3.5 Fighting Wireless Fraud with Link Analysis: A Case Study

Wireless fraud is by nature reactive in that a carrier can't detect it until it takes place. One way that carriers are reducing fraud is by identifying and stopping repeat offenders via link analysis. Using link analysis, fraud investigators gather and correlate subscriber information that can associate new customers to fraudulent activities. Various types of subscriber data can be used for this type of analysis. One method, known as a dialed-digit analysis, scrutinizes the records of who's calling whom. Using a link analysis tool, a large volume of call detail records (CDRs) is used to reveal correlations between records. The strategy is to identify fraud and potential suspects by association.

Using link analysis techniques an investigator can track a new subscriber's 10 most frequently called numbers. For example, alarms are set to activate when the dialed numbers match those associated with ongoing or previous fraud case phone number accounts. This enables the carrier to identify a previously banished criminal by his or her most frequently dialed numbers. Expanding the fraud circle of association, accomplished by including the criminals' incoming calls, is another way to perform a dial-digit analysis. The system tracks not only the people the fraudulent phones dial, but also those who call the fraudulent phones.

Because the analysts can visually represent the calling patterns, they can find numbers to investigate that may not have popped up through other methods. In some cases, returning criminals may not call numbers that can be linked to past crimes, but they might call a number called by another fraudulent subscriber, which can alert the fraud analyst of possible criminal activity by association. Using link analysis, an analyst creates a web of who calls whom and represents those associations in a digital map, which from an analyst's perspective makes it a lot easier to recognize patterns of behavior that may not be evident through other traditional analyses.

Another way that carriers use link analysis to detect potential bad accounts is by analyzing call-pattern usage information in combination with billing information. The objective here is to understand usage information better in the context of a subscriber's billing profile. For example, if a new customer subscribes to the least expensive plan a carrier offers but starts making 300 calls a day, there's a problem. Link analysis is also used to detect potentially fraudulent new subscribers, primarily by looking at their provided credit-card information and its association with other bad accounts. The analyst marks accounts that have used fraudulent credit cards before and looks for new accounts that use the same credit-card information.

Link analysis is also used to catch subscription fraud by detecting suspicious changes early in the life of a new account; for instance, a subscriber who changes the account address within the first week would raise suspicion. Sometimes fraudulent subscribers change the account address early to prevent the legitimate credit-card owner from receiving welcome information from the wireless carrier. A series of link analyses are also performed on other identity data, such as Social Security numbers and home telephone numbers, again the objective being to find associations with previously tainted, bad accounts.