How are the alerts sent?

International Fraud alerts can be sent to us via email from different addresses. Reason being we have different application servers in which Broadsoft users and/or groups exist and each having fraud detection enabled. The email that it is sent from should follow the scheme of internationalfraud@AS[?].voip.evolveip.net. The subject line in the email will also state CARIBBEAN_FRAUD_ALERT.

How are these alerts different?

As stated in the definition of this type of alert, if the block threshold is reached, you will see 1 of 2 messages depending on the alert is for a user or the group indicating the seat or group was intercepted. Intercepted meaning the line will be placed out of service and all outbound and inbound call attempts will fail:

• User Intercept Message: THIS USER WILL BE BLOCKED!!!

• Group Intercept Message: THIS GROUP WILL BE BLOCKED!!!

By the time you see this message the user seat or group has already been intercepted by the platform, so it stating, “WILL BE” does not mean it did not happen.

Example Email Alert

In this example we see the fraud alert was sent from email address of AS15. In the email body we can see the threshold setting that caused this alert to fire is user call threshold=8. In addition, we can also see the group threshold as group call threshold=50. Next we can set the block thresholds are user block threshold=15 and group block threshold=100. We can see the user placed a total of 67 calls, but only 19 were to the Caribbean’s. We get the User ID of the seat, all 19 calls to the Caribbean’s that triggered the alert, and lastly the message, “THIS USER WILL BE BLOCKED.” So due to this user seat having block threshold being 15 and placing 19 consecutive calls to the Caribbean’s the seat was intercepted.

Before we begin troubleshooting please understand, INTERNATIONAL DIALING IS NOT NEEDED TO BE ABLE TO CALL THE CARRIBEANS. The Caribbean’s are apart of the North America dialing plan and can be dialed from our platform. Make sure you are taking the extra steps and double checking if there is any call forwarding in place to a Caribbean number especially if the location is based in the US.

Step 1:  Grab the User IDs/Phone Numbers in question and start gathering the details:

What you need to investigate is the legitimacy of these call attempts. Legitimacy can be determined by confirming but not limited to the following:

1. Is International Dialing Enabled?

2. What device was being used to initiate the calls (Ex: UC-One or Desk Phone)?

3. What IP of the said device is registering from? If placed from a desk phone, confirm if they have an Edgewater present.

4. There is no Call Forward Always, Remote Office, or Sim Ring sending calls to an International number. Please keep in mind that even if there is a Call Forward Always set in certain cases can be legit if the pinhole is created in Broadsoft Backend.

Step 2:  Providing your findings:

When finished find the original email in which the alert came in on and reply all, be sure to be replying from our personal email as some people may have filtering enabled for emails that come from Support@evolveip.net. Also be sure to include the ticket number in the subject line so it can be tracked and logged into the ticket. Include any PCAPS or screenshots of what you have found as evidence or if you need some assistance understanding. IF you think the alert is fraudulent INTERCEPT THE USER SEAT OR LOCATION, RESET THE SIP AUTHENTICATION, RESET THE VOCIEMAIL PIN, AND RESET THE APPLICATION PASSWORD  and engage Voice Engineering to confirm your findings; meaning if the alert is after hours you are to call the Voice Engineering on call. We need to act in speedy matter on real fraudulent behavior as the longer it happens the more money is being loss.

An example of how a reply should look. Please keep in mind all fraud is different and your investigation into the matter may not be as simple:

Step 3: Only IF the seat was intercepted and the traffic is legit

If you confirm the calls are legit or do not show any signs of fraudulent activity and the user seat was intercepted. YOU MUST REMOVE THE INTERCEPT OFF OF THE USER SEAT.

If there is any instance where you cannot confirm or are unsure then have the customer confirm the legitimacy of the traffic. ALWAYS ALWAYS ALWAYS change the customer facing ticket summary and details to the below client facing verbiage (You will need to add in the information) and save the ANI email as an internal log note:

Potential Fraudulent Calls – Ent Name – Date

We have received an alarm that an unusual number of international calls have been placed during the past hour from your enterprise user [List user’s name, DID , and Ext]. We will investigate this alert and take action as necessary to ensure security against fraudulent threats.

Step 4: Only IF Users are repeatedly Intercepted due to the Threshold Values

You can resolve the ticket out once finished, and unlike ANI Violations there are no separate cases to case to close out unless one was triggered in conjunction to the same user seat you investigated in the International Fraud. If you see the same user seat or different user seats getting blocked in the same group frequently you should send the ticket up to Voice Engineering to have the threshold limits increased. As we do not want to keep interrupting customer operations due to low thresholds if their business functions are to place multiple international calls. PLEASE KEEP IN MIND, THRESHOLD LIMIT INCREASES ARE ONLY APPLIED TO THE USER SEATS THAT ARE IN THE GROUP AT THAT POINT IN TIME. ALL NEW USERS SEATS WILL NOT HAVE THE UPDATED THRESHOLD SETTING APPLIED.