Today, we received a threatening email from an anonymous sender (go figure…) alerting us that we shouldn’t verify customers’ IP addresses when they buy a service from us. This John Doe seems to think that we are breaking a supposed law and that they could sue us for it. The gist of his email is that it collects information about customers who have been denied service based on their IP address location, for example, Starbucks.

Now here comes the logical question: As a provider of what could be construed as equivalent to “phone services” (note that VoIP is NOT a replacement for phone service!), wouldn’t we expect our customers to use their service at home? Or work? Why would an honest user choose to create their account from Starbucks, when you are required to have Internet service at home to use our service anyway?

The answer is simple, with a few exceptions (a fraction of a percent), it doesn’t make sense, and the clear proof is that real users with nothing to hide register from their home or work computers connected to a network that allows you to verify your identity with a reasonable level of certainty.

If that is the case, why do we, as providers, receive such a “notice”? The answer is simple: the IP address verification and anti-fraud measures implemented by VoIP stop criminals dead in their tracks. When we first started serving the public, the percentage of stolen credit cards thrown at us was a staggering 40% (!). We were neither prepared nor expected such figures. The main criminals were criminal networks from Egypt, Jordan, the Palestinian territories and some countries in Africa, but we have definitely gotten some criminal transactions right here in the US after implementing minimal steps like preventing automatic processing of new unverified accounts , our numbers are down to a manageable 5%, and after adding IP address validation, we’re down to a comfortable fraction of a percent and can focus on doing business instead of worrying who we serve. .

This online crime epidemic is especially targeting companies that provide VoIP services. Why? because it is an easy target and as good as cash in the bank. For an international criminal network, obtaining stolen credit cards or PayPal accounts is not only easy, but also cheap. We are talking about a few cents per number. Not only do they get the identity theft victim’s credit information, but they usually get their name, address, and sometimes even more than that. For criminals based in the US, it is possible to do things like create a credit card in the victim’s name, which could net them thousands of dollars. However, in the case of criminals in Egypt, for example, there is not much they can do except compare prices online. Of course, they can’t log on to your-electronics-store.com and have a TV shipped to them, so they need an easy way to “launder” their stolen cards into cash. The solution? Minutes of international calls. A company that operates a network of calling shops or calling cards in the Middle East can get that cash from its customers, while getting free minutes from the victim’s VoIP provider of their choice. If you’ve been in the VoIP business for a few days, you’ll soon learn that international minutes are as liquid as cash. In fact, some operators are paid by exchanging minutes instead of money.

Now that we’ve established that VoIP providers are one of the most desirable targets for these criminals, let’s focus on how to stop them. Some ways we have found to be effective are:

1. Don’t process payments automatically. When a thief wants to cash out on that PayPal account he just bought for 30 cents, he wants to make it quick and easy. If their site doesn’t deliver what they expect, chances are they’ll just leave and try their luck with another merchant.

2. While we’re talking about the whole “try your luck somewhere else” thing, another important theme comes up. Be consistent. Reject fraud when you find it, and find it 100% of the time. These guys are looking for easy targets that don’t require a lot of work. Make life difficult for them and they will pick on someone else.

3. Check that IP address! If you live in a cave, or if you don’t yet store the IP address your new customers sign up from, join the 21st century and start storing this information! Here’s a great tip: If your username is John Smith, your credit card address is in California, but your IP address resolves to Pakistan… well, let’s just say it’s not very likely that the good guy John visits Grandma in the homeland…

4. Check IP address proxies. These can range from very basic (and traceable) to completely undetectable. However, if you can spot it, do something about it. Don’t let your clients log in from a proxy and be consistent about it.

5. Patterns. VoIP fraud exhibits certain patterns that you can easily spot. If Johnny goes back to making 30 calls a day to Guinea, something smells fishy. He doesn’t spy on his clients, but it’s perfectly within his rights to prevent abuse on his network by checking for fraudulent patterns.

6. Don’t compromise. If you believe that a (alleged) user is a criminal, disconnect them immediately and refund your deposit. DO NOT keep your deposit! remember this is STOLEN MONEY that can not only get you into trouble, but is also hurting the identity theft victim a lot. Do them and your conscience a favor and get your money back immediately. If the so-called user requests that you restore service, your best option is to send them on their way and not provide service. Alternatively, you can ask them to provide copies of your passport and a utility bill. Be aware that they may ship fake, usually from a foreign country, so it’s hard to verify. If you’re not 100% sure beyond a shadow of a doubt that they’ve proven they are who they say they are, tell them you’re sorry but you can’t provide them with a service.

Let’s go back to the email we received earlier, the one about anti-fraud measures harming consumers. If true. In a case out of several thousand, you may be misidentifying a real customer as an identity thief because their information is not verified. Personally, it only happened once: the guy had an address in one state and was connected from another state, and he was adamant about not wanting to provide us with ID when we contacted him. He eventually provided these documents and we agreed to service him, but instead of creating a scene, he could have explained to us that he lives in both states to begin with. The bottom line is that the average Joe will not be affected by these verification techniques, and he should definitely implement them.

After all, your customers are the ones who benefit from a more secure network, one that is unlikely to be shut down due to cybercrime and unlikely to go out of business due to crime-related losses. If you as a provider can save thousands of dollars in unnecessary stolen call costs, you can offer your customers better prices and terms. In the end, we are here to provide a service, and the more affordable we can buy it, the more affordable we can sell it.

I wish you the best of luck in stopping cybercrime and identity theft!