Fraud is nothing new, but the advent of cloud communications technology has escalated the possibilities and the risk to your bottom line. I have literally received email spam from… myself! In particular, fraudsters like to target all things telecom, with toll fraud – also known as VoIP fraud – being one of the most common.
According to the Communications Fraud Control Association (CFCA), telecom fraud of all types was estimated to be nearly $40B in 2021 and it continues to increase. Much of this loss is absorbed by individual companies and consumers. In the case of toll fraud, it’s the companies whose systems are compromised that must pay the price.
So what is toll fraud, and how can you protect yourself?
What is Toll Fraud?
Toll fraud involves using someone else’s phone equipment or service to place long distance calls, typically internationally, to premium rate numbers (such as 900 numbers in the U.S.). This could be employees, cleaning crews, or other off-hours personnel making personal calls, but the bigger financial hit is from black hat hackers who automate the process.
Thieves may monitor your calling activity for a couple of weeks, using software to look for weak spots and finding your calling patterns. Then they make a bunch of rapid, concurrent outbound calls from your numbers at a time when you’re least likely to notice, most likely late at night, on a weekend, or a holiday. These calls are routed through dubious carriers in specific U.S. states or countries who split the profit with the thief.
The targets can be either VoIP or PBX systems. The hackers and the carriers are usually in places with lax telecommunications laws, language barriers, and uncertain cross-border regulations. Just a few we’ve seen frequently are Somalia, Lithuania, Zimbabwe, and the Caribbean, among others. It’s quick and easy work with few repercussions.
Due to the number of carriers and variety of routes a call can take, carriers have strict agreements to enforce payment. Providers will tell you up front that you are liable. And unfortunately, many companies don’t know they’ve been hacked till they get their phone bill – at which point, you may have spent thousands.
What Can You Do to Stop Them?
So what’s a company to do? Fortunately, there are multiple ways to stop hackers in their tracks.
1. Ensure that security is as tight as possible. Use complex passwords, change them frequently (never leave the default password!), and limit access. Have a security plan, and educate your employees about best practices. While these seem obvious, these are common ways in which hackers find vulnerabilities. And, make sure you have a SIP firewall in place.
Use traffic authentication. Hackers can often steal userids and passwords relatively easily. When you use IP authentication, however, they can fake an IP address one way but not both; so if the fraudulent IP server sends something out, the response will go to the real IP server and raise a flag.
2. Utilize a program like Bicom’s sipPROT that monitors your calling 24/7, dynamically blocking and unblocking IP addresses when they come under attack. If you are a SaaS company, these programs can also be part of your value prop, as can a good provider that monitors your calling patterns.
3. Call blocking by location, rate, and/or time of day:
- Set up a geographically-based block, allowing you to stop calls to places where you don’t do business and there are high rates of fraud. Blocks can be very granular by country, region, state, rate center, NPA (area code) & NXX, and with some providers such as Commio, you can block or unblock in real-time.
- Additionally, fraudsters use higher rate areas for maximum revenue but you can block calls by rate in several ways, such as per minute per segment.
- You can also block calls by the time of day. If you’re a 9-5 company, for example, no one needs to be dialing out in the middle of the night and probably not on weekends.
4. Create notifications to stay on top of your call spend and where it’s going. These can be soft or hard limits; with the former, for example, the system will keep you updated on how your daily spend is going; with the latter, you can determine your maximum spend, get notified when it’s exhausted, and see where the calls are going.
5. If your telephony system isn’t completely VoIP, switch it over. While it might seem logical that a VoIP system would be more vulnerable, due to its greater connectivity, PBX systems are typically easier to hack due to the older technology.
6. Answering systems offer hackers several ways in. If your company uses an auto attendant to answer the phone and direct traffic via an automated menu, hackers will look for unassigned numbers or test the star key (*) and hashtag (#). Frequently these options will provide a back door into the system. Instead, set these up to replay the menu or hang up.
Similarly, voice mail systems can be hacked and serve as an entry point. Hackers will focus on unused mailboxes to avoid detection, so remove unused boxes and delete boxes when an employee leaves.
7. If you provide a SaaS platform, don’t give customers more than they need, such as international calling capabilities when business is local. And, ensure that your customer agreements strictly limit your liability; if you can’t control all aspects of their security, you shouldn’t carry the risks.
How Can Your Provider Help?
A provider isn’t liable, but they’re certainly invested in customer satisfaction and success. It should be in a provider’s best interest to keep your communications safe from fraud. For example, Commio’s intelligent call routing (LCR) is architected to minimize risk, and we monitor traffic around the clock for anomalies, shutting off service when fraud is detected. We also provide tools to help you create blocks to shut down fraud.
Before you choose a provider for your cloud communications, talk to them about security. How do they handle it? What protections do they have in place? How can they advise you? And what’s your liability?
Toll fraud is lucrative so it won’t stop any time soon. Even as technology advances and closes the security holes, hackers are already looking for new ways in. Stay up to date on the latest advancements, and work with your provider – we’re here to help. Hackers won’t go away, but with a little vigilance you can minimize or even avoid the damage.