Electronic Bulletin / Number 37 - July, 2007

The impact of fraud on telecommunication users

Fraud is one of the scourges most affecting telecommunication service users.  It can be classified under two basic types:  internal fraud, which is generally perpetrated by internal staff or persons working in telecommunication companies, and external fraud perpetrated by third parties or organizations outside companies.

Fraud modalities have been evolving over time.  A few years ago, fraud mainly took place at the vulnerable points of the telecommunication infrastructure (internal plant and external network), such as the main distributors, telephone terminals, and service drops of telephone companies.  Nevertheless, technology breakthroughs, the sector’s drive, the convergence of networks and services, and the mass use of the Internet have brought with them an evolution in fraud.

Some of the most common types of fraud that are currently noteworthy are:

  • Theft of phone calls: Fraudulent connections to phone lines from which local and long-distance phone calls are made to mobile phones and premium-rate service lines without the subscriber’s authorization.

  • Phone tapping: Fraudulent connections to phone lines, from which private conversations can be heard for purposes such as spying on classified information or extortion, all without the subscriber’s knowledge or authorization.

  • Theft of lines or unauthorized transfers: Unscrupulous persons steal or transfer lines without the authorization of the company or the user and resell or use them for their own phone traffic at the cost of the affected user.

  • Mobile phone cloning: Using radio equipment, electronic serial numbers (ESN) of mobile terminals are tapped; on the basis of this information, other terminals are reprogrammed, and from these terminals calls are made and charges are accrued to the legitimate holder of the ESN.

  • Unfair competition: Restrictions to multi-access imposed by operators for the purpose of preventing users from dispatching traffic through other operators.

  • Adware: Unwanted advertisement sent without the consent of the user, which slows down browsing speed.

  • Backdoor: Program that sets up a backdoor in the computer through which it can be controlled and various types of fraudulent actions can be made.

  • Hacking: Fraudulent access to computer networks and/or systems of companies or entities in order to carry out all kinds of actions for one’s own benefit or for the benefit of third parties.

  • Keystroke loggers: Fraudulent method of taking information inputted by users from the keyboard to obtain data on accounts, credit cards or bank passwords or to commit fraud.

  • Phishing: Fraudulently obtaining bank information from users by different means to commit fraud.

  • Spyware: Programs which secretly take confidential information from computers through Internet connections for fraudulent purposes.

  • Spam: Unwanted mail that reaches computers through the Internet and which may contain spyware, dialers and viruses.

  • Dialers: Web sites that request the downloading and installation of applications that cut the initial switched Internet access and, through the modem, set up fraudulent connections with another, international Internet provider or with premium-rate service destinations.

The perpetration of these types of fraud exerts a direct impact on users and/or companies in different aspects, namely:

  • Economic impacts: Generally, the users and/or companies end up paying exorbitant bills for calls, products or services that are unauthorized, unsolicited and unused.

  • Impacts on assets: The assets of users and/or companies may be affected, as they may lose both personal property and real estate assets to pay bills for calls, products or services that are unauthorized, unsolicited and unused.

  • Impact on credit rating: Users may be reported to risk rating agencies because they have not paid for unauthorized, unsolicited and unused calls, products or services.

  • Loss of image and/or reputation: The good image and/or reputation of users and/or companies may be undermined by the unauthorized publication of confidential information, fraudulent transactions, trafficking, pornography, and others, without the subscriber’s knowledge.

  • Processing: When users and/or companies receive bills due for unauthorized, unsolicited, and unused calls, products, or services, they are generally obliged to file complaints, requests for replacement and writs of appeal, whose processing causes exhaustion, requires time, and entails expenditures for transportation, photocopying, and legal advisory services; these processes can last many months and even, in some cases, many years.

  • Traditionally, companies have left users to bear the burden of providing evidence, that is, the users must prove that they did not make the call, that the service was not requested, that the service was not used, etc.

  • When fraud undermines the interests and income of companies, operating costs rise and this surely leads to higher end prices for users.

