Is Your Business A Target For Toll Fraud?
Your monthly business phone bill comes in the mail. As soon as you open it you realize something is up. While unfolding the bill you pull apart a six-page list of long distance calls to toll numbers from all over the world. You find a total at the end of a laundry list of charges: your company owes $19,470. And you don’t know why.
Toll Fraud is one of the most common and costly security threats for businesses with an On-Premise VOIP network on a shared high-speed Internet.
It works like this: hackers hijack your phone system to repeatedly call long distance toll numbers that charge by the minute. The owner of the long distance number - usually the hacker or an affiliate - charges your company for using the toll line.
These fraudulent calls are sometimes made gradually to accumulate money over a long period of time or they’re placed rapidly to make as much money as possible in one shot. Most instances of toll fraud involve an offshore toll-number, making it hard to identify exactly who is involved.
The most vulnerable targets remain small-medium size businesses that are new to managing their own VOIP. They either don’t have the IT experience and staff to properly secure and maintain the network, or they’re unaware of the risks altogether having recently switched from a landline system. Whatever the reason, many networks are consistently left unprotected. By the time most companies realize that something is wrong with their phone expenses, it’s too late—the network security has been compromised.
How to minimize the risk of Toll Fraud.
As the VOIP industry grows so will the incentive for hackers. While providers are always working on improving security, internal company standards will still play a role in the performance of an On-Premise VOIP. In fact, the most valuable security measures are the standard practices of deploying and managing an internal VOIP network.
Fraudsters often gain access to a network through one of the following mistakes:
- Use of default or generic passwords
- Use of default firewalls
- Weak or no encryption
‘Out-of-the-box’ installation and configuration using default settings is an invitation to intruders. Network security must be planned out like every other aspect of your voice and data communications.
Start with General Network Security
This is a big problem for a small-to-medium sized business that implements their VOIP without a strong IT staff. An out-of-the-box VOIP system will not be properly configured to resist various attacks. Stateful firewalls and secure ISPs are necessary for preventing toll fraud and many other threats. Networks should also be segmented to limit the damage of any one security breach.
Virtual Private Networks (VPN) and Dedicated Internet Access (DIA) also dramatically limit the opportunities for hackers. Your data is vulnerable on the public access high-speed Internet and shared networks, providing multiple weak points in your security.
Updates are really important for general security. Out of date software, hardware and applications can present an easy hole into your system. Frequently check for updates and use them, especially if they outline new security features.
Encryption & Passwords
Many VOIP hacks take advantage of how frustrating it can be to implement and manage an encryption policy. When companies opt out of a strong and systematic encryption, hackers get in easier. Both internal and external communications should be encrypted so that any sensitive or critical information is difficult to intercept and use.
Careless passwords are another easy way for hackers to get in. Companies should have a business-wide standard for passwords to prevent employees or network technicians from choosing something insecure. Employees should have to create 6-10 digit passwords, avoiding obvious combinations or words (eg. ‘12345678,’ or their last name, company name or office number). Also, request (or demand) that employees change their passwords once every couple of months. System administrators should do the same.
Call Blocking & Monitoring
A good strategy to prevent toll fraud is to understand and predict fraud trends. One approach is to block calls to and from certain countries and numbers that are associated with toll fraud. In most cases, this will reduce the chance of fraud without interfering with regular phone operations. Your company’s call patterns should be clear after a month or two of operations. With this information, you can actively compare your call data over time to make sure your billing is regular. Look for irregular figures including after hour, overnight and long distance calls.
Improperly secured on-premise networks are susceptible to everything from harmless ‘hobbyist’ hackers to sophisticated and monetized schemes. Moving your voice communications to the Internet poses new problems and responsibilities that have to be approached internally. Compared to mission-critical operations and productivity functions, It’s easy to overlook security and too often only becomes a priority once the damage has been done.