98% of businesses hit by hackers also suffer Dial Through Fraud

There could be a nasty surprise in store for businesses that took a long Christmas/New Year break. Their next phone bill could reveal that fraudsters were busy at work when everyone else was taking it easy, resulting in losses that can run into thousands of pounds.

It’s the result of Dial Through Fraud (DTF), where hackers gain access to a PBX, its voicemail system or a VoIP network (typically through default or weak PINs, unsecured remote-maintenance ports or DISA features) and then route national and international calls through it at the company’s expense. Holiday periods – such as Easter and Christmas – are a favourite time for fraudsters, as they know that call traffic monitoring is likely to be less vigilant over several days and that the calls will not be noticed until the next bill.

And the economic downturn has seen a growth in activity, according to the Telecommunications United Kingdom Fraud Forum (TUFF). When TUFF surveyed its membership late last year, communications providers (CPs) reported that 98% of businesses that were hit by hackers also suffered from DTF.

TUFF CEO Jack Wraith comments: “The incidence of hacking into small business exchanges has seen a rise in the past year and the level of this activity would indicate that small to medium businesses who operate their own office telephone exchanges are not securing their equipment against the activities of hackers. In many cases this results in the small business having to pick up very large telephone bills from their communication suppliers. In our survey one case of hacking resulted in a bill for £95,000 over a very short period of time.”

TUFF’s view is that many companies remain unaware that DTF could happen to them and as a consequence they’re still not doing enough to protect their assets. At BT Wholesale we’re keen to help you and your customers to guard against the risks and losses, so here are 16 simple and pragmatic steps to take:

  1. Remove or de-activate all unnecessary system functionality including remote access ports. If remote access ports are used consider using strong authentication such as smartcards/tokens.
  2. Restrict any destinations that should not normally be dialled: for example, premium rate, international, operator and directory enquiry numbers.
  3. Review your PBX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
  4. Bar voicemail ports from outgoing access to trunks if possible. Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234, repeated digits or the extension number.
  5. If access to trunks via voicemail is necessary then implement suitable controls. Remove auto attendant options for accessing trunks.
  6. Lock surplus mailboxes until allocated to a user.
  7. If DISA is not used then disable it completely.
  8. Restrict access to equipment: eg, your comms room and master terminals.
  9. Only give the appropriate and minimum level of system access required to carry out a task.
  10. Make sure all security features – passwords, PINs etc – are changed following installation, upgrade and fault/maintenance work, including resetting any password defaults the engineer may have restored.
  11. Keep all internal information such as directories, call logging reports, audit logs confidential and destroy them securely if no longer required.
  12. Avoid using tones to prompt for password/PIN entry: automated hacking programs use these tones to recognise a login prompt. Develop processes to cover employee entry procedures, passcards, new employee vetting and people leaving or changing jobs, and formally revoke their access to systems, mailboxes and buildings when they do.
  13. Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.
  14. Be vigilant against bogus callers – for example, people posing as company employees – who ask to be connected to switchboard operators to get an outgoing line.
  15. Make sure you have the right terms and conditions reflected in your contracts with your PBX, VoIP and/or voicemail maintainer in order to keep your system regularly maintained and serviced to stay safe.
  16. Share fraud intelligence. Fraudsters often move from one Provider to another, impacting us all. Pass on the news so that other CPs can be proactive and act before they become the next target. Encourage your business customers to talk to you about unusual call traffic patterns too.

GET MORE >

Like to join TUFF in the fight against fraud? Visit their website here: www.tuff.co.uk

Buying calls services from us? Contact your account management team to find out how we can help you with call traffic monitoring tools.