There are few exceptions to the rule in which the user comes out of it well, such as billing mistakes, damaged lines, or expiration of the deadline for replying to the filing of a complaint or appeal, with administrative silence leading to a positive outcome for the user.

In Colombia, all of the above led surveillance, inspection, and monitoring entities, regulatory agencies, companies, and users to take measures aimed at preventing, tackling and mitigating the scourge of telecommunication fraud.  Some of the actions that were undertaken are listed below:

  • Security inspection visits in the telecommunication infrastructure of companies by the Superintendency of Household Public Services (Superintendencia de Servicios Públicos Domiciliarios—SSPD) and feedback to companies, with conclusions and recommendations.

  • The companies welcomed and applied the recommendations of the SSPD (restrictions on access to vulnerable points of the network, security of telephone terminals, restructuring of the external network, others), on the basis of which it was possible to reduce the perpetration of this type of fraud.

  • In 2005 the SSPD identified a substantial rise in claims for cases of fraud involving dialers affecting users of switched access to Internet. In response, long-distance operators were called upon first, and then local operators, Internet service providers (ISPs), the telecommunication regulation commission and other sector entities were also called to raise awareness and organize working tables to prevent and mitigate this type of fraud.

  • As a result of these steps, the SSPD issued Resolution 20051300027315 on November 18, 2005, which among other aspects ordered companies to provide detailed information to users about the safe use of services and made available local and national information 018000 phone lines.

  • The mass use of secret code services was proposed to prevent phone call theft.

  • Companies attached informative flyleaves to their bills about the risks and the care that users must take when using services, and provided links on their web sites with information about this and free software against destructive software.

  • The Colombian Association of Internet Companies (Asociación Colombiana de Empresas de Internet—ASONET) sent by e-mail to the users of switched Internet the text of the informative flyleaf with the risks and care that users should take regarding the use of services.

  • The companies blocked the destinations identified as dialers and exchanged this information with the other operators.

  • According to information from companies, thanks to actions carried out against the dialer fraud, in 2006 this scourge declined considerably and, in 2007, there were virtually no cases of this kind.

  • Some companies have established divisions or areas in charge of controlling, preventing and mitigating fraud and have drawn up agreements with police force authorities to address the scourge.

Since the telecommunication sector is evolving by leaps and bounds, which means that fraud modalities are also evolving, it must be kept clear that actions combating fraud must be maintained, reviewed, and improved constantly.  Some of these actions are listed below:

  • In complaints in which users deny having made phone calls and/or used services, the burden of proof must be assumed equally by the companies and the users.

  • Companies must avoid the indiscriminate allocation of lines and/or services to the same subscriber without previously knowing and checking the customer’s identification and profile.

  • Establishment of groups, divisions, or units inside the companies exclusively dedicated to controlling, preventing, and mitigating fraud and providing them with the tools needed for this purpose.

  • Management of customer profiles by the companies.

  • Systems to monitor and detect suspicious traffic behavior.

  • Management of black and white lists of customers and feedback about black lists among companies.

  • Cooperation from state security institutions for anti-fraud actions.

  • Stimulating and extending the massive use of secret codes on phone lines.

  • Providing users with services to consult phone consumption and detailed billing, to permit self-control of consumption and stop fraud in time.

  • Keeping users informed about risks and care that must be taken regarding service use and fraud prevention.

  • Active participation of users to prevent, monitor and report fraud.

  • Working together among surveillance and control entities, regulatory agencies, companies, and users.

 

Arturo Quiñónez Quiñónez
Telecommunications Professional
Superintendencia de Servicios Públicos Domiciliarios de Colombia

Additional Information: This is a summary of the author's presentation at the First workshop on the impacts of fraud on the provision of telecommunication services for users, states, and operators, which was held over the Internet on June 21, 2007.

 


© Copyright 2007. Inter-American Telecommunication Commission
Organization of American States.
1889 F St., N.W., Washington, D.C. 20006 - United States
Tel. (202)458-3004 | Fax. (202) 458-6854 | citel@oas.org | http://citel.oas.org