Long Distance Fraud - Learn what YOU can do to protect your business from fraud.
Did you know that hackers can access your phone service and make long distance, even international calls, on your phone without your knowledge? All calls will be billed and you will be expected to pay for them.
- Types of Fraud
- Industry Best Practices for Protecting Phone Systems
- Learn about your telecommunications system
- Know the access paths that could open doors to fraud
- Monitor and analyze your systems information
- Know the signs of a security breach
- Secure your System(s)
Education - know the types of fraud that can occur.
It is important to know the different forms of long distance fraud that can occur, and what you can do to help protect yourself from unwanted calls and charges. This is an overview of the most significant telecommunication fraud threats that your business could face.
Voicemail Fraud: This is the most prevalent type of fraud and the most significant threat to businesses that use a PBX (Private Branch Exchange) phone system or Voice Mail. Hackers can gain access to your phone system and place Long Distance calls directly from your lines. Access to your system is most commonly gained through voice mail menus protected with only simple passwords (1111, 2222, 1234, etc.) or unchanged factory default passwords. Once inside your system, hackers use the system commands to gain dial tone and place calls that appear no different to your service or equipment provider than any other call originating from your business. Having a good password management policy and practice is a strong start towards protection.
Subscription Fraud: Criminals can open a phone service account using your personal information; name, address etc. They use this account to run up long distance charges and you receive the bill. It is important to safeguard your personal information. Service providers must also put forward their best effort to verify the information that is collected for new subscribers.
Clip on Fraud: Although this type of fraud is less common it does occur once in a while. Criminals illegally access the telephone cables either outside or inside the building and temporarily attach a phone to make long distance calls. Anybody seen accessing this infrastructure should be able to produce a valid photo ID from a service provider.
If you think you are a victim of long distance fraud you should:
- Immediately change your voice mail system passwords.
- Contact your equipment provider (Interconnect) to have them perform a system audit as soon as possible.
- Request to have your long distance or international calling capabilities suspended if possible as a stop gap measure until the audit is complete.
Remember that you are responsible for paying for all calls originating from, and charged calls accepted at your telephone, regardless of who made or accepted them.
Industry best practices for protecting your phone systems
This is a list of steps that you and/or your equipment provider should be taking to guard against long distance fraud. Please note that MTS can not anticipate all possible fraud scenarios and taking these steps may not guarantee your phone systems against a fraud attack.
- Learn about your telecommunications system:
- Talk to your equipment provider about telephony fraud and how they can help you to protect your system;
- Know the safeguards, the inherent defences and security features;
- Determine the vulnerabilities;
- Ensure your staff are educated on how to utilize the safeguards and avoid unintentionally disabling the systems security features.
- Know the access paths that could open doors to fraud:
- Direct Inward System Access (DISA);
- Voice-Mail System;
- Remote System Administration (Maintenance Ports);
- Direct Inward Dialing;
- Tie Trunks and Tandem Network Services;
- Monitor and analyze your systems information:
- Study call detail records and review billing records (Exception Reports may provide a warning sign);
- Know your employees' calling patterns and analyze them;
- Review voice-mail reports;
- Monitor valid and invalid calling attempts whenever possible.
- Know the signs of a security breach:
- Complaints that the system is always busy;
- Sudden changes in normal calling patterns such as increases in wrong number calls or silent hang-ups, night, weekend and holiday traffic, 800 and WATS calls, international calling, and odd calls (i.e. crank/obscene calls);
- Toll calls originating in voice-mail;
- Long holding times;
- Unexplained 900 (Chat Line) calls;
- High tolls for any unauthorized trunk extension.
- Secure your System(s):
- System configuration
- Restrict access to specific times (business hours) & limit calling ranges;
- Block all toll calls at night, on weekends and on holidays;
- Restrict call forwarding to local calls only;
- Block all 10XXXX calling from your PBX if this service is not necessary.
- Block, limit access or Require attendant assistance to overseas calls;
- Establish policies on accepting collect calls and providing access to outside lines;
- Educate switchboard operators and employees about con- artists who try to obtain calling access or transfers through a PBX;
- Secure equipment rooms (lock up all telephone system equipment & wiring frames);
- PBX (Private Branch Exchange) and DISA (Direct Inward System Access)
- Change default codes after installation of new equipment;
- Never publish DISA telephone numbers;
- Change your DISA access telephone number periodically;
- Issue a different DISA authorization code for all users and ensure DISA users do not write them down;
- Do not use sequential access numbers (1111, 2222, 1234, etc.);
- Use longer DISA codes (minimum 7-9 digits) and change the codes regularly;
- Disconnect telephone extensions that are not in use;
- Restrict DISA access at night, weekends and on holidays (prime time for fraud);
- Block or restrict overseas access;
- Program your system to answer with silence after five or six rings (hackers look for systems that answer with a steady tone).
- Identify invalid access attempts to your DISA and route them to an operator;
- Implement DISA ports that drop the line when an invalid code is entered;
- Program your PBX to generate an alarm when an unusual number of invalid attempts are made, and to disable the port after a set number of invalid attempts.
- Voice-Mail Systems
- Establish controlled procedures to set and reset passwords;
- Change passwords regularly, at least once per month;
- Use maximum length passwords for system manager box & maintenance ports;
- Prohibit the use of simple passwords (i.e. 222, 123, your last name, etc.);
- Limit the number of consecutive log-in attempts to five or less;
- Change all factory default passwords immediately upon being assigned a voicemail box;
- Block access to long distance trunking facilities, and collect call options on the auto attendant;
- Block or preferably Delete all inactive mailboxes;
- Limit your out-calling;
- In systems that allow callers to transfer to other extensions, block any digits that hackers could use to get outside lines, especially trunk access codes;
- Conduct routine reviews of the status of your system and system usage.
- Remote Access Ports
- Block access to remote maintenance ports and system administration ports;
- Use maximum length access codes and change them regularly.
- Use maximum length passwords and change frequently;
- Eliminate three-way calling on all extensions used with modems;
- Disconnect modems that are not in use.
- IP Routers
- Limit outside access to your router by blocking all unneeded ports (including port 5060);
- Do not allow access to your router from outside your VPN;
- Ensure router passwords are changed from factory default and are made as complicated as possible;
- Ensure you know all security features of your router and maximize their use;
- Know that call logging features are often bypassed with an IP router hack. Station level (desktop phone set) recording will NOT capture calls that are placed from within the router itself.
- System configuration
These recommendations do not contemplate every possible scenario but give you an overview of ways to secure your systems against commonly known types of long distance fraud.