
Fraud at Carrier Scale: SIM Swap, IRSF, and Subscription Fraud in Real Time

RealAI · Apr 20, 2025 · 9 min read

Your subscribers are losing money. Not to network congestion or poor signal — to criminals who own their phone number, intercept their account resets, and drain their savings before anyone discovers the SIM was swapped. Meanwhile, international revenue share fraud bleeds carrier income, buried in the noise of international routing. And subscription fraud hides in the first-call-free period, scaling across temporary accounts before billing audits catch it weeks later. Industry estimates put fraud loss in the range of 2–4% of revenue in some regions — a number that stays invisible precisely because detection happens long after the money has moved.

Exhibit 1: Recovery is a function of latency. SIM-swap, IRSF and subscription fraud leak revenue at audit speed. [Interactive chart: three fraud typologies as $-at-risk bars. At a detection latency of 9.0 h the caught-in-time share is small: only $1.7B of $9.8B recovered (17%). Dragging detection latency from days down to seconds refills each typology's bar from leaked to caught, with IRSF, the fastest-leaking, recovering most, and flips the verdict from leaking to assured only at near-real-time.]

The Problem: Fraud at Carrier Scale, Detected at Audit Speed

Three distinct fraud typologies bleed carrier revenue, each with its own timeline and detection blindness.

SIM-swap: A criminal contacts customer care, claims to have lost their phone, and walks away with a new SIM provisioned on the victim's account. The real subscriber notices their signal drops. By then the attacker has a window to change passwords, drain bank accounts and hijack email two-factor authentication. You discover it later when the victim complains or fraud investigators open a case.

International Revenue Share Fraud (IRSF): A wholesale partner terminates calls through a trusted route, but the call is artificially generated — originated to inflate termination volume rather than placed by a real subscriber. Your international tariff pays per minute. The traffic sits in your ledgers as routing volume until a periodic audit surfaces an impossible call-to-subscriber ratio. By then the money is gone and the shell company is dissolved.

Subscription fraud: Criminals open accounts in the grace period before first billing — names, addresses and emails recycled or fabricated. Those accounts abuse free trials, promotional data and calling credits, then churn before the bill lands. Each account looks legitimate in isolation. The fraud only emerges as a pattern, after acquisition costs have already been spent.

The common thread: detection happens at audit velocity — weeks to months — not at transaction velocity. Close the lag and you change the economics.

Real-Time Scoring on CDR and SIM-Activation Streams

Production telecom fraud detection lives on two streams: the Call Detail Record (CDR) feed that captures every call routed, and the SIM provisioning and activation logs that show which numbers are active on which devices. These models run against live streams in production at a global telco, on the same infrastructure that drives network maintenance and churn scoring.

For SIM-swap, the signal is velocity: a number that was dormant suddenly activates on a new device identifier. That activation, combined with an outbound international call shortly after, is the typology. The model flags it as it happens, surfacing a story to the NOC: a new SIM activation on a dormant account, an outbound international call moments later, a routing anomaly on the terminating leg.

For IRSF, the signal is cross-cutting. The model runs per-call, scoring the likelihood that a call is legitimate based on routing partner history, calling pattern (human vs. automated), and destination clustering in known high-fraud geographies. A call that scores as probable IRSF does not block — that kills customer experience and damages wholesale partnerships. Instead, the flag routes to a review queue where patterns accumulate and justify enforcement decisions.

For subscription fraud, the signals are enrollment-time: email-farming domains, address matching, proxy geography, immediate device changes. Each signal is soft until you see the pattern. A model scoring all three together flags accounts hitting a threshold shortly after creation, surfacing fraud within a window where account suspension is still possible.

[Process flow diagram: three fraud streams scored, routed to one NOC queue.]

The Data Stack: How Signals Become Scores

The model that moves fraud detection from audit-speed to real-time is only as good as the data feeding it. In production, a handful of sources have to arrive clean, fast and joined.

CDR completeness and latency: Every call routed has to reach the scoring system fast enough to act on, in order. CDRs may arrive out of order or with missing fields. If you systematically miss a slice of records, a fraudster learns to route calls through that blind spot.

SIM provisioning and activation logs: Most carriers have this data siloed in the provisioning system. Getting it out in real time — flagging a new activation as it happens — requires a data integration many carriers have not yet built.

Billing and account records: For subscription fraud, you correlate enrollment with the customer account database — names, addresses, email domains, billing records. That linkage is often manual.

International routing tables: For IRSF detection, you need to know in real time which partners are sending calls on which routes. Routing agreements are often maintained in static spreadsheets. The model needs them as live signals.

2–4%: Industry-benchmark fraud loss
CDR + SIM: Real-time fraud streams
95%: Diagnostic accuracy (RealAI proof point)
4–6 weeks: Assessment to ranked roadmap

The assessment phase inventories your mediation platform, provisioning system, billing database and routing tables. You measure latency and completeness, identify missing fields, and rank use cases by revenue-at-risk. Carriers that moved fastest had already invested in a real-time data spine for other use cases — churn prediction, network optimization — and plugged fraud scoring onto it.
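One way to measure the CDR feed properties named above (latency, ordering, missing fields, undelivered records), as an added example that is not RealAI's tooling. The record layout, the per-source sequence number and the required-field list are assumptions, and the sample feed is constructed.

```python
from datetime import datetime

REQUIRED = ("caller", "callee", "start", "partner")  # assumed mandatory fields
ts = datetime.fromisoformat

def audit_feed(records):
    """Audit CDRs in arrival order; 'source', 'seq', 'arrived' are assumed field names."""
    report = {"late_order": 0, "missing_fields": 0, "seq_gaps": {}, "latencies": []}
    last_seq, seen = {}, {}
    for r in records:
        src = r["source"]
        seen.setdefault(src, set()).add(r["seq"])
        if r["seq"] < last_seq.get(src, -1):
            report["late_order"] += 1  # arrived after a newer record from the same source
        last_seq[src] = max(r["seq"], last_seq.get(src, -1))
        if any(not r.get(f) for f in REQUIRED):
            report["missing_fields"] += 1
        if r.get("start"):
            report["latencies"].append((ts(r["arrived"]) - ts(r["start"])).total_seconds())
    for src, seqs in seen.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            report["seq_gaps"][src] = missing  # never delivered: a scoring blind spot
    lat = sorted(report.pop("latencies"))
    # Nearest-rank 95th percentile: index ceil(0.95 * n) - 1, in integer arithmetic.
    report["p95_latency_s"] = lat[-(-95 * len(lat) // 100) - 1] if lat else None
    return report

# Constructed sample feed, listed in arrival order (not from any real network).
FEED = [
    {"source": "med-1", "seq": 1, "caller": "+447700900001", "callee": "+99900000001", "partner": "partner-x", "start": "2025-04-20T10:00:00", "arrived": "2025-04-20T10:00:02"},
    {"source": "med-2", "seq": 10, "caller": "+447700900002", "callee": "+99900000002", "partner": "partner-y", "start": "2025-04-20T10:00:00", "arrived": "2025-04-20T10:00:01"},
    {"source": "med-1", "seq": 3, "caller": "+447700900003", "callee": "+99900000001", "partner": "partner-x", "start": "2025-04-20T10:00:10", "arrived": "2025-04-20T10:00:13"},
    {"source": "med-1", "seq": 4, "caller": "+447700900004", "callee": "+99900000003", "partner": "", "start": "2025-04-20T10:00:20", "arrived": "2025-04-20T10:00:22"},
    {"source": "med-2", "seq": 12, "caller": "+447700900005", "callee": "+99900000002", "partner": "partner-y", "start": "2025-04-20T10:00:30", "arrived": "2025-04-20T10:00:34"},
    {"source": "med-1", "seq": 2, "caller": "+447700900006", "callee": "+99900000001", "partner": "partner-x", "start": "2025-04-20T10:00:05", "arrived": "2025-04-20T10:00:45"},
]

if __name__ == "__main__":
    print(audit_feed(FEED))
```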

Root Cause, Not Just a Flag

An analyst gets an alert: a SIM-swap flag on an account. If the only signal is the flag itself, the analyst cannot act. They have to open several systems, manually cross-check activation against CDR logs, and verify this is not a legitimate business traveler.

The model that works in production ships the root-cause signals alongside the flag. The alert reads as a chain of evidence: a new device activated on a dormant number, an outbound international call moments later routed through a partner with elevated fraud history, and whether that call reached the account holder's known contact.

That analyst now has four pieces of information to make a judgment — not a guess — on whether to suspend the SIM or monitor for a second call. This mirrors RealAI's broader design principle: every prediction surfaces the alarms and KPIs driving it, so engineers see why an account is flagged, not just that it is. That interrogable root cause earns trust inside the network-operations workflow.

Real-time CDR scoring without explanation just moves the bottleneck from detection to investigation. The flag and its reasons have to arrive together, or the analyst is back to opening five systems by hand.
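The SIM-swap correlation described under Real-Time Scoring, emitted together with the evidence chain this section calls for, as an added example (not RealAI's code or model). Field names, the 30-day dormancy and 15-minute thresholds, the home prefix and the partner list are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=30)    # assumed: no usage for 30 days means dormant
CALL_WINDOW = timedelta(minutes=15)   # assumed meaning of "moments later"
HOME_PREFIX = "+44"                   # assumed home country code
RISKY_PARTNERS = {"partner-x"}        # assumed: partners with elevated fraud history
ts = datetime.fromisoformat

def score_sim_swaps(activations, cdrs, last_usage, known_contacts):
    """Correlate SIM activations with CDRs; each alert carries its evidence."""
    alerts = []
    for act in activations:
        msisdn, t_act = act["msisdn"], ts(act["time"])
        idle = t_act - ts(last_usage[msisdn])
        if idle < DORMANT_AFTER or act["device_id"] == act["previous_device_id"]:
            continue  # active line or same device: not the typology
        evidence = [f"new device {act['device_id']} activated after {idle.days} idle days"]
        # CDRs can arrive out of order, so select by event time and then sort.
        calls = sorted((c for c in cdrs if c["caller"] == msisdn
                        and t_act <= ts(c["start"]) <= t_act + CALL_WINDOW
                        and not c["callee"].startswith(HOME_PREFIX)),
                       key=lambda c: ts(c["start"]))
        if not calls:
            continue  # activation alone is not flagged
        call = calls[0]
        delay = int((ts(call["start"]) - t_act).total_seconds())
        evidence.append(f"outbound international call to {call['callee']} {delay}s after activation")
        if call["partner"] in RISKY_PARTNERS:
            evidence.append(f"terminating partner {call['partner']} has elevated fraud history")
        known = call["callee"] in known_contacts.get(msisdn, set())
        evidence.append("callee is a known contact" if known else "callee is not a known contact")
        alerts.append({"msisdn": msisdn, "flag": "sim_swap_suspected", "evidence": evidence})
    return alerts

# Constructed sample data (not from any real network).
ACTIVATIONS = [
    {"msisdn": "+447700900001", "time": "2025-04-20T10:00:00", "device_id": "dev-B", "previous_device_id": "dev-A"},
    {"msisdn": "+447700900002", "time": "2025-04-20T10:05:00", "device_id": "dev-D", "previous_device_id": "dev-C"},
]
LAST_USAGE = {"+447700900001": "2025-02-01T09:00:00", "+447700900002": "2025-04-19T18:00:00"}
CDRS = [  # deliberately out of order
    {"caller": "+447700900001", "callee": "+99900000002", "start": "2025-04-20T10:09:00", "partner": "partner-y"},
    {"caller": "+447700900001", "callee": "+99900000001", "start": "2025-04-20T10:02:30", "partner": "partner-x"},
    {"caller": "+447700900002", "callee": "+99900000001", "start": "2025-04-20T10:06:00", "partner": "partner-x"},
]
KNOWN_CONTACTS = {"+447700900001": {"+447700900123"}}

if __name__ == "__main__":
    print(score_sim_swaps(ACTIVATIONS, CDRS, LAST_USAGE, KNOWN_CONTACTS))
```

The second subscriber changed device but was active the day before, so no alert is raised for that line.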

Where to start

The assessment phase starts with a single question: where is your fraud loss actually concentrated?

For most carriers, SIM-swap is a public-relations crisis but a comparatively small revenue impact. IRSF is the silent killer: international revenue nobody sees leaving until audit. Subscription fraud clusters in regions aggressively acquiring customers, quietly eroding return on acquisition spend.

The assessment maps revenue-at-risk by fraud type, correlates it to available data, and sequences models by impact and feasibility. You inventory your CDR system, provisioning system, billing database and routing records. You measure gaps and latency. The output in 4–6 weeks is a ranked roadmap: which fraud type pays back fastest given your data readiness.

From there, the transform phase builds the real-time scoring system. Start with the highest-confidence use case — often IRSF, because international call patterns are more stable than subscriber data. Build the model on historical CDRs, test against a holdout period, and wire it into your mediation platform so new CDRs score as they arrive. Tune it to a false-positive rate your fraud team can tolerate. Pilot on one international route and measure fraud caught against operational load.

Once working, expand to other fraud types. By then, your data pipeline is in place and your team has muscle memory. The infrastructure is the hard part and only has to be built once.

The hardest part is sustaining accuracy as fraud patterns shift. Routing agreements change. New gateways emerge. Attackers learn to mimic legitimate patterns. The model drifts. Carriers that held accuracy over years treated fraud detection as a living operation: feed new fraud cases back into retraining, monitor accuracy against fresh known-fraud samples, and retrain on the network's operational rhythm. Telco data shifts under you — new spectrum, tariff plans, seasonal demand — and the fraud surface shifts with it.

That is the work of turning fraud detection from an audit finding into a real-time operation that keeps revenue moving to your bottom line, not into criminal accounts. It is not a model project. It is a data-and-operations project that happens to have a model at the center.

The difference between a fraud loss and a recovery is the lag between when the model flags it and when the human acts. Real-time CDR scoring moves that window from days to seconds.
