IRSF Fraud: A Practical Guide to Detection and Prevention
The alert that should have fired never did. A team I worked with had everything you'd expect on paper: spend caps, a fraud dashboard, and an analyst who actually read it.
The alert that should have fired never did. A team I worked with had everything you'd expect on paper: spend caps, a fraud dashboard, and an analyst who actually read it. And they still ate a five-figure IRSF Fraud bill over one long weekend. Not because the controls were missing, but because every single one of them was tuned to catch a spike. The traffic that hit them didn't spike. It climbed, politely, in increments small enough that no threshold ever tripped, toward a destination range that looked like any other international number until you checked who owned it.
That's the uncomfortable thing about IRSF fraud once you've chased a few cases. The hard part isn't understanding what it is. The hard part is that the detection most teams build is shaped like the fraud they imagine, not the fraud that actually shows up.
Why the Usual Defences Look Right and Still Fail
Most IRSF defences are built backwards. They start from the bill, the thing that hurt, and work outward, so they end up catching the version of the attack that already happened. Big number, obvious destination, sudden jump. Once an operation has been burned that way, they patch for it, and they feel covered.
The fraudsters know what that patch looks like. They've been on the receiving end of it, too. So the campaigns that actually get through are the ones engineered to live under the line: traffic spread across many accounts so no single one looks heavy, volume that ramps instead of jumps, destinations rotated before any blacklist catches up. I've watched a single fraud operation deliberately hold each compromised account at maybe sixty per cent of its visible spend cap, high enough to be worth their effort, low enough that nothing flagged.
The lesson I keep relearning is that thresholds are necessary and rarely sufficient. A spending cap stops the catastrophic version. It does nothing about the patient version. And the patient version is where the steady losses live.
What You're Actually Hunting For
Strip away the dashboards, and IRSF detection comes down to one instinct: does this traffic make business sense? Not only is it within limits, but it makes sense.
A legitimate international calling pattern is anchored to something real. Customers in those countries. A support team that works those hours. A product that has a reason to dial those places. When I open a suspected case, I'm not first looking at how much I'm looking at whether the shape of the traffic matches the story of the account. A SaaS company with no Pacific customers suddenly terminating minutes on a small-island satellite range has a shape that doesn't match its story. That mismatch is the signal. The cost is just how you eventually find out.
So the thing you're hunting isn't "expensive traffic." It's traffic whose destination, timing, and duration don't align with any plausible reason for its existence. IRSF is profitable precisely because it can hide inside normal volume, which means the detection has to be about coherence, not size.
Building Detection That Catches the Quiet Version
Here's the order I'd actually build it in, having seen which layers earn their keep.
Start with destination intelligence, because it's the cheapest leverage you have. A large share of IRSF terminates on a relatively small, well-known universe of high-risk ranges, premium allocations, certain satellite and small-nation blocks, and number ranges flagged across the industry. Screening outbound destinations against current high-risk-range intelligence before the call completes kills a meaningful fraction of attempts at no analytical cost. This is the same number-intelligence discipline operators already apply to messaging routing, pointed at voice termination. If you know what a number actually is and where it actually lives before you spend money connecting to it, you've closed the easiest door.
Location of where traffic goes, per account. A sudden shift in the mix, a new high-cost prefix climbing in share is visible even when total volume looks calm. This is the layer that catches the destination-mix monitoring on top. Forget raw volume for a second and watch the distrs the ramp the spend cap misses, because it reacts to a change in pattern rather than crossing a number.
Then add behavioural baselining per account. Every account has a normal: its usual destinations, its usual hours, its usual call durations. Deviation from an account's own baseline is far more sensitive than a global threshold, because it adapts. The account that's never called outside business hours, suddenly running overnight bursts, is anomalous against itself long before it's anomalous against any company-wide cap.
Underneath all of it, keep an eye on the signalling. When the route a call actually takes doesn't match the destination it claims to reach, that gap is often the clearest evidence you'll get. The same firewall thinking used to catch SS7 and signalling manipulation applies here. IRSF and signalling abuse share a lot of plumbing, and routing that misbehaves is routing worth questioning?
The combination matters more than any single layer. Intelligence stops the lazy attempts, mix-monitoring catches the ramp, baselining catches the deviation, signalling confirms it. No one layer would have saved that team I opened with. Together they would have.
