Inside the Telecom Fraud Supply Chain: How Scam Calls Are Bought, Sold, and Scaled
The phone rings.
It’s a local number with a familiar area code. An elderly woman in Nairobi answers, expecting a routine call. The person on the other end knows her name, mentions her mobile money account, and speaks with the calm confidence of someone from her bank. The voice sounds familiar because it has been carefully designed to.
Four minutes later, her savings are gone.
What happened wasn’t the work of a lone scammer armed with a prepaid phone. It was the final step in a coordinated operation involving specialized tools, infrastructure, and people spread across multiple countries. Long before that call reached its target, others had sourced the SIM cards, spoofed the caller ID, routed the traffic through trusted networks, cloned the voice, and prepared channels to move the stolen money beyond recovery.
Telecom fraud has evolved into a business ecosystem. Like any legitimate industry, it has suppliers, distributors, service providers, and customers. Every participant plays a specific role, making the operation more efficient, scalable, and difficult to trace.
Understanding that supply chain is the first step toward disrupting it.
In this article, we’ll follow a scam call from its origins to its payout, examining how Fraud-as-a-Service, disposable SIM infrastructure, AI-powered voice cloning, and international routing work together to fuel today’s telecom fraud economy. More importantly, we’ll explore where carriers can intervene before a fraudulent call ever reaches a subscriber.

Fraud-as-a-Service: Telecom Fraud’s Business Model
Modern telecom fraud doesn’t rely on a single criminal doing everything themselves. Instead, it operates much like a legitimate software company.
Known as Fraud-as-a-Service (FaaS), this model allows criminals to purchase ready-made tools, infrastructure, and expertise instead of building them from scratch. According to SEON’s guide to Fraud-as-a-Service, the ecosystem is built around specialized roles. Developers create the software, resellers distribute it, and operators use it to launch fraud campaigns. Many of these participants never meet or even know one another.
That separation makes the ecosystem remarkably resilient. If one group is disrupted, another quickly fills the gap.
Today, someone running a SIM boxing operation in Africa can purchase software developed in Eastern Europe, receive technical support through encrypted messaging platforms, and process payments through cryptocurrency—all without ever interacting directly with the people behind the tools.
This specialization has dramatically lowered the barrier to entry. Criminals no longer need advanced telecommunications expertise to launch sophisticated attacks. They simply buy the services they need.
The result is a thriving underground marketplace where caller ID spoofing, AI voice cloning, SMS phishing kits, SIM box management software, and routing services are sold much like commercial software subscriptions.
The scale of this economy continues to grow. Juniper Research notes that the commercialization of cybercrime is accelerating as Fraud-as-a-Service continues to industrialize online fraud, making sophisticated attacks increasingly accessible to less experienced criminals.
Telecom fraud sits near the beginning of this chain. A convincing scam call often provides the stolen credentials, authentication codes, or account access that enable downstream financial fraud.
The scam call isn’t the product.
It’s the delivery mechanism.
The SIM Card Marketplace: Building the Infrastructure
Every industry depends on raw materials.
For telecom fraud, that raw material is the SIM card.
Former FBI cybercrime advisor Marc Goodman famously observed in Future Crimes that crime follows the same economic principles as legitimate business—competition, innovation, supply, and demand. Few examples illustrate that better than today’s industrial market for bulk SIM cards.
On their own, SIM cards are harmless. In large numbers, they become the foundation of large-scale fraud operations.
SIM boxes—devices capable of housing anywhere from eight to more than two hundred active SIM cards—allow fraudsters to disguise international calls as local traffic. Instead of paying international termination rates, calls are injected into domestic mobile networks, dramatically reducing costs while increasing profits.
The economics are simple.
International traffic enters one side of the operation. Local-looking calls leave the other.
The difference between international and local termination rates becomes profit.
These systems are also designed for resilience. When one SIM card is blocked or a device is detected, operators simply replace the affected cards or move traffic to another SIM box. Because the infrastructure is inexpensive and highly disposable, shutting down individual devices rarely disrupts the wider operation for long.
This constant rotation creates an ongoing challenge for carriers. Traditional detection methods often identify suspicious activity only after patterns have emerged, by which point fraudsters have already shifted to new infrastructure.
That is why identifying abnormal traffic behavior—not just suspicious phone numbers—has become increasingly important.
SIM boxes rarely operate in isolation. They are one component of a much larger ecosystem that includes routing providers, spoofing services, AI voice tools, and financial networks working together to maximize the success of every campaign.
By themselves, SIM cards don’t steal money.
