PBX Fraud: Stay Informed Against Fraudulent Calls
If a PBX system is not maintained and secured; it can be an easy target for those with a mind to commit long distance and international toll fraud. As the owner of your PBX system, it is your responsibility to take measures to protect yourself from this type of fraud. We have created this information guide to help you protect your business from PBX toll fraud.
How do they do it?
Typically unauthorized access is gained through the PBX’s maintenance port, voice mail (if voice mail can be accessed remotely) or the Direct Inward System Access (DISA) feature of a PBX. Some hackers call in on toll free lines intended for customer use; some use stolen calling cards; and some will even impersonate someone else to social engineer their way into your system.
Most PBXs today are software driven and, when configured improperly, can allow hackers to access the system remotely. PBX administrators usually manage the system using a PBX maintenance port by interconnecting from their remote service centers. By controlling this PBX maintenance port, hackers can change the call routing configuration, alter passwords, add or delete extensions, or shut down a PBX, all of which adversely impact business operations.
Some voicemail systems can be accessed remotely and programmed to make outbound calls. The hacker will search for voice mailboxes that still have active default passwords or have passwords with easy sequence combinations; i.e., 123456. Hackers use the outbound calling feature to forward calls to a “phantom” mail box that will give a dial tone. This allows them to make domestic or international calls from anywhere on your business account at your expense. Hackers can also gain access to your mailbox to listen to your messages, change your greeting or delete your messages.
DISA is a feature enabling remote users access to an outside line via a PBX with authorization codes. This is a very useful feature for employees who are on the road a lot or who frequently make long distance calls or international conference calls after business hours. By gaining access to this feature, hackers can access an outside line and make domestic or international toll calls at the expense of your business.
How can we avoid fraud?
As the owner of a telephone system, it is your responsibility to secure your system to prevent unauthorized access. Having a properly secured telephone system is the best way to prevent telephone hacking and mitigate the potential damage and resulting costs to your business. The following are some industry best practice guidelines that, if followed, could help reduce the risk of telephone hacking. You may have to consult your equipment vendor to assist in securing your system security efforts.
- Strengthen your passwords. Do not use default passwords with easy sequence combinations; i.e., 123456.
- Disable the external call forwarding feature in voice mail, unless it is absolutely required.
- Remove any inactive mailboxes.
- Check your recorded announcement regularly to ensure the greeting is indeed yours. Hackers tend to attack voice mailboxes at the start of weekends or holidays.
- Consider disabling the remote notification, auto-attendant, call-forwarding and out-dialing capabilities from voicemail if these features are not used.
- Consider restricting international or long distance destinations to which your company does not require access. Restrictions should also include 1-900 calls and 1010 casual dialing within the PBX/Voice Mail system. While you can request this of your phone company, you should also set these restrictions up in your phone system. It is important to understand that if your provider blocks international calls, this will not block calls to certain locations outside the U.S. but still within the “North American Numbering Plan” (i.e. they have an area code and are dialed like any other toll call). These locations include Canada, Puerto Rico, US Virgin Islands and other Caribbean countries such as Jamaica and the Bahamas.
- When an extension is no longer required, it should be canceled, along with associated features and access rights such as outbound toll and international dialing.
- Monitor your calls. Familiarize yourself with your company’s call patterns and monitor them regularly.
- Look for any suspicious call activity after hours, including weekends and public holidays.
- Keep your PBX in a secured location that can only be accessed by authorized personnel and verify any technicians’ identity that requests access to your PBX equipment.
When I get hacked, who is going to pay for the calls?
Your business, not your phone service provider, is responsible for all charges incurred on your system due to fraud (including toll fraud), abuse, or misuse of services, whether known or unknown, and whether or not your phone service provider takes any actions to stop or block Toll Fraud. The responsibility for the security of your PBX system is yours and you should take steps to protect your assets.
Why is identifying or stopping the fraudulent calls the customer’s responsibility?
Only the customer can differentiate legitimate calls from fraudulent ones. Your phone service provider does not have access or permission to work on your PBX, the vehicle that hackers use most to conduct their activities.
How do I provide continued protection from fraud for my business?
The better informed you are, the better protected you are from the risks. Stay on top of the current threats; establish and follow a policy on security, secure your system configuration, set-up a team approach to security and service & work with your equipment vendor. Do not let your business be taken by surprise. This is one disaster that is very predictable and equally preventable. Remember that you will likely be a victim of fraud attacks and that you, and only you, control the severity of these attacks. Hackers are much easier to stop from breaking in than they are to evict.