Telecom fraud, also known as communications fraud or toll fraud, is a serious threat that can have devastating consequences for businesses. Communications fraud in 2017 is estimated to have cost over $29 billion globally, according to the most recent report from the Communications Fraud Control Association. PBX or IP-PBX hacking alone caused nearly $4 billion. Bringing it closer to home: I work with a local business that was targeted twice between September and October of 2018. The second instance resulted in charges of nearly $30,000 over a single weekend.
What is toll fraud?
Toll fraud occurs when your phone system is re-programmed to route incoming calls to an offshore destination that charges you a toll for every minute of talk time (in some cases, nearly 50 cents per minute). Next, these same perpetrators place as many calls as they can to your business, forcing your phone system to connect them to the toll-charging destination. Depending on the severity of the attack, your business can end up owing hundreds, thousands, or tens of thousands of dollars in a very short amount of time.
How does toll fraud happen?
Typically, premise-based phone systems (PBXs) are externally accessible so that they can be administered remotely by phone vendors, IT managers, etc. Older phone systems provided an administrator voicemail box that could be accessed over the phone, or remote modem access to the system programming software. Newer phone systems such as an IP-PBX allow access via the public internet and a web browser. In all cases, hackers exploit a system vulnerability, such as a weak password, outdated user accounts that were not properly deleted, or an unsecured PBX that is reachable via the Internet.
What to expect if you are a victim of toll fraud?
If your business phone system is compromised, YOU are ultimately responsible for any toll charges that are incurred, so you want to act quickly to make your system secure again. You may discover that you were hacked when you receive your phone bill, or you may be notified by your phone line service provider shortly after it occurs.
First, notify your phone line service provider and ask them to immediately block these calls (if they haven’t begun to block them already). Next, notify your phone vendor and ask them to secure your system. All user accounts should have robust passwords, any unused subscribers should be deleted, and the phone system should be restricted from external web access (or only permitted through a VPN).
Once you have properly secured your PBX, you may request a credit from your phone line service provider. Many companies will provide relief of some kind — especially if this is a first-time occurrence — in exchange for affirming that you’ve secured your phone system. This credit may be for a fixed dollar amount, or for a percentage of the fraudulent charges. For a more extreme case where the charges are in the tens of thousands, your phone company may be willing to negotiate down the amount you’re obligated to pay.
How to prevent toll fraud
If your company does not need to call outside the United States, ask your phone vendor AND your phone service provider to prohibit all international calling. In doing so, you are doubly restricting these calls through both your phone system and the phone lines themselves. This is the single most important step you can take to protect your business. However, if your company requires international calling capability, you should implement strong passwords for all user accounts, including voicemail boxes, soft phones, and admin portals. You should also remove any unused accounts and restrict external access to only what is necessary.
And finally, consider moving your phone service to the cloud. The cloud inherently has safeguards in place to protect you, such as multi-factor authentication and the use of secure data centers. Another key benefit is that a cloud-service provider typically manages both the phone system and the phone lines, so not only do they monitor everything more closely, but they’re also empowered to take swift action should anything suspicious occur.
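If you stay on a premise-based system, the pattern described under "What is toll fraud?" (inbound calls forwarded to an international toll destination) can be checked for in your own call records. The script below is an added example, not part of the original article or any vendor's tooling; the CSV column names, sample rows, phone numbers, and thresholds are all constructed assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names are assumptions, not a vendor format.
# +999 is used as an obviously fictitious country code.
SAMPLE_CDR = """start,direction,caller,forwarded_to,duration_sec
2018-10-06T01:12:00,in,+15550100,+9995550111,1740
2018-10-06T01:13:30,in,+15550101,+9995550111,1680
2018-10-06T01:15:10,in,+15550102,0119995550111,1800
2018-10-08T09:30:00,in,+15550103,+12025550142,300
2018-10-08T10:05:00,in,+15550104,,120
"""

RATE_PER_MIN = 0.50   # assumed toll rate; the article cites nearly 50 cents/min
MIN_CALLS = 3         # assumed alert threshold per destination

def normalize(number):
    """Strip separators and rewrite the US exit code 011 as '+'."""
    number = number.strip().replace("-", "").replace(" ", "")
    return "+" + number[3:] if number.startswith("011") else number

def is_international(number):
    """True for destinations outside country code 1 (simplification:
    toll-charging numbers inside +1 are not covered)."""
    return number.startswith("+") and not number.startswith("+1")

def find_forwarding_fraud(cdr_text):
    """Group inbound calls forwarded abroad by destination and flag bursts."""
    stats = defaultdict(lambda: {"calls": 0, "minutes": 0.0, "off_hours": 0})
    for row in csv.DictReader(io.StringIO(cdr_text)):
        dest = normalize(row["forwarded_to"])
        if row["direction"] != "in" or not is_international(dest):
            continue
        start = datetime.fromisoformat(row["start"])
        s = stats[dest]
        s["calls"] += 1
        s["minutes"] += int(row["duration_sec"]) / 60
        # Count calls on weekends or outside 08:00-18:00, when nobody is watching.
        s["off_hours"] += start.weekday() >= 5 or not 8 <= start.hour < 18
    return {d: {**s, "est_cost": round(s["minutes"] * RATE_PER_MIN, 2)}
            for d, s in stats.items() if s["calls"] >= MIN_CALLS}

if __name__ == "__main__":
    for dest, s in find_forwarding_fraud(SAMPLE_CDR).items():
        print(dest, s)
```

If international calling is prohibited outright, as recommended above, set the threshold to 1 so that any forwarded international call is reported.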
Note: This article was originally published on LinkedIn on April 4, 2019.