Anti-fraud: Difference between revisions

From VoIPmonitor.org
(Add documentation for Fraud: sequential alert type)
(Update Fraud: sequential documentation - clarify destination number detection and leave number field empty for any destination)
Line 49: Line 49:
=== Fraud: Sequential Alert ===
=== Fraud: Sequential Alert ===


Detects sequential calling patterns from a single source, which is useful for identifying unusual traffic patterns such as:
Detects sequential calling patterns, which is useful for identifying unusual traffic patterns such as:


* A single IP making a high volume of calls to the same destination number
* A single destination number receiving a high volume of calls from any source
* Repeated calls to a specific destination number over a short time period
* Repeated calls to a specific destination number over a short time period
* Call volume spikes from a specific source
* Call volume spikes to a specific destination
* Single IP making a high volume of calls to the same destination number


This alert type focuses on detecting patterns based on call count within a time window, grouped by source IP.
This alert type focuses on detecting patterns based on call count within a time window, grouped by destination number or source IP.


'''Parameters:'''
'''Parameters:'''
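Review bot: the revised description still lists "Single IP making a high volume of calls to the same destination number" and states that calls are "grouped by destination number or source IP", yet the same revision removes the only grouping parameter (the `source` row, "By IP: source") from the parameter table below, so source-IP grouping is now asserted without any parameter, step or example row that selects it; either keep a `source` row and a source-IP example, or drop the source-IP wording from this paragraph.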
Line 63: Line 64:
! Parameter !! Description !! Examples
! Parameter !! Description !! Examples
|-
|-
| '''interval''' || Time window in seconds/minutes for counting calls || 600 (10 minutes), 3600 (1 hour)
| '''interval''' || Time window in seconds for counting calls || 600 (10 minutes), 3600 (1 hour)
|-
|-
| '''incidents''' || Call count threshold - alert when exceeded || 100, 500
| '''limit''' || Maximum number of calls allowed - alert when exceeded || 100, 500
|-
| '''source''' || Grouping method for call count || '''By IP: source''' (to detect high volume from single IP)
|}
|}


'''Configuration Steps:'''
'''Configuration Steps:'''
To alert when a large volume of calls is made to any single destination number within a short period:


1. Navigate to '''GUI → Alerts → Anti Fraud'''
1. Navigate to '''GUI → Alerts → Anti Fraud'''
2. Create a new alert with type '''Fraud: sequential'''
2. Create a new alert with type '''Fraud: sequential'''
3. Set '''interval''' to your desired time window (e.g., 600 seconds for 10 minutes)
3. Set '''interval''' to your desired time window (e.g., 600 for 10 minutes)
4. Set '''incidents''' to your call count threshold (e.g., 100 calls)
4. Set '''limit''' to your maximum call count threshold (e.g., 100 calls)
5. Set '''source''' to '''By IP: source''' to group and count calls by source IP address
5. **Leave the number field empty** in the alert filter - this applies the rule to ANY number
6. Configure recipient email addresses as needed
6. Configure recipient email addresses
7. Save the alert
 
'''How It Works:'''
 
The alert triggers when the number of calls '''to any single destination number''' exceeds the '''limit''' threshold within the specified '''interval''' time window. Each destination number is evaluated independently - if any single number exceeds the threshold within its own time window, the alert fires.
 
{{Note|1=Leaving the number field empty is the key to detecting calls to ANY destination. If you specify a number, the alert only applies to that specific number. With an empty number field, the system monitors all destination numbers and alerts when any one of them exceeds the configured limit.}}


'''Example Use Cases:'''
'''Example Use Cases:'''
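Review bot: new step 5 uses Markdown bold (`**Leave the number field empty**`) while every other emphasised phrase on the page uses wikitext `'''...'''`; MediaWiki does not interpret the asterisks, so they render literally in the saved page. Change it to `'''Leave the number field empty'''`.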
Line 83: Line 91:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Scenario !! interval !! incidents !! source
! Scenario !! interval !! limit !! number field
|-
| Detect >100 calls to any single number in 10 minutes || 600 seconds || 100 || Leave empty
|-
|-
| Detect single IP making >100 calls in 10 minutes || 600 seconds || 100 || By IP: source
| Warn when any destination gets >500 calls in 1 hour || 3600 seconds || 500 || Leave empty
|-
|-
| Warn when an IP makes >500 calls in 1 hour || 3600 seconds || 500 || By IP: source
| Identify high-volume attack (>50 calls in 5 minutes) || 300 seconds || 50 || Leave empty
|-
|-
| Identify aggressive dialing patterns (>50 calls in 5 minutes) || 300 seconds || 50 || By IP: source
| Monitor specific premium rate number (>200 calls in 30 min) || 1800 seconds || 200 || Enter number
|}
|}


'''How It Works:'''
{{Tip|1=This alert type is different from concurrent calls alerts. Concurrent calls alerts detect how many calls are active simultaneously at one moment, while Fraud: sequential alerts detect the total call count over a time window, regardless of whether calls overlap or end before new ones begin.}}
 
The alert triggers when the number of calls '''from a single source IP''' exceeds the '''incidents''' threshold within the specified '''interval''' time window. Each IP is evaluated independently - if any single source IP exceeds the threshold within its own time window, the alert fires.
 
{{Note|1=This alert type is different from concurrent calls alerts. Concurrent calls alerts detect how many calls are active simultaneously at one moment, while Fraud: sequential alerts detect the total call count over a time window, regardless of whether calls overlap or end before new ones begin.}}


=== SIP Failed Register Alert ===
=== SIP Failed Register Alert ===
Line 133: Line 139:
== AI Summary for RAG ==
== AI Summary for RAG ==


'''Summary:''' VoIPmonitor anti-fraud detection guide covering GeoIP-based alerts for toll fraud prevention. Features include: Fraud: sequential alerts (detect sequential calling patterns from single source IP within time window using interval/incidents/source parameters - useful for detecting high volume calls to same destination or call volume spikes), Country/Continent Destination alerts (real-time detection of calls to specific countries), Change CDR Country alerts (detect IP country changes between calls indicating account compromise), Change REGISTER Country alerts (detect device registration from unexpected countries indicating credential theft), and SIP Failed Register alerts (detect brute-force attacks by monitoring failed registration attempts). All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud. Fraud: sequential uses interval (time window in seconds), incidents (call count threshold), and source (By IP: source) to detect when single IP exceeds call count threshold within time window. This is different from concurrent calls alerts which detect simultaneous calls at one moment, while Fraud: sequential detects total call count over time window regardless of overlap.
'''Summary:''' VoIPmonitor anti-fraud detection guide covering GeoIP-based alerts for toll fraud prevention. Features include: Fraud: sequential alerts (detect sequential calling patterns using interval/limit parameters - useful for detecting high volume calls to any single destination number within short time period), Country/Continent Destination alerts (real-time detection of calls to specific countries), Change CDR Country alerts (detect IP country changes between calls indicating account compromise), Change REGISTER Country alerts (detect device registration from unexpected countries indicating credential theft), and SIP Failed Register alerts (detect brute-force attacks by monitoring failed registration attempts). All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud. CRITICAL: To configure Fraud: sequential for detecting high volume calls to ANY single destination number, leave the number field empty in the alert filter. The alert triggers when any single destination number exceeds the limit threshold within the interval time window. Parameters are interval (time window in seconds) and limit (maximum number of calls before alert). This is different from concurrent calls alerts which detect simultaneous calls at one moment, while Fraud: sequential detects total call count over time window regardless of overlap.


'''Keywords:''' anti-fraud, toll fraud, fraud detection, GeoIP, country alert, continent alert, Change CDR Country, Change REGISTER Country, SIP failed register, brute-force, credential stuffing, account hijacking, international calls, premium rate, fraud prevention, Fraud: sequential, sequential alert, interval, incidents, source, By IP: source, time window, call count, high volume calls, traffic patterns, call volume spikes
'''Keywords:''' anti-fraud, toll fraud, fraud detection, GeoIP, country alert, continent alert, Change CDR Country, Change REGISTER Country, SIP failed register, brute-force, credential stuffing, account hijacking, international calls, premium rate, fraud prevention, Fraud: sequential, sequential alert, interval, limit, time window, call count, high volume calls, destination number, leave number field empty, call volume spikes


'''Key Questions:'''
'''Key Questions:'''
* How do I configure an alert for a large volume of calls to any single destination number?
* How do I configure Fraud: sequential alert for destination numbers?
* How do I detect unusual traffic patterns to a single destination?
* How do I detect high volume calls to any single number within a short period?
* Do I leave the number field empty or specify a number in Fraud: sequential?
* What is the Fraud: sequential alert type?
* What are the interval and limit parameters in Fraud: sequential?
* How do I configure anti-fraud alerts in VoIPmonitor?
* How do I configure anti-fraud alerts in VoIPmonitor?
* How do I detect toll fraud in VoIPmonitor?
* How do I detect toll fraud in VoIPmonitor?
* What is the Fraud: sequential alert type?
* How do I detect unusual traffic patterns from a single IP?
* How do I configure an alert for high volume calls to the same destination?
* What is the Change CDR Country alert?
* What is the Change CDR Country alert?
* How do I detect account hijacking in VoIPmonitor?
* How do I detect account hijacking in VoIPmonitor?
Line 150: Line 160:
* How does VoIPmonitor use GeoIP for fraud detection?
* How does VoIPmonitor use GeoIP for fraud detection?
* What is the difference between Fraud: sequential and concurrent calls alerts?
* What is the difference between Fraud: sequential and concurrent calls alerts?
* How do I use the interval and incidents parameters in Fraud: sequential?

Revision as of 20:26, 7 January 2026


Anti-Fraud Detection

VoIPmonitor provides built-in anti-fraud detection capabilities through GeoIP-based alerts and monitoring features.

Overview

Anti-fraud features help detect:

  • Unauthorized international calls (toll fraud)
  • Account hijacking attempts
  • Credential stuffing attacks
  • Unusual calling patterns

Configuration

Anti-fraud alerts are configured in GUI → Alerts → Anti Fraud.

Country/Continent Destination Alert (Realtime)

Detects calls to specific countries or continents in real-time. Useful for detecting toll fraud where compromised accounts are used to make expensive international calls.

Configuration:

  • Set threshold for number of calls
  • Select target countries/continents
  • Configure notification recipients

Change CDR Country Alert

Detects when the IP country of caller or callee changes between calls. This can indicate:

  • Account compromise (calls from unusual locations)
  • SIP credential theft

Configuration:

  • Whitelist trusted countries (Exclude countries)
  • Apply filters by phone numbers or IP addresses

Change REGISTER Country Alert

Detects when a device registers from a different country than expected. This is a strong indicator of:

  • Account hijacking
  • Stolen SIP credentials
  • Unauthorized device registration

Use case: If a user normally registers from Germany but suddenly registers from a different country, this alert triggers.

Fraud: Sequential Alert

Detects sequential calling patterns, which is useful for identifying unusual traffic patterns such as:

  • A single destination number receiving a high volume of calls from any source
  • Repeated calls to a specific destination number over a short time period
  • Call volume spikes to a specific destination
  • Single IP making a high volume of calls to the same destination number

This alert type focuses on detecting patterns based on call count within a time window, grouped by destination number or source IP.

Parameters:

  Parameter   Description                                              Examples
  interval    Time window in seconds for counting calls                600 (10 minutes), 3600 (1 hour)
  limit       Maximum number of calls allowed - alert when exceeded    100, 500

Configuration Steps:

To alert when a large volume of calls is made to any single destination number within a short period:

  1. Navigate to GUI → Alerts → Anti Fraud
  2. Create a new alert with type Fraud: sequential
  3. Set interval to your desired time window (e.g., 600 for 10 minutes)
  4. Set limit to your maximum call count threshold (e.g., 100 calls)
  5. Leave the number field empty in the alert filter - this applies the rule to ANY number
  6. Configure recipient email addresses
  7. Save the alert

How It Works:

The alert triggers when the number of calls to any single destination number exceeds the limit threshold within the specified interval time window. Each destination number is evaluated independently - if any single number exceeds the threshold within its own time window, the alert fires.

ℹ️ Note: Leaving the number field empty is the key to detecting calls to ANY destination. If you specify a number, the alert only applies to that specific number. With an empty number field, the system monitors all destination numbers and alerts when any one of them exceeds the configured limit.

Example Use Cases:

  Scenario                                                      interval       limit   number field
  Detect >100 calls to any single number in 10 minutes          600 seconds    100     Leave empty
  Warn when any destination gets >500 calls in 1 hour           3600 seconds   500     Leave empty
  Identify high-volume attack (>50 calls in 5 minutes)          300 seconds    50      Leave empty
  Monitor specific premium rate number (>200 calls in 30 min)   1800 seconds   200     Enter number

💡 Tip: This alert type is different from concurrent calls alerts. Concurrent calls alerts detect how many calls are active simultaneously at one moment, while Fraud: sequential alerts detect the total call count over a time window, regardless of whether calls overlap or end before new ones begin.
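As an added illustration (not VoIPmonitor code), the following Python models the two counting modes contrasted in the "How It Works" text and the tip above over a constructed set of CDRs: a per-destination sliding window of call starts that fires whenever the count in the last interval seconds exceeds limit (with number=None standing for the empty number field, and an optional key to group by source IP instead), beside a peak-concurrency count that shows why back-to-back calls never trip a concurrent-calls alert. Record fields, IPs, numbers and timestamps are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cdr:
    """One call record (constructed; times are seconds from an arbitrary epoch)."""
    start: int
    end: int
    src_ip: str
    dst_number: str


def sequential_alerts(cdrs, interval, limit, number=None, key=lambda c: c.dst_number):
    """Sliding-window count per key (default: destination number).

    An alert is recorded each time the number of calls whose start lies in the
    last `interval` seconds exceeds `limit`. `number=None` plays the role of the
    empty number field: every destination is evaluated on its own; a string
    restricts the rule to that one destination.
    """
    windows = defaultdict(deque)
    alerts = []
    for c in sorted(cdrs, key=lambda c: c.start):
        if number is not None and c.dst_number != number:
            continue
        w = windows[key(c)]
        w.append(c.start)
        while w and c.start - w[0] >= interval:  # expire starts outside the window
            w.popleft()
        if len(w) > limit:
            alerts.append((key(c), len(w), c.start))
    return alerts


def max_concurrent(cdrs, dst_number):
    """Peak number of calls to `dst_number` active at the same instant."""
    events = [(t, d) for c in cdrs if c.dst_number == dst_number
              for t, d in ((c.start, 1), (c.end, -1))]
    events.sort()  # at equal times -1 sorts before +1, so back-to-back calls do not overlap
    cur = peak = 0
    for _, d in events:
        cur += d
        peak = max(peak, cur)
    return peak


# Constructed CDRs: six non-overlapping 10-second calls from one IP to one
# number within 100 s, plus two long calls to a second number.
SAMPLE = [Cdr(t, t + 10, "203.0.113.5", "900123456") for t in range(0, 120, 20)] + [
    Cdr(5, 300, "198.51.100.7", "5551000"),
    Cdr(50, 400, "198.51.100.7", "5551000"),
]

if __name__ == "__main__":
    print(sequential_alerts(SAMPLE, interval=600, limit=4))  # fires twice for 900123456
    print(max_concurrent(SAMPLE, "900123456"))              # 1: the calls never overlap
```

The sequential counter reports the fifth and sixth call to 900123456 while the peak concurrency for that number stays at 1, which is the distinction the tip draws.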

SIP Failed Register Alert

Detects brute-force attacks and credential stuffing by monitoring failed registration attempts from a single IP address.

Parameters:

  • threshold - Maximum number of failed attempts before alert
  • interval - Time window in seconds for counting attempts

GeoIP Integration

Anti-fraud features rely on GeoIP services for IP-to-country resolution. Configure GeoIP in GUI → Settings → System Configuration → GeoIP.

Priority of GeoIP processing:

  1. MaxMind API
  2. IPInfoDB API
  3. Local GeoIP database
  4. Free portals

See CountryGrouping for detailed GeoIP configuration.

Best Practices

  • Configure alerts for high-risk destinations (premium rate numbers, high-cost countries)
  • Set up Change REGISTER Country alerts for all critical accounts
  • Regularly review failed registration patterns
  • Combine with IP Groups for more granular control

Related Topics

  • Alerts - General alert configuration
  • CountryGrouping - GeoIP features and country grouping
  • Groups - IP and telephone number groups for filtering

AI Summary for RAG

Summary: VoIPmonitor anti-fraud detection guide covering GeoIP-based alerts for toll fraud prevention. Features include: Fraud: sequential alerts (detect sequential calling patterns using interval/limit parameters - useful for detecting high volume calls to any single destination number within short time period), Country/Continent Destination alerts (real-time detection of calls to specific countries), Change CDR Country alerts (detect IP country changes between calls indicating account compromise), Change REGISTER Country alerts (detect device registration from unexpected countries indicating credential theft), and SIP Failed Register alerts (detect brute-force attacks by monitoring failed registration attempts). All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud. CRITICAL: To configure Fraud: sequential for detecting high volume calls to ANY single destination number, leave the number field empty in the alert filter. The alert triggers when any single destination number exceeds the limit threshold within the interval time window. Parameters are interval (time window in seconds) and limit (maximum number of calls before alert). This is different from concurrent calls alerts which detect simultaneous calls at one moment, while Fraud: sequential detects total call count over time window regardless of overlap.

Keywords: anti-fraud, toll fraud, fraud detection, GeoIP, country alert, continent alert, Change CDR Country, Change REGISTER Country, SIP failed register, brute-force, credential stuffing, account hijacking, international calls, premium rate, fraud prevention, Fraud: sequential, sequential alert, interval, limit, time window, call count, high volume calls, destination number, leave number field empty, call volume spikes

Key Questions:

  • How do I configure an alert for a large volume of calls to any single destination number?
  • How do I configure Fraud: sequential alert for destination numbers?
  • How do I detect unusual traffic patterns to a single destination?
  • How do I detect high volume calls to any single number within a short period?
  • Do I leave the number field empty or specify a number in Fraud: sequential?
  • What is the Fraud: sequential alert type?
  • What are the interval and limit parameters in Fraud: sequential?
  • How do I configure anti-fraud alerts in VoIPmonitor?
  • How do I detect toll fraud in VoIPmonitor?
  • What is the Change CDR Country alert?
  • How do I detect account hijacking in VoIPmonitor?
  • How do I configure alerts for international calls?
  • What is the Change REGISTER Country alert?
  • How do I detect brute-force attacks on SIP registration?
  • How does VoIPmonitor use GeoIP for fraud detection?
  • What is the difference between Fraud: sequential and concurrent calls alerts?