Anti-fraud
Anti-Fraud Detection
VoIPmonitor provides built-in anti-fraud detection capabilities through GeoIP-based alerts and monitoring features.
Overview
Anti-fraud features help detect:
- Unauthorized international calls (toll fraud)
- Account hijacking attempts
- Credential stuffing attacks
- Unusual calling patterns
Configuration
Anti-fraud alerts are configured in GUI → Alerts → Anti Fraud.
Country/Continent Destination Alert (Realtime)
Detects calls to specific countries or continents in real-time. Useful for detecting toll fraud where compromised accounts are used to make expensive international calls.
Configuration:
- Set threshold for number of calls
- Select target countries/continents
- Configure notification recipients
Change CDR Country Alert
Detects when the IP country of caller or callee changes between calls. This can indicate:
- Account compromise (calls from unusual locations)
- SIP credential theft
Configuration:
- Whitelist trusted countries (Exclude countries)
- Apply filters by phone numbers or IP addresses
Change REGISTER Country Alert
Detects when a device registers from a different country than expected. This is a strong indicator of:
- Account hijacking
- Stolen SIP credentials
- Unauthorized device registration
Use case: If a user normally registers from Germany but suddenly registers from a different country, this alert triggers.
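The country-change check behind Change CDR Country and Change REGISTER Country, as an added Python sketch that is not VoIPmonitor's code. The prefix table, user names and events are constructed, and it is an assumption here that the Exclude countries list suppresses an alert when the newly seen country is on it.

```python
import ipaddress

# Constructed stand-in for a GeoIP lookup: documentation prefixes mapped to
# country codes purely for this example.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "AT"),
    (ipaddress.ip_network("203.0.113.0/24"), "BR"),
]

def resolve_country(ip):
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None  # unresolved address: must not be treated as a country change

def register_country_changes(registrations, exclude_countries=frozenset()):
    """registrations: (timestamp_s, sip_user, source_ip).
    Returns [(timestamp_s, sip_user, previous_country, new_country, source_ip)]."""
    last_country = {}
    alerts = []
    for ts, user, ip in sorted(registrations):
        country = resolve_country(ip)
        if country is None:
            continue                      # no GeoIP answer, keep the old baseline
        previous = last_country.get(user)
        last_country[user] = country
        if previous is None or previous == country:
            continue                      # first sighting, or same country
        if country in exclude_countries:
            continue                      # assumed meaning of "Exclude countries"
        alerts.append((ts, user, previous, country, ip))
    return alerts

# Constructed REGISTER events.
REGISTERS = [
    (1000, "alice", "192.0.2.10"),    # DE, becomes the baseline
    (2000, "alice", "192.0.2.44"),    # DE again from another IP: no change
    (3000, "alice", "198.51.100.5"),  # AT
    (4000, "alice", "203.0.113.77"),  # BR
    (4100, "alice", "10.0.0.1"),      # not in the table: ignored
    (5000, "bob", "203.0.113.8"),     # BR, first sighting for bob
]

if __name__ == "__main__":
    for alert in register_country_changes(REGISTERS, {"DE", "AT"}):
        print(alert)
```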
Fraud: Sequential Alert
Detects sequential calling patterns from a single source, which is useful for identifying unusual traffic patterns such as:
- A single IP making a high volume of calls to the same destination number
- Repeated calls to a specific destination number over a short time period
- Call volume spikes from a specific source
This alert type focuses on detecting patterns based on call count within a time window, grouped by source IP.
Parameters:
| Parameter | Description | Examples |
|---|---|---|
| interval | Time window in seconds/minutes for counting calls | 600 (10 minutes), 3600 (1 hour) |
| incidents | Call count threshold - alert when exceeded | 100, 500 |
| source | Grouping method for call count | By IP: source (to detect high volume from single IP) |
Configuration Steps:
1. Navigate to GUI → Alerts → Anti Fraud
2. Create a new alert with type Fraud: sequential
3. Set interval to your desired time window (e.g., 600 seconds for 10 minutes)
4. Set incidents to your call count threshold (e.g., 100 calls)
5. Set source to By IP: source to group and count calls by source IP address
6. Configure recipient email addresses as needed
Example Use Cases:
| Scenario | interval | incidents | source |
|---|---|---|---|
| Detect single IP making >100 calls in 10 minutes | 600 seconds | 100 | By IP: source |
| Warn when an IP makes >500 calls in 1 hour | 3600 seconds | 500 | By IP: source |
| Identify aggressive dialing patterns (>50 calls in 5 minutes) | 300 seconds | 50 | By IP: source |
How It Works:
The alert triggers when the number of calls from a single source IP exceeds the incidents threshold within the specified interval time window. Each IP is evaluated independently - if any single source IP exceeds the threshold within its own time window, the alert fires.
ℹ️ Note: This alert type is different from concurrent calls alerts. Concurrent calls alerts detect how many calls are active simultaneously at one moment, while Fraud: sequential alerts detect the total call count over a time window, regardless of whether calls overlap or end before new ones begin.
SIP Failed Register Alert
Detects brute-force attacks and credential stuffing by monitoring failed registration attempts from a single IP address.
Parameters:
- threshold - Maximum number of failed attempts before alert
- interval - Time window in seconds for counting attempts
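The per-IP windowed count that Fraud: sequential (interval, incidents) and this alert (interval, threshold) both describe, set beside a concurrent-call peak to show the difference noted for Fraud: sequential; this is an added Python sketch, not VoIPmonitor's code. Function names and sample calls are constructed, and "exceeds" is assumed to mean strictly more than the threshold.

```python
from collections import defaultdict, deque

def sequential_alerts(events, interval, incidents):
    """events: (timestamp_s, source_ip). Returns {source_ip: timestamp at which its
    count inside a sliding `interval`-second window first exceeded `incidents`}."""
    windows = defaultdict(deque)          # per-source timestamps still in the window
    fired = {}
    for ts, src in sorted(events):
        win = windows[src]
        win.append(ts)
        while win[0] <= ts - interval:    # expire events that left the window
            win.popleft()
        if len(win) > incidents and src not in fired:
            fired[src] = ts
    return fired

def peak_concurrent(calls):
    """calls: (start_s, duration_s, source_ip). Returns {source_ip: max active calls}."""
    edges = defaultdict(list)
    for start, duration, src in calls:
        edges[src] += [(start, 1), (start + duration, -1)]
    peaks = {}
    for src, points in edges.items():
        active = best = 0
        for _, delta in sorted(points):   # at equal times, ends sort before starts
            active += delta
            best = max(best, active)
        peaks[src] = best
    return peaks

# Constructed sample (documentation addresses): 198.51.100.7 places 120 short
# 4-second calls, one every 5 seconds, so they never overlap; 203.0.113.9
# places 3 long calls that do overlap.
CALLS = [(i * 5, 4, "198.51.100.7") for i in range(120)]
CALLS += [(0, 900, "203.0.113.9"), (10, 900, "203.0.113.9"), (20, 900, "203.0.113.9")]

def demo():
    starts = [(start, src) for start, _, src in CALLS]
    return sequential_alerts(starts, interval=600, incidents=100), peak_concurrent(CALLS)

if __name__ == "__main__":
    print(demo())
```

For failed registrations, pass the timestamps and source IPs of the failed REGISTER attempts as `events` and the alert's threshold as `incidents`.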
GeoIP Integration
Anti-fraud features rely on GeoIP services for IP-to-country resolution. Configure GeoIP in GUI → Settings → System Configuration → GeoIP.
Priority of GeoIP processing:
- MaxMind API
- IPInfoDB API
- Local GeoIP database
- Free portals
See CountryGrouping for detailed GeoIP configuration.
Best Practices
- Configure alerts for high-risk destinations (premium rate numbers, high-cost countries)
- Set up Change REGISTER Country alerts for all critical accounts
- Regularly review failed registration patterns
- Combine with IP Groups for more granular control
Related Topics
- Alerts - General alert configuration
- CountryGrouping - GeoIP features and country grouping
- Groups - IP and telephone number groups for filtering