As we continue to see increasing numbers of telephony fraud occurrences, we frequently remind our clients to consider minimum requirements on telephony security. Telephony fraud can happen through hacking of servers to clone individuals, or hacking of the telephone system itself. The latter is known as Phreaking.
What is Phreaking
Hackers attacking your voice network like they would (and do) attack your data network. Instead of flooding your server with outbound emails, they flood your telephone system with outbound calls. Your phone bill will cover the cost of those calls. This is an exercise to create revenue for the hackers though, so they don’t want you to know you have been hacked. In the worst case scenario, your telephone system will be making calls constantly throughout nights and weekends, using every trunk line you have available, calling international revenue sharing numbers (think an overseas premium rate number). The owner of those numbers makes revenue from incoming calls, and you have a substantial phone bill at the end of the month. The smallest hack we have seen cost the client £4,000. The worst hack we have seen came to £300,000.
The average cost of Phreaking in the UK is £10,000.
Phreaking generates more revenue annually than credit card fraud. It is a global problem run by organised crime syndicates, linked to illegal drug distribution and terrorism. They employ highly skilled engineers who constantly look for new ways to circumvent measures the industry takes to stop them, and for these reasons it is worth looking again at how your business is protected.
The UK is the world’s third most targeted country for this type of fraud.
How Does it Happen?
Nearly always through voicemail. If the hackers can control a mailbox, they will reprogram it to forward all incoming calls straight out to an international revenue sharing number. Then all calls made to the direct number on that voicemail box will forward the calls out on your telephone lines, costing you money. The hackers can target the systems themselves, but that is much harder to gain access through as internal IT staff and system maintainers are generally more aware of security risks and prevention measures.
How Do I Know if I Have Been Hacked?
Normally outside of working hours, you may hear a handset ringing repetitively, perhaps the display showing a blocked or international number, but no voicemail being left. Each time the voicemail answers the call, hackers are running through password options to see if they can break into the mailbox. If you answer the call, the caller will hang up without talking, or you may just hear a series of beeps.
A concern would be that you may already be hacked, just not ‘switched on’ yet. Some Phreaking processes would chain a number of systems together, forwarding one system to another, with the last in the chain bearing the brunt of the costs. When that telephone system is discovered and closed down, the next telephone system picks up the international calls. This method makes the fraud harder to trace, and provides a constant revenue stream to the hackers. We have taken on a number of clients for maintenance and discovered they have already been hacked, the telephone system already exposed, waiting to bump up to the front of the queue.
Who is Liable for Costs Associated with Phreaking?
In the eyes of your line provider, calls made on your telephone lines are your responsibility and as such, you are liable for the debt. Insurance companies tend not to cover this type of fraud, though we certainly recommend asking them. The culprits are not traceable and the international numbers can’t be interrogated to find the financial beneficiary (organised crime will operate out of countries our laws cannot extend into). Your line provider will hold you responsible for the debt, as your line provider will in turn have the same liability to Openreach. This principle is supported by Ofcom.
What Measures Should We Take to Prevent This Happening?
Never leave a voicemail password as default. Some security conscious telephone system manufacturers force you to change the voicemail password on first use.
Keep your telephone system software level up to date. It comes with enhanced security features.
Update your IT security policy to include telephony. Consider changing voicemail passwords as often as you change desktop passwords. On staff leaving employment, change their voicemail password as you do with their desktop access password.
Ask your line provider what measures they employ to identify fraudulent activity on lines, such as checking the usage levels every 24 hours and looking at the usage/cost variance. If your line provider cannot provide this, please speak to us.
Consider moving to VoIP or SIP trunks for your primary line type. Some SIP trunk providers offer a maximum daily call spend and have the option of emailing alerts when reached, or blocking further calls that day. If your line provider cannot provide this, please speak with us.
Invest in a telephony firewall. These have the ability to disconnect external calls that could be considered fraudulent (for example, injecting a DNA into the incoming call and seeing if that same call then becomes an outbound call). They are very customisable and feature customer defined whitelists.
Be aware that no system can be considered 100% effective, even with a telephony firewall, but every business should take steps to minimise the risk.
If you are concerned about the security levels of your telephone system, please speak with one of our fraud specialists about how to maximise your protection.