Q1 2025 Fraud Report by AB Handshake

This read pulls together our quarterly findings, explains what each fraud looks like in practice, shares real-world patterns and anecdotes, and closes with practical detection and mitigation advice driven by AB Handshake’s AI-equipped Fraud Management System. 

Telecom fraud never stops, it only changes. Q1 2025 is full of surprising events across our customer base, as we see fraudulent attacks continuing to attempt to break through defenses.

Our Q1 review focuses on the major fraud vectors observed in voice and SMS traffic monitored by AB Handshake Fraud Management System:

• IRSF
• IRSF – PBX Hacking
• P2S
• Wangiri 2.0
• Spam
• Flash Calls
• SMS AIT

IRSF (International Revenue Share Fraud) typically includes fraudsters artificially driving traffic towards revenue share numbers, which fraudsters gain a profit from. IRSF may also often occur in combination with other fraud types such as Subscription Fraud, Stolen Phones, Roaming events, or PBX Hacking.

Q1 2025 Highlights

Top country codes identified with this traffic type: Barbados led with a fraud ratio of 85%, followed by Dominica at 73% and Sri Lanka at 40%.

This section presents the top 10 country range codes where IRSF (International Revenue Share Fraud) traffic had the highest ratio compared to legitimate (normal) traffic.

Commentary

Country ranges with higher interconnect rates are often found on high risk and hot destination lists for just that reason, so those destination ranges will be highly attractive targets for fraudsters conducting International Revenue Share Fraud (IRSF). As illustrated in the graph, several known high-risk destinations continue to appear prominently, confirming traditional IRSF targeting patterns remain active.

However, a key observation is that the overall proportion of attempted fraudulent IRSF-related traffic terminating to these destination ranges remains low as a percentage of total traffic that is actually connected. This reduction is a direct result of AI-driven detection capabilities within modern Fraud Management Systems (FMS). Prior to the introduction of AI-based detection, IRSF attacks could persist for extended periods, or often several hours or even days. Fraudsters were able to carefully operate below predefined rule-based thresholds (e.g., limiting call attempts per hour) to avoid triggering alerts. By deliberately staying under static monitoring limits, fraudsters could generate substantial fraudulent traffic before detection occurred.

AI-enhanced fraud detection has fundamentally changed this dynamic. Machine learning models identify anomalous traffic patterns in near real time, regardless of whether the activity remains below traditional rule thresholds. This makes the previous evasion approaches largely ineffective. Fraud activity has not stopped, it has just evolved. While fraudsters continue to target obvious high-yield destinations due to their attractive interconnect rates, they are increasingly forced to diversify and disguise their attack patterns. 

The key takeaway is that although IRSF attacks persist, AI-driven detection ensures they are identified and contained rapidly. As a result, fraudulent traffic now represents only a very small percentage of overall operator traffic and significantly reduces potential revenue loss exposure.

Understanding IRSF Traffic and PBX Hacking Methods

IRSF (International Revenue Share Fraud) typically includes fraudsters artificially driving traffic towards revenue share numbers, which fraudsters gain a profit from. IRSF may also often occur in combination with other fraud types such as Subscription Fraud, Stolen Phones, Roaming events, or PBX Hacking.

PBX’s are often used as a ‘fraud method’ to commit IRSF, by fraudsters who are able to access badly secured PBX devices inside businesses, and use those to generate artificial traffic towards revenue share numbers.  PBX hacking can be identified within typical IRSF attacks as the calls are often timed in one of two ways depending on the business profile: either for the calls to only occur during business hours (so nobody questions who is making calls during the night), or else to only occur outside of business hours (to ensure employees don’t notice constant busy lines during their work day). 

Q1 2025 Highlights

Top country codes identified with this traffic type: Uganda recorded the highest ratio at 77%, followed by Kiribati at 64% and Burundi at 46%.

The following dashboard identifies the top 8 country ranges where PBX Hacking traffic had the highest ratio compared to normal (legitimate) traffic during the quarter.

Commentary: 

PBX hacking enabled IRSF is typically opportunistic in nature, driven primarily by the discovery of poorly secured or misconfigured PBX systems such as those with PINs of Passwords like 1234 or 0000. Once access is obtained, fraudsters generate artificial traffic toward revenue share destinations, selecting countries based largely on the availability of monetizable number ranges rather than geographic targeting strategy.

During this quarter, PBX hacking enabled IRSF activity continued to impact multiple customers and resulted in traffic terminating across a broad range of global destination ranges. The data indicates that Uganda recorded the highest concentration of PBX-related IRSF activity, with more than 77% of all traffic terminating there as PBX-driven IRSF traffic.

This represents a significant proportion of total traffic to a single destination and highlights the scale of exposure where PBX vulnerabilities exist from where this traffic is originating from. It may also signal elevated risk for operators that do not deploy AI-driven IRSF detection capabilities in those locations. Fraudsters frequently reuse successful attack methodologies across multiple operators, systematically targeting networks in search of weaker detection controls.

