What traffic thresholds indicate AIT fraud?

Key AIT detection thresholds: >50 calls per hour to a single international destination, >£500 daily international spend per customer (reseller customer baseline), >90% answer rate to premium destinations (normal is 30-40%), calls outside business hours to high-risk prefixes (Cuba +53, Somalia +252, Latvia +371 premium ranges).

How quickly must AIT incidents be contained?

Industry best practice under Ofcom GC C1: detect within 15 minutes, contain within 30 minutes, customer notification within 1 hour, Ofcom notification within 24 hours for major incidents (>£10,000 or >1,000 calls). Failure to contain promptly may constitute failure to take 'reasonable steps' under GC C1.

When must I report AIT to Ofcom?

Report to Ofcom when: financial loss exceeds £10,000, more than 1,000 fraudulent calls originated, fraud involves CLI spoofing of UK public services, or you identify a new fraud vector not on industry watchlists. Use the Ofcom enforcement contact form or email enforcement@ofcom.org.uk.

What evidence must be retained for AIT incidents?

Retain for minimum 3 years: CDR records showing fraud traffic, alert timestamps and response actions, containment decision logs, customer communications, Ofcom/TUFF notifications, post-incident review documents. Store in tamper-evident format for regulatory evidence.

Operational SOP

AIT Prevention Standard Operating Procedure

Step-by-step fraud detection and response for UK communication providers under Ofcom GC C1.

By Andrew James-Smith | Updated February 2026 | Reference Document

What You Learn

✓ Authority Induced Transaction prevention
✓ SOP implementation steps
✓ Staff training requirements
✓ Risk mitigation protocols

Who It's For

• Sales managers
• Compliance teams
• Training staff
• Customer-facing operations

← Back to GC C1 Fraud Prevention Guide

Bottom Line Up Front

AIT (Artificial Inflation of Traffic) is the #1 cause of Ofcom enforcement against communication providers. This SOP covers: detection thresholds (>50 calls/hour trigger), response times (contain within 30 mins), escalation matrix, and Ofcom reporting requirements. Failure to implement "reasonable steps" under GC C1 risks fines up to 10% of turnover.

Detection Thresholds

Configure your traffic monitoring system to alert on these thresholds. Values are calibrated for typical telecom reseller customer profiles:

>50

Calls/hour to single destination

Normal: 5-10 for contact centres

£500

Daily international spend

Per customer, reseller baseline

>90%

Answer rate to premium

Normal: 30-40% for legitimate

15 min

Maximum detection time

From fraud start to alert

High-Risk Destination Prefixes

Prefix	Country	Risk Type	Action
+53	Cuba	IRSF revenue share	Alert + credit check
+252	Somalia	IRSF revenue share	Alert + credit check
+371 900	Latvia premium	Premium rate fraud	Block by default
+882	Satellite	High cost termination	Require pre-approval
+870	Inmarsat	High cost termination	Require pre-approval
+881	Global Mobile Satellite	High cost termination	Require pre-approval

Response Procedure

Within 15 minutes of alert

Acknowledge and Triage

Acknowledge alert in monitoring system (creates timestamp evidence)
Pull last 60 minutes CDRs for affected CLI/customer
Classify: False positive / Suspicious / Confirmed AIT
If >£1,000 exposure already: escalate to Step 2 immediately

Within 30 minutes

Containment

Block outbound international for affected CLI range
Set account credit limit to £0 pending review
If PBX compromise suspected: disable SIP credentials
Preserve CDR evidence (export to secure storage)
Do not delete or modify any records

Within 1 hour

Customer Notification

Phone call to account holder (logged)
If PBX hack: advise immediate password change, vendor contact
Email confirmation of restrictions applied
Provide incident reference number
Do not discuss liability at this stage

Within 24 hours

Documentation and Reporting

Complete incident report template (see below)
Calculate total financial exposure
If >£10,000 or >1,000 calls: notify Ofcom
Submit to TUFF (Telecoms UK Fraud Forum) intelligence sharing
Update internal fraud blacklist

