What is Telecom Fraud and How to Protect Yourself

What is Telecom Fraud?

Telecommunications fraud generally involves a third party making long-distance calls at the expense of a business. Forms of fraud involve:

PBX Fraud (DISA)

The majority of recent fraud cases have occurred around Private Branch Exchange (PBX) systems, by direct inward system access (DISA). Intruders gain access to businesses that use a PBX phone/voicemail system and use system commands such as an 800 number or other access number to gain a dial tone.

They place unlimited long-distance calls directly through these lines for unscrupulous operators reselling long-distance at a profit. These calls appear no different to the service or equipment providers than any other call originating from that business.

Voicemail Fraud

Voicemail fraud is the most prevalent type of fraud and the most significant threat to businesses that use a Private Branch Exchange (PBX) phone system or voicemail. An unauthorized third party can gain access to a business's phone system and place long-distance calls directly through these lines. They gain access most commonly through voicemail menus protected with only simple passwords (1111, 2222, 1234, etc.) or unchanged factory default passwords.

Once inside your system, an unauthorized third party can use the system commands to gain a dial tone and place calls that appear no different to your service or equipment provider than any other call originating from your business. Having a good password management policy and practice is a strong start towards protection.

Calling Card Fraud

An unauthorized third party steals a calling card or calling card number and then uses it to make calls.

Modem Fraud

An unauthorized third party can gain access to your Internet dialler if you access the Internet via a dial-up connection, and use your phone line to place long-distance calls.

How to protect your Business from Telecommunications fraud

While no telecommunication system can be made entirely free from the risk of fraud, diligent attention to system security can reduce the risk considerably. The following actions can limit the risk your business faces.

Remote System Access and Administration

Remote access allows callers from the public network to access your business's PBX system using an access code. For example, an off-premises executive may use it to dial directly into the PBX in order to make a long-distance call less expensively than with a credit card. It's also one of the primary avenues of illegal entry into your system. To lessen the vulnerability of your remote access system, use authorization codes or other passwords to control access and limit calling range after normal business hours or provide attendant intervention.

Smart Passwords and Access Codes

Never use default passwords or default access numbers for your system as they are easy to crack and almost everyone knows them. One of the most effective security measures is to select hard-to-break passwords and remote access codes. Use the maximum number of characters, mixing the pound sign (#), asterisk (*), and numeric digits (0-9).

Avoid passwords that contain the following:

• Predictable patterns, such as ascending or descending digits (7654321)
• Repetitive digits (5555555)
• The same digits as your extension number (or the reverse of your extension number)
• Numbers that align to or identify the owner (room number, employee ID number or even a social insurance number)

Tips to safeguard your DISA (direct inward system access) number:

• Never publish a DISA telephone number.
• Change DISA access telephone numbers periodically.
• Use longer DISA authorization codes: ideally 9 digits and never fewer than 7 digits.
• Issue an individual DISA authorization code for each user.
• Warn DISA users not to write down authorization codes.

Frequently Change Passwords and Access Codes

It's a good idea to change passwords and access codes at least four times a year for both switch (software based/remote access) and hardware-based voicemail systems and automated attendant services. Always change or remove authorization codes when authorized users leave the company, especially when technicians depart. Do not write down remote access codes or passwords, or program them into auto-diallers.

Controlling Long-Distance Calling

• Prohibit or restrict calls to countries you do not do business with
• Consider block all calls to the Caribbean, a popular calling destination for telethieves and call resellers
• Limit international calling to only those employees who need to place international calls. Limit calls to domestic area codes if calls to these states are not permitted
• Put time-of-day restrictions into effect, such as prohibiting or limiting outbound calling at night and on weekends
• Restrict 800 access from non-essential areas that are known toll-fraud centers

Protect Your Voicemail System

Prevent unauthorized third parties from connecting to your voicemail system and accessing private bulletin board messages, creating their own mailboxes, or accessing the PBX system by taking the following measures:

• limit the voicemail to internal calling only
• remove mailboxes immediately when an employee leaves the company
• avoid spare mailboxes before they are needed

Restrict Automated Attendants

After remote access and voicemail, automated attendants are the most common entry point for unauthorized third parties. Automated attendants answer a company's telephone, but can also serve as an open door to telecom fraud. Hackers enter the automated attendant function, then dial the 91XX or 9011 extension. On many PBX and voicemail systems (with dial-out capabilities left active), these extension numbers connect to outside long-distance lines. To reduce automated attendant fraud, restrict or block access to long-distance trunks and local dial capabilities. In particular, block access codes such as 9XXX and possibly even the 8XXX fields or install a "verify extension field" capability, if available. Review the recommendations in the "Smart Passwords and Access Codes" section.

Monitor and Analyze Your Systems

Continuous monitoring of your company's calling patterns will help you to identify fraud at an early stage and minimize loss. It's a good idea to regularly monitor your PBX, voicemail, automated attendant and 800 call detail records. Learn to spot patterns such as an increase in after-hours calls, calls to countries you don't do business with, multiple short duration inbound calls (especially after working hours).Watch for numerous incoming calls on your 800 lines followed shortly thereafter by a surge in long duration outbound 800 calls, which may indicate that an unauthorized third party has entered your phone system through your 800 lines and is dialling out.