AI-infused fraud detection systems such those offered by AB Handshake significantly mitigate this risk by rapidly identifying abnormal traffic signatures associated with PBX compromise, thereby limiting duration, financial exposure, and downstream revenue impact.

Understanding P2S

P2S attacks typically involve automated bots or scripts abusing web forms or online verification processes to trigger voice-based OTP calls to revenue share numbers, which the fraudsters will gain revenue from.  Such patterns often reveal systematic P2S attacks, where repeated automated attempts focus on specific destinations, highlighting them as potential hotspots for this type of revenue share fraud.

Q1 2025 Highlights

Top country codes identified with this traffic type:  Bahamas recorded the highest ratio at 23%, followed by Vietnam at 15% and Guatemala.

The following dashboard identifies the country ranges with P2S.

Understanding Wangiri 2.0

Wangiri 2.0 typically involves automated systems or bots that submit revenue share numbers through online forms, triggering automated callbacks from enterprises or applications.

These callbacks are then monetized by keeping the line active, often using ringing tones or recorded loops to extend call duration and entice the caller to ‘stay on the line’.

Q1 2025 Highlights

Top country codes identified with this traffic type:  Satellite Networks lead with 53%, followed by Bahamas at 40% and Ghana at 34%.

This section displays the top 9 country range codes where Wangiri 2.0 callback fraud made up the largest share of total traffic during the quarter.

Wangiri 2.0 Activity

Commentary: 

Wangiri 2.0 activity continues to be observed across multiple customers this quarter. Unlike traditional missed-call Wangiri fraud, this variation exploits online number input forms and automated callback systems to trigger outbound calls to revenue share numbers purchased by fraudsters.

Several destination ranges identified in this quarter’s findings are well-established high-risk ranges for revenue share fraud. The recurrence of these destinations reinforces the pattern that fraudsters consistently target jurisdictions with attractive interconnect rates and accessible revenue share number ranges.

Notably, the same high-risk destinations detected under Wangiri 2.0 could equally be used in other IRSF methodologies, such as PBX hacking or P2S to name a few. The underlying monetisation model remains consistent however of artificially inflating traffic to revenue share numbers. 

This demonstrates that IRSF is method-agnostic. As long as exploitable entry points exist. Whether network-level, enterprise-level, or end-user-level, fraudsters will continue to repurpose established high-risk destinations across multiple fraud techniques. Continuous monitoring, AI-driven anomaly detection, and layered preventative controls remain critical to limiting exposure and containing revenue loss like AB Handshake’s Fraud Managements system.

Understanding Spam

Spam traffic typically includes unsolicited robocalls or auto-dialed messages, often used for advertising, scamming, or phishing. 

Q1 2025 Highlights

Top country codes identified with this traffic type:  New Zealand leads with 56%, followed by Lithuania at 43% and Bermuda at 42%.

This section shows the top 10 country range codes where spam calls accounted for the highest percentage of total inbound traffic during the quarter.

Commentary: 

New Zealand, Lithuania and Bermuda lead this quarter’s list of spam-terminating destinations. This is not unexpected, as these markets amongst many others have long experienced elevated levels of spam and scam-related traffic. 

From a fraudster’s perspective, the dominance of these three destinations reveals diverse targets, with likely a higher return identified for investments.   When highly divergent locations are targeted such as these at such high levels, it many indicate the reuse of similar large scale attacks which could also reduce operational complexity and increases scalability from the fraudster’s perspective. The data from this quarter reinforces the concept of “reuse,” where successful scam methodologies are repeatedly deployed across similar markets to maximise return on investment.

By detecting pattern reuse across multiple country ranges, AI-driven systems significantly improve early identification and suppression of scam traffic. While spam activity remains persistent in these high-volume markets, advanced behavioural analytics offered by fraud management systems like AB Handshake’s continue to strengthen prevention and reduce the overall impact of fraud.

Understanding Flash Calls

Flash calls are often used for rapid one time password or two factor authentication (app sign-ins, one time password delivery) in place of traditional authentication approaches which rely on A2P SMS delivery.

Q1 2025 Highlights

Top country codes identified with originating this traffic type: Peru leads with an overwhelming 278M Total attempts, followed by Colombia 177 M and France 153M.

This section ranks the top 10 country range codes where Flash Call traffic originated, based on total call attempts during the quarter.

Commentary: 

Flash Calls continue to grow quarter over quarter, with both overall generation volumes and detection rates increasing consistently. This sustained growth highlights their expanding role within the authentication and messaging ecosystem.

In the latest quarter, flash call volumes were particularly significant from specific country codes. More than 276 million flash calls were generated from Peru country codes alone, followed by over 177 million from Colombia and approximately 153 million from France. These figures demonstrate the scale at which flash call based verification mechanisms are now operating globally.

