Telecom Fraud Is Alive & Kickin
By Eric Klein, Vice President of Sales and Marketing, Humbug Telecom Labs
In the 1960s, fraudsters would trick the phone systems of AT&T into providing free calls by whistling high-pitched sounds into the handset. These relatively innocuous pranks would become known as phreak attacks.”
The reality of telecom fraud today is frighteningly different. In 2009, according to the CFCA, businesses of all sizes and carriers lost a combined $80 billion to telecom fraud. In April 2011 a small Perth, Australia, based company was hit with a AU$120,000 (US$ 117,439) attack, joining the ranks of thousands of other unsuspecting victims around the world. Telecom fraud attacks can financially cripple a business in as little as two days.
There are many kinds of attacks. The following threats represent but a handful:
PBX Dial-Through Most PBXs (voice servers) have an option for DISA (Direct Inward System Access), which enables an outside caller to call into the PBX and then make an outbound call at your expense. In one example, employees may call into the switchboard or their voice mail and make outgoing calls after inputting a password or pin. Although this feature may be turned off upon installation, hackers will try to break in and create their own mailbox, which will allow them to dial in and then make any calls they wish.
Calls to Known Fraudulent Numbers or Destinations Telecom fraud is a well-known problem, and like the Nigerian Bank Scam,” there are blacklists of phone numbers, area codes etc. that can be blocked or monitored if the right tools are at hand.
System Hacks Currently there are two types of attacks that can target an enterprises PBX:
- Hacking the PBX to gain unauthorized access. Creating a mailbox, as described above, or trying default or common passwords are two of many techniques. Fraudsters may also directly contact employees to ascertain useful information that can be used to harm the company.
- Hacking the PBX to gain access privileges, much like hacking a computer network. This attack type may include denial of service (DoS) attacks, brute force attacks, etc.
Internal Misconduct Telecom fraudsters are not always outside the confines of the organization. Internal Employee Fraud is a significant contributor to fraud affecting enterprises. Employees may use company phones to make premium number, personal and long-distance calls. In the worst-case scenario, employees may actively enable toll fraud.
Off-Hour Calls Calls originating from an organizations PBX may be the result of Internal Employee Fraud, unauthorized visitors, or remote hackers accessing the system. Most significant telecom fraud attacks are perpetrated when the enterprise is unmanned over weekends, bank holidays, religious holidays, etc.
What Can You Do to Protect Your Company?
Your best defense is to proactively watch for offenses. Proactively monitor and understand your traffic, dont wait until you get your phone bill to discover you have a problem. Use a real-time monitoring system that can alert you to suspicious activity like short repeat calls, traffic spikes, unusual call destinations, or changes in after-hours calling patterns.
Eric Klein is vice president of sales and marketing at Humbug Telecom Labs. He has more than 20 years experience in the telecom industry. In addition to his experience with MCI Communications (now part of Verizon) and Cellcom he has served as a grant reviewer for the U.S. Department of Commerce Broadband Initiatives (BIP) Program and Broadband Technology Opportunities Program (BTOP).
