WO2016179391A1 - System and method for identifying fraudulent communication attempts - Google Patents
- Publication number
- WO2016179391A1 (PCT/US2016/030981)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- communication
- suspicious
- communication device
- communications
- consumption
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/535—Tracking the activity of the user
Definitions
- the present disclosure relates generally to electronic communications, and more specifically to identifying attempts to make fraudulent electronic communications.
- With advances in mobile computing technology, use of mobile devices has become increasingly widespread. Although mobile devices have adopted a variety of useful features, one of the primary benefits of mobile devices remains the ability to communicate and share data with other people around the world. In particular, mobile devices may be able to access telecommunications networks in order to deliver communications to other mobile devices.
- fraudulent communications may be conducted for various reasons such as, for example, extracting information for use in identity theft or other scams, initiating communications subject to premium charges (e.g., premium calls costing the customer several dollars per minute), obtaining remote access to a communication device (by, e.g., prompting a user of the communication device to download malicious software), and the like.
- the fraudulent communication may be treated as legitimate by the communications provider and, therefore, the customer may be charged for a communication he or she did not actually wish to receive.
- the fraudulent communication causes a customer's data usage to exceed a throttling threshold, the fraudulent communication may result in throttling, thereby decreasing performance by the communication device.
- the embodiments disclosed herein include a method for identifying fraudulent communication attempts for a communication device.
- the method comprises: analyzing communication consumption analytics associated with the communication device to determine at least one communication consumption pattern of the communication device; monitoring communications associated with the communication device; determining, for each monitored communication, whether the monitored communication deviates from the at least one communication consumption pattern; and determining, for each deviating communication, whether the deviating communication is suspicious based on at least one predetermined suspicious attribute, wherein each communication determined to be suspicious is identified as a fraud attempt.
- the embodiments disclosed herein also include a system for identifying fraudulent communication attempts for a communication device.
- the system comprises: a processing unit; and a memory, the memory containing instructions that, when executed by the processing unit, configure the system to: analyze communication consumption analytics associated with the communication device to determine at least one communication consumption pattern of the communication device; monitor communications associated with the communication device; determine, for each monitored communication, whether the monitored communication deviates from the at least one communication consumption pattern; and determine, for each deviating communication, whether the deviating communication is suspicious based on at least one predetermined suspicious attribute, wherein each communication determined to be suspicious is identified as a fraud attempt.
- Figure 1 is a network diagram utilized to describe the various disclosed embodiments.
- Figure 2 is a flowchart illustrating a method for identifying fraudulent communication attempts according to an embodiment.
- Figure 3 is a flowchart illustrating a method for determining suspicious communications according to an embodiment.
- FIG. 4 is a schematic diagram of a fraud detection system according to an embodiment.
DETAILED DESCRIPTION
- The term "communications provider" refers to any entity providing communications services such as, but not limited to, the Internet, cable, satellite, telecommunications (e.g., landline or wireless telecommunications), combinations thereof, and any other entity providing electronic and/or computerized communications.
- sending a communication may refer to any attempted or successful communication transmitted by or to a particular communication device such as, but not limited to, sending an email to or from an email address associated with the communication device, initiating a telephone or video call with the communication device (e.g., regardless of duration of the call), sending a text message to or from a phone number associated with the communication device, sending a SMS or other message based on an identifier (e.g., a username) associated with the communication device, and any other initiation or attempt at communication.
- the various disclosed embodiments include a method and system for identifying fraudulent communication attempts.
- communication consumption analytics associated with a communication device are analyzed to determine one or more communication consumption patterns of the communication device. Communications by the communication device are monitored. Based on the monitoring, it is determined whether any of the monitored communications deviate from the communication consumption patterns. It is further determined, based on one or more attributes identifying suspicious communications, whether each deviating communication is suspicious. Each deviating communication that is determined to be suspicious is identified as a fraud attempt.
- Fig. 1 shows an example network diagram 100 utilized to describe the various disclosed embodiments.
- The network diagram 100 includes a fraud detection system 120, a communication device 130, a plurality of data sources 140-1 through 140-n (hereinafter referred to individually as a data source 140 and collectively as data sources 140, merely for simplicity purposes), and a communications provider (CP) server 150 communicatively connected via a network 110.
- The network 110 may be, but is not limited to, a wireless, cellular or wired network, a local area network (LAN), a wide area network (WAN), a metro area network (MAN), the Internet, the worldwide web (WWW), similar networks, and any combination thereof.
- The communications provider server 150 may be communicatively connected to a database 160.
- The database 160 may be communicatively connected via the network 110.
- the communication device 130 may be a portable or non-portable device equipped with communications capabilities.
- the communication device 130 may be, but is not limited to, a mobile phone, a smart phone, a landline phone, a wearable computing device, a tablet computer, a laptop computer, a desktop computer, a smart television, and any other device capable of sending and/or receiving electronic or computerized communications.
- the communication device 130 may include an agent 135 configured to collect communications data based on detected communications and to generate communication consumption analytics based on the collected communications data.
- the agent 135 may be, but is not limited to, an application.
- An application executed or accessed via the communication device 130 may be, but is not limited to, a mobile application, a virtual application, a web application, a native application, and the like.
- the communications provider server 150 may collect communications data related to communications by the communication device 130 and generate communication consumption analytics based on the collected communications data.
- the communications provider server 150 may store the collected communications data and/or communication consumption analytics in the database 160.
- The communications data may indicate communication parameters such as, but not limited to, a duration of a call, a length of a voice message, a length of a text message, and a data size of a communication.
- the communications data may also include metadata associated with a communication (e.g., metadata in a call detail record associated with the communication) indicating communications parameters.
- the communication consumption analytics may include representations of communications consumption and, in particular, the communication parameters, such as, but not limited to, numbers of geographic locations of senders and/or recipients of communications (e.g. particular cities, states, countries, continents, etc.), beginning and end times of communications or communication sessions, numbers of communications occurring at particular time intervals (e.g., a number of calls occurring between 3 PM and 4 PM, a number of text messages sent between 12 AM and 1 AM, etc.), amounts of time spent on outgoing and/or incoming calls (e.g., duration in minutes), a number of messages sent to or from the communication device 130, time spent web browsing, an amount of data delivered, time spent roaming, and the like.
- the data sources 140 may be web sources including, but not limited to, servers of communications providers. Each of the data sources 140 may include suspicious attributes associated with fraudulent communications. Each suspicious attribute may be, but is not limited to, a suspicious source identifier (e.g., a geographic location, name, user name, phone number, email address, etc.), a suspicious action (e.g., calling and immediately hanging up, communicating at a suspicious time, sending a communication having a length or data size below a predefined threshold, etc.), a combination of suspicious actions, and the like.
- Each of the data sources 140 may optionally include an agent 145.
- Each agent 145 may be configured to crawl through its respective data source 140, to extract suspicious attributes associated with fraudulent communications, and to provide the extracted suspicious attributes to the fraud detection system 120.
- the fraud detection system 120 may be configured to interact with the data sources 140 via an application programming interface (API).
- the fraud detection system 120 is configured to identify an attempt at a fraudulent communication (hereinafter a "fraud attempt") involving the communication device 130.
- the fraud detection system 120 may be configured to monitor communications sent to and/or by the communication device 130 to identify deviations from communication consumption patterns representing typical communication tendencies associated with the communication device 130.
- the fraud detection system may be configured to determine whether the communication is suspicious and, if so, to identify the communication as a fraud attempt.
- the fraud detection system 120 includes a communications analysis (CA) unit 126 configured to analyze communications data to identify deviating and/or suspicious communications.
- the fraud detection system 120 may be configured to begin monitoring the communications to and/or from the communication device 130 upon receiving a request from, e.g., the communication device 130, a user of the communication device 130, a communications provider (via, e.g., the communications provider server 150), and the like.
- the monitoring may include, but is not limited to, retrieving communications data related to communications to and/or from the communication device 130.
- the data may be retrieved via, but not limited to, the communications provider server 150 and/or the database 160, the agent 135, and the like.
- the fraud detection system 120 may be configured to retrieve images (e.g., of bills or other statements including information related to communications by the communication device 130) and to analyze, via an optical recognition processor, the retrieved images to identify communications data of communications sent to and/or by the communication device 130.
- the fraud detection system 120 may be configured to generate communication consumption analytics based on the monitored communications and/or to retrieve communication consumption analytics associated with the communication device 130.
- generating the communication consumption analytics may include, but is not limited to, analyzing communications data.
- the fraud detection system 120 is configured to retrieve communications data and/or communication consumption analytics associated with the communication device 130 using a received identifier of the communication device 130.
- the communications data and/or communication consumption analytics may be retrieved via the communications provider server 150 and/or the database 160.
- the fraud detection system 120 is configured to receive an identifier associated with the communication device 130 and/or a user of the communication device 130.
- the identifier may be an indicator utilized to identify and extract communications data and/or communication consumption analytics of the communication device 130.
- Example identifiers may include, but are not limited to, a phone number of the communication device 130, an identification number associated with the communication device 130 and/or a user of the communication device 130, a name of a user of the communication device 130, a voice record of a user of the communication device 130, a social security number of a user of the communication device 130, a user name of a user of the communication device 130, an email address of a user of the communication device 130, combinations thereof, and the like.
- retrieving the communication consumption analytics may further include retrieving images including information related to the received identifier and analyzing the retrieved images to identify the communication consumption analytics.
- The fraud detection system 120 may be configured to cause an optical recognition processor (not shown in Fig. 1) to identify characters and strings in the retrieved images.
- the images may include, but are not limited to, images of billing statements or other documents featuring information related to communications by the communication device 130. Based on the identified characters and strings, the fraud detection system 120 may be configured to identify the communication consumption analytics.
- the fraud detection system 120 may be configured to analyze the communication consumption analytics to determine one or more communication consumption patterns.
- Each communication consumption pattern may be a quantitative representation of a communication performance parameter such as, but not limited to, average communications usage, numbers of communications to or from particular geographic locations, a number of times a communication consumption limit is reached, a number of times blocking and/or throttling thresholds are reached, active hours (i.e., typical periods during which communications are sent to and/or from the communication device 130 such as, e.g., between 8 AM to 11 PM, between 5 PM to 10 PM and 6 AM to 12 PM, etc.), an amount of data throttled, bandwidth, latency, total price, unused communications (i.e., unused minutes, data, texts, etc.), and the like.
- the active hours may further depend on the day. As an example, active hours from Monday to Friday may be between 6 AM to 8 AM and 6 PM to 12 PM, while active hours on Saturdays and Sundays may be between 8 AM to 1 AM.
- the communication consumption patterns may be further represented as an average and/or per time period.
- isolated incidents may not be considered to be communication consumption patterns.
- An incident may be isolated if, e.g., that type of incident occurs below a predefined threshold in a given time period. As an example, if the communication device is used for a call with a person in England only once in a given year, that call with England may be considered as not being a communication consumption pattern.
- the fraud detection system 120 is configured to determine whether any of the monitored communications deviate from the communication consumption patterns. To this end, the fraud detection system may be configured to compare the monitored communications to the communication consumption patterns. In an embodiment, the fraud detection system is configured to determine that a monitored communication deviates from the communication consumption patterns if the monitored communication does not match any of the communication consumption patterns. It should be noted that the communication consumption patterns are generated based on monitored communication data gathered over time.
- the fraud detection system may be configured to determine whether the deviating communication is suspicious based on one or more suspicious attributes.
- the suspicious attributes may include, but are not limited to, suspicious source identifiers of entities known to make fraudulent communications, suspicious actions associated with fraudulent communications, combinations of suspicious actions, and the like.
- the suspicious attributes may be predetermined and/or may be determined based on previously identified fraud attempts.
- the fraud detection system 120 is configured to identify each suspicious communication as a fraud attempt.
- the fraud detection system 120 may be configured to automatically mitigate fraud attempts.
- Automatically mitigating fraud attempts may include, but is not limited to, sending a notification to a communications provider associated with the communication device, generating one or more electronic forms required for requesting removal of the fraud attempt from a communications statement (e.g., a monthly billing statement indicating communications consumption for the month), and the like.
- the forms may be electronic documents capable of accepting structured and/or semi-structured data, or that may otherwise be filled out electronically.
- a retrieved form may be a carrier agreement in a PDF document featuring fillable fields.
- the electronic forms may be generated based, at least in part, on the identifier associated with the communication device 130.
- the fraud detection system 120 may be further configured to send the electronic forms for execution by a user of the communication device 130.
- the fraud detection system 120 may be configured to automatically block, in real-time, a fraud attempt.
- the fraud detection system 120 may cause the communication device 130 to disconnect from a network.
- the blocking may include determining whether a communication is a fraud attempt based on communication parameters of the communication that do not require the communication to first be completed. For example, an identifier and/or time of the attempted communication may be utilized to determine whether a phone call is a fraud attempt even if the communication device has not yet answered the call.
- the fraud detection system 120 typically includes a processing system 122 coupled to a memory (mem) 124.
- the processing system 122 may comprise or be a component of a processor (not shown) or an array of processors coupled to the memory 124.
- the memory 124 contains instructions that can be executed by the processing system 122. The instructions, when executed by the processing unit 122, cause the processing system 122 to perform the various functions described herein.
- The one or more processors may be implemented with any combination of general-purpose microprocessors, multi-core processors, microcontrollers, digital signal processors (DSPs), field programmable gate arrays (FPGAs), programmable logic devices (PLDs), controllers, state machines, gated logic, discrete hardware components, dedicated hardware finite state machines, or any other suitable entities that can perform calculations or other manipulations of information.
- the processing system 122 may also include machine-readable media for storing software.
- Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing system to perform the various functions described herein.
- the fraud detection system 120 may reside in a cloud computing platform, a datacenter, and the like. Moreover, in an embodiment, there may be a plurality of fraud detection systems operating as described hereinabove and configured to either have one as a standby, to share the load between them, or to split the functions between them.
- Fraud identifiers may be retrieved from a single data source (e.g., a storage including information related to communication programs provided by various communications providers) without departing from the scope of the disclosure.
- Fig. 2 is an example flowchart 200 illustrating a method for identifying fraudulent communication attempts according to an embodiment.
- the method may be performed by any computational system (e.g., the fraud detection system 120). The method may begin in response to, but not limited to, receipt of a request to identify fraud attempts.
- an identifier associated with a communication device and/or with a user of the communication device is received.
- the identifier may be received from, e.g., the communication device.
- the identifier may be, but is not limited to, an identifier utilized by a communications provider to identify a customer associated with the communication device.
- Example identifiers may include, but are not limited to, a telephone number, an identification number, a name of a user of a communication device, a voice record, a user name, an email address, a social security number, combinations thereof, and the like.
- communication consumption analytics associated with the communication device are obtained.
- the communication consumption analytics may be retrieved based on the received identifier.
- the communication consumption analytics may be retrieved from a database of a communications provider associated with the communication device.
- the communication consumption analytics may be retrieved from an agent installed on the communication device. The communication consumption analytics may be retrieved based on, e.g., the identifier of the communication device.
- S220 may further include retrieving one or more images related to communication consumption by the communication device (e.g., scanned or otherwise captured bills or other documents indicating communication consumption by the communication device) and analyzing, by an optical recognition processor, the retrieved images to determine the communication consumption analytics.
- Each communication consumption pattern may include quantitative representations of communication parameters and may be, but are not limited to, average communications usage, numbers of communications to or from particular geographic locations, a number of times a communication consumption limit is reached, a number of times blocking and/or throttling thresholds are reached, active times (e.g., between 8 AM and 11 PM), an amount of data throttled, bandwidth, latency, total price, unused communications (i.e., unused minutes, data, texts, etc.), and the like.
- the communication consumption patterns may not include isolated incidents.
- An incident related to a communication may be isolated if, e.g., it appears below a predefined threshold number of times in a particular time period. For example, a threshold for international phone calls may be 4 phone calls per year. Thus, if an average number of phone calls per year from Africa as indicated by the communication consumption analytics is 3 or fewer, the calls from Africa may not be determined to be a communication consumption pattern.
- active times may be received from, e.g., a user of the communication device.
- a user may indicate active times of between 7 AM to 9 PM every day.
- the active times may be determined based on previous communications involving the communication device. Specifically, the active times may be determined based on beginning and/or end times of communications sent by and/or to the communication device, as well as one or more predetermined active time thresholds for particular time periods.
- an active time threshold for the time period between 8:00 AM and 8:15 AM is 5 communications per month
- the time period between 8:00 AM and 8:15 AM will not be determined to be an active time for a communication device sending and/or receiving an average of 3 communications between 8:00 AM and 8:15 AM per month.
- this example 15-minute time period is merely utilized to demonstrate a sample active time threshold and does not limit the disclosure. Other threshold time periods may be utilized without departing from the scope of the disclosed embodiments.
- the communication consumption patterns may be determined only for a time period immediately preceding the determination such as, but not limited to, a predetermined time period (e.g., 2 years prior), a time period following a particular event (e.g., since a purchase of the communication device, since beginning of a new communication program, etc.), and the like. Analyzing only recent communication consumption allows for reduced computing resource usage and more relevant communication consumption patterns, as communication consumption patterns may change over time.
- the monitoring may include retrieving communications data from, but not limited to, an agent executed on or accessed by the communication device, a communications provider server, and/or a database associated with a communications provider.
- the monitoring may include retrieving one or more images and analyzing, by an optical recognition processor, the images to identify the communications data.
- At S250, it is determined whether a monitored communication deviates from the determined communication consumption patterns and, if so, execution continues with S260; otherwise, execution continues with S280.
- S250 may further include comparing one or more communication parameters in the communications data to the communication consumption patterns.
- The communication parameters may include, but are not limited to, geographic locations of sender and/or recipients of the monitored communications, identifiers (e.g., phone number, email address, user name, etc.) of senders and/or recipients of the monitored communications, lengths of the monitored communications (e.g., a time period, a data size, a number of strings or characters, etc.), beginning and/or end times of communications (e.g., beginning at 1:00 PM and ending at 1:05 PM), and the like.
- a communication parameter may match a communication consumption pattern if, e.g., the communication consumption pattern represents that communication parameter.
- a text message received at 3 AM may be determined to deviate from the communication consumption patterns.
- a call from Germany may be determined to deviate from the communication consumption patterns.
- the suspiciousness determination may be based on one or more predetermined suspicious attributes associated with suspicious communications.
- the suspicious attributes may include, but are not limited to, identifiers of suspicious sources, suspicious actions, combinations of suspicious actions, and the like.
- the suspicious attributes may be retrieved from one or more data sources (e.g., the data sources 140). Determining suspicious communications is described further herein below with respect to Fig. 3.
- Each suspicious source identifier may be used to identify a sender and/or a receiver of a communication such as, but not limited to, a geographic location, a phone number, an email address, a user name, and the like.
- a particular phone number may be a suspicious source identifier. Accordingly, a call or text from that phone number may be determined to be suspicious.
- Each suspicious action may be determined based on one or more communication parameters of the monitored data.
- Example suspicious actions may include, but are not limited to, sending a communication having a length below a predetermined threshold, terminating a communication before a predetermined time threshold, sending a communication at a predetermined suspicious time, sending a communication using data above a predefined threshold (e.g., above 1100 bits for an SMS message), and any other potentially suspicious activity demonstrated via communication parameters.
- terminating a phone call having a time duration of less than 2 seconds (i.e., calling and immediately hanging up)
- sending a SMS message between predetermined suspicious hours of 2 AM to 3 AM may be a suspicious action.
- the suspicious communication is identified as a fraud attempt.
- S270 may further include automatically mitigating the fraud attempt.
- automatically mitigating the fraud attempt may include, but is not limited to, generating a notification indicating the fraud attempt with respect to the communication device and sending the notification to a communications provider associated with the communication device.
- automatically mitigating the fraud attempt may include retrieving one or more electronic forms for reporting fraudulent communications to a communications provider associated with the communication device, and generating a completed form based on the fraud attempt.
- the mitigation may be performed in real-time, thereby preventing, e.g., a communications limit (e.g., a throttling or other threshold) from being reached because of the fraud attempt.
- a phone number of a communication device to be monitored is received. Based on the phone number, communication consumption analytics related to phone calls and text messages sent by and to the communication device are retrieved. Based on the communication consumption analytics, communication consumption patterns are determined. The determined communication consumption patterns indicate that active times for both phone numbers and text messages are between 9 AM to 9 PM every day and that the communication device only receives communications from the United States.
- Communications sent by and to the communication device are monitored by retrieving communications data from an agent executed by the communication device. Each of the monitored communications is compared to the communication consumption parameters to determine deviations.
- a phone call initiated or attempted at 1 AM from the phone number 111-222-3333 deviates from the communication consumption patterns and, specifically, the typical active times for the communication device.
- suspicious attributes including suspicious source identifiers are retrieved.
- One of the suspicious source identifiers is the phone number 111-222-3333.
- a notification is generated and sent to the telecommunications provider for the communication device, thereby prompting the telecommunications provider to remove the phone call from a monthly billing statement.
- Fig. 3 is an example flowchart S260 illustrating a method for determining suspicious communications according to an embodiment.
- the method may begin when, for example, a communication is determined to deviate from one or more communication consumption patterns associated with a particular communication device.
- the suspicious attributes may be retrieved from, e.g., a database, one or more data sources (e.g., the data sources 140), and the like. In particular, retrieving the suspicious attributes from data sources may allow for use of the most up-to-date sets of suspicious attributes.
- the suspicious attributes are associated with fraudulent activity and may include, but are not limited to, suspicious source identifiers, suspicious actions, combinations of suspicious actions, and the like. In an embodiment, the suspicious attributes may be predetermined. In another embodiment, the suspicious attributes may be determined based on previous fraudulent communications.
- each suspicious attribute may be associated with one or more particular types of communication (e.g., a phone number may only be a suspicious attribute for phone communications).
- Each suspicious source identifier is an identifier of a known or suspected sender and/or receiver of fraudulent communications such as, but not limited to, a geographic location, a phone number, an email address, a user name, or any other identifier of a user and/or device communicating with the communication device.
- a suspicious source identifier may be associated with an entity known to send fraudulent communications (e.g., an email address on a spam email list), with an entity that does not send particular types of communications (e.g., for a telephonic communication, an identifier suggesting that the caller is the IRS, since the IRS does not typically initiate calls with taxpayers), and the like.
- Each suspicious action is an action associated with fraudulent communications such as, but not limited to, dialing and then immediately hanging up a call, communicating outside of active hours for the communication device, sending a communication having a data size above a predefined threshold, and the like.
- the suspicious actions may be expressed with respect to communication parameters such as, but not limited to, duration of communications, lengths of communications, times of communications, and the like.
- one or more communication parameters associated with the communication is determined.
- determining the communication parameters may include analyzing communications data associated with the communication.
- only communication parameters related to the suspicious attributes may be determined. As an example, if known suspicious attributes for telephonic communications include particular phone numbers and calls lasting less than 5 seconds, the determined communication parameters may only include a phone number and a duration of the communication. Determining only particular relevant communication parameters allows for reduced usage of computing resources.
- determining the communication parameters may further include retrieving one or more images featuring information related to the communication and analyzing, by an optical recognition processor, the one or more images to identify communications data in the images.
- the determined communication parameters are analyzed.
- the analysis may include, but is not limited to, comparing the determined communication parameters to the retrieved suspicious attributes.
- the communication is determined to be suspicious if one or more of the communication parameters associated with the communication matches a respective suspicious attribute.
- the communication is determined to be suspicious only if at least a predetermined number of the communication parameters match respective suspicious attributes. For example, a communication may only be determined to be suspicious if 3 or more of the communication parameters each match one of the suspicious attributes.
- Fig. 4 shows an example block diagram of the fraud detection system 120 implemented according to one embodiment.
- the fraud detection system 120 includes a processing system 410 coupled to a memory 415, a storage 420, an optical character recognition (OCR) processor 430, a network interface 440, and a communications analysis (CA) unit 450.
- the components of the fraud detection system 120 may be communicatively connected via a bus 460.
- the processing system 410 may be realized as one or more hardware logic components and circuits.
- illustrative types of hardware logic components include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.
- the memory 415 may be volatile (e.g., RAM, etc.), non-volatile (e.g., ROM, flash memory, etc.), or a combination thereof.
- computer readable instructions to implement one or more embodiments disclosed herein may be stored in the storage 420.
- the memory 415 is configured to store software.
- Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code).
- the instructions, when executed by the one or more processors, cause the processing system 410 to perform the various processes described herein. Specifically, the instructions, when executed, cause the processing system 410 to perform an on-demand authorization of access to protected resources, as discussed hereinabove.
- the memory 415 may further include a memory portion 417 including the instructions.
- the storage 420 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVDs), or any other medium which can be used to store the desired information.
- the storage 420 may store communication consumption patterns associated with one or more communication devices.
- the OCR processor 430 may include, but is not limited to, a feature and/or pattern recognition unit (RU) 435 configured to identify communication consumption analytics in images. Specifically, in an embodiment, the OCR processor 430 may be configured to identify characters and/or strings related to communication consumption in images of, e.g., bills or other reports from a communications provider. Any of the identified characters and/or strings may be identified as the communication consumption analytics and/or communications data.
- the network interface 440 allows the fraud detection system 120 to communicate with the communications provider server 150 and/or the communication device 130 for the purpose of, for example, retrieving communication consumption analytics, monitoring communication consumption by the communication device 130, and/or notifying the communication device 130 of fraud attempts and/or mitigation thereof.
- the communications analysis unit 450 may be configured to retrieve communication consumption analytics, to analyze the communication consumption analytics, to determine communication consumption patterns, to monitor communication consumption by the communication device 130, and to identify fraud attempts based on deviations from the communication consumption patterns.
- the communications analysis unit 450 may be further configured to automatically mitigate fraud attempts. To this end, the communications analysis unit 450 may be further configured to notify a communications provider of fraud attempts.
- the various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof.
- the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices.
- the application program may be uploaded to, and executed by, a machine comprising any suitable architecture.
- the machine is implemented on a computer platform having hardware such as one or more central processing units ("CPUs"), a memory, and input/output interfaces.
- the computer platform may also include an operating system and microinstruction code.
- a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Telephonic Communication Services (AREA)
Abstract
A system and method for identifying fraudulent communication attempts for a communication device. In an embodiment, the method includes analyzing communication consumption analytics associated with the communication device to determine at least one communication consumption pattern of the communication device; monitoring communications associated with the communication device; determining, for each monitored communication, whether the monitored communication deviates from the at least one communication consumption pattern; and determining, for each deviating communication, whether the deviating communication is suspicious based on at least one predetermined suspicious attribute, wherein each communication determined to be suspicious is identified as a fraud attempt.
Description
SYSTEM AND METHOD FOR IDENTIFYING FRAUDULENT COMMUNICATION ATTEMPTS
CROSS-REFERENCE TO RELATED APPLICATIONS
[001] This application claims the benefit of U.S. Provisional Application No. 62/157,983 filed on May 7, 2015, the contents of which are hereby incorporated by reference.
TECHNICAL FIELD
[002] The present disclosure relates generally to electronic communications, and more specifically to identifying attempts to make fraudulent electronic communications.
BACKGROUND
[003] With advances in mobile computing technology, use of mobile devices has become increasingly widespread. Although mobile devices have adopted a variety of useful features, one of the primary benefits of mobile devices remains the ability to communicate and share data with other people around the world. In particular, mobile devices may be able to access telecommunications networks in order to deliver communications to other mobile devices.
[004] Communication providers and carriers are constantly competing to attract users to their respective services, suggesting various different and often complicated plans for meeting the users' needs. These plans typically relate to communication programs for providing communications as well as pricing structures indicating the cost of various types and durations of communications. Frequently, users pay more than they expected or needed to as a result of the opaque or otherwise confusing nature of their communications plans.
[005] Additionally, many users are targeted by fraudulent communications. These fraudulent communications may be conducted for various reasons such as, for example, extracting information for use in identity theft or other scams, initiating communications subject to premium charges (e.g., premium calls costing the customer several dollars per minute), obtaining remote access to a communication device (by, e.g., prompting a user of the communication device to download malicious software), and the like. Even if a communications customer does not fall for the scam, the fraudulent communication may be treated as legitimate by the communications provider and, therefore, the customer may be charged for a communication he or she did not actually wish to receive. Additionally, if the fraudulent communication causes a customer's data usage to exceed a throttling threshold, the fraudulent communication may result in throttling, thereby decreasing performance by the communication device.
[006] Existing solutions for resolving such issues involve manually calling or otherwise contacting the communications provider and seeking removal of the fraudulent communications from a communications statement (e.g., a billing statement indicating amounts of communications used). Such solutions may lead to inconvenience and/or frustration. In some cases, the customer may not succeed in removing the communication from the statement. In particular, it may be difficult for a customer to prove that the communication was fraudulent, or the customer may not even realize that a fraudulent communication has occurred.
[007] It would therefore be advantageous to provide a solution that would overcome the deficiencies of the prior art.
SUMMARY
[008] A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
[009] The embodiments disclosed herein include a method for identifying fraudulent communication attempts for a communication device. The method comprises: analyzing communication consumption analytics associated with the communication device to determine at least one communication consumption pattern of the communication device; monitoring communications associated with the communication device; determining, for each monitored communication, whether the monitored communication deviates from the at least one communication consumption pattern; and determining, for each deviating communication, whether the deviating communication is suspicious based on at least one predetermined suspicious attribute, wherein each communication determined to be suspicious is identified as a fraud attempt.
[0010] The embodiments disclosed herein also include a system for identifying fraudulent communication attempts for a communication device. The system comprises: a processing unit; and a memory, the memory containing instructions that, when executed by the processing unit, configure the system to: analyze communication consumption analytics associated with the communication device to determine at least one communication consumption pattern of the communication device; monitor communications associated with the communication device; determine, for each monitored communication, whether the monitored communication deviates from the at least one communication consumption pattern; and determine, for each deviating communication, whether the deviating communication is suspicious based on at least one predetermined suspicious attribute, wherein each communication determined to be suspicious is identified as a fraud attempt.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
[0012] Figure 1 is a network diagram utilized to describe the various disclosed embodiments.
[0013] Figure 2 is a flowchart illustrating a method for identifying fraudulent communication attempts according to an embodiment.
[0014] Figure 3 is a flowchart illustrating a method for determining suspicious communications according to an embodiment.
[0015] Figure 4 is a schematic diagram of a fraud detection system according to an embodiment.
DETAILED DESCRIPTION
[0016] It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
[0017] According to various non-limiting embodiments, the term "communications provider" refers to any entity providing communications services such as, but not limited to, the Internet, cable, satellite, telecommunications (e.g., landline or wireless telecommunications), combinations thereof, and any other entity providing electronic and/or computerized communications.
[0018] Additionally, according to some embodiments, "sending a communication" may refer to any attempted or successful communication transmitted by or to a particular communication device such as, but not limited to, sending an email to or from an email address associated with the communication device, initiating a telephone or video call with the communication device (e.g., regardless of duration of the call), sending a text message to or from a phone number associated with the communication device, sending a SMS or other message based on an identifier (e.g., a username) associated with the communication device, and any other initiation or attempt at communication.
[0019] The various disclosed embodiments include a method and system for identifying fraudulent communication attempts. In an embodiment, communication consumption analytics associated with a communication device are analyzed to determine one or more communication consumption patterns of the communication device. Communications by the communication device are monitored. Based on the monitoring, it is determined whether any of the monitored communications deviate from the communication consumption patterns. It is further determined, based on one or more attributes identifying suspicious communications, whether each deviating communication is suspicious. Each deviating communication that is determined to be suspicious is identified as a fraud attempt.
[0020] Fig. 1 shows an example network diagram 100 utilized to describe the various disclosed embodiments. The network diagram 100 includes a fraud detection system 120, a communication device 130, a plurality of data sources 140-1 through 140-n (hereinafter referred to individually as a data source 140 and collectively as data sources 140, merely for simplicity purposes), and a communications provider (CP) server 150 communicatively connected via a network 110. The network 110 may be, but is not limited to, a wireless, cellular or wired network, a local area network (LAN), a wide area network (WAN), a metro area network (MAN), the Internet, the worldwide web (WWW), similar networks, and any combination thereof. In an embodiment, the communications provider server 150 may be communicatively connected to a database 160. In another embodiment, the database 160 may be communicatively connected via the network 110.
[0021] The communication device 130 may be a portable or non-portable device equipped with communications capabilities. The communication device 130 may be, but is not limited to, a mobile phone, a smart phone, a landline phone, a wearable computing device, a tablet computer, a laptop computer, a desktop computer, a smart television, and any other device capable of sending and/or receiving electronic or computerized communications.
[0022] In an embodiment, the communication device 130 may include an agent 135 configured to collect communications data based on detected communications and to generate communication consumption analytics based on the collected communications data. The agent 135 may be, but is not limited to, an application. An application executed or accessed via the communication device 130 may be, but is not limited to, a mobile application, a virtual application, a web application, a native application, and the like.
[0023] In another embodiment, the communications provider server 150 may collect communications data related to communications by the communication device 130 and generate communication consumption analytics based on the collected communications data. The communications provider server 150 may store the collected communications data and/or communication consumption analytics in the database 160.
[0024] The communications data may indicate communication parameters such as, but not limited to, a duration of a call, a length of a voice message, a length of a text message, and a data size of a communication. The communications data may also include metadata associated with a communication (e.g., metadata in a call detail record associated with the communication) indicating communications parameters.
[0025] The communication consumption analytics may include representations of communications consumption and, in particular, the communication parameters, such as, but not limited to, numbers of geographic locations of senders and/or recipients of communications (e.g. particular cities, states, countries, continents, etc.), beginning and end times of communications or communication sessions, numbers of communications occurring at particular time intervals (e.g., a number of calls occurring between 3 PM and 4 PM, a number of text messages sent between 12 AM and 1 AM, etc.), amounts of time spent on outgoing and/or incoming calls (e.g., duration in minutes), a number of messages sent to or from the communication device 130, time spent web browsing, an amount of data delivered, time spent roaming, and the like.
[0026] The data sources 140 may be web sources including, but not limited to, servers of communications providers. Each of the data sources 140 may include suspicious attributes associated with fraudulent communications. Each suspicious attribute may be, but is not limited to, a suspicious source identifier (e.g., a geographic location, name, user name, phone number, email address, etc.), a suspicious action (e.g., calling and immediately hanging up, communicating at a suspicious time, sending a communication having a length or data size below a predefined threshold, etc.), a combination of suspicious actions, and the like.
[0027] Each of the data sources 140 may optionally include an agent 145. Each agent 145 may be configured to crawl through its respective data source 140, to extract suspicious attributes associated with fraudulent communications, and to provide the extracted suspicious attributes to the fraud detection system 120. In another embodiment, the fraud detection system 120 may be configured to interact with the data sources 140 via an application programming interface (API).
[0028] In an embodiment, the fraud detection system 120 is configured to identify an attempt at a fraudulent communication (hereinafter a "fraud attempt") involving the communication device 130. Specifically, the fraud detection system 120 may be configured to monitor communications sent to and/or by the communication device 130 to identify deviations from communication consumption patterns representing typical communication tendencies associated with the communication device 130. Upon identifying a deviation from the communication consumption patterns of the communication device 130, the fraud detection system may be configured to determine whether the communication is suspicious and, if so, to identify the communication as a fraud attempt. To this end, in an embodiment, the fraud detection system 120 includes a communications analysis (CA) unit 126 configured to analyze communications data to identify deviating and/or suspicious communications.
[0029] In an embodiment, the fraud detection system 120 may be configured to begin monitoring the communications to and/or from the communication device 130 upon receiving a request from, e.g., the communication device 130, a user of the communication device 130, a communications provider (via, e.g., the communications provider server 150), and the like.
[0030] The monitoring may include, but is not limited to, retrieving communications data related to communications to and/or from the communication device 130. In an embodiment, the data may be retrieved via, but not limited to, the communications provider server 150 and/or the database 160, the agent 135, and the like. In a further embodiment, the fraud detection system 120 may be configured to retrieve images (e.g., of bills or other statements including information related to communications by the communication device 130) and to analyze, via an optical recognition processor, the retrieved images to identify communications data of communications sent to and/or by the communication device 130.
[0031] In an embodiment, the fraud detection system 120 may be configured to generate communication consumption analytics based on the monitored communications and/or to retrieve communication consumption analytics associated with the communication device 130. In a further embodiment, generating the communication consumption analytics may include, but is not limited to, analyzing communications data.
[0032] In another embodiment, the fraud detection system 120 is configured to retrieve communications data and/or communication consumption analytics associated with the communication device 130 using a received identifier of the communication device 130. In a further embodiment, the communications data and/or communication consumption analytics may be retrieved via the communications provider server 150 and/or the database 160.
[0033] In a further embodiment, the fraud detection system 120 is configured to receive an identifier associated with the communication device 130 and/or a user of the communication device 130. The identifier may be an indicator utilized to identify and extract communications data and/or communication consumption analytics of the communication device 130. Example identifiers may include, but are not limited to, a phone number of the communication device 130, an identification number associated with the communication device 130 and/or a user of the communication device 130, a name of a user of the communication device 130, a voice record of a user of the communication device 130, a social security number of a user of the communication device 130, a user name of a user of the communication device 130, an email address of a user of the communication device 130, combinations thereof, and the like.
[0034] In another embodiment, retrieving the communication consumption analytics may further include retrieving images including information related to the received identifier and analyzing the retrieved images to identify the communication consumption analytics. In a further embodiment, the fraud detection system 120 may be configured to cause an optical recognition processor (not shown in Fig. 1) to identify characters and strings in the retrieved images. The images may include, but are not limited to, images of billing statements or other documents featuring information related to communications by the communication device 130. Based on the identified characters and strings, the fraud detection system 120 may be configured to identify the communication consumption analytics.
[0035] The fraud detection system 120 may be configured to analyze the communication consumption analytics to determine one or more communication consumption patterns. Each communication consumption pattern may be a quantitative representation of a communication performance parameter such as, but not limited to, average communications usage, numbers of communications to or from particular geographic locations, a number of times a communication consumption limit is reached, a number of times blocking and/or throttling thresholds are reached, active hours (i.e., typical periods during which communications are sent to and/or from the communication device 130 such as, e.g., between 8 AM to 11 PM, between 5 PM to 10 PM and 6 AM to 12 PM, etc.), an amount of data throttled, bandwidth, latency, total price, unused communications (i.e., unused minutes, data, texts, etc.), and the like. The active hours may further depend on the day. As an example, active hours from Monday to Friday may be between 6 AM to 8 AM and 6 PM to 12 PM, while active hours on Saturdays and Sundays may be between 8 AM to 1 AM. The communication consumption patterns may be further represented as an average and/or per time period.
[0036] Optionally, isolated incidents may not be considered to be communication consumption patterns. An incident may be isolated if, e.g., that type of incident occurs below a predefined threshold in a given time period. As an example, if the communication device is used for a call with a person in England only once in a given year, that call with England may be considered as not being a communication consumption pattern.
[0037] Based on the monitored communications and the communication consumption patterns, the fraud detection system 120 is configured to determine whether any of the monitored communications deviate from the communication consumption patterns. To this end, the fraud detection system may be configured to compare the monitored communications to the communication consumption patterns. In an embodiment, the fraud detection system is configured to determine that a monitored communication deviates from the communication consumption patterns if the monitored communication does not match any of the communication consumption patterns. It should be noted that the communication consumption patterns are generated based on monitored communication data gathered over time.
[0038] For each deviating communication, the fraud detection system may be configured to determine whether the deviating communication is suspicious based on one or more suspicious attributes. The suspicious attributes may include, but are not limited to, suspicious source identifiers of entities known to make fraudulent communications, suspicious actions associated with fraudulent communications, combinations of suspicious actions, and the like. The suspicious attributes may be predetermined and/or may be determined based on previously identified fraud attempts. In an embodiment, the fraud detection system 120 is configured to identify each suspicious communication as a fraud attempt.
[0039] In a further embodiment, the fraud detection system 120 may be configured to automatically mitigate fraud attempts. Automatically mitigating fraud attempts may include, but is not limited to, sending a notification to a communications provider associated with the communication device, generating one or more electronic forms required for requesting removal of the fraud attempt from a communications statement (e.g., a monthly billing statement indicating communications consumption for the month), and the like. The forms may be electronic documents capable of accepting structured and/or semi-structured data, or that may otherwise be filled out electronically. As an example, a retrieved form may be a carrier agreement in a PDF document featuring fillable fields. The electronic forms may be generated based, at least in part, on the identifier associated with the communication device 130. The fraud detection system 120 may be further configured to send the electronic forms for execution by a user of the communication device 130.
[0040] In another embodiment, the fraud detection system 120 may be configured to automatically block, in real-time, a fraud attempt. For example, the fraud detection system 120 may cause the communication device 130 to disconnect from a network. As a result, the fraud attempt is prevented entirely. In an embodiment, the blocking may include determining whether a communication is a fraud attempt based on communication parameters of the communication that do not require the communication to first be completed. For example, an identifier and/or time of the attempted communication may be utilized to determine whether a phone call is a fraud attempt even if the communication device has not yet answered the call.
[0041] The fraud detection system 120 typically includes a processing system 122 coupled to a memory (mem) 124. The processing system 122 may comprise or be a component of a processor (not shown) or an array of processors coupled to the memory 124. The memory 124 contains instructions that can be executed by the processing system 122. The instructions, when executed by the processing unit 122, cause the processing system 122 to perform the various functions described herein. The one or more processors may be implemented with any combination of general-purpose microprocessors, multi-core processors, microcontrollers, digital signal processors (DSPs), field programmable gate array (FPGAs), programmable logic devices (PLDs), controllers, state machines, gated logic, discrete hardware components, dedicated hardware finite state machines, or any other suitable entities that can perform calculations or other manipulations of information.
[0042] The processing system 122 may also include machine-readable media for storing software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing system to perform the various functions described herein.
[0043] It should be understood that the embodiments disclosed herein are not limited to the specific architecture illustrated in Fig. 1, and other architectures may be equally used without departing from the scope of the disclosed embodiments. Specifically, the fraud detection system 120 may reside in a cloud computing platform, a datacenter, and the like. Moreover, in an embodiment, there may be a plurality of fraud detection systems operating as described hereinabove and configured to either have one as a standby, to share the load between them, or to split the functions between them.
[0044] It should be noted that the embodiments described herein above with respect to Fig. 1 are discussed as utilizing fraud identifiers retrieved from a plurality of data sources 140 merely for simplicity purposes and without limitation on the disclosed embodiments. Fraud identifiers may be retrieved from a single data source (e.g., a storage including information related to communication programs provided by various communications providers) without departing from the scope of the disclosure.
[0045] It should further be noted that the embodiments described herein above with respect to Fig. 1 are discussed with respect to a single communication device 130 merely for simplicity purposes and without limitation on the disclosed embodiments. Communication consumption by multiple communication devices may be analyzed to identify deviations from communication consumption patterns by any of the communication devices. Further, communication consumption analytics may be retrieved from multiple communications providers (via, e.g., multiple databases and/or communications provider servers) without departing from the scope of the disclosure.
[0046] It should be further noted that the embodiments described herein above with respect to Fig. 1 are discussed in relation to a user of the communication device 130 merely for simplicity purposes and without limitation on the disclosed embodiments. Any person having administrative privileges and/or payment responsibilities associated with the communication device 130 (e.g., a parent or guardian of a child using a communication device) may be utilized without departing from the scope of the disclosure.
[0047] Fig. 2 is an example flowchart 200 illustrating a method for identifying fraudulent communication attempts according to an embodiment. In an embodiment, the method may be performed by any computational system (e.g., the fraud detection system 120). The method may begin in response to, but not limited to, receipt of a request to identify fraud attempts.
[0048] At optional S210, an identifier associated with a communication device and/or with a user of the communication device is received. The identifier may be received from, e.g., the communication device. The identifier may be, but is not limited to, an identifier utilized by a communications provider to identify a customer associated with the communication device. Example identifiers may include, but are not limited to, a telephone number, an identification number, a name of a user of a communication device, a voice record, a user name, an email address, a social security number, combinations thereof, and the like.
[0049] At S220, communication consumption analytics associated with the communication device are obtained. In an embodiment, the communication consumption analytics may be retrieved based on the received identifier. In a further embodiment, the communication consumption analytics may be retrieved from a database of a communications provider associated with the communication device. In another embodiment, the communication consumption analytics may be retrieved from an agent installed on the communication device. The communication consumption analytics may be retrieved based on, e.g., the identifier of the communication device.
[0050] In an embodiment, S220 may further include retrieving one or more images related to communication consumption by the communication device and analyzing, by an optical recognition processor, the retrieved images to determine the communication consumption analytics. For example, such an image may include scanned or otherwise captured bills or other documents indicating communication consumption by the communication device.
[0051] At S230, based on the communication consumption analytics, one or more communication consumption patterns are determined. Each communication consumption pattern may include quantitative representations of communication parameters and may be, but are not limited to, average communications usage, numbers of communications to or from particular geographic locations, a number of times a communication consumption limit is reached, a number of times blocking and/or throttling thresholds are reached, active times (e.g., between 8 AM and 11 PM), an amount of data throttled, bandwidth, latency, total price, unused communications (i.e., unused minutes, data, texts, etc.), and the like.
[0052] In an embodiment, the communication consumption patterns may not include isolated incidents. An incident related to a communication may be isolated if, e.g., it appears below a predefined threshold number of times in a particular time period. For example, a threshold for international phone calls may be 4 phone calls per year. Thus, if an average number of phone calls per year from Africa as indicated by the communication consumption analytics is 3 or fewer, the calls from Africa may not be determined to be a communication consumption pattern.
[0053] In an embodiment, active times may be received from, e.g., a user of the communication device. As an example, a user may indicate active times of between 7 AM to 9 PM every day. In another embodiment, the active times may be determined based on previous communications involving the communication device. Specifically, the active times may be determined based on beginning and/or end times of communications sent by and/or to the communication device, as well as one or more predetermined active time thresholds for particular time periods. For example, if an active time threshold for the time period between 8:00 AM and 8:15 AM is 5 communications per month, then the time period between 8:00 AM and 8:15 AM will not be determined to be an active time for a communication device sending and/or receiving an average of 3 communications between 8:00 AM and 8:15 AM per month. It should be noted that this example 15-minute time period is merely utilized to demonstrate a sample active time threshold and does not limit the disclosure. Other threshold time periods may be utilized without departing from the scope of the disclosed embodiments.
[0054] In an embodiment, the communication consumption patterns may be determined only for a time period immediately preceding the determination such as, but not limited to, a predetermined time period (e.g., 2 years prior), a time period following a particular event (e.g., since a purchase of the communication device, since beginning of a new communication program, etc.), and the like. Analyzing only recent communication consumption allows for reduced computing resource usage and more relevant communication consumption patterns, as communication consumption patterns may change over time.
[0055] At S240, communications sent by and/or to the communication device are monitored. In an embodiment, the monitoring may include retrieving communications data from, but not limited to, an agent executed on or accessed by the communication device, a communications provider server, and/or a database associated with a communications provider. In a further embodiment, the monitoring may include retrieving one or more images and analyzing, by an optical recognition processor, the images to identify the communications data.
[0056] At S250, it is determined whether a monitored communication deviates from the determined communication consumption patterns and, if so, execution continues with S260; otherwise, execution continues with S280. In an embodiment, S250 may further include comparing one or more communication parameters in the communications data to the communication consumption patterns. The communication parameters may include, but are not limited to, geographic locations of sender and/or recipients of the monitored communications, identifiers (e.g., phone number, email address, user name, etc.) of senders and/or recipients of the monitored communications, lengths of the monitored communications (e.g., a time period, a data size, a number of strings or characters, etc.), beginning and/or end times of communications (e.g., beginning at 1:00 PM and ending at 1:05 PM), and the like.
[0057] In a further embodiment, it is determined that a communication deviates from the communication consumption patterns if any of the communication parameters does not match any of the communication consumption patterns. A communication parameter may match a communication consumption pattern if, e.g., the communication consumption pattern represents that communication parameter. As an example, if communication consumption patterns associated with the communication device indicate that active times for the communication device are between 8 AM and 10 PM, a text message received at 3 AM may be determined to deviate from the communication consumption patterns. As another example, if communication consumption patterns do not indicate that the communication device has previously received a call from Germany, a call from Germany may be determined to deviate from the communication consumption patterns.
[0058] At S260, upon determining that the monitored communication deviates from the communication consumption patterns, it is determined whether the deviating communication is suspicious and, if so, execution continues with S270; otherwise, execution continues with S280. The suspiciousness determination may be based on one or more predetermined suspicious attributes associated with suspicious communications. The suspicious attributes may include, but are not limited to, identifiers of suspicious sources, suspicious actions, combinations of suspicious actions, and the like. In an embodiment, the suspicious attributes may be retrieved from one or more data sources (e.g., the data sources 140). Determining suspicious communications is described further herein below with respect to Fig. 3.
[0059] Each suspicious source identifier may be used to identify a sender and/or a receiver of a communication such as, but not limited to, a geographic location, a phone number, an email address, a user name, and the like. As an example, Nigeria may be a suspicious source for a particular communication device. Accordingly, IP addresses associated with Nigeria may be suspicious source identifiers, and an email from a device assigned such a Nigerian IP address may be determined to be suspicious. As another example, a particular phone number may be a suspicious source identifier. Accordingly, a call or text from that phone number may be determined to be suspicious.
[0060] Each suspicious action may be determined based on one or more communication parameters of the monitored data. Example suspicious actions may include, but are not limited to, sending a communication having a length below a predetermined threshold, terminating a communication before a predetermined time threshold, sending a communication at a predetermined suspicious time, sending a communication using data above a predefined threshold (e.g., above 1100 bits for an SMS message), and any other potentially suspicious activity demonstrated via communication parameters. As an example, terminating a phone call having a time duration of less than 2 seconds (i.e., calling and immediately hanging up) may be a suspicious action. As another example, sending an SMS message between predetermined suspicious hours of 2 AM to 3 AM may be a suspicious action.
[0061] At S270, upon determining that the deviating communication is suspicious, the suspicious communication is identified as a fraud attempt.
[0062] In an embodiment, S270 may further include automatically mitigating the fraud attempt. In an embodiment, automatically mitigating the fraud attempt may include, but is not limited to, generating a notification indicating the fraud attempt with respect to the communication device and sending the notification to a communications provider associated with the communication device. In a further embodiment, automatically mitigating the fraud attempt may include retrieving one or more electronic forms for reporting fraudulent communications to a communications provider associated with the communication device, and generating a completed form based on the fraud attempt. In yet a further embodiment, the mitigation may be performed in real-time, thereby preventing, e.g., a communications limit (e.g., a throttling or other threshold) from being reached because of the fraud attempt.
[0063] At S280, it is determined whether additional monitored communications should be analyzed for deviations and, if so, execution continues with S250; otherwise, execution terminates.
[0064] As a non-limiting example, a phone number of a communication device to be monitored is received. Based on the phone number, communication consumption analytics related to phone calls and text messages sent by and to the communication device are retrieved. Based on the communication consumption analytics, communication consumption patterns are determined. The determined communication consumption patterns indicate that active times for both phone numbers and text messages are between 9 AM to 9 PM every day and that the communication device only receives communications from the United States.
[0065] Communications sent by and to the communication device are monitored by retrieving communications data from an agent executed by the communication device. Each of the monitored communications is compared to the communication consumption parameters to determine deviations. In particular, it is determined that a phone call initiated or attempted at 1 AM from the phone number 111-222-3333 deviates from the communication consumption patterns and, specifically, the typical active times for the communication device. Upon determining the deviation, suspicious attributes including suspicious source identifiers are retrieved. One of the suspicious source identifiers is the phone number 111-222-3333. Accordingly, it is determined that the 1 AM phone call is suspicious based on the identifier of the caller, and the 1 AM phone call is identified as a fraud attempt. A notification is generated and sent to the telecommunications provider for the communication device, thereby prompting the telecommunications provider to remove the phone call from a monthly billing statement.
[0066] Fig. 3 is an example flowchart S260 illustrating a method for determining suspicious communications according to an embodiment. In an embodiment, the method may begin when, for example, a communication is determined to deviate from one or more communication consumption patterns associated with a particular communication device.
[0067] At S310, one or more suspicious attributes are retrieved. The suspicious attributes may be retrieved from, e.g., a database, one or more data sources (e.g., the data sources 140), and the like. In particular, retrieving the suspicious attributes from data sources may allow for use of the most up-to-date sets of suspicious attributes. The suspicious attributes are associated with fraudulent activity and may include, but are not limited to, suspicious source identifiers, suspicious actions, combinations of suspicious actions, and the like. In an embodiment, the suspicious attributes may be predetermined. In another embodiment, the suspicious attributes may be determined based on previous fraudulent communications.
[0068] In an embodiment, only suspicious attributes relevant to the communication with the communication device may be retrieved. To this end, each suspicious attribute may be associated with one or more particular types of communication (e.g., a phone number may only be a suspicious attribute for phone communications).
[0069] Each suspicious source identifier is an identifier of a known or suspected sender and/or receiver of fraudulent communications such as, but not limited to, a geographic location, a phone number, an email address, a user name, or any other identifier of a user and/or device communicating with the communication device. For example, a suspicious source identifier may be associated with an entity known to send fraudulent communications (e.g., an email address on a spam email list), with an entity that does not send particular types of communications (e.g., for a telephonic communication, an identifier suggesting that the caller is the IRS, since the IRS does not typically initiate calls with taxpayers), and the like.
[0070] Each suspicious action is an action associated with fraudulent communications such as, but not limited to, dialing and then immediately hanging up a call, communicating outside of active hours for the communication device, sending a communication having a data size above a predefined threshold, and the like. The suspicious actions may be expressed with respect to communication parameters such as, but not limited to, duration of communications, lengths of communications, times of communications, and the like.
[0071] At S320, one or more communication parameters associated with the communication are determined. In an embodiment, determining the communication parameters may include analyzing communications data associated with the communication. In another embodiment, only communication parameters related to the suspicious attributes may be determined. As an example, if known suspicious attributes for telephonic communications include particular phone numbers and calls lasting less than 5 seconds, the determined communication parameters may only include a phone number and a duration of the communication. Determining only particular relevant communication parameters allows for reduced usage of computing resources.
[0072] In a further embodiment, determining the communication parameters may further include retrieving one or more images featuring information related to the communication and analyzing, by an optical recognition processor, the one or more images to identify communications data in the images.
[0073] At S330, the determined communication parameters are analyzed. The analysis may include, but is not limited to, comparing the determined communication parameters to the retrieved suspicious attributes.
[0074] At S340, based on the analysis, it is determined whether the communication is suspicious. In an embodiment, the communication is determined to be suspicious if one or more of the communication parameters associated with the communication matches a respective suspicious attribute. In a further embodiment, the communication is determined to be suspicious only if at least a predetermined number of the communication parameters match respective suspicious attributes. For example, a communication may only be determined to be suspicious if 3 or more of the communication parameters each match one of the suspicious attributes.
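The two-stage flow of Figs. 2 and 3 (pattern building at S230, the deviation check at S250, attribute matching at S310 through S340 and the verdict at S270) can be sketched as follows. This is an added example, not code from the patent: the `Comm` record, the function names, the 555 numbers and the sample history are constructed, and the isolated-incident and active-time thresholds are applied to raw counts over the history window rather than to per-month or per-year averages.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Comm:
    kind: str        # "call" or "sms"
    source: str      # identifier of the other party
    country: str     # geographic location of the other party
    hour: int        # local start hour, 0-23
    duration_s: int  # call duration in seconds (0 for SMS or unanswered)


def build_patterns(history, min_per_country=4, min_per_hour=5):
    """S230: keep only values seen at least the threshold number of times;
    rarer values are isolated incidents and form no pattern."""
    countries = Counter(c.country for c in history)
    hours = Counter(c.hour for c in history)
    return {
        "countries": {k for k, n in countries.items() if n >= min_per_country},
        "active_hours": {h for h, n in hours.items() if n >= min_per_hour},
    }


def deviations(comm, patterns):
    """S250: list the parameters that match none of the patterns."""
    found = []
    if comm.country not in patterns["countries"]:
        found.append("country")
    if comm.hour not in patterns["active_hours"]:
        found.append("hour")
    return found


# Suspicious attributes (S310): name, kinds of communication it applies to,
# predicate. The values are the examples given in the description.
SUSPICIOUS_ATTRIBUTES = [
    ("source 111-222-3333", {"call", "sms"}, lambda c: c.source == "111-222-3333"),
    ("call shorter than 2 s", {"call"}, lambda c: c.duration_s < 2),
    ("SMS between 2 AM and 3 AM", {"sms"}, lambda c: c.hour == 2),
]


def matched_attributes(comm, attributes=SUSPICIOUS_ATTRIBUTES):
    """S320-S330: evaluate only attributes relevant to this kind of communication."""
    return [name for name, kinds, test in attributes
            if comm.kind in kinds and test(comm)]


def classify(comm, patterns, attributes=SUSPICIOUS_ATTRIBUTES, min_matches=1):
    """S250-S270: return (verdict, deviating parameters, matched attributes)."""
    dev = deviations(comm, patterns)
    if not dev:
        return ("normal", [], [])            # S250 -> S280, S260 is not run
    hits = matched_attributes(comm, attributes)
    if len(hits) >= min_matches:             # S340 match-count threshold
        return ("fraud_attempt", dev, hits)  # S270
    return ("deviating", dev, hits)


def sample_history():
    """Constructed data: 6 US calls in every hour from 9 AM up to 9 PM,
    3 US calls at 8 AM and a single call from GB."""
    history = [Comm("call", "555-0100", "US", h, 120)
               for h in range(9, 21) for _ in range(6)]
    history += [Comm("call", "555-0100", "US", 8, 60)] * 3
    history.append(Comm("call", "555-0199", "GB", 14, 300))
    return history


if __name__ == "__main__":
    patterns = build_patterns(sample_history())
    for comm in (
        Comm("call", "111-222-3333", "US", 1, 0),  # 1 AM, listed source
        Comm("call", "555-0142", "US", 1, 300),    # 1 AM, nothing listed
        Comm("call", "555-0100", "US", 12, 120),   # inside the patterns
    ):
        print(comm.source, comm.hour, classify(comm, patterns))
```

Raising `min_matches` reproduces the stricter embodiment of S340, in which a deviating communication is reported only when several parameters match suspicious attributes.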
[0075] Fig. 4 shows an example block diagram of the fraud detection system 120 implemented according to one embodiment. The fraud detection system 120 includes a processing system 410 coupled to a memory 415, a storage 420, an optical character recognition (OCR) processor 430, a network interface 440, and a communications analysis (CA) unit 450. In an embodiment, the components of the fraud detection system 120 may be communicatively connected via a bus 460.
[0076] The processing system 410 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), Application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.
[0077] The memory 415 may be volatile (e.g., RAM, etc.), non-volatile (e.g., ROM, flash memory, etc.), or a combination thereof. In one configuration, computer readable instructions to implement one or more embodiments disclosed herein may be stored in the storage 420.
[0078] In another embodiment, the memory 415 is configured to store software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing system 410 to perform the various processes described herein. Specifically, the instructions, when executed, cause the processing system 410 to perform an on-demand authorization of access to protected resources, as discussed hereinabove. In a further embodiment, the memory 415 may further include a memory portion 417 including the instructions.
[0079] The storage 420 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVDs), or any other medium which can be used to store the desired information. The storage 420 may store communication consumption patterns associated with one or more communication devices.
[0080] The OCR processor 430 may include, but is not limited to, a feature and/or pattern recognition unit (RU) 435 configured to identify communication consumption analytics in images. Specifically, in an embodiment, the OCR processor 430 may be configured to identify characters and/or strings related to communication consumption in images of, e.g., bills or other reports from a communications provider. Any of the identified characters and/or strings may be identified as the communication consumption analytics and/or communications data.
[0081] The network interface 440 allows the fraud detection system 120 to communicate with the communications provider server 150 and/or the communication device 130 for the purpose of, for example, retrieving communication consumption analytics, monitoring communication consumption by the communication device 130, and/or notifying the communication device 130 of fraud attempts and/or mitigation thereof.
[0082] The communications analysis unit 450 may be configured to retrieve communication consumption analytics, to analyze the communication consumption analytics, to determine communication consumption patterns, to monitor communication consumption by the communication device 130, and to identify fraud attempts based on deviations from the communication consumption patterns. The communications analysis unit 450 may be further configured to automatically mitigate fraud attempts. To this end, the communications analysis unit 450 may be further configured to notify a communications provider of fraud attempts.
[0083] It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in Fig. 4, and other architectures may be equally used without departing from the scope of the disclosed embodiments.
[0084] The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units ("CPUs"), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
[0085] All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
Claims
1. A method for identifying fraudulent communication attempts for a communication device, comprising:
analyzing communication consumption analytics associated with the communication device to determine at least one communication consumption pattern of the communication device;
monitoring communications associated with the communication device;
determining, for each monitored communication, whether the monitored communication deviates from the at least one communication consumption pattern; and
determining, for each deviating communication, whether the deviating communication is suspicious based on at least one predetermined suspicious attribute, wherein each communication determined to be suspicious is identified as a fraud attempt.
2. The method of claim 1, wherein each suspicious attribute is any of: an identifier of a suspicious source, and at least one suspicious action.
3. The method of claim 2, wherein determining whether the deviating communication is suspicious further comprises:
determining a source identifier of a sender or of a receiver of the deviating communication; and
matching the determined source identifier to the at least one suspicious attribute, wherein the deviating communication is determined to be suspicious if the determined source identifier matches any of the at least one suspicious attribute.
4. The method of claim 1, wherein determining whether each monitored communication deviates from the at least one communication consumption pattern further comprises:
comparing at least one communication parameter associated with the monitored communication to the at least one communication consumption pattern.
5. The method of claim 1, wherein analyzing the communication consumption analytics further comprises:
receiving an identifier associated with the communication device; and
retrieving the communication consumption analytics based on the received identifier.
6. The method of claim 5, wherein retrieving the communication consumption analytics further comprises:
retrieving at least one image based on the received identifier; and
analyzing, by an optical recognition processor, the at least one image to determine the communication consumption analytics.
7. The method of claim 5, wherein monitoring the communications associated with the communication device further comprises:
retrieving at least one image based on the received identifier; and
analyzing, by an optical recognition processor, the at least one image to identify at least one communication parameter associated with each monitored communication.
8. The method of claim 1, wherein each communication consumption pattern is a quantitative representation of previous communications associated with the communication device.
9. The method of claim 1, further comprising:
upon identifying a fraud attempt, sending a notification to a communications provider associated with the communication device, wherein the notification indicates the fraud attempt.
10. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to claim 1.
11. A system for identifying fraudulent communication attempts for a communication device, comprising:
a processing unit; and
a memory, the memory containing instructions that, when executed by the processing unit, configure the system to:
analyze communication consumption analytics associated with the communication device to determine at least one communication consumption pattern of the communication device;
monitor communications associated with the communication device;
determine, for each monitored communication, whether the monitored communication deviates from the at least one communication consumption pattern; and
determine, for each deviating communication, whether the deviating communication is suspicious based on at least one predetermined suspicious attribute, wherein each communication determined to be suspicious is identified as a fraud attempt.
12. The system of claim 11, wherein each suspicious attribute is any of: an identifier of a suspicious source, and at least one suspicious action.
13. The system of claim 12, wherein the system is further configured to:
determine a source identifier of a sender or of a receiver of the deviating communication; and
match the determined source identifier to the at least one suspicious attribute, wherein the deviating communication is determined to be suspicious if the determined source identifier matches any of the at least one suspicious attribute.
14. The system of claim 11, wherein the system is further configured to:
compare at least one communication parameter associated with the monitored communication to the at least one communication consumption pattern.
15. The system of claim 11, wherein the system is further configured to:
receive an identifier associated with the communication device; and
retrieve the communication consumption analytics based on the received identifier.
16. The system of claim 15, wherein the system is further configured to:
retrieve at least one image based on the received identifier; and
analyze, by an optical recognition processor, the at least one image to determine the communication consumption analytics.
17. The system of claim 15, wherein the system is further configured to:
retrieve at least one image based on the received identifier; and
analyze, by an optical recognition processor, the at least one image to identify at least one communication parameter associated with each monitored communication.
18. The system of claim 11, wherein each communication consumption pattern is a quantitative representation of previous communications associated with the communication device.
19. The system of claim 11, wherein the system is further configured to:
upon identifying a fraud attempt, send a notification to a communications provider associated with the communication device, wherein the notification indicates the fraud attempt.
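The two-stage check recited in claims 1 to 4 and 8 can be sketched as follows; this is an added illustration, not code from the patent or its applicant. The `Comm` record, the duration-based pattern, the threshold `k`, the action labels and all sample numbers are assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Comm:
    peer: str              # source identifier of the other party (claim 3)
    minutes: float         # communication parameter compared in claim 4
    action: str = "call"   # label checked against suspicious actions (claim 2)

def build_pattern(history):
    """Claim 8: a quantitative representation of previous communications."""
    durations = [c.minutes for c in history]
    return {"peers": {c.peer for c in history},
            "mean": mean(durations), "std": pstdev(durations)}

def deviates(comm, pattern, k=3.0):
    """Claim 4: compare the communication's parameters to the pattern."""
    limit = pattern["mean"] + k * max(pattern["std"], 1.0)  # floor avoids a zero-width band
    return comm.peer not in pattern["peers"] or comm.minutes > limit

def is_suspicious(comm, bad_sources, bad_actions):
    """Claims 2-3: match the source identifier or action to predetermined attributes."""
    return comm.peer in bad_sources or comm.action in bad_actions

def identify_fraud(history, monitored, bad_sources, bad_actions):
    """Claim 1: only deviating communications reach the suspicious-attribute check."""
    pattern = build_pattern(history)
    return [c for c in monitored
            if deviates(c, pattern) and is_suspicious(c, bad_sources, bad_actions)]

# Constructed sample data; numbers use the reserved 555-01xx fictional range.
HOME, WORK = "+1-202-555-0101", "+1-202-555-0102"
HISTORY = [Comm(HOME, 2), Comm(WORK, 3), Comm(HOME, 4), Comm(WORK, 3), Comm(HOME, 2)]
BAD_SOURCES = {"+1-202-555-0199", WORK}   # WORK listed to show the deviation gate
BAD_ACTIONS = {"premium_call"}
MONITORED = [
    Comm(HOME, 3),                               # in pattern: ignored
    Comm("+1-202-555-0150", 2),                  # deviates (new peer), nothing suspicious
    Comm("+1-202-555-0151", 1, "premium_call"),  # deviates + suspicious action
    Comm("+1-202-555-0199", 1),                  # deviates + suspicious source
    Comm(WORK, 3),                               # listed source but in pattern: not checked
]

if __name__ == "__main__":
    for c in identify_fraud(HISTORY, MONITORED, BAD_SOURCES, BAD_ACTIONS):
        print("fraud attempt:", c)  # claim 9 would notify the provider here
```

The last sample row shows a consequence of the claim wording: because the attribute match runs only on deviating communications, a listed source that already appears in the device's history is never evaluated.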
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201562157983P | 2015-05-07 | 2015-05-07 | |
US62/157,983 | 2015-05-07 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016179391A1 (en) | 2016-11-10 |
Family
ID=57218416
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2016/030981 WO2016179391A1 (en) | 2015-05-07 | 2016-05-05 | System and method for identifying fraudulent communication attempts |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2016179391A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6914968B1 (en) * | 1999-08-05 | 2005-07-05 | Vtech Communications, Ltd. | Method and apparatus for telephone call fraud detection and prevention |
US20090083184A1 (en) * | 2007-09-26 | 2009-03-26 | Ori Eisen | Methods and Apparatus for Detecting Fraud with Time Based Computer Tags |
US7978901B1 (en) * | 2006-12-15 | 2011-07-12 | First Data Corporation | Centralized processing of checks for distributed merchant locations |
- 2016-05-05 WO PCT/US2016/030981 patent/WO2016179391A1/en active Application Filing
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10797974B2 (en) | Enterprise server behavior profiling | |
CN110798472B (en) | Data leakage detection method and device | |
US20240121256A1 (en) | Method and system for preventing illicit use of a telephony platform | |
CN102694900B (en) | Phone call intercepting method and device | |
US10938844B2 (en) | Providing security through characterizing mobile traffic by domain names | |
CN105577602B (en) | Data push method and device based on open application programming interface | |
US9106603B2 (en) | Apparatus, method and computer-readable storage mediums for determining application protocol elements as different types of lawful interception content | |
Wijnberg et al. | Identifying interception possibilities for WhatsApp communication | |
CN110995695A (en) | Abnormal account detection method and device, electronic device and storage medium | |
CN103415004B (en) | A kind of method and device detecting junk short message | |
US9191354B2 (en) | Maintaining and updating notification registration information | |
CN113727351B (en) | Communication fraud identification method and device and electronic equipment | |
WO2014194827A1 (en) | Method and device for mobile terminal to process visualization graphics code | |
US20230300126A1 (en) | Computer-based systems configured for one-time passcode (otp) protection and methods of use thereof | |
CN108696626A (en) | The treating method and apparatus of invalid information | |
CN114168423A (en) | Abnormal number calling monitoring method, device, equipment and storage medium | |
CN111104462B (en) | Task distribution method, device and system based on blockchain | |
CN108924840B (en) | Blacklist management method and device and terminal | |
WO2016037489A1 (en) | Method, device and system for monitoring rcs spam messages | |
CN106897619B (en) | Mobile terminal malware perception method and device | |
WO2016179391A1 (en) | System and method for identifying fraudulent communication attempts | |
CN106408425A (en) | Social information cautioning method, apparatus and cautioning server | |
US10698959B1 (en) | Social warning system | |
Osho et al. | Mobile spamming in Nigeria: An empirical survey | |
US20190158989A1 (en) | System and method for facilitating communications between inmates and non-inmates |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16790083; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 16790083; Country of ref document: EP; Kind code of ref document: A1 |