Q&A: Oculeus discusses the current state of telecoms fraud and beyond
The basic facts are that we are all exposed to telecoms fraud – from providers of communications services to enterprises and organisations to individual consumers.
This is nothing new as, over time, cybercriminals have always used advanced technologies to outpace the anti-fraud practices of telcos and their business customers. However, as telcos improve their technology stack to fight telecoms fraud, there is hope that the threats will be minimised.
We recently spoke with Gavin Stewart, vice president at Oculeus, a software solutions provider for telecommunications service providers, to learn more about his company's perspective.
What do we need to know about the current state of telecoms fraud?
Today, cybercriminals use the most advanced technologies available to execute telecoms fraud attacks rapidly. We have seen several recent incidents in which fraudsters used innovations like AI to continuously refine and adapt their methods for evading detection and outwitting traditional anti-fraud solutions whose approach is based on static rules.
Unfortunately, at the same time, telecoms fraud is currently one of the profitable forms of cybercrime and is relatively easy to execute.
Have the pandemic and the transition of the workplace impacted levels of telecoms fraud?
The pandemic jumpstarted and even fast-tracked the digital transformation of many organisations. Many of these projects were needed to support new work-from-home scenarios during the long lockdown periods in many places.
While many of these projects enabled enterprises to maintain the continuity of their business activities, work-from-home significantly widened the attack surface for cybercrimes during the pandemic.
Studies have shown a couple of wider trends that feed into this scenario. First, corruption and fraud activities tend to increase across all sectors in times of economic downturn or crisis. Second, criminal activities generally trend away from physical crimes and more towards online crimes as part of an overall move towards a digital society.
So from a telco point of view - and bearing in mind the additional constraints on the rights of people to physically gather during the pandemic - it's far easier to execute an account hijack or pump calls to a premium destination from the comfort of one's own home. The disruption to IT security controls associated with the working-from-home or hybrid models exacerbates this, where potential vulnerabilities become more difficult for an organisation's IT teams to fully control.
Who is more at risk – telcos or their business customers?
The position is complex because in the telco-B2B customer relationship, not only are the negative impacts quite complex and varied, but the commercial liability question is also nuanced.
Telcos have a duty of care bound by contracts and, as such, face significant risk if they fail to protect their B2B customers from fraud attacks and/or fail to implement a rapid, effective service recovery approach in the wake of an attack, in which case they are exposed to possible commercial losses, penalties and compensations as well as the possibility of customer churn.
Business customers are at risk because some or all of the liability may still land on them. While they may reasonably expect their telco provider to 'cover their losses' in case of a fraud attack, in practice, there can be constraints and limitations on the telco's obligation to do this. For example, if an enterprise suffers a hijack of its PBX, the blame for the attack could live with the telco due to insufficient vigilance or slow response. Equally, the blame could be shared or solely with the enterprise, perhaps through its own inadequate security controls or even nefarious actions by one of its employees.
So if a telco lacks a sufficiently sophisticated anti-fraud solution, it may even adopt a somewhat crude approach where it seeks to temporarily limit or even shut down telephony services for the customer as part of its immediate reaction to a fraud attack.
In other cases, whilst the telco may be happy to compensate a business customer for a first attack, if a second similar attack happens within a given period, the customer may be obliged to repay all previous compensations and carry the costs themselves.
It's a very messy landscape that highlights the critical need for avoidance and sophisticated anti-fraud controls to protect good B2B customer relations. Furthermore, speed of response becomes vital to limit the window for fraud losses – preferable by far to discuss a $50 loss with a customer than a $5,000 loss.
How does telecoms fraud differ from other cybersecurity threats?
There is a lot of common ground between the two in that illicit cybersecurity activities and telco fraud often share a desire to achieve financial gain.
However, cybersecurity attacks also have different motivations, such as state-sponsored, malicious actors looking to bring down essential services to inconvenience the wider public or even terrorism.
A key differentiator between the two is perhaps that telecoms fraud essentially springs from the activities of human beings. This is both in terms of the fraudster's ability to analyse and understand how other human beings typically behave according to a normal expectation and then to apply ingenuity and skill to behave with fraudulent intent whilst disguising what they do to 'appear normal' to evade suspicion.
This is why effective anti-fraud controls need to apply hugely sophisticated techniques for detecting that something abnormal and unexpected is actually taking place.
Any advice you would like to share on reducing exposure to telecoms fraud?
Our key recommendation is never to stand still.
Fraudsters apply a dynamic approach to continually adapt and outwit the efforts to detect them. Therefore, telecoms fraud controls must also be dynamic and avoid looking only for pattern matches that the fraudster has long since abandoned.
In practice, this follows through to employing advanced monitoring and not just focusing on fraudulent behaviours. For instance, SIMbox fraudsters don't generally start as huge businesses; they grow slowly, attract more business, evolve and grow.
The point here is that you can't always see a 'big bang' from day one, but you can catch them early with advanced monitoring. In this respect, machine learning is an essential ally since it enables an anti-fraud system to adapt, train itself and learn without explicit intervention to make more accurate predictions all by itself. By contrast, if a telco only applies a rules-based anti-fraud solution, it becomes too easy for the fraudster to evade suspicion. Having machine learning helps you outwit the other guy's attempts to evade detection.
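The contrast drawn in the final answer, between a static rule and monitoring that adapts to each account, can be shown on constructed data. The following is an added illustration, not Oculeus code or a description of its product: the thresholds, window length and SIM identifiers are assumptions, and the trend check is a simple statistical stand-in rather than a machine-learning model.

```python
from statistics import mean

STATIC_LIMIT = 500   # assumed fixed rule: alert when a SIM exceeds this many calls in a day
WINDOW = 7           # assumed comparison window, in days
GROWTH_ALERT = 1.5   # assumed: alert when the latest window's mean is 1.5x the previous one
MIN_CALLS = 20       # assumed floor so tiny volumes do not trigger growth alerts

# Constructed sample data: outgoing calls per day for three SIMs over 21 days.
DAILY_CALLS = {
    "sim-A": [40, 42, 38, 41, 39, 43, 40] * 3,                      # steady subscriber
    "sim-B": [30, 32, 35, 38, 41, 44, 48, 52, 56, 60, 65, 70, 76,   # slow ramp that never
              82, 89, 96, 104, 112, 121, 131, 141],                 # reaches the fixed limit
    "sim-C": [40] * 10 + [900] * 11,                                # sudden 'big bang'
}

def static_rule_alert_day(counts):
    """First day index on which the fixed threshold fires, or None."""
    for day, calls in enumerate(counts):
        if calls > STATIC_LIMIT:
            return day
    return None

def trend_alert_day(counts):
    """First day index on which the latest window's mean exceeds
    GROWTH_ALERT times the previous window's mean, or None."""
    for day in range(2 * WINDOW - 1, len(counts)):
        recent = mean(counts[day - WINDOW + 1: day + 1])
        prior = mean(counts[day - 2 * WINDOW + 1: day - WINDOW + 1])
        if recent >= MIN_CALLS and recent > GROWTH_ALERT * prior:
            return day
    return None

def compare(daily_calls):
    """Run both checks per SIM so the gaps in each are visible side by side."""
    return {
        sim: {"static": static_rule_alert_day(c), "trend": trend_alert_day(c)}
        for sim, c in daily_calls.items()
    }

if __name__ == "__main__":
    for sim, result in compare(DAILY_CALLS).items():
        print(sim, result)
```

The slowly growing SIM never trips the fixed limit but is flagged by the per-SIM trend check, while the sudden spike is caught sooner by the fixed limit, which is why the two are run together here.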