Gabriele Lieser



Mobile communication has become an integral part of our lives. Attacks on mobile networks accordingly have very serious consequences for millions of subscribers, so a basic knowledge of telecom fraud is essential. Join us on a brief journey of discovery through the main threat vectors hitting the mobile industry and costing it a lot of money, data and time.

International Revenue Share Fraud thrives on the fees a victim network must pay to international carriers for traffic generated by its network towards the destination network. IP PBX/PBX hacking exploits the vulnerabilities of a company’s PBX (private branch exchange/telephone system). Roaming fraud focuses on network fees generated from stolen cell phones and SIM cards. In Interconnect bypass fraud, the criminal exploits the difference between high international interconnect rates and low retail prices for on-net and off-net calls. Grey routes scams take advantage of the fact that international text messages can be routed to their destination in several different ways, so that each route is charged differently.

Signaling attacks exploit the vulnerabilities of the SS7 and Diameter protocols and are able to reach any mobile network and subscriber in the world. The new world of 5G also contains old vulnerabilities: GTP, the GPRS Tunneling Protocol, is used to transmit user data and control traffic in 2G, 3G, 4G and also 5G networks. The inability of GTP to verify the user’s location provides the main reason for successfully executed attacks. Identity fraud happens when a contract is signed with a fake identity and the fraudster gains access to phone, TV and internet services, but also to mobile financial services that can be used for money laundering. For operators, this means that there are more and more channels that need to be secured.

RoamsysNext Insights

In RoamsysNext Insights our experts share their views on extensive industry topics and possible solutions we can offer.

It’s no secret that telecom fraud is a fast-growing field. And why not: it’s a cutting-edge and relatively low-risk alternative to traditional crime methods like muggings and bank robberies. No, no, seriously: telecom fraud funnels significant amounts of money from carrier or subscriber accounts directly into the pockets of criminals. According to a 2019 report by Europol’s European Cybercrime Centre, fraud costs the telco industry an estimated €10.6 billion ($12 billion) per year. MNOs must usually bear the cost of fraud themselves; there is certainly cross-border cooperation in the fight against fraud, but investigations take a long time, and sometimes cases cannot be conclusively resolved. Moreover, fraud causes problems within companies: damage resolution costs time and effort on multiple fronts. MNOs suffer from the loss of revenues, subscriber churn and the deterioration of their brand image. Acquiring new customers costs much more time, money and effort than retaining existing ones.

Telecom fraud can take the form of a veritable cabinet of horrors that can drive you into paranoia. At the same time, it should be said that, thankfully, effective and powerful countermeasures exist, and they are constantly being improved. MNOs and the people involved in fraud prevention and detection don’t just clean up after an attack; they take the fight to the fraudsters!


International Revenue Share Fraud calls often terminate at destinations with low tracking rates for any type of fraud or crime. A large number of calls from the victim network towards International Premium Rate Numbers (IPRNs) are made at high termination rates on a destination network the fraudsters control. Then, the victim network has to pay the international carriers for the traffic generated by its network towards the destination network.

IP PBX / PBX hacking scams are specifically designed to scour the Internet for vulnerabilities in a company’s PBX (private branch exchange/telephone system). As long as the connection is open, illegal revenue can be generated, so attacks are often launched at night, in the early morning hours, or on weekends.
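As an added illustration (not RoamsysNext code), the following Python example shows how a fraud analyst might flag the pattern described in the two paragraphs above: a burst of off-hours calls from one source towards high-cost international number ranges. The prefixes, thresholds and call detail record (CDR) layout are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; real thresholds depend on the network's normal traffic.
HIGH_COST_PREFIXES = ("+99901", "+99902")  # constructed placeholders, not real ranges
WINDOW = timedelta(minutes=30)
MIN_CALLS = 5

def is_off_hours(ts):
    """Night (22:00-06:00) or weekend, the periods the text names as typical."""
    return ts.weekday() >= 5 or ts.hour >= 22 or ts.hour < 6

def flag_bursts(cdrs):
    """Return {source: (calls, seconds)} for the densest off-hours burst per
    source towards high-cost prefixes that reaches MIN_CALLS inside WINDOW."""
    by_source = defaultdict(list)
    for start, source, dialed, seconds in cdrs:
        ts = datetime.fromisoformat(start)
        if dialed.startswith(HIGH_COST_PREFIXES) and is_off_hours(ts):
            by_source[source].append((ts, seconds))
    flagged = {}
    for source, calls in by_source.items():
        calls.sort()
        lo = 0
        for hi in range(len(calls)):
            while calls[hi][0] - calls[lo][0] > WINDOW:  # slide window start
                lo += 1
            n = hi - lo + 1
            if n >= MIN_CALLS and n > flagged.get(source, (0, 0))[0]:
                flagged[source] = (n, sum(s for _, s in calls[lo:hi + 1]))
    return flagged

# Constructed sample CDRs: (start time, source, dialed number, duration in seconds)
SAMPLE_CDRS = [
    ("2024-03-09T02:00:00", "ext-114", "+9990155501", 610),  # Saturday night burst
    ("2024-03-09T02:04:00", "ext-114", "+9990155502", 598),
    ("2024-03-09T02:09:00", "ext-114", "+9990155503", 605),
    ("2024-03-09T02:13:00", "ext-114", "+9990155504", 620),
    ("2024-03-09T02:18:00", "ext-114", "+9990155505", 600),
    ("2024-03-09T02:25:00", "ext-114", "+9990155506", 590),
    ("2024-03-11T10:15:00", "ext-201", "+9990255501", 120),  # Monday, business hours
    ("2024-03-12T23:10:00", "ext-201", "+9990255502", 90),   # night, below threshold
    ("2024-03-12T23:20:00", "ext-201", "+9990255503", 75),
    # Sunday night volume to a prefix that is not on the high-cost list
    *[(f"2024-03-10T01:{m:02d}:00", "ext-305", "+00012345", 60) for m in range(0, 30, 5)],
]

if __name__ == "__main__":
    print(flag_bursts(SAMPLE_CDRS))
```

Only `ext-114` is flagged: the business-hours call, the two isolated night calls and the off-list traffic all stay below the rule.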

Roaming fraud is a special case where the victim’s cell phone or stolen SIM cards are used to make exactly these expensive calls. Often, the victim is traveling, and a criminal steals the victim’s cell phone or SIM card. The device is then used excessively until it is locked/unlocked. Fortunately, compared to 20 years ago, fraud managers today have virtually 100% visibility of roaming traffic, as they can feed their Fraud Management Systems with data that is all available on the home network.

Interconnect Bypass Fraud

In Interconnect bypass fraud, the scammer exploits the difference between high international interconnect rates and low retail prices for on-net and off-net calls, causing $4.27 billion in lost revenue worldwide (CFCA survey 2017).

In SIM box fraud, criminals exploit a local rate for on-net-to-on-net calls by purchasing SIM cards in one country and using them in SIM boxes to terminate calls to subscribers on the network from international routes. In this way, scammers pay only the subscription fee and the local rate (usually free minutes are included with a SIM card) and can make large profits.

Refiling, A-Party Refiling, A-Party Caller Spoofing, and other terms describe the method by which carriers, such as transit carriers or clearinghouses authorized to terminate traffic to an operator, spoof the CLIs (Calling Line Identity) of calls to a network.

False Answer Supervision means that the call is actually answered, but this is not reported back to the caller, driving up the minutes and cost of the call.

Grey routes, Spam and Smish

SMS has a reputation as a secure communication channel and is growing due to application-to-person (A2P) messaging, e.g., from two-factor authentication to delivery notifications. This has led to a variety of attack vectors via SMS. Grey routes SMS scams benefit from the fact that international text messages can be routed to their destination in a variety of ways, so each route is calculated differently. Grey routes are prevalent where the mobile operator has an imbalance between international and local termination charges for SMS, coupled with an ineffective SMS firewall.

Subscriber Targeting “Spam” is the unsolicited notification of a subscriber that can lead to a dangerous privacy attack through “smishing” (SMS phishing). It usually contains a call-to-action, such as a phone number or web address to click. Apart from the cost of handling subscriber complaints, this can lead to a high churn rate.

Identity fraud

Identity fraud can start at the sign-up stage when a contract is signed with a fake identity. SIM swap fraud happens when fraudsters use their victims’ SIM cards to take over a legitimate subscriber account. Especially with identity fraud, it often takes a long time for the intrusion to be discovered. Once a fake subscription is set up, fraudsters have access to a wide range of value-added services, including phone calls, television and internet, and also mobile financial services which can be used for criminal activities such as money laundering. For operators, this means there are more and more channels that need to be secured.

Signaling attacks

The vulnerabilities of SS7 and the newer Diameter protocols and their use for signaling attacks are sufficiently documented and unfortunately widespread. If the home network cannot provide adequate protection, attackers are able to gain access to the SS7/Diameter interconnection network and launch attacks against any mobile network and subscriber in the world. These attacks range from privacy breaches to fraud to denial of service attacks on the core network infrastructure impacting millions of subscribers.

Insecure GTP

The new world of 5G offers the opportunity to address the vulnerabilities of another long-standing technology: GTP, the GPRS Tunneling Protocol. It is used to transmit user data and control traffic on 2G, 3G and 4G networks and will also be used as part of 5G. The main reason for successfully carried out attacks is the inability of GTP to verify the user’s location, so it is important to have as much traffic visibility as possible. Given the complexity of both LTE and 5G roaming networks, configuration errors must be avoided at all costs. Attackers discover misconfigurations very quickly and exploit them to their advantage.

Helping MNOs become fraud-proof

At the same time, it should be said that, thankfully, effective and powerful countermeasures exist, and they are constantly being improved. MNOs and the people involved in fraud prevention and detection don’t just clean up after an attack; they take the fight to the fraudsters. We have decided to help them to be smarter than their criminal opponents.

There is no way around understanding and controlling exactly how traffic flows in and out of the network. Carefully reviewing roaming network configurations, for example, is one of the first steps to protecting your valuable assets from attacks. RoamsysNext is an independent link in this chain, and already today our tools simplify and validate the correct configuration of each roaming-relevant network element. This helps MNOs block any unwanted or unauthorized traffic with very little effort. For more than 12 years, RoamsysNext has specialized in software development and project management.

Since 2009, we have been the exclusive provider of RAEX solutions for the GSMA. We serve our customers with excellent service and competitive pricing. Already more than 700 MNOs around the world rely on our tools and services. If you would like to learn more about our products, just get in touch at We will be happy to help you, and we will always find a great solution for your requests.

Gabriele Lieser joined RoamsysNext in 2020 as Customer Success Manager to strengthen the bonds with our increasing number of customers and to support the marketing team. Gabriele has a strong background in corporate sales. She studied at the Universities of Trier (Germany) and Manitoba (Canada) and is incorporated in the RoamsysNext Client Service team.