They simply make fraudulent calls appear legitimate enough for someone to answer.
In the next stage of the supply chain, criminals focus on something even more convincing than the phone number.
They manufacture trust itself.
The AI Voice Layer: Manufacturing Trust at Scale
If SIM boxes provide the infrastructure, AI provides the illusion.
Scammers no longer rely solely on spoofed phone numbers. Increasingly, they’re using AI to clone voices, making calls sound as convincing as they look. With just a few seconds of publicly available audio, modern tools can recreate a person’s voice well enough to fool customers, employees, and even family members.
The consequences are already being felt.
In 2024, a finance employee at a multinational company approved a $25 million transfer after joining what appeared to be a video meeting with his chief financial officer and several colleagues. Every participant on the call had been generated using AI.
This marks a significant shift in telecom fraud. Criminals are no longer just disguising where a call comes from—they’re fabricating who is speaking.
Voice cloning, caller ID spoofing, and phishing kits are now readily available through underground marketplaces, allowing fraudsters to assemble sophisticated campaigns without developing the technology themselves. As these tools become cheaper and more accessible, the barrier to entry continues to fall.
The implication for carriers is clear: trust can no longer depend on what a caller sounds like. It has to be verified at the network level before the call reaches the subscriber.
For a closer look at how AI is changing telecom fraud, read our article on AI-powered telecom fraud prevention.
The Distribution Network: Borrowing Legitimacy
A convincing voice means little if the call never reaches its target.
To improve their chances of success, fraudsters route calls through multiple carriers and countries before they arrive at the terminating network. Each hop adds another layer of separation, making it harder to identify the call’s true origin.
The objective is simple: borrow legitimacy.
By passing traffic through smaller or less-regulated carriers, fraudulent calls can inherit trust they haven’t earned. That’s why STIR/SHAKEN has become such an important tool. The framework verifies caller identity and assigns calls an attestation level based on how confidently that identity can be trusted.
The challenge is that telecom traffic doesn’t stop at national borders. Calls frequently cross networks where STIR/SHAKEN isn’t yet required, creating opportunities for criminals to exploit gaps in global enforcement.
Learn more about these challenges in our guide to international call validation and STIR/SHAKEN enforcement.
The Cash-Out Layer: Following the Money
The phone call is only the beginning.
Once victims authorize a payment or disclose sensitive information, criminal networks move quickly to distance themselves from the stolen funds. Money is transferred through money mules, fragmented across multiple digital wallets, and often converted into cryptocurrency before authorities can intervene.
By the time the victim reports the fraud, the money has typically crossed several accounts, platforms, and jurisdictions, making recovery extremely difficult.
Fortunately, every stage of this process leaves clues. Traffic anomalies, signaling behavior, and unusual transaction patterns all create opportunities for carriers to detect and disrupt fraud before the damage is done.
In the next section, we’ll look at six practical ways carriers can identify telecom fraud and break the supply chain before it reaches subscribers.

How Carriers Can Break the Fraud Supply Chain
Telecom fraud may be sophisticated, but it isn’t invisible. Every stage of the fraud supply chain leaves behind signals that carriers can identify before a scam succeeds. Recognizing these patterns early doesn’t just reduce financial losses—it protects customer trust, safeguards revenue, and strengthens the integrity of the network.
Here are six indicators every carrier should monitor:
- Unexpected spikes in international traffic may indicate SIM boxing activity, particularly when large volumes of calls originate from unfamiliar routes or sequential number ranges.
- Low or inconsistent STIR/SHAKEN attestation on trusted corridors can signal attempts to exploit gaps in international call authentication. Learn more about international call validation and STIR/SHAKEN enforcement.
- CLI mismatches—where the presented caller ID doesn’t match the actual signaling path—often reveal caller ID spoofing or unauthorized routing.
- Rapid SIM changes followed by authentication requests or mobile money activity are strong indicators of SIM swap fraud and should trigger immediate investigation.
- High volumes of short-duration calls to premium-rate destinations frequently point to Wangiri fraud before revenue is lost.
- Traffic routed through unfamiliar intermediary carriers may indicate attempts to borrow trust from less-scrutinized networks. Validating these routes before they enter your network is critical to stopping fraudulent traffic.

Key Takeaways
Telecom fraud is no longer a collection of isolated scams—it has evolved into a coordinated commercial ecosystem with specialized roles, scalable infrastructure, and global reach.
- Fraud-as-a-Service has industrialized telecom fraud, allowing criminals to purchase tools, infrastructure, and expertise instead of building them from scratch.
