CINAA / ACAIR

The purpose of the CINAA Web site is to provide you with information to protect you from telecommunications fraud. Anyone can be a victim of telecommunications fraud. The information contained here can protect you. The CINAA Web site is sponsored by Bell Canada.

Protect your PBX and Voice-Mail Systems
Businesses having PBX or voice-mail systems at their premises need to protect themselves from long-distance fraud. Businesses are generally liable for all calls which originate or pass through their systems, even if those calls are fraudulently placed by other parties. When such fraud does occur, the cost to the business can be substantial.

The risk of toll fraud cannot be completely eliminated, but businesses can take the following steps to greatly reduce their risk:

Understand how criminals commit toll fraud through PBX and voice mail systems.
Secure your system against toll fraud.
Understand the signs of toll fraud.
Have a plan in the event that toll fraud occurs.

Understand how criminals commit toll fraud through PBX and voice mail systems:

Some of the criminals' methods are as follows:

They go through your trash searching for access and authorization codes.
They use your company's internal telephone directory to contact your employees. Posing as the company's telecom manager or as a telephone company employee, they might request authorization codes, system configurations, etc., or they might convince your switchboard operator or receptionist to place long distance calls for them.
They might gain access through your Direct Inward System Access (DISA) ports.
They might use remote access and maintenance ports to reconfigure your PBX or voice-mail system.
They might gain access through your 1-800 numbers, so you pay for their incoming as well as their outgoing calls.
They might gain access through your voice-mail system.
Once they have accessed the system, they place outgoing calls which are billed to your company. They may also use your tie trunks to reach other cities.
They may take over your voice-mail system for use in other illegal operations (drug dealing, prostitution, etc.).
Secure your system against toll fraud:
System configuration:
Depending on company requirements, consider:
1. Blocking toll calls after regular business hours,
2. Blocking or restricting overseas calls at all times,
3. Restricting call forwarding to local calls only.
Delete inactive voice mailboxes and inactive telephone extensions. Disconnect modems when not in use.
Configure the system to generate alarms for suspicious activity (numerous invalid access attempts, unusually large volume of overseas calls, etc.).
Block remote access to maintenance ports and system administration ports.
Voice-mail systems that allow callers to transfer to other extensions should be configured to prevent callers from reaching outside lines or tie trunks.
Block three-way calling on lines associated with modem ports.
Password and Access Control (to voice mail, DISA ports, maintenance ports, etc.):
Change all factory default passwords at the time of installation.
Use at least 6 to 8 digits in access codes, passwords, etc. Prohibit trivial passwords such as 666666 or 654321. Use maximum length passwords for system management and maintenance ports.
Initiate password changes regularly, either by configuring the system to force password changes, or by requiring employees to initiate password changes at regular intervals.
Each user should be assigned a unique access code. DISA port access codes should be non-consecutive.
When an employee leaves the company, immediately block further use of their access codes. Do not reassign their codes to new employees.
Establish security procedures for lost, stolen or compromised access codes.
Configure dial-in ports to disconnect callers when invalid access codes are entered.
After a predefined number of invalid attempts to access a specific voice mailbox, disable the password.
Route invalid DISA access attempts to your switchboard operator. Program DISA ports to automatically disable after a predefined number of consecutive invalid attempts.
Program DISA ports to answer with delay (after 4 to 6 rings), and to answer with silence (hackers look for lines which answer with a steady tone).
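The password and access-code rules above can be checked mechanically before a batch of codes is loaded into the switch. The following is an added example (not from the CINAA page or from Bell Canada) that encodes those rules in Python: minimum length of 6 digits, rejection of trivial patterns such as 666666 or 654321, one unique code per user, and no two DISA codes that are consecutive numbers. The 8-digit cap on user codes, the "straight run up or down" test for trivial patterns, and the integer-difference test for consecutive codes are assumptions about what the page's wording means.

```python
"""Policy checks for PBX / voice-mail / DISA access codes.

Added example, not part of the CINAA page. MIN_LEN comes from the page's
"at least 6 to 8 digits"; MAX_LEN and the pattern tests are assumptions.
"""

MIN_LEN = 6   # page: "at least 6 to 8 digits"
MAX_LEN = 8   # assumption: cap ordinary user codes here; maintenance ports use the system maximum


def is_trivial(code: str) -> bool:
    """Reject patterns the page calls trivial: a single repeated digit (666666)
    or a straight run up or down (123456, 654321)."""
    if len(set(code)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def check_code(code: str) -> list[str]:
    """Return the list of policy violations for one access code (empty list = acceptable)."""
    problems = []
    if not code.isdigit():
        problems.append("not all digits")
        return problems
    if len(code) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} digits")
    if len(code) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} digits")
    if is_trivial(code):
        problems.append("trivial pattern (repeated or sequential digits)")
    return problems


def check_disa_codes(codes: list[str]) -> dict[str, list[str]]:
    """Check a batch of DISA codes: each must pass check_code, appear only once
    (one unique code per user), and no two codes may be consecutive integers."""
    report = {c: check_code(c) for c in codes}
    seen = set()
    for c in codes:
        if c in seen:
            report[c].append("duplicate code (each user needs a unique code)")
        seen.add(c)
    # Sort numerically and compare neighbours; a difference of exactly 1 means consecutive.
    numeric = sorted((int(c), c) for c in codes if c.isdigit())
    for (a, code_a), (b, code_b) in zip(numeric, numeric[1:]):
        if b - a == 1:
            report[code_b].append(f"consecutive with {code_a}")
    return report


if __name__ == "__main__":
    # Constructed sample batch, not real codes.
    for code, problems in check_disa_codes(["482917", "482918", "666666", "7391", "730265", "730265"]).items():
        print(code, "OK" if not problems else "; ".join(problems))
```

Run the checker over the proposed code list whenever codes are issued or rotated; anything it reports should be regenerated before the list reaches the switch.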
Security Issues:
Secure telephone equipment rooms and wiring frames and limit access to authorized personnel.
Require positive ID checks from suppliers and maintenance personnel. Keep a log of anyone provided access to the equipment.
Regularly review call detail records, billing records and voice mail reports for irregularities.
Treat call detail reports, system documents (manuals, configuration records, etc.) and internal telephone directories as restricted information.
Advise employees of the risk that criminals will attempt to con them to obtain confidential information, or to gain access to outside lines.
Establish security procedures, train employees, and require compliance.
Understand the signs of toll fraud:
Sudden changes in normal calling patterns,
Incoming 1-800 / 1-888 lines or outgoing lines are busier than can be explained,
Increase in calls to "wrong numbers" or calls where the caller just hangs up,
Increase in crank calls or obscene calls,
Increase in traffic outside of normal business hours,
Increase in calls to destinations of interest to hackers - overseas destinations, 900 and 976 numbers, etc.,
Sharp increase in foreign language callers (associated with overseas calling),
Calls of unusually long duration,
Unexplained changes in system software parameters,
Changes to voicemail greetings, or users unable to access their voicemail,
Toll calls from voice mail boxes or unused extensions.
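Several of the signs above, and the alarm conditions mentioned under system configuration (numerous invalid access attempts, unusually large volumes of overseas calls), can be spotted by reviewing call detail records automatically rather than by eye. The following is an added example, not from the CINAA page or Bell Canada, that reads a constructed CDR extract and flags the records matching those signs: overseas and 900/976 destinations, traffic outside business hours, unusually long calls, calls from voice mailboxes or unused extensions, and a burst of invalid access codes on a DISA port. The CSV layout, the North American dialling conventions used to classify destinations, the business-hours window and all thresholds are assumptions for the example; real switches export CDRs in their own formats.

```python
"""Review of call detail records (CDRs) for the toll-fraud signs listed on this page.

Added example, not part of the CINAA page. Field layout, thresholds and the
destination classification are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR extract (not real traffic): one call per line.
# Fields: timestamp, originating extension or port, dialled digits, duration in seconds, result.
SAMPLE_CDR = """\
timestamp,extension,dialled,seconds,result
2000-11-15 09:12:03,2201,4165550123,184,completed
2000-11-15 10:45:40,2207,8005550177,61,completed
2000-11-15 23:51:12,2290,01144207946000,2710,completed
2000-11-16 00:04:55,2290,01144207946000,3740,completed
2000-11-16 00:10:02,VM-2316,9005550199,905,completed
2000-11-16 00:10:30,DISA,,0,invalid-code
2000-11-16 00:10:41,DISA,,0,invalid-code
2000-11-16 00:10:52,DISA,,0,invalid-code
2000-11-16 00:11:05,DISA,,0,invalid-code
2000-11-16 14:20:00,2201,6135550100,420,completed
"""

# All thresholds below are assumptions for the example, not values from the page.
BUSINESS_HOURS = range(8, 18)        # 08:00 to 17:59 counts as regular business hours
LONG_CALL_SECONDS = 3600             # anything over an hour is "unusually long"
INVALID_ATTEMPT_LIMIT = 3            # alarm once a port has seen this many invalid codes
UNUSED_EXTENSIONS = {"2290"}         # constructed: an extension left active after its user left


def classify_destination(dialled: str) -> str:
    """Classify dialled digits by North American dialling convention (assumed):
    011 prefix = overseas; 900/976, with or without a leading 1, = premium rate."""
    if dialled.startswith("011"):
        return "overseas"
    if dialled[:3] in ("900", "976") or dialled[:4] in ("1900", "1976"):
        return "premium"
    return "other"


def review_cdr(text: str) -> list[dict]:
    """Return one finding per record that shows a warning sign from the page, followed by
    one finding per dial-in port whose invalid-code count reached the alarm limit."""
    findings = []
    invalid_by_port = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        ext, dialled, seconds = row["extension"], row["dialled"], int(row["seconds"])
        if row["result"] == "invalid-code":
            invalid_by_port[ext] += 1                         # "numerous invalid access attempts"
            continue
        reasons = []
        dest = classify_destination(dialled)
        if dest != "other":
            reasons.append(f"{dest} destination")             # overseas, 900 and 976 numbers
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")          # traffic after hours
        if seconds > LONG_CALL_SECONDS:
            reasons.append("unusually long call")             # calls of unusually long duration
        if ext.startswith("VM-") or ext in UNUSED_EXTENSIONS:
            reasons.append("from voice mailbox or unused extension")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "extension": ext,
                             "dialled": dialled, "reasons": reasons})
    for port, count in invalid_by_port.items():
        if count >= INVALID_ATTEMPT_LIMIT:
            findings.append({"timestamp": None, "extension": port, "dialled": "",
                             "reasons": [f"{count} invalid access codes"]})
    return findings


if __name__ == "__main__":
    for f in review_cdr(SAMPLE_CDR):
        print(f"{f['timestamp'] or 'summary':20} {f['extension']:8} {f['dialled']:15} "
              + "; ".join(f["reasons"]))
```

On the constructed sample the review flags the two late-night overseas calls from the departed user's extension, the premium-rate call placed from a voice mailbox, and the four consecutive invalid codes on the DISA port; the daytime domestic calls pass. Each flagged record is a starting point for the manual review the page recommends, not proof of fraud.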
Have a plan in the event that toll fraud occurs:
No measures are 100% effective. Companies should never assume that it would be impossible for thieves to commit toll fraud through their PBX or voice mail system.

Companies should establish emergency procedures to be followed in the event of toll fraud or suspicion of toll fraud. These procedures should be in place before a fraud situation arises so time isn't wasted deciding what to do while thieves rack up charges against your long distance bill. Planning ahead also results in more informed and appropriate decisions.

Emergency procedures might include the following:
Shut down the PBX or voice-mail system immediately.
Change all passwords.
Immediately report the problem to your telephone company and your equipment supplier.
Advise all staff of the situation.
Call the police. Although some firms prefer not to refer these problems to police for fear of negative publicity, prosecutions do provide a great deterrent to thieves.
Gather evidence.

Web site last updated November 17, 2000 - all rights reserved.