Telecom Fraud Detection: Technical Analysis
Transforming generic e-commerce fraud detection into a telco/MSP-specific platform. A Principal TPM analysis of domain adaptation, transferable architectural patterns, and interview-ready frameworks.
Executive Summary
This analysis demonstrates a critical Principal TPM skill: adapting architectural patterns to new domains while identifying transferable principles. The transformation from e-commerce to telco fraud detection reveals what changes and what remains constant across domains.
Key Takeaway: The methodology transfers; the implementation must be tailored.
Strategic Context: Why This Matters
When interviewers ask "How would you apply your experience to our domain?", they evaluate two things:
1. Domain Understanding: Do you grasp what makes their industry unique?
2. Transferable Skills: Does your experience apply beyond the specific context?
The telco adaptation showcases both capabilities simultaneously.
Domain Mapping: E-Commerce → Telecom
| E-Commerce | Telco/MSP | Implication |
|---|---|---|
| `merchant_id` | `service_id` (carrier, network operator) | Entity hierarchy changes |
| Product SKU | SIM ICCID, IMEI, Phone Number | Multiple device identifiers |
| Card testing | SIM farm attacks | Different attack patterns |
| One-time purchase | Ongoing subscription + events | Continuous relationship model |
| Simple transaction | Event types (activation, swap, upgrade) | State machine complexity |
Cascade Effect: The shift from "merchant selling products" to "carrier providing services to subscribers" propagates through every system component.
Telco-Specific Fraud Vectors
1. IRSF (International Revenue Share Fraud)
Attack Pattern: Fraudsters route calls to premium-rate international numbers, splitting revenue with the destination operator.
Detection Signals:
- International calling enabled on new SIM
- High-volume calls to specific country codes (Cuba, Somalia, Latvia)
- Pattern of short-duration calls (testing routes before high-volume fraud)
- Calls outside subscriber's historical pattern
Business Impact: $4-6B annual industry loss globally
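The IRSF signals listed above can be turned into a small rule-based detector over call detail records. The block below is an added example written for this page, not code from the capstone project: the record types, the thresholds (`SHORT_CALL_SECONDS`, `MIN_BURST_CALLS`, `NEW_SIM_DAYS`), the high-risk prefix table and the sample records are all constructed assumptions, with the 6-hour window borrowed from the telco velocity table later on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Assumed high-risk destination prefixes (E.164 country codes) for the three
# countries named on this page. A real deployment loads a maintained risk list.
HIGH_RISK_PREFIXES = {"+53": "Cuba", "+252": "Somalia", "+371": "Latvia"}

SHORT_CALL_SECONDS = 10      # assumed: "route testing" calls are a few seconds long
MIN_BURST_CALLS = 3          # assumed: this many calls to one risky prefix is a burst
WINDOW = timedelta(hours=6)  # telco "high-value events" window from this page
NEW_SIM_DAYS = 7             # assumed: a SIM counts as new for this many days


@dataclass
class CallRecord:
    subscriber_id: str
    destination: str        # E.164 number
    started_at: datetime
    duration_s: int


@dataclass
class Subscriber:
    subscriber_id: str
    activated_at: datetime
    intl_enabled: bool
    historical_countries: Set[str]   # countries seen in prior billing cycles


def risk_country(number: str) -> Optional[str]:
    """Map a destination number to a high-risk country, or None."""
    for prefix, country in HIGH_RISK_PREFIXES.items():
        if number.startswith(prefix):
            return country
    return None


def irsf_signals(sub: Subscriber, calls: List[CallRecord], now: datetime) -> List[str]:
    """Return the sorted list of IRSF detection signals fired for one subscriber."""
    recent = [c for c in calls
              if c.subscriber_id == sub.subscriber_id and now - c.started_at <= WINDOW]
    risky = [(c, risk_country(c.destination)) for c in recent]
    risky = [(c, country) for c, country in risky if country]
    if not risky:
        return []                         # no risky destinations: nothing to evaluate

    signals = []
    # Signal 1: international calling enabled on a newly activated SIM
    if sub.intl_enabled and now - sub.activated_at <= timedelta(days=NEW_SIM_DAYS):
        signals.append("intl_enabled_on_new_sim")

    volume, short = {}, {}
    for c, country in risky:
        volume[country] = volume.get(country, 0) + 1
        if c.duration_s <= SHORT_CALL_SECONDS:
            short[country] = short.get(country, 0) + 1

    # Signal 2: high-volume calling to one risky country code
    for country, n in volume.items():
        if n >= MIN_BURST_CALLS:
            signals.append(f"high_volume:{country}")
    # Signal 3: burst of short calls (route testing before the real traffic)
    for country, n in short.items():
        if n >= MIN_BURST_CALLS:
            signals.append(f"short_call_burst:{country}")
    # Signal 4: destination outside the subscriber's historical pattern
    for country in volume:
        if country not in sub.historical_countries:
            signals.append(f"new_destination:{country}")
    return sorted(signals)


def sample_case() -> List[str]:
    """Constructed sample: a 2-day-old SIM with international enabled places four
    sub-10-second calls to a Somali number within an hour, plus one normal US call."""
    now = datetime(2024, 1, 10, 12, 0, 0)
    sub = Subscriber("sub-001", now - timedelta(days=2), True, {"US", "CA"})
    calls = [CallRecord("sub-001", "+252612345678", now - timedelta(minutes=50 - 10 * i), 4 + i)
             for i in range(4)]
    calls.append(CallRecord("sub-001", "+14155550100", now - timedelta(minutes=5), 300))
    return irsf_signals(sub, calls, now)


if __name__ == "__main__":
    print(sample_case())
```

Each signal is emitted by name rather than folded into a single score, so the evidence layer can record exactly which pattern fired; combining them into a score is the calibration step discussed under Transferable Principles.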
2. SIM Swap Account Takeover
Attack Pattern: Attacker convinces carrier to transfer victim's number to a new SIM, intercepting 2FA codes for financial account access.
Detection Signals:
- SIM swap event from unfamiliar device
- Immediate high-value transactions post-swap
- Geographic impossibility (old device active elsewhere within hours)
- Social engineering patterns in call center interactions
Business Impact: $68M reported losses in US (2021), likely underreported
3. Device Subsidy Fraud
Attack Pattern: Acquiring subsidized phones with no intent to maintain service, reselling devices internationally.
Detection Signals:
- New subscriber + high-value device combination
- Minimal plan selection (cheapest option)
- Pattern of previous accounts from same identity/device fingerprint
- Shipping address in resale hotspots
4. SIM Farm Attacks
Attack Pattern: Automated systems using many SIMs for spam, fraud verification bypass, or traffic pumping.
Detection Signals:
- Emulator/rooted device detection
- High velocity SIM activations from single device
- Datacenter IP addresses
- SMS-only usage patterns (no voice/data)
- Bulk activation during off-peak hours
Architecture Adaptations
Event-Based Rules Layer (New)
Telco fraud often correlates with specific events, not just transactions:
Rule Priority (Telco-Adapted):
1. Hard Overrides (blocklists, fraud rings)
2. Event-Based Rules ← NEW LAYER
- SIM swap → always REVIEW
- International enable → always FRICTION
- Device upgrade from new subscriber → REVIEW
- Port-out request → REVIEW + callback verification
3. Velocity Circuit Breakers
4. ML Score Thresholds
5. Contextual Rules
6. Default (ALLOW)
Extended Entity Model
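One way to implement the priority-ordered rule stack above, including the component-level fallback and safe-mode behaviour described later under Failure Mode Design, is a first-match decision function. This is an added example, not the project's own policy code: the event types follow the page's event model, while the `Context` shape, the IMEI velocity threshold, the ML score cut-offs and the safe-mode choice (step-up friction for new subscribers when the velocity store is unreachable) are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "ALLOW"
    FRICTION = "FRICTION"   # step-up verification (e.g. callback)
    REVIEW = "REVIEW"       # manual review queue
    BLOCK = "BLOCK"


@dataclass
class TelcoEvent:
    event_type: str         # sim_activation, sim_swap, intl_enable, device_upgrade, port_out
    subscriber_id: str
    imei: str
    account_age_days: int
    ml_score: float         # model output in [0, 1]


@dataclass
class Context:
    blocklisted_imeis: Set[str]
    # (metric, entity) -> count in the metric's window; None simulates a store outage
    velocity: Optional[Dict[Tuple[str, str], int]]


# Layer 2: event-based rules as listed on this page
EVENT_RULES = {
    "sim_swap": Decision.REVIEW,
    "intl_enable": Decision.FRICTION,
    "port_out": Decision.REVIEW,      # callback verification is part of the REVIEW flow
}
NEW_SUBSCRIBER_DAYS = 30              # assumed definition of "new subscriber"
IMEI_ACTIVATIONS_24H_LIMIT = 5        # assumed circuit-breaker threshold
ML_BLOCK, ML_REVIEW = 0.9, 0.7        # assumed score thresholds


def decide(event: TelcoEvent, ctx: Context) -> Tuple[Decision, str]:
    """Evaluate layers in priority order; the first layer that fires wins."""
    # 1. Hard overrides
    if event.imei in ctx.blocklisted_imeis:
        return Decision.BLOCK, "hard_override:imei_blocklist"

    # 2. Event-based rules
    if event.event_type in EVENT_RULES:
        return EVENT_RULES[event.event_type], f"event_rule:{event.event_type}"
    is_new = event.account_age_days < NEW_SUBSCRIBER_DAYS
    if event.event_type == "device_upgrade" and is_new:
        return Decision.REVIEW, "event_rule:device_upgrade_new_subscriber"

    # 3. Velocity circuit breakers, with a component-level fallback:
    #    if the store is down we skip the layer and remember that we are degraded.
    degraded = ctx.velocity is None
    if not degraded:
        n = ctx.velocity.get(("device_activations", event.imei), 0)
        if n >= IMEI_ACTIVATIONS_24H_LIMIT:
            return Decision.BLOCK, f"velocity:imei_activations_24h={n}"

    # 4. ML score thresholds
    if event.ml_score >= ML_BLOCK:
        return Decision.BLOCK, f"ml_score={event.ml_score}"
    if event.ml_score >= ML_REVIEW:
        return Decision.REVIEW, f"ml_score={event.ml_score}"

    # 5. Contextual rules: safe mode while degraded, rather than a blind ALLOW
    if degraded and is_new:
        return Decision.FRICTION, "safe_mode:velocity_store_unavailable"

    # 6. Default
    return Decision.ALLOW, "default"


if __name__ == "__main__":
    ctx = Context(blocklisted_imeis={"IMEI-BAD"}, velocity={("device_activations", "IMEI-FARM"): 7})
    for ev in [TelcoEvent("sim_swap", "s1", "IMEI-1", 400, 0.1),
               TelcoEvent("sim_activation", "s2", "IMEI-FARM", 0, 0.2),
               TelcoEvent("sim_activation", "s3", "IMEI-2", 0, 0.2)]:
        print(ev.event_type, decide(ev, ctx))
```

Returning the reason string alongside the decision is what makes the ownership table later on this page workable: Ops can see at a glance whether a blocklist, a velocity threshold or a model produced the outcome.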
New entities beyond card/device/IP:
| Entity | Velocity Metrics | Risk Signals |
|---|---|---|
| Phone Number | Porting frequency, line type changes | Recent port-in, VOIP indicator |
| IMEI | Activation count, blacklist status | Multiple SIMs, known fraud device |
| SIM ICCID | Activation date, swap count | Rapid replacement pattern |
| Subscriber | Account age, plan changes | New subscriber + premium device |
Adjusted Velocity Windows
Telco fraud operates on different timescales than e-commerce:
| Metric | E-Commerce Window | Telco Window | Rationale |
|---|---|---|---|
| Device activations | 1 hour | 24 hours | SIM farm detection |
| High-value events | 15 minutes | 6 hours | IRSF pattern emergence |
| Identity velocity | 24 hours | 30 days | Subscriber lifecycle |
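The window table above is easiest to appreciate with a concrete counter. The block below is an added example, not project code: it keeps one sorted list of timestamps per (metric, entity) as an in-memory stand-in for the Redis sorted-set pattern the page mentions, applies the telco windows from the table, and uses it for the SIM farm signal from the fraud vectors section (many activations from one IMEI). The `SIM_FARM_ACTIVATIONS` threshold and the sample activation times are constructed assumptions; the e-commerce 1-hour window is included only to show why it would miss the pattern.

```python
from bisect import bisect_left, insort
from collections import defaultdict
from typing import Dict, Tuple

HOUR = 3600
TELCO_WINDOWS = {                        # seconds, from the window table on this page
    "device_activations": 24 * HOUR,
    "high_value_events": 6 * HOUR,
    "identity_velocity": 30 * 24 * HOUR,
}
ECOMMERCE_WINDOWS = {
    "device_activations": 1 * HOUR,
    "high_value_events": 15 * 60,
    "identity_velocity": 24 * HOUR,
}
SIM_FARM_ACTIVATIONS = 5                 # assumed threshold for the SIM farm signal


class VelocityStore:
    """Sliding-window counter per (metric, entity). Timestamps are epoch seconds.
    Stand-in for a Redis ZSET keyed the same way (ZADD on record, ZREMRANGEBYSCORE
    + ZCARD on count); in-memory here so the example runs offline."""

    def __init__(self, windows: Dict[str, int]):
        self.windows = windows
        self._events = defaultdict(list)    # (metric, entity) -> sorted timestamps

    def record(self, metric: str, entity: str, ts: int) -> None:
        key = (metric, entity)
        insort(self._events[key], ts)       # keep the list sorted for cheap trimming
        self._trim(key, ts)

    def count(self, metric: str, entity: str, now: int) -> int:
        key = (metric, entity)
        self._trim(key, now)
        return len(self._events[key])

    def _trim(self, key: Tuple[str, str], now: int) -> None:
        cutoff = now - self.windows[key[0]]
        events = self._events[key]
        del events[:bisect_left(events, cutoff)]   # drop timestamps older than the window


def sim_farm_check(store: VelocityStore, imei: str, now: int) -> Tuple[bool, int]:
    """SIM farm signal: activation count for one IMEI within the configured window."""
    n = store.count("device_activations", imei, now)
    return n >= SIM_FARM_ACTIVATIONS, n


def compare_windows() -> Dict[str, Tuple[bool, int]]:
    """Constructed sample: one IMEI activates six SIMs, four hours apart, over 20 hours.
    The telco 24h window sees all six; the e-commerce 1h window sees only the last."""
    activations = [h * HOUR for h in (0, 4, 8, 12, 16, 20)]
    now = 20 * HOUR + 5 * 60
    results = {}
    for name, windows in (("telco", TELCO_WINDOWS), ("ecommerce", ECOMMERCE_WINDOWS)):
        store = VelocityStore(windows)
        for ts in activations:
            store.record("device_activations", "IMEI-FARM", ts)
        results[name] = sim_farm_check(store, "IMEI-FARM", now)
    return results


if __name__ == "__main__":
    print(compare_windows())
```

The same store serves the other two rows of the table; only the metric name and window change, which is the point the table is making: the counter is a transferable component, the windows are domain configuration.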
Transferable Principles
Despite domain differences, these patterns transfer directly:
1. Latency Budget Thinking
"Every millisecond matters" applies whether authorizing a payment or a SIM activation. The 10ms target and component-level budget breakdown remain valid.
2. Three-Path Data Architecture
- **Request-time**: Event details, device fingerprint
- **Real-time velocity**: Redis counters, subscriber activity
- **Async enrichment**: Historical profiles, external signals
The paths exist regardless of domain.
3. Score Calibration Philosophy
Every threshold traces to false positive rates. The *methodology* transfers, not the specific numbers:
| Signal | E-Commerce | Telco |
|---|---|---|
| Emulator | 0.9 | 0.95 (even higher - no legitimate use) |
| VPN | 0.3 | 0.4 (more suspicious in telco context) |
| New device | 0.2 | 0.3 (subscriber lifecycle expectations) |
4. Failure Mode Design
"Design for when, not if" applies universally:
- Component-level fallbacks
- System-wide safe mode
- Attack vs bug distinction
5. Ownership Model
Speed of change dictates ownership boundaries:
| Change Type | Speed | Owner |
|---|---|---|
| Blocklists | Immediate | Ops |
| Velocity thresholds | Minutes | Ops |
| Event rules | Hours | Fraud Policy |
| ML models | Days | Data Science |
Interview Application Framework
When asked "How would you adapt this to [new domain]?":
1. Identify the core entities - What are the nouns in this domain?
2. Map fraud vectors - What can go wrong? What is the attack surface?
3. Adapt velocity windows - What timescales matter for this domain?
4. Add domain-specific rules - What events are high-signal?
5. Preserve transferable patterns - What architectural principles remain constant?
The goal: Demonstrate systematic thinking about new domains while recognizing what transfers and what must be reimagined.
Technical Implementation Summary
The refactoring touched every system layer:
| Layer | Changes |
|---|---|
| Schema | `merchant_id` → `service_id`, added telco-specific fields |
| Event Model | Added telco event subtypes (sim_activation, sim_swap, device_upgrade, port_out) |
| Detection | New IRSF and SIM farm detectors |
| Policy | Event-based rules layer for SIM swap/international enable |
| Evidence | Extended capture for telco-specific dispute resolution |
Key Insight: The code changes reinforce the interview narrative - same architectural thinking, domain-specific application.
*This analysis is part of the Fraud Detection capstone project. See the [Thinking Process documentation](/nebula/fraud-detection-thinking) for the complete design derivation.*