- SIM boxes and AI voice cloning have made scam calls easier to launch and more convincing, dramatically increasing the scale and effectiveness of fraud campaigns.
- Cross-border routing and STIR/SHAKEN gaps allow fraudulent traffic to borrow legitimacy, highlighting the need for stronger international call validation.
- Every stage of the fraud supply chain leaves behind detectable signals, creating opportunities for carriers to identify and stop attacks before customers become victims.
- A layered defense combining call validation, signaling intelligence, and device-level protection offers the strongest opportunity to disrupt telecom fraud before it succeeds.
Breaking the Supply Chain
The woman in Nairobi never saw the supply chain behind the call that emptied her savings.
She couldn’t see the SIM box that disguised international traffic as a local call. She couldn’t see the AI that recreated a trusted voice, the routing partners that helped the call appear legitimate, or the money mule network waiting to move the stolen funds before anyone could react.
By the time her phone rang, the operation had already been set in motion.
That is the reality of modern telecom fraud. Scam calls don’t succeed because criminals are smarter than telecom providers. They succeed because every stage of the supply chain exploits a different weakness—identity, routing, signaling, or payment. When those weaknesses remain disconnected, fraud becomes easier to scale and harder to stop.
The good news is that the same supply chain also creates multiple opportunities for intervention.
SIM box traffic leaves recognizable patterns. Spoofed identities create validation gaps. Fraudulent routing generates signaling anomalies. SIM swap attacks follow predictable sequences before money moves. Detect those signals early, and carriers can stop attacks before trust is exploited and before revenue is lost.
That’s the philosophy behind 1Route’s approach to telecom fraud prevention.
Our EDGE platform validates calls as they enter the network, helping carriers identify suspicious traffic before it reaches subscribers. FINIS monitors SS7 and SIP signaling in real time to detect fraud patterns such as SIM boxing, Wangiri, and International Revenue Share Fraud (IRSF). On-SIM protection secures subscribers at the device level, helping prevent SIM swap attacks and protecting mobile money transactions.
Telecom fraud thrives when every stage of the supply chain works exactly as criminals intend. Carriers don’t have to stop every attack—they only have to break the chain.
When trust is verified, traffic is validated, and fraud is detected before it reaches subscribers, the economics of telecom fraud begin to collapse.
FAQs
What is Fraud-as-a-Service in telecom?
Fraud-as-a-Service (FaaS) refers to the commercialization of telecom fraud tools and infrastructure — packaged, sold, and supported like legitimate software products. Rather than one criminal executing an entire scheme, FaaS separates the operation into specialized layers: developers who build the tools, resellers who distribute them, and end-users who run the actual fraud campaigns. This division of labor makes telecom fraud scalable, harder to trace, and accessible to operators with little to no technical background. The result is a scam call ecosystem that functions less like criminal activity and more like a supply chain.
How does STIR/SHAKEN bypass work — and can it be stopped?
STIR/SHAKEN assigns trust levels — A, B, or C — to calls based on the originating carrier’s ability to verify the caller’s identity. Fraudulent operators bypass this by deliberately routing traffic through smaller, less-scrutinized carriers in jurisdictions where STIR/SHAKEN enforcement is limited or absent, effectively borrowing those carriers’ attestation credentials to make fraudulent calls appear legitimate. The framework itself isn’t broken — its global coverage is. Stopping it requires real-time attestation validation at network ingress and an international clearing house function that extends verified trust to cross-border traffic. 1Route’s EDGE Computing Solution is designed to help carriers meet exactly this challenge, validating attestation levels in real time and flagging traffic that arrives with unearned or unverifiable credentials.
How does 1Route detect and disrupt the telecom fraud supply chain?
1Route’s three-pillar defense strategy is built around the principle that fraud must be stopped before it completes — not analyzed after it does. Our EDGE Computing Solution intercepts fraudulent traffic at network ingress, validating STIR/SHAKEN attestation and blocking suspicious calls during setup. Our FINIS Platform operates inside the core SS7 and SIP signaling layer, detecting fraud patterns like SIM boxing, Wangiri, and International Revenue Share Fraud (IRSF) in real time. Our On-SIM protection sits on the physical SIM card itself, preventing SIM swap attacks and securing mobile money transactions at the device level. Together, these three layers cover every point in the telecom fraud supply chain where disruption is possible — and where, without intervention, revenue walks out the door.
To learn more about how 1Route’s solutions are designed to help carriers and enterprises protect their networks, visit 1routegroup.com.