Toll fraud — the hijacking of a phone system to dial out to premium numbers in distant countries at several dollars a minute — costs companies more than US$4.7 billion a year, up nearly $1 billion from 2011. It affects mostly SMBs, according to a report in The New York Times.
The Communications Fraud Control Association verified those figures, but it currently does not break them down by how many victims are SMBs and how many are large enterprises, CFCA Executive Director Roberta Aronoff told the E-Commerce Times.
Major carriers, such as the companies that make up the CFCA, have sophisticated fraud systems in place to catch hackers, and they can afford to credit customers for fraudulent charges, noted the Times. However, SMBs often use local carriers, which lack such antifraud systems and sometimes insist that their customers pay up for fraudulent calls.
There are no laws protecting phone customers from fraud like those that protect credit card users.
It’s Technology’s Fault
Blame the mess on Voice over Internet Protocol, aka VoIP, which routes calls over the Internet.
VoIP has all the problems Internet connections do: security and identity theft; eavesdropping; vishing, or VoIP phishing; call tampering; infection of VoIP networks with viruses and malware; denial of service attacks; and SPIT, or spamming over Internet telephony. Those are the top VoIP threats listed by Brighthub.
“VoIP systems are just one type of the many vulnerable systems installed at organizations today,” Jane Wright, a senior analyst at Technology Business Research, told the E-Commerce Times.
The Va-Va-Voom of VoIP
Using VoIP may cut costs. It can be cheaper to make long-distance or international calls, and it’s easier to add or remove users on a VoIP exchange.
Further, it’s easier to set up and take down a VoIP network than a regular one when staging or participating in a conference, exhibition or trade show.
Telephone companies reportedly are pushing businesses and consumers toward VoIP, because they won’t have to pay millions of dollars to replace their aging existing central office equipment.
Vectors of VoIP Attack
The use of SIP scripts — which attempt to register as a phone or trunk to a company’s Internet-facing PBX in order to call premium numbers overseas — is a common form of toll fraud.
Other attacks include hacking voice messaging or voice mail systems for the information they contain, and compromising soft phone services — virtual lines set up for legitimate users — to eavesdrop on phone calls and make unauthorized calls on the compromised line.
Defending Against Voice Pirates
“The best protection is ensuring that the phone company you use will protect you against fraudulent charges, which may mean going with one of the large firms, though that may be more expensive in other ways,” said Jan Dawson, chief analyst at Jackdaw Research.
“It’s a tradeoff that SMBs are going to have to consider,” he told the E-Commerce Times.
Companies should ensure authorized individuals can contact the phone system vendor and make changes to their accounts, recommends ShoreTel. They should audit the list of authorized users regularly.
The IP phone system platform should be configured to restrict international and directory assistance calls, or to require an authorization code for such calls.
IP phones must be protected behind a firewall and not used on public or untrusted networks.
Strong passwords must be used, and they must be updated every 90 days.
Finally, companies should subscribe to usage reports, ShoreTel recommends.
Alternatively, companies can subscribe to a fraud protection service like that from Humbug Labs, which charges $10 a month to provide pro analytics and fraud alerts for up to 10,000 calls a month, and goes up to $650 a month for large firms making up to 1 million calls a month.
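One way to act on the call-restriction and usage-report recommendations above, as an added example that is not from the article, ShoreTel or Humbug Labs: a Python check over call detail records that lists international and directory-assistance calls placed without an authorization code. The record layout, the North American dialing rules and the sample numbers are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions (not from the article): North American dialing, where international
# calls start with 011 or a "+" prefix other than +1, and directory assistance is
# 411 or NPA-555-1212. Numbers are recorded as sent to the trunk.
# Simplification: +1 also covers other NANP countries, which are treated as "other".

def classify(dialed: str) -> str:
    """Return 'international', 'directory' or 'other' for a dialed string."""
    has_plus = dialed.strip().startswith("+")
    digits = re.sub(r"\D", "", dialed)
    if has_plus:
        return "other" if digits.startswith("1") else "international"
    if digits.startswith("011"):
        return "international"
    if digits == "411" or re.fullmatch(r"1?\d{3}5551212", digits):
        return "directory"
    return "other"

def usage_report(cdrs):
    """Per extension, total the restricted calls made without an authorization code."""
    report = defaultdict(lambda: {"calls": 0, "minutes": 0.0, "numbers": set()})
    for ext, dialed, seconds, auth_code_used in cdrs:
        if classify(dialed) == "other" or auth_code_used:
            continue  # unrestricted call, or restricted call that was authorized
        row = report[ext]
        row["calls"] += 1
        row["minutes"] += seconds / 60
        row["numbers"].add(dialed)
    return dict(report)

# Constructed sample records: (extension, dialed number, seconds, auth code used)
SAMPLE_CDRS = [
    ("101", "+1 212 555 0123", 300, False),   # domestic, not restricted
    ("102", "011 999 555 0100", 600, False),  # international, no auth code
    ("102", "011 999 555 0100", 900, False),  # repeat call to the same number
    ("103", "+44 20 7946 0000", 120, True),   # international, authorized
    ("104", "411", 60, False),                # directory assistance, no auth code
    ("104", "1-212-555-1212", 30, False),     # long-distance directory assistance
]

if __name__ == "__main__":
    for ext, row in sorted(usage_report(SAMPLE_CDRS).items()):
        print(f"ext {ext}: {row['calls']} unauthorized restricted calls, "
              f"{row['minutes']:.1f} min, numbers={sorted(row['numbers'])}")
```

Any extension that appears in the report is placing calls the restriction policy should have blocked or challenged, so it points either to a configuration gap or to a compromised line.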