
10-Step Health Check to Avoid Toll Fraud
This is part of a series of articles showcasing how Mitel helps companies achieve their business communication objectives.
How to protect your company from unwanted access and illegitimate charges
What keeps IT managers up at night? Security issues - and for good reason. When it comes to business communication systems, there are lots of reasons for concern - denial of service (DoS) attacks, eavesdropping, VoIP phishing (Vishing), and toll fraud.
Toll fraud, which is defined as any unauthorized use of a business's telephone system and carrier services, cost victims $4.73 billion globally last year according to the Communications Fraud Control Association. It generally involves the hijacking of a phone system to make expensive international calls or calls to premium numbers overseas at several dollars a minute. The way it generally works is that the hackers dial into your system and gain access to outside lines, usually through a voice mail system or automated attendant. Using auto dialers, they call DID numbers until a voice mail or automated attendant answers, and use various techniques that help them guess the passwords for voicemail boxes and gain access. Once in, they can access outside lines and dial out to premium numbers (e.g., 900 numbers) such as psychic help lines that charge the callers over $1 a minute, and then receive a portion of these charges. The cost of these calls will then be charged to your company as if someone within your organization made the call. Most carriers have ways of spotting toll fraud and will notify the customer if they see unusual activity, but by that time, the damage has been done.
Companies of all sizes, and even the savviest organizations, can be targets. The hackers keep getting better at finding ways to break into phone systems. According to Ralph Willett, Senior Engineer, Wesley Clover Solutions, "If you have a toll free number it puts you more at risk. The more numbers you have into your system, the more voice mail systems, the more features you have may increase the risk, but this can all be controlled."
Perhaps the weakest and most vulnerable area is the business' voice mail system. Willett notes, "Voicemail is the easiest thing to attack - people don't change their voice mail or administrator's password. Hackers dial in and compromise the user's mailbox and use this to dial out and make calls from there unless the system is secured."
Jerry Sparling, VP of Customer Service and Quality, Mitel, explains, "Many customers use default passwords, which make them vulnerable to hacking. For example, it's common to use your extension number as your voice mail password, or to use the default 0000 for the administration access code to the system."
According to Sparling, "Everyone who doesn't follow best practices is at risk. Businesses in the hospitality industry are especially at risk, as many of them have older products and legacy PBXs that are 20 years old, and some of those installations didn't follow best practices."
So what can be done to prevent toll fraud? I spoke with three experts recently who shared some tips and best practices.
1. Change passwords - never use the default passwords for voice mailboxes, system administration, conference bridges, etc., and use passwords that aren't obvious or easy to guess, such as 1234. Enforce a policy of changing passwords on a regular basis, and when someone leaves the company, delete their mailboxes immediately, and block or delete all inactive mailboxes.
2. Determine what is necessary to conduct business and what level of restriction to apply to phones during normal and off business hours. Willett has written a detailed article posted on www.MitelForums.com on avoiding toll fraud, and suggests determining what features your business needs and what phones need them. He wrote, "Knowing what needs to be done in order to program any PBX with security in mind, a business must first determine what PBX features are required for its business environment as well as who will use these features. Each phone will have out dialing requirements based on the job function of the person using it. For example, the CEO of a company may require international calling to conduct business. This is generally not true of the lunch room phone or the copy room phone, therefore these phones should be classified differently." He recommends identifying which phones need to make long distance calls, require outbound access during off business hours, and need to make out-of-state or international calls, and then restricting these capabilities on the phones that don't require them. He adds, "When moving to the cloud, make sure whoever is doing this in the cloud is taking care of you. The same rules apply, so make sure whoever is doing the cloud understands what the restriction requirements are."
3. Programming and configuration of the system is key. It's important to preserve class of restriction and control access to trunks coming in and connecting to other trunks. Decide if users are allowed to forward calls off premises or to cell phones. Similarly, decide if you need an incoming trunk to access an outgoing trunk, and identify how to control it. For example, some users may forward their desk phone to their cell phone, or a secretary may transfer a call to the boss' home phone. Work with your carrier and with your vendor or reseller to restrict or block certain types of calls or trunk-to-trunk connections. The Canadian carrier ThinkTel suggests considering restricting call forwarding and call transfer features, especially to external numbers, and programming your phone system so that extensions can forward only to known numbers, and restrict all others, especially 901 or 90#.
4. Do a health check of your system regularly to monitor and analyze your systems. Work with your vendor or an outside consultant and go through a yearly audit to see if anything's been changed that might impact you.
5. Regularly check your voice mail and automated attendant systems, as this is the most vulnerable area that hackers can compromise and gain the ability to make external calls. Consider disabling the ability to make external calls from the automated attendant system. A misconfiguration in the auto attendant can be an easy target for the hackers, so it's important to check the system and its security parameters frequently to make sure it's working correctly. Determine whether your voice mail systems should be allowed to dial out of the PBX itself or dial international numbers, as this is where most problems occur.
6. Monitor calling patterns and review your call detail records. Check your voicemail reports, 800 number usage, monitor valid and invalid calling attempts, look for unexplained 900 number calls and chat lines. Also be on the lookout for changes in call patterns, such as a sudden increase in wrong number calls, silent hang ups, higher abandon rates, and an unusual amount of night/weekend/holiday traffic - if you get lots of calls on Friday at 2 AM, there's probably something going on.
7. Stay current - it's important to have the latest security release. Make sure your phone and voicemail systems are up-to-date and that all current patches have been installed.
8. Upgrade to a newer system that has increased security precautions built in. Older systems are much more vulnerable to being hacked, while newer systems and services were developed with security in mind. For example, Mitel's newer systems and services use 6-digit passwords for voice mail rather than the traditional 4-digit passwords, and will be increasing this to 8 digits in a new release. Mitel's latest systems also include mailbox lockout by default for new installations, which essentially locks out a user from the system if they enter an incorrect password more than three times.
9. Talk to your carrier and understand what kinds of service they have available to track and proactively notify you of unusual calling activity. It's important to be engaged with your carrier and ensure that your carrier is looking out for toll fraud.
10. Training and Education - in addition to training your technicians on how to avoid toll fraud, it's important to also educate your end users about what toll fraud is and how to prevent it. Mitel created toll fraud workshops for its partners, as well as knowledge-based articles and tools for customers, to help educate users and partners about avoiding toll fraud and ensuring security.
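The call detail record review described in steps 2, 3 and 6 (per-phone calling classes, premium-rate numbers, off-hours traffic) can be automated. The script below is an added example, not code from the article or from Mitel; it runs over a few constructed CDR lines and assumes a small class-of-restriction table, a fixed business-hours window, and dialed digits already stripped of the trunk access code.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample call detail records (not from the article):
# extension, start time (local), dialed digits, duration in seconds.
# The 02:xx calls on Friday 2024-05-03 mirror the article's "Friday at 2 AM" pattern.
SAMPLE_CDR = """ext,start,dialed,seconds
1001,2024-05-03T09:12:00,2125551234,180
1020,2024-05-03T14:05:00,011442079460000,600
1042,2024-05-03T02:07:00,9005551000,900
1042,2024-05-03T02:31:00,011233012345678,1400
1042,2024-05-03T02:55:00,011233012345678,1300
1001,2024-05-03T10:00:00,4155550123,60
"""

# Assumed class-of-restriction table (step 2): only the CEO's phone (1020)
# may dial internationally; 1042 stands in for the lunch-room phone.
INTERNATIONAL_ALLOWED = {"1020"}
PREMIUM_PREFIXES = ("900", "1900")   # premium-rate numbers flagged in step 6
BUSINESS_HOURS = range(7, 19)        # assumed 07:00-18:59, Monday to Friday


def classify(dialed):
    """Bucket a dialed number by the calling class the PBX would apply."""
    if dialed.startswith("011"):          # North American international prefix
        return "international"
    if dialed.startswith(PREMIUM_PREFIXES):
        return "premium"
    return "domestic"


def review_cdr(text):
    """Return (ext, dialed, reasons) for every record that violates policy."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        kind = classify(row["dialed"])
        start = datetime.fromisoformat(row["start"])
        reasons = []
        if kind == "premium":
            reasons.append("premium-rate number")
        if kind == "international" and row["ext"] not in INTERNATIONAL_ALLOWED:
            reasons.append("international call from restricted extension")
        if start.hour not in BUSINESS_HOURS or start.weekday() >= 5:
            reasons.append("outside business hours")
        if reasons:
            findings.append((row["ext"], row["dialed"], reasons))
    return findings


def suspicious_extensions(findings, threshold=2):
    """Extensions with at least `threshold` flagged calls: the ones to lock down first."""
    counts = {}
    for ext, _, _ in findings:
        counts[ext] = counts.get(ext, 0) + 1
    return {ext: n for ext, n in counts.items() if n >= threshold}
```

Point the script at a real CDR export with the same four columns to get a daily list of extensions whose calling pattern does not match their assigned class.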
As Wesley Clover's Willett stated, "If you're not protected, it's a question of when, not if you'll be attacked." Mitel's Sparling adds, "The system is only as smart as the end user - if the user puts in 0000 for their password, you won't win the war. You have to be smart about how you install the PBX. The key to success is educating people." And Cam Puerzer, Director of Voice Services for RackForce notes, "Diligence and security are key. Keep vigilant."
This paper is sponsored by Mitel.
Also on UCStrategies.com in this series: