The $4.5 Billion Problem: IRSF Fraud Detection for Wholesale Carriers
It's 2:47 AM on a Saturday. Your Class 4 softswitch is routing calls the way it always does, quietly, automatically, without complaint. Nothing looks wrong. Nothing is triggering an alert. But somewhere in your routing table, an account has been compromised. Two hundred concurrent calls are already moving toward premium-rate destinations in Cuba and Somalia, generating interconnect revenue for someone who isn't you.
By 6 AM, when your NOC catches the spike, the fraud has been running for over three hours. The account balance is gone. Your exposure on interconnect agreements is in the tens of thousands. Recovery is unlikely.
This is IRSF — International Revenue Share Fraud. It moves fast, moves at night, and exploits the gap between when fraud starts and when someone notices.
This article explains exactly how it works, why your Class 4 switch is both the target and the solution, and what controls you should have active right now.
What IRSF Is and Why Does It Keep Working?
International Revenue Share Fraud is not random. It is structured, repeatable, and scalable.
The mechanics are straightforward. A fraudster establishes a revenue-share arrangement with a carrier in a high-cost destination. That’s typically a country where interconnect rates are elevated and regulatory oversight is limited.
They then compromise a VoIP account, either through credential theft, brute-force attack on SIP authentication, or social engineering. With account access established, they route large call volumes toward premium numbers they control. Every call that connects generates interconnect revenue, and the fraudster collects their agreed share.
Your Class 4 switch is the unwitting transit point. It accepts the calls, applies its routing logic, and bills the account. All while being entirely unaware that the originating account has been taken over.
According to the Communications Fraud Control Association, global telecom fraud losses reached $41.82 billion in 2025. IRSF remains one of the most significant individual contributors. Understanding the attack in precise detail is the first step to stopping it.
What Does IRSF Look Like on Your Switch?
Knowing the attack profile is your first real advantage. IRSF follows a consistent pattern and that consistency creates detection windows.
Attacks typically launch between 1 AM and 5 AM. That's when NOC staffing is thinnest and automated alerts are your only meaningful protection.
The average attack runs two to four hours, generates between 50 and 200 concurrent calls, and targets a small cluster of high-cost destination prefixes.
Call durations tend to fall in the 20–90 second range. These are long enough to generate billable revenue, short enough to cycle through numbers quickly.
| Attack Characteristic | Typical IRSF Profile |
|---|---|
| Time of attack | 1:00 AM – 5:00 AM local time |
| Duration | 2–4 hours |
| Concurrent calls | 50–200+ |
| Target destinations | Cuba, Somalia, satellite networks, high-cost Pacific |
| Average call duration | 20–90 seconds (scripted pattern) |
| Account balance | Depletes within 1–2 hours of attack start |
| CLI pattern | Single or few source CLIs to many destination numbers |
One detail that catches many carriers off guard: IRSF accounts typically show very high ASR (Answer Seizure Ratio) to these destinations, not low. The calls are being answered by numbers the fraudster controls.
A high ASR to a destination you've never seen before is a red flag, not a reassuring signal. This little nuance is exactly what generic fraud guides skip over.
Wangiri — The Missed Call Variant
Wangiri is a close relative of IRSF but distinct enough to warrant its own attention. It shows up differently on your switch and requires a different detection response.
The name comes from Japanese: "one ring and cut." Fraudsters blast short calls, ringing for one or two seconds, to thousands of numbers. The bet is that enough recipients will call back out of curiosity, connecting themselves to premium-rate numbers the fraudster controls.
To run this at scale, they need outbound calling infrastructure. One which is often a compromised account sitting on a wholesale carrier's network.
On your switch, Wangiri has a specific fingerprint: very high call volume, very short average call duration, concentrated toward specific international prefixes, and clustered in off-hours windows.
Your ACD by destination will fall sharply. If you're monitoring ACD only at the aggregate level, rather than broken down by destination prefix, you'll miss the signal entirely. Wangiri and IRSF often appear together in the same attack, with Wangiri sometimes functioning as a reconnaissance probe before the full flood follows.
Four Switch-Level Controls That Actually Stop IRSF
Most IRSF guidance stops at "implement fraud detection." That's not useful to a carrier engineer at 3 AM. Here's what specific controls look like at the Class 4 switch level.
1. Prepaid billing and hard credit limits.
This is your most effective IRSF control, full stop. Prepaid accounts cannot be exploited beyond their deposited balance. Hard credit caps on post-paid accounts create a firm ceiling on fraud exposure.
If you're extending open-ended credit without hard limits, you're accepting uncapped liability. The fix is operational, not technical and it costs nothing to implement.
2. Per-account concurrent call limits.
A legitimate wholesale customer does not send 200 concurrent calls to Cuba at 3 AM. Set CPS (Calls Per Second) and concurrent call caps at the account level. When a compromised account tries to ramp to attack volume, it hits the wall and the fraud economics collapse instantly.
3. Destination prefix blacklists.
Maintain an active blacklist of high-risk destination prefixes and update it regularly. Fraud destinations rotate as local carriers shut down fraudulent revenue-share arrangements and fraudsters move on.
False Answer Supervision detection feeds directly into this layer, catching fraudulent call attempts before they complete and flagging suspicious destination patterns upstream.
4. Automated alerting with block capability.
An alert that wakes someone up is useful. An alert that automatically blocks the route is better. Configure triggers for traffic to destinations not seen in the past 30 days, off-hours volume spikes above 150% of rolling average, and ACD drops below 15 seconds to specific destination prefixes. If your switch supports auto-block on alert trigger, enable it, every minute of delay is revenue leaving your network.
The Metrics That Expose IRSF Before It Completes
Fraud detection is fundamentally a data problem. The signals exist in your CDRs and real-time call data. The question is whether you're watching the right metrics at the right granularity.
| Metric | What to Watch For | IRSF Alert Threshold |
|---|---|---|
| ACD by destination prefix | Short ACD signals scripted, automated traffic | Flag if ACD < 15 seconds to any prefix |
| ASR to new destinations | High ASR on a first-time destination | Flag if ASR > 90% on a never-seen prefix |
| Concurrent calls per account | Sudden spike indicates compromised account | Alert at 3× rolling 7-day average |
| Balance depletion rate | Speed of funds leaving an account | Alert if >25% depletes in under 60 minutes |
| New destination flags | First-time traffic to high-cost prefixes | Alert on any first-time high-cost prefix |
| Off-hours traffic index | Traffic during 1–5 AM vs. business hours | Alert if >200% of rolling off-hours average |
The combination of a new high-cost destination, short ACD, and rapid balance depletion is a near-certain IRSF signature. Any two of the three warrant immediate investigation. All three together warrant immediate account suspension and route block.
Our 10-Point Security Checklist for VoIP Carriers covers the broader security framework these controls sit within; useful context if you're auditing your overall security posture.
And if you haven't run a structured security audit recently, our VoIP Carrier Network Security guide walks through the process for validating that detection thresholds and access controls remain calibrated to current threats.
Your Upstream Carriers Are Part of the Risk Equation
IRSF doesn't only flow from compromised customer accounts. It can enter your network from upstream too.
If a carrier you're purchasing transit from is passing fraudulent traffic, whether knowingly or not, that traffic moves through your switch and lands downstream. This creates exposure in both directions: financial, reputational, and potentially regulatory.
Upstream fraud has a different detection signature.
Watch for consistently high ASR from a specific upstream carrier to known high-cost destinations, clusters of very short calls originating from that carrier, and CLI patterns that don't match the claimed origin country.
These signals indicate that something in your upstream chain has a problem. Whether it's a bad actor or a carrier with poor fraud controls of their own. Our guide on identifying bad carriers covers these signals in operational detail.
Fraud flows in both directions through your switch. Upstream carrier vetting is not separate from your fraud prevention strategy. It is part of it.
Conclusion
The IRSF threat is not static. Detection thresholds that caught last year's attacks may miss this year's. Modern fraud campaigns increasingly use AI-generated traffic patterns designed to blend into your CDR noise and stay under alert thresholds.
The real question for every Wholesale carrier isn't "do we have fraud controls in place?", it's "are our controls calibrated to today's attack patterns, or are they relics of a threat landscape that has already evolved?"
Revisiting your alert thresholds, credit limits, and destination blacklists quarterly is not paranoia. It is the minimum operational standard for any carrier serious about protecting its margin.