October 23, 2019

Toll Fraud Explained

Recently, business voice mailboxes have been an easy target for hackers due to outdated or unsupported PBXs. A PBX, or private branch exchange, is a private telephone network used within an organization. Hackers gain access and reroute businesses’ mailboxes to other countries, resulting in toll fraud and exorbitantly high long-distance and international charges. While the 3CX Phone System is built to handle attacks such as these, thanks to its built-in Anti-Hacking Modules and the ability to restrict calls by country code, older PBXs are susceptible to these extremely expensive attacks.

What Exactly is Toll Fraud?

Simply put, toll fraud occurs when untrusted parties place calls through your PBX, at your expense. Typically, this happens overnight, when offices are closed, and calls are placed in bulk to various international destinations. Then, a large bill arrives at the end of the month, which must be paid.

Since the early ages of PBXs, free international calling has been the target of phone hacks. One might think that it’s something of the past with communication costs having drastically decreased; however, in the modern age of VoIP telephony, a global threat of organized crime has arisen to make big profits in an industrial manner.

Usually, a hacker compromises a PBX in order to establish calls to premium international numbers. Their motivation is an indirect financial gain: they dial thousands of numbers in an automated manner to premium services under their control, in order to get paid commissions per call or per time spent on the line. This is also known as International Revenue Sharing Fraud (IRSF). Another common way to profit more directly is the simple resale of stolen credentials on the Dark Web to whoever wants a cheap route to dial out.

The 3CX Phone System has many built-in security features and default settings that prevent such abuses; however, administrators sometimes disable safeties without understanding the risks associated, which can lead to problems.

Here are the common mistakes to avoid:

  1. Weak passwords or PINs (e.g. 0000, 1111, 1212, 1234)
  2. Unsupported, unpatched, or outdated PBX hardware and software
  3. Unsupported, unpatched, or outdated PBX host hardware and software (Windows XP, Server 2003, Server 2008)
  4. System settings not properly configured

4 Steps You Can Take to Prevent Toll Fraud

Although there are several ways in which toll fraud can be committed, PBX hacking is the most likely. By using some of the following proactive measures, you can protect your PBX and prevent toll fraud.

1. Use strong passwords

Although it may seem obvious, passwords are one of the best weapons you can use in the battle against toll fraud. If you’ve picked a simple password that includes your name or other public information, or kept the factory-set default password for your PBX, you’re putting yourself at risk.

First, foremost, and most importantly, always reset the default password on your PBX. When you create a new one, be sure to include a combination of lower- and upper-case letters, special characters, and numbers. You should also ensure that your password is at least 8 characters long. Do NOT use simple passwords/PINs for voicemail boxes (e.g. 0000, 1212, 1111, 1234).

Change your PBX’s password whenever an employee who previously had access leaves your company.  (It’s not personal – it’s just best practice.)

2. Set up a firewall

Firewalls that understand the Session Initiation Protocol (SIP) are often used to help protect VoIP phone systems from fraud. A SIP-aware firewall, which inspects both voice and data packets as they pass through your network, can be used as a filter for fraudulent calling.

3. Implement international calling restrictions

Many VoIP phone systems can be configured to restrict international calling entirely or allow secured access.  If your business makes a lot of international phone calls, consider adding an extra layer of security, such as an authorization code that must be input before placing an international or long-distance call. If you’re not sure how to add this extra precaution, contact Business Information Group, Inc. for assistance.

4. Review your call logs regularly

This is another simple, yet important, step in preventing toll fraud. Most VoIP phone system interfaces allow you to track incoming and outgoing calls; be sure to look at these on a weekly, if not daily, basis. Additionally, if your business is primarily domestic, any international call should be a red flag. Businesses that do make numerous long-distance calls should be aware of the countries where toll fraud most often occurs.
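As an added example (not part of the original post or any vendor's product), here is a small script that reviews call detail records (CDRs) for the three patterns this step describes: international calls from a domestic business, calls placed outside office hours, and bulk dialing from a single extension. The CDR lines, the home country code, the office hours and the bulk threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample CDR lines (not real data): timestamp, extension, dialed number, seconds.
SAMPLE_CDR = """\
2019-10-21 09:15:02,101,+12125550134,184
2019-10-21 14:40:11,102,+12125550178,62
2019-10-22 02:03:41,104,+37212345678,540
2019-10-22 02:05:12,104,+37212345679,600
2019-10-22 02:06:58,104,+37212345680,598
2019-10-22 02:08:30,104,+25212345678,611
2019-10-22 10:01:05,103,+14155550199,95
"""

HOME_COUNTRY_CODE = "+1"   # assumption: US-based, domestic-only business
OFFICE_HOURS = (8, 18)     # assumption: office open 08:00-18:00 local time
BULK_THRESHOLD = 3         # calls per extension per hour worth a closer look

def parse_cdr(text):
    """Parse CSV-style CDR lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, seconds = line.split(",")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "ext": ext, "number": number, "seconds": int(seconds)})
    return records

def review_calls(records):
    """Return (reason, extension, detail) findings that deserve a human look."""
    findings = []
    per_ext_hour = Counter()
    for r in records:
        intl = not r["number"].startswith(HOME_COUNTRY_CODE)
        after_hours = not (OFFICE_HOURS[0] <= r["time"].hour < OFFICE_HOURS[1])
        if intl:
            findings.append(("international", r["ext"], r["number"]))
        if after_hours:
            findings.append(("after-hours", r["ext"], r["number"]))
        per_ext_hour[(r["ext"], r["time"].strftime("%Y-%m-%d %H"))] += 1
    for (ext, hour), n in per_ext_hour.items():
        if n >= BULK_THRESHOLD:
            findings.append(("bulk", ext, f"{n} calls in hour {hour}"))
    return findings

if __name__ == "__main__":
    for reason, ext, detail in review_calls(parse_cdr(SAMPLE_CDR)):
        print(f"{reason:14} ext {ext}: {detail}")
```

Real PBX exports vary in column order and number formatting, so adjust `parse_cdr` to your system's CDR layout before relying on the findings.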

Taking these steps to prevent toll fraud could save your company from potential attacks, and ultimately save you from paying an unwarranted phone bill. If you’re worried your PBX may be at risk of attack, contact BIG today to secure your phone network.