentials or a known-unpatched vulnerability will be found and exploited.

For applications that send SMS messages, rate limiting on OTP requests per phone number and per IP address is baseline protection. Geographic restrictions — refusing to send messages to country codes where the application has no legitimate user base — reduce the attack surface significantly. Number validation services that check whether a submitted number belongs to a known premium-rate range before sending are now available from several providers and can block fraud at the submission step rather than after the message has already been sent and billed.

IPRN database subscriptions are the primary tool carriers use for detection and are increasingly available to enterprises via fraud prevention APIs. Checking submitted phone numbers against current IPRN databases before initiating any outbound call or SMS is one of the highest-value controls available for organizations with significant telephony exposure.
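
The checks from the two paragraphs above, combined into one gate that runs before the SMS provider is called (an added example, not code from any provider's SDK). The class name, limits, prefixes and sample numbers are assumptions constructed for illustration; a production system would take the premium-rate prefixes from a number validation or IPRN database service.

```python
import time
from collections import defaultdict, deque

class OtpSendGate:
    """Decide whether an OTP SMS may be sent, before the provider is called."""

    def __init__(self, allowed_cc, premium_prefixes, per_number=3, per_ip=10,
                 window=600, clock=time.monotonic):
        self.allowed_cc = tuple(allowed_cc)            # served country codes
        self.premium_prefixes = tuple(premium_prefixes)
        self.limits = {"number": per_number, "ip": per_ip}
        self.window = window                           # seconds
        self.clock = clock
        self.events = defaultdict(deque)               # key -> accepted send times

    def _over_limit(self, kind, value, now):
        q = self.events[(kind, value)]
        while q and now - q[0] >= self.window:         # drop expired entries
            q.popleft()
        return len(q) >= self.limits[kind]

    def check(self, number, ip):
        """Return 'ok' or the reason for refusal. number must already be +E.164."""
        now = self.clock()
        if not number.startswith(self.allowed_cc):
            return "country_not_served"
        if number.startswith(self.premium_prefixes):
            return "premium_range"
        if self._over_limit("number", number, now):
            return "number_rate_limited"
        if self._over_limit("ip", ip, now):
            return "ip_rate_limited"
        self.events[("number", number)].append(now)
        self.events[("ip", ip)].append(now)
        return "ok"

def simulate_pump():
    """Constructed run: one client IP submits 40 distinct numbers, one per second."""
    t = [0.0]
    gate = OtpSendGate(("+1", "+44"), ("+4499955",), clock=lambda: t[0])
    outcomes = defaultdict(int)
    for i in range(40):
        t[0] += 1.0
        if i < 10:
            number = f"+99955501{i:02d}"               # placeholder, unserved country code
        elif i < 20:
            number = f"+4499955{i:04d}"                # placeholder premium range
        else:
            number = f"+4420794601{i:02d}"             # distinct numbers, not on any list
        outcomes[gate.check(number, "203.0.113.7")] += 1
    return dict(outcomes)
```

In the simulated run the per-number limit never triggers, because every submitted number is different; the country, premium-range and per-IP checks are what hold the send count to ten.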

For Wangiri, the main protection is user education and caller ID validation: users who understand that one-ring-and-disconnect is a scam pattern will not call back unknown international numbers, and carrier-level call validation services (STIR/SHAKEN in the US, equivalent frameworks in other jurisdictions) help surface suspicious caller ID patterns.

Key Takeaways

  1. Revenue sharing is the mechanism, not a vulnerability in the traditional sense: IRSF exploits a legitimate billing structure rather than a software flaw. Patching does not fix it — you have to control who can generate traffic and to where.
  2. PBX compromise is an enterprise risk, not just a telco risk: Any organization running IP-based telephony with internet-exposed management interfaces is a target. Weak credentials on a PBX have the same risk profile as weak credentials on a server.
  3. SMS-sending applications are indirect fraud targets: You do not have to be a carrier to be a victim. Any application that sends OTPs or verification messages to user-supplied numbers without rate limiting or number validation is exposed to AIT fraud.
  4. Test call detection provides the earliest warning: IPRN providers advertise test numbers publicly. Monitoring calls to these known numbers gives fraud teams a signal that an attack is being planned before it scales.
  5. There is no chargeback: Once fraudulent calls have been placed through your infrastructure, the liability is typically yours. Prevention and real-time detection are the only effective responses — reactive investigation after the bill arrives is rarely productive.

Telecom fraud occupies an unusual space in the threat landscape: technically sophisticated in aggregate, but built on simple principles that individual organizations can address with straightforward controls. The volume of losses reflects not the insolubility of the problem but the frequency with which the basics — credential hygiene on PBX systems, rate limiting on SMS flows, number validation before delivery — are overlooked until a bill arrives that cannot be ignored.
