Imagine getting to work and seeing an invoice from your voice provider showing that your company ran up a $122,000 phone bill in a single weekend! But nobody was in the office at that time. Surely this was a mistake. Unfortunately, fraudsters had broken into your company’s internet protocol (IP) private branch exchange (PBX) and pushed 11,000 international calls to Latvia and Somalia through it in just 46 hours. Now you’re stuck covering the bill.
Phone calls transmitted over the internet, such as Voice over Internet Protocol (VoIP), SIP trunking and Unified Communications, are popular among businesses today because of their low cost, portability and feature-rich capabilities. However, these types of internet-based systems also create more inroads for attacks.
Typically, telephone fraudsters gain unauthorized access through vulnerable PBX systems to make international and long-distance calls, listen to voice mail or monitor conversations. Victims unknowingly let the hackers “sell” the use of their telephone system to others, or give them the opportunity to maliciously reprogram it.
In the scenario above, the fraudsters simply break into the IP PBX and place calls they never intend to pay for. A weak password on the PBX, such as 1234 or 0000, is often the culprit that gives them easy access. Once inside a telephone system, they route calls to premium-rate destinations and often collect a kickback from a dishonest pre-paid calling card provider or web-based phone service that shares the revenue from those calls.
Telecom fraud also affects carriers and wholesale aggregators. For example, if the network of one of their call center customers is hacked, fraudsters can run up enormous bills by routing calls to carriers in Cuba through the customer’s telephone system without the call center ever knowing it.
Telecom Fraud is Widespread
According to the Communications Fraud Control Association (CFCA) 2017 Global Fraud Loss Survey, total global fraud loss was estimated at $29.2 billion annually. The survey also noted that the top 5 countries where fraudulent calls terminated were Cuba, Latvia, Lithuania, the United Kingdom and Tunisia. Other top destinations include Chad, Jamaica, Somalia, Bosnia-Herzegovina and Algeria.
How big is the problem? Let’s look at some of the malicious schemes.
Top 10 Fraud Methods:
- $2.03 B – Subscription Fraud (Identity)
- $1.94 B – PBX Hacking
- $1.94 B – IP PBX Hacking
- $1.93 B – Subscription Fraud (Application)
- $1.75 B – Subscription Fraud (Credit Muling/Proxy)
- $1.66 B – Abuse of Service Terms & Conditions
- $1.66 B – Account Take Over
- $1.47 B – Internal Fraud / Employee Theft
- $1.38 B – Phishing / Pharming
- $1.38 B – Payment Fraud
Top 10 Fraud Types:
- $6.10 B – International Revenue Share Fraud (IRSF)
- $4.27 B – Interconnect Bypass (e.g. SIM Box)
- $3.26 B – Arbitrage
- $3.02 B – Theft / Stolen Goods
- $2.39 B – Premium Rate Service
- $2.10 B – Device / Hardware Reselling
- $1.35 B – Domestic Revenue Share (DRSF)
- $1.30 B – Wholesale Fraud
- $1.27 B – Friendly Fraud
The top 5 fraud types accounted for 65% of all fraud losses.
The Bare Minimum You Should Do
As a telecom service aggregator, Magna5 monitors its customers’ call traffic patterns around the clock to detect and prevent fraud. Whenever there is a spike in high-velocity calling to international destinations, we can detect the fraud within milliseconds and block the calls. However, the best prevention strategy is a combination of measures that limit a fraudster’s access to your calling network, together with limits and restrictions on what the system will dial.
Check out our Fraud Awareness and Prevention (PBX) resource. These guidelines can go a long way in averting telephone fraud and discovering vulnerabilities in your systems. They cover:
- Education – Familiarize yourself with the dangers of telephone hacking and the financial exposure it creates, and educate staff who use the PBX on security procedures. Take time to evaluate your current settings and disable any features not in use.
- Authorization Code and Password – Do not use the default codes and passwords that come with preconfigured PBX and voice mail systems. Change and update them regularly, using long, randomly generated passwords.
- Direct Inward System Access (DISA) – Establish secure DISA codes and limit the DISA access number and authorization codes to only those employees with a real need for them. Ensure the first few digits of the access number differ from those of your published voice lines, so it cannot be found by dialing sequentially from your main number.
- Voice Mail – Disable the external call-forwarding feature in voice mail and remove any locked or inactive mailboxes. Set up restriction filters and apply them to voice mail ports/DNs (directory numbers).
- Toll Call – Restrict or block international and long-distance destinations to which your company does not require access, allowing only the countries you actually call. Block 1-900 and 1-976 premium-rate numbers and 1010XXX/101XXXX casual-dialing carrier access codes within the PBX/voice mail system.
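The toll-restriction rules above and the traffic monitoring described earlier can both be expressed in a few dozen lines. The following is an added example, not Magna5’s code or any product’s logic: a deny-by-default dial-string filter (premium-rate, casual-dialing codes, international except an allowlist) plus a sliding-window velocity detector, run over constructed call detail records (CDRs). It assumes a North American (NANP) PBX, a hypothetical country-code allowlist, and a hypothetical “timestamp,extension,dialed,seconds” CDR export; the country codes for the destinations named on this page are real, and the example goes one step beyond the text by also catching Jamaica, which is on the CFCA list but dials like a domestic call (area code 876), so an “international only” rule would miss it.

```python
"""Toll-restriction filter and call-velocity detector over constructed CDRs.

Added example, not Magna5's code. Assumes a North American (NANP) PBX, a
hypothetical allowlist of country codes, and CDRs exported as
"timestamp,extension,dialed,seconds" lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NANP dial patterns (assumption: the PBX sits in North America).
CASUAL_DIAL = re.compile(r"^101\d{4}")                          # 101XXXX / 1010XXX carrier access codes
PREMIUM_RATE = re.compile(r"^1?(900\d{7}|(\d{3})?976\d{4})$")   # 1-900 area code, 976 exchange
INTERNATIONAL = re.compile(r"^011(\d{7,15})$")                  # 011 + country code + national number
DOMESTIC = re.compile(r"^1?([2-9]\d{2})\d{7}$")                 # [1] + area code + 7 digits

# Hypothetical: the only countries this business needs to call.
ALLOWED_COUNTRY_CODES = {"44", "52"}                            # UK, Mexico
# Country codes for destinations named on this page (Cuba, Latvia, Lithuania,
# Tunisia, Somalia, Chad, Bosnia-Herzegovina, Algeria) plus the allowlist.
KNOWN_COUNTRY_CODES = ALLOWED_COUNTRY_CODES | {"53", "371", "370", "216", "252", "235", "387", "213"}
# Jamaica (+1-876) is also on the page's list but dials like a domestic call,
# so an "011 only" rule would miss it; restrict the area code explicitly.
HIGH_RISK_NPA = {"876"}


def country_code(national):
    """Longest-prefix match of a 1-3 digit country code; None if not in the known set."""
    for n in (3, 2, 1):
        if national[:n] in KNOWN_COUNTRY_CODES:
            return national[:n]
    return None


def classify(dialed):
    """Deny-by-default toll restriction: return (decision, reason) for a dial string."""
    digits = re.sub(r"\D", "", dialed)
    if CASUAL_DIAL.match(digits):
        return "block", "casual-dialing carrier access code"
    if PREMIUM_RATE.match(digits):
        return "block", "premium-rate 900/976 number"
    m = INTERNATIONAL.match(digits)
    if m:
        cc = country_code(m.group(1))
        if cc in ALLOWED_COUNTRY_CODES:
            return "allow", f"international +{cc} on allowlist"
        return "block", f"international +{cc or '?'} not on allowlist"
    m = DOMESTIC.match(digits)
    if m:
        if m.group(1) in HIGH_RISK_NPA:
            return "block", f"NANP area code {m.group(1)} is a known fraud destination"
        return "allow", "domestic"
    return "block", "unrecognised dial string"


def off_hours(ts, start_hour=7, end_hour=19):
    """Weekend, or outside assumed 07:00-19:00 local business hours."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def parse_cdrs(text):
    """Parse 'timestamp,extension,dialed,seconds' lines into time-sorted tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, ext, dialed, secs = line.split(",")
        rows.append((datetime.fromisoformat(ts), ext, dialed, int(secs)))
    return sorted(rows)


def analyse(cdrs, window=timedelta(minutes=10), threshold=5):
    """Apply toll restriction, flag off-hours international calls, and raise a
    velocity alert when one extension makes `threshold` toll attempts within `window`."""
    recent = defaultdict(deque)
    report = {"allowed": [], "blocked": [], "off_hours_international": [], "velocity": {}}
    for ts, ext, dialed, _secs in cdrs:
        decision, reason = classify(dialed)
        report["allowed" if decision == "allow" else "blocked"].append((ext, dialed, reason))
        if reason.startswith("international") and off_hours(ts):
            report["off_hours_international"].append((ts.isoformat(), ext, dialed))
        if decision == "allow" and reason == "domestic":
            continue   # ordinary domestic calls do not count toward toll velocity
        q = recent[ext]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ext not in report["velocity"]:
            report["velocity"][ext] = ts   # first moment the threshold is crossed
    return report


# Constructed sample: a Friday of normal traffic, then a weekend burst from ext 2041.
SAMPLE_CDRS = """
2019-06-07T10:15:00,1102,011442079460018,312
2019-06-07T11:02:00,1102,12125551234,95
2019-06-07T14:00:00,1310,19005551234,0
2019-06-07T14:05:00,1310,18765551234,0
2019-06-07T14:07:00,1310,101032118005551234,0
2019-06-08T02:14:05,2041,01137121234567,61
2019-06-08T02:15:10,2041,01137121234568,58
2019-06-08T02:16:42,2041,011252612345678,64
2019-06-08T02:17:03,2041,011252612345679,59
2019-06-08T02:18:55,2041,01137121234569,62
2019-06-08T02:19:30,2041,011252612345680,60
"""

if __name__ == "__main__":
    for key, value in analyse(parse_cdrs(SAMPLE_CDRS)).items():
        print(key, value)
```

Two design points are worth noting. Unknown country codes are blocked rather than allowed, because a PBX that only blocks a list of “bad” countries will be beaten by the next destination the fraudsters move to. And the velocity counter includes blocked attempts, not just completed calls: a burst of rejected international dials at 2 a.m. on a Saturday is itself the signal that an account or extension has been compromised, even before anything gets through.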
This is just a sample of preventive measures. The Fraud Awareness and Prevention (PBX) resource also covers much more, including extensions, handsets and systems, VoIP systems, ongoing monitoring and equipment room access. Be sure to read the full list of best practices for your PBX, voice mail and VoIP systems.
When it comes to combatting telecom fraud, there is no such thing as “playing it safe.” The best approach is a proactive fraud prevention strategy that reduces your network’s exposure and makes it harder for fraudsters to gain access to customer or carrier accounts. Teaming with a trusted managed services provider that offers proactive security monitoring brings another set of eyes to help avert phone fraud before it happens.