The cost of telecoms fraud is currently estimated to be almost double that of credit card fraud, but with businesses keen to protect themselves against brand-damaging stories, few get to hear about the crimes and, more importantly, how to combat them.
Here in the UK, there remains a growing and costly risk to the security of business communications that is largely being ignored. Many businesses are still falling prey to telephone system fraud and many will not yet have realised it.
The problem only really comes to light when an unexpectedly high telephone bill arrives and by then it’s too late. Hackers have already accessed the phone system of the target business and run up huge bills, generally for overseas phone calls, without anyone being aware.
The crime is toll fraud and because the system owner is contractually obliged to pay the bill, whatever the amount, there is little chance of redress if your system is hacked. There is also little chance of catching the criminals, which explains the growth in activity.
The phone fraudsters are adopting new approaches, just like their phishing counterparts, to make detection and prevention more difficult. A recent trend that has come to light is for fraudsters to make many small, frequent attacks that are unlikely to trigger alarms or hit credit limits, so the thefts can go unnoticed for a long time.
The crime has become more sophisticated, transforming from a low-level crime committed by technically proficient individuals proving their skills into an organised fraud netting criminals huge profits.
The worry for SMEs is that criminals are now turning to smaller organisations, which are seen as easier targets with lower security standards. There has been huge publicity to encourage businesses to secure their data networks, but the telephone system remains something of a blind spot, and cloud-based systems are just as vulnerable to attack.
Your passwords need changing
Even the largest organisations can struggle to manage their phone system effectively. The setting and regular changing of voicemail passwords is often overlooked and for smaller firms, it can be worse, with no-one detailed to manage the system.
Unfortunately, users will typically pick easy-to-remember passwords or PINs to protect their voicemail, and these will often be guessed by hackers, who are often only seeking to steal minutes, but a lot of them in a short period.
Phone systems can be accessed remotely to allow system administrators to change the configuration and alter settings. This is convenient, but there is growing evidence that some unscrupulous installation engineers are configuring hidden ‘backdoors’ into the systems, and that employees are even being coerced into revealing passwords for money, to allow undetected access.
Once a fraudster has gained access to a system, it is relatively easy to set up a call forwarding feature. It allows anyone in the UK to call the compromised system at a local or national rate, and the call will be forwarded to a foreign destination at the expense of the organisation that owns the hacked system.
Hackers also target obsolete extensions on a host system, crack the voicemail code and force the system to dial international premium rate phone numbers, typically owned by organisations in league with the hackers.
Education and prevention are key. There is a lot that can be done to secure phone systems and significantly reduce the risk of being defrauded. The first step is making everyone within your organisation aware of the threat and the potential consequences.
The next step, and one that must be repeated regularly, is changing passwords and ensuring they are robust and hard to hack. If you never or rarely make overseas calls, it is a good idea to ask your service provider to bar calls to international numbers and country codes. This will undoubtedly lessen the damage should a system be hacked.
The same is true for premium rate numbers, which are unlikely ever to be called from a business phone, so get them excluded.
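Before asking the provider for those bars, it helps to see which extensions have actually been dialling international or premium rate numbers. The following is an added example, not part of the original article: it audits call records and flags both out-of-hours use and the small, frequent calls described earlier. The record layout, the 08:00 to 18:00 weekday office hours and the three-calls-a-day threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample call records: (start, extension, dialled number, seconds)
SAMPLE_CDRS = [
    ("2024-03-04 02:14", "214", "0025312345678", 95),
    ("2024-03-04 02:31", "214", "0025312345678", 110),
    ("2024-03-04 03:05", "214", "09098790123", 80),
    ("2024-03-04 10:20", "101", "02079460000", 300),
    ("2024-03-05 11:00", "101", "0033123456789", 240),
    ("2024-03-05 14:00", "102", "+442079460000", 60),
]

def classify(number):
    """Return 'international', 'premium' or None for a number dialled from the UK."""
    n = number.replace(" ", "")
    if n.startswith("+"):
        return None if n.startswith("+44") else "international"
    if n.startswith("00"):  # UK international dialling prefix
        return None if n.startswith("0044") else "international"
    return "premium" if n.startswith("09") else None  # 09 = UK premium rate

def out_of_hours(ts, start=8, end=18):
    """Assumed office hours: Monday to Friday, 08:00 to 18:00."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def audit(cdrs, min_calls=3):
    """Group risky calls per extension per day; flag repeats and out-of-hours use."""
    buckets = defaultdict(list)
    for when, ext, number, secs in cdrs:
        kind = classify(number)
        if kind:
            ts = datetime.strptime(when, "%Y-%m-%d %H:%M")
            buckets[(ext, ts.date().isoformat())].append((ts, kind, secs))
    findings = []
    for (ext, day), calls in sorted(buckets.items()):
        ooh = sum(1 for ts, _, _ in calls if out_of_hours(ts))
        if len(calls) >= min_calls or ooh:
            findings.append({
                "extension": ext, "day": day, "calls": len(calls),
                "out_of_hours": ooh, "seconds": sum(s for _, _, s in calls),
                "kinds": sorted({k for _, k, _ in calls}),
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CDRS):
        print(finding)
```

An extension that appears here but is obsolete or unassigned is a candidate for removal as well as for barring.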
Some phone system features, like call forwarding, are a benefit, but a security audit will highlight weaknesses within the system and its set-up. If you’ve never had an audit, speak to us and we’ll help you determine which features are useful and which are unused and present a risk.
If you’ve not made the move yet, consider switching to a cloud-based business VoIP service. These are cost-effective and offer monitoring capabilities, account controls, built-in security and fraud-detection capabilities, all of which will help keep you safe from hackers.
But whatever you do, don’t ignore the problem, or your next bill might take your breath away.
Terry Faria, Telecommunications Manager, Quiss Technology plc