The Tells, in the Order They Surface
When I'm reading call records on a live case, the pattern tends to assemble like this. A new high-cost destination prefix is climbing in share without a business reason. Calls clustering on premium or rarely-used international ranges that don't map to any customer footprint. Traffic peaking overnight, on weekends, or over holidays, the windows are when nobody's watching the board. Calls that answer instantly and run long, round, repetitive durations, because there's no human on the line, just a billing meter. One account, trunk, or API key is quietly responsible for a disproportionate slice of international minutes. A freshly provisioned integration whose destinations don't match its stated purpose. And the quiet one was a mismatch between the number dialled and the route the signalling actually took.
Any one of these can be innocent. Two or three on the same source is your cue to stop and look before the settlement cycle turns the question into an invoice.
Where Prevention Actually Lives
Detection tells you it happened. Prevention is about making it not worth running against you, and most of that work is unglamorous.
Treat every credential that can originate international calls as a financial instrument, because to a fraudster, that's exactly what it is. The compromised PBX, the leaked API key, the test account, nobody disabled these are the front doors, and they're almost always boring. Kill demo and test credentials the moment they've served their purpose. Geo-fence outbound destinations to the places you actually do business; an account with no reason to call a given region shouldn't be able to. Set per-account and per-destination caps not as your last line but as your floor, and pair them with the mix-and-baseline monitoring that catches what stays under them.
Rate-limit aggressively on new and unverified accounts, since that's where compromise concentrates. And close the settlement-delay gap as far as you can the entire IRSF business model leans on the 30-to-90-day window between fraudulent traffic and the invoice that reveals it. The shorter you make the time between traffic and scrutiny, the less room the patient version of the fraud has to operate.
The mindset under all of it: stop asking whether traffic is allowed and start asking why it exists. Allowed-but-meaningless is the exact gap IRSF lives in.
Where the Fight Is Heading
The revenue-share structure that makes IRSF possible is legitimate and load-bearing for telecom networks; you can't remove the payout mechanism without breaking real premium services. So this stays a detection-and-prevention problem rather than something that gets solved at the root, and both sides are automating.
Fraud operations are getting better at studying defences. They distribute across more sources, ramp more gently, and rotate destinations faster as ranges get flagged. The defensive answer is moving toward shared cross-operator intelligence on high-risk ranges, faster anomaly detection that doesn't wait for settlement, and pattern recognition that can spot the concentration-timing-duration signature earlier than a human scanning a dashboard.
The shift I'd prepare for is convergence. As voice, messaging, and verification increasingly run through the same platforms, fraud follows the credential rather than the channel. One compromised account becomes a multi-channel liability, burning voice minutes and pumping SMS from the same foothold. The teams that do well will treat fraud as a property of the account and the traffic pattern, not as something the voice team or the messaging team owns separately.
What's Worth Remembering
Every serious IRSF loss I've looked at had controls in place. They just guarded the wrong shape. The catastrophic spike was covered; the patient walked right past.
If there's one thing worth carrying out of this, it's that IRSF detection isn't a number you set. It's a question you keep asking of your own traffic: Does this make sense applied relentlessly enough that the version of the fraud designed to stay under your thresholds has nowhere left to be quiet.
Quick Answers: IRSF Fraud Explained
What is IRSF fraud?
International Revenue Share Fraud generates artificial call or message traffic to premium international ranges that pay a revenue share. The traffic mimics normal usage, so the victim pays an inflated bill while the fraud operation collects the payout.
How do you detect IRSF fraud?
Screen destinations against high-risk-range intelligence before calls complete, monitor each account's destination mix for shifts, baseline accounts against their own normal behaviour, and watch for signalling routes that don't match the dialled number.
Why do spending caps fail to stop IRSF fraud?
Caps catch sudden spikes but miss the patient version, where traffic ramps gradually and spreads across many accounts to stay below every threshold. Detection has to react to changes in pattern, not just to crossing a number.
What are the warning signs of IRSF fraud?
A high-cost destination climbing in share without a business reason, calls on rarely-used international ranges, overnight or holiday traffic peaks, long calls with repetitive durations, and one account driving most international minutes.
How can businesses prevent IRSF fraud?
Geo-fence outbound destinations, disable test and demo credentials promptly, rate-limit new accounts, treat call-originating credentials as financial instruments, and pair per-destination caps with destination-mix and behavioural monitoring.
What should companies monitor to catch IRSF fraud early?
Per-account destination distribution, deviation from each account's own calling baseline, concentration on high-risk prefixes, and any gap between dialled destination and actual signalling route, all in as close to real time as the systems allow.
Is IRSF fraud connected to SMS pumping fraud?
Yes. Both exploit revenue-share payouts and often start from the same compromised credentials. IRSF targets voice termination fees while SMS pumping inflates messaging traffic, so finding one is a good reason to check for the other.
Share this post