Product Category: UCaaS
Product Family: Usage
Trouble Type: VoIP Fraud
Support Tier: Triage
Last Updated

 

The information in this guide will help you investigate the different fraud detection alerts we receive. Please keep in mind that this guide does not cover everything you should be doing, and processes do change.

The Fraud Types and What Exactly They are Monitoring

US ANI/Protector Violations

  • These alerts track international calls for our US-based customers using several Violation Rules (e.g., Calls to Hotlist Countries, Call Count Attempts, Calls to Same International Number). A threshold is set for each rule; when a threshold is reached, an alert is triggered and a score is calculated based on the rule that fired. The higher the score, the more likely the behavior is fraudulent. If a customer is known to place many international calls, a rule's threshold can be raised to avoid repeated alerts. This is handled by the Voice Engineering team.

EU ANI/Protector Violations

  • These alerts track international calls for our EU-based customers using several Violation Rules (e.g., Calls to Hotlist Countries, Call Count Attempts, Calls to Same International Number). A threshold is set for each rule; when a threshold is reached, an alert is triggered and a score is calculated based on the rule that fired. The higher the score, the more likely the behavior is fraudulent. If a customer is known to place many international calls, a rule's threshold can be raised to avoid repeated alerts. This is handled by the Voice Engineering team. Our EU team handles the investigation, and we are responsible for closing the cases out for them.

International Fraud

  • These alerts monitor international calls on the Broadsoft application servers. This fraud type also uses thresholds, but they are less detailed than those for the ANI Violations: a threshold is set at the user level and at the group level for the different enterprises, and only the number of attempts to different international numbers is monitored. If the call threshold is reached, an email is sent; if the block threshold is met, the user seat and/or group is intercepted so that no more calls can be placed.

Caribbean Fraud

  • These alerts monitor calls to the Caribbean on the Broadsoft application servers. This fraud type also uses thresholds, but they are less detailed than those for the ANI Violations: a threshold is set at the user level and at the group level for the different enterprises, and only the number of attempts to different Caribbean numbers is monitored. If the call threshold is reached, an email is sent; if the block threshold is met, the user seat and/or group is intercepted so that no more calls can be placed.

Very High 404 Count

  • This alert monitors the number of failed registrations across all our servers that return a 404 error. A 404 error means that the User ID trying to register was not found on the respective server. It can be caused by typos in the User ID field, registrations sent to the wrong server, or the user seat not existing on the server it is registering to. When the total number of 404s passes the threshold, an alert is sent indicating the time/minute window in which it was raised. Brute-force attempts are the more common cause of these alerts.
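
The following is an added example, not part of the original guide or of the production alerting: it counts 404 registration failures per minute window and then separates a source guessing many User IDs from one repeating a single mistyped ID. The record layout, sample rows, threshold value and labelling rule are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

THRESHOLD = 5   # assumed per-minute 404 threshold; the real value is not in this guide
MANY_IDS = 4    # assumed: this many distinct User IDs from one source looks like guessing

def build_sample():
    """Constructed records: (timestamp, server, user_id, source_ip, sip_code)."""
    rows = [("2024-01-01T10:00:05", "as1", "5551230001", "198.51.100.7", 404),
            ("2024-01-01T10:00:40", "as1", "5551230001", "198.51.100.7", 200),
            ("2024-01-01T10:01:10", "as2", "5551239999", "192.0.2.10", 404),
            ("2024-01-01T10:01:50", "as2", "5551239999", "192.0.2.10", 404)]
    # One source walking through different User IDs inside the 10:01 minute.
    rows += [(f"2024-01-01T10:01:{s:02d}", "as1", f"10{s:02d}", "203.0.113.50", 404)
             for s in range(0, 36, 6)]
    return rows

def flagged_windows(records, threshold=THRESHOLD):
    """Group 404 registration failures by minute; keep minutes whose total passes the threshold."""
    windows = defaultdict(list)
    for ts, server, user_id, src, code in records:
        if code == 404:
            minute = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:%M")
            windows[minute].append((server, user_id, src))
    return {m: hits for m, hits in windows.items() if len(hits) > threshold}

def triage(hits, many_ids=MANY_IDS):
    """Label each source in a flagged window by how many distinct User IDs it tried."""
    ids_by_src = defaultdict(set)
    count_by_src = Counter()
    for _server, user_id, src in hits:
        ids_by_src[src].add(user_id)
        count_by_src[src] += 1
    report = {}
    for src, ids in ids_by_src.items():
        # Heuristic (assumption): many different IDs from one source suggests brute force,
        # one repeated ID suggests a typo or a registration sent to the wrong server.
        label = "possible brute force" if len(ids) >= many_ids else "likely typo or wrong server"
        report[src] = {"attempts": count_by_src[src], "distinct_ids": len(ids), "label": label}
    return report

if __name__ == "__main__":
    for minute, hits in flagged_windows(build_sample()).items():
        print(minute, len(hits), "x 404")
        for src, info in triage(hits).items():
            print("  ", src, info)
```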

Wireshark Toll Fraud

  • These alerts monitor a set of failing calls to a digit string. The failing calls usually occur 5-10 minutes before the alert is sent. It takes about 15 consecutive failed calls to the same number to trigger the alert. The monitoring is done on the capture files hosted on Switch1. These calls can also be found in OCOM/Paladion by searching for the provided string.

Carrier Fraud Response

  • Like Evolve IP, our PSTN carriers monitor for fraud. Sometimes they will contact us if they believe they have detected fraud coming from Evolve IP. For information regarding handling, please click on the link above.

Please select the respective fraud alert to learn about its process and troubleshooting steps.