As flash calls become more embedded in standard authentication workflows, particularly for one-time password (OTP) verification, we are observing recurring source patterns across networks. 

How operators respond remains an evolving strategic decision. Outcomes will depend heavily on the detection methodologies deployed and the decisions made by various Operator’s on how this traffic continues.  Advanced detection capabilities are increasingly essential to maintaining network integrity while supporting legitimate use cases.

Understanding SMS AIT

SMS AIT (Artificial Inflation of Traffic) is one of the most structurally damaging fraud types in the telecom ecosystem. Unlike spam or phishing, its goal is not to deceive an end user, but to silently manufacture large volumes by generating large quantities of SMS traffic with no legitimate recipient and no genuine business purpose. SMS AIT occurs as inflated or higher than normal termination volumes, often with no legitimate user behind the traffic. 

Q1 2025 Highlights

• Top senders identified: Telegram leads with 830 K alerted attempts, followed by Viber 592 K and numeric 566 K.

This section lists the top 10 brands most frequently targeted by SMS Artificial Inflation of Traffic (AIT) fraud attempts during the quarter.

Commentary: 

SMS Artificially Inflated Traffic (AIT) continues to present a significant risk to brands and application-to-person (A2P) senders. The financial and reputational impact can be substantial, particularly where high volumes of one-time passwords (OTPs), verification codes, or account sign-up messages are generated artificially.

This exposure affects both large, established platforms such as Telegram and smaller or emerging brands. While major enterprises are frequently targeted due to their scale and predictable authentication flows, smaller organisations are often more vulnerable due to limited awareness of SMS AIT risks and insufficient monitoring controls.

In typical AIT scenarios, fraudsters automate account creation, password reset, or verification workflows to trigger large volumes of SMS traffic. Without appropriate traffic validation or behavioural monitoring, this activity can escalate rapidly, generating substantial artificial traffic and inflated messaging costs.

The key risk factor remains visibility. Organisations that lack real-time monitoring, anomaly detection, and AI-driven behavioural analytics like those of AB Handshake remain unaware that their platforms are being abused. Proactive detection mechanisms are therefore critical, not only to prevent direct financial loss, but also to protect brand reputation and maintain the integrity of authentication systems.

One of the most significant advantages of deploying an established, AI-driven fraud detection platform is the ability to share intelligence across multiple operators and customers. Fraud is rarely isolated. As demonstrated throughout this quarter’s findings across IRSF, PBX hacking, P2S abuse, Wangiri 2.0, and even SMS AIT, fraudsters consistently reuse successful destinations, number ranges, and behavioural patterns.

Well established high-risk destinations for artificially inflated traffic frequently appear on this report, while the entry point varies. Whether the attack vector is a compromised PBX, an exploited PIN-to-Speech platform, a vulnerable online callback form, SMS authentication abuse, or spam campaigns, the underlying patterns of reuse are clear.

This is where shared fraud detection becomes strategically powerful, and leveraging reliable fraud detection and revenue loss prevention systems like those at AB Handshake.

Preventing Reuse Across Customers

Fraudsters frequently deploy the same attack methodology across multiple operators in quick succession, seeking networks with weaker controls. In isolated detection environments, each operator must independently identify and respond to the threat, often after exposure has already occurred.

In contrast, a shared AI-driven detection ecosystem enables immediate cross-customer protection. Once anomalous behaviour is identified in one network, such as unusual ASR/ALOC patterns, sudden traffic spikes to a high-risk destination, surges from specific country codes, or abnormal patterns, the intelligence can inform protective models across all connected customers.

AI as a Network Effect Multiplier

Advanced AI models do not rely solely on static thresholds. Instead, they detect behavioural anomalies regardless of the specific entry point or methods used to conduct the fraud.

The more networks and traffic profiles the system observes, the stronger and faster the models become. Each detected anomaly improves pattern recognition across the ecosystem. As seen in this quarter’s results, although fraud attempts continue, the percentage of fraudulent traffic relative to total traffic remains low which demonstrates rapid identification and suppression.

This network-wide intelligence sharing creates a protective multiplier effect:

• When one customer is targeted, all customers benefit.
• When a new fraud pattern emerges, it is learned once and applied globally.
• When high-risk destinations resurface, models adapt immediately.

Strategic Takeaway

Fraud will continue to evolve, however the common thread remains reuse and monetisation of known high-yield destinations.

An established, shared AI-driven fraud detection platform transforms this challenge into an advantage. By leveraging cross-network intelligence and behavioural anomaly detection, operators are no longer defending in isolation, they are operating within a collaborative, adaptive defence framework that significantly limits fraud duration, scale, and financial impact.

In a landscape where fraud never stops but continually changes form, shared AI-driven detection ensures that protection evolves faster than the threat.