Within 5 working days

Post-Incident Review

Root cause analysis: how did fraud bypass controls?
Review and update detection thresholds if needed
Brief operations team on lessons learned
Update customer onboarding checks if pattern identified
File review document for GC C1 compliance evidence

Escalation Matrix

Response Levels by Severity

Severity

Criteria

Escalation

Low

<£100 exposure, single customer, known pattern

NOC team resolve, log only

Medium

£100-£1,000 exposure, or unknown pattern

NOC + Fraud Lead review within 2 hours

High

£1,000-£10,000 exposure, or multiple customers

Fraud Lead + Operations Director within 1 hour

Critical

>£10,000 exposure, CLI spoofing of public services, or >1,000 calls

MD + Legal + Ofcom notification within 24h

Incident Report Template

# AIT INCIDENT REPORT

Incident Reference: AIT-[YYYY]-[###]
Date Detected: [DD/MM/YYYY HH:MM]
Date Contained: [DD/MM/YYYY HH:MM]
Date Closed: [DD/MM/YYYY]

## AFFECTED ENTITY
Customer Account: [Account ID]
CLI Range: [01onal/07xxx xxx xxx]
Service Type: [SIP Trunk / Hosted PBX / Mobile]

## FRAUD DETAILS
Total Calls: [Number]
Total Duration: [Minutes]
Destinations: [List countries/prefixes]
Financial Exposure: £[Amount]
Actual Loss: £[Amount]

## DETECTION
Alert Type: [Threshold / Manual / External report]
Detection Time: [Minutes from first fraud call]
Detection Method: [CDR analysis / Real-time monitor / Customer report]

## RESPONSE
Containment Time: [Minutes from detection]
Actions Taken: [Block / Suspend / Credential reset]
Customer Notified: [Yes/No] [Time]
Ofcom Notified: [Yes/No/N-A] [Reference]
TUFF Submitted: [Yes/No] [Date]

## ROOT CAUSE
Attack Vector: [PBX hack / Credential theft / Insider / Unknown]
Control Failure: [Detection gap / Response delay / None]

## REMEDIATION
Threshold Changes: [Description or N/A]
Blacklist Updates: [Prefixes added]
Process Changes: [Description or N/A]

Prepared By: [Name]
Reviewed By: [Fraud Lead]
Date: [DD/MM/YYYY]
                

Ofcom Reporting Requirements

Trigger	Reporting Channel	Deadline
Loss >£10,000	enforcement@ofcom.org.uk	24 hours
>1,000 fraudulent calls	enforcement@ofcom.org.uk	24 hours
CLI spoofing of emergency services/govt	enforcement@ofcom.org.uk + Action Fraud	Immediate
New fraud vector discovery	TUFF intelligence sharing	48 hours
Suspected organised crime	Action Fraud (0300 123 2040)	Immediate

Evidence to include: Incident reference, CDR summary, timeline of detection/response, containment actions, financial exposure, suspected attack vector.

AIT Prevention Standard Operating Procedure

What You Learn

Who It's For

Detection Thresholds

High-Risk Destination Prefixes

Response Procedure

Acknowledge and Triage

Containment

Customer Notification

Documentation and Reporting

Post-Incident Review

Escalation Matrix

Response Levels by Severity

Incident Report Template

Ofcom Reporting Requirements

Related Guides

Related Pages

GC C1 Fraud Prevention

Ofcom Compliance Checklist

Regulatory Risk Assessment

What You Learn

Who It's For

Detection Thresholds

High-Risk Destination Prefixes

Response Procedure

Acknowledge and Triage

Containment

Customer Notification

Documentation and Reporting

Post-Incident Review

Escalation Matrix

Response Levels by Severity

Incident Report Template

Ofcom Reporting Requirements

Related Guides

GC C1 Fraud Prevention

Compliance Checklist 2026

UK Telecom Compliance

Related Pages

GC C1 Fraud Prevention

Ofcom Compliance Checklist

Regulatory Risk Assessment