Toll Fraud and Security: Why PBXs Get Hacked
Author: Kyle Wiedinger
Has this ever happened to you? You log into your PBX one morning and find failed login attempts from all corners of the world. If not, you are among the lucky, because sadly this is a common occurrence. In the best case, those failed attempts are only evidence that lax security practices let strangers probe your system, and the disruption is minimal. The worst case is far bleaker: the attackers got in, and fraudulent calls have added thousands of dollars of charges to your phone bill by the end of the month. This is known as toll fraud.
A multi-billion dollar a year illegal scheme, toll fraud funnels money primarily from small and medium-sized businesses to criminal organizations across the globe. While this type of fraud has proven difficult to stamp out, there are some proactive (and easy) steps you can take to protect yourself and your business from its devastating financial consequences.
Get in the mind of the hackers
Your first step in combating this form of fraud is to understand how the hackers benefit. Toll fraud is most frequently centered on International Premium Rate Numbers (IPRNs): international numbers that are billed on a per-minute basis. Think “call now and speak to X for $2/minute,” or something of the like. The high cost of terminating a call to one of these numbers is split between the terminating provider and the owner of the IPRN.
While these numbers have valid, legitimate uses, they are also the perfect launching pad for bad actors to rack up huge fees. The fraudsters first acquire an IPRN, then target vulnerable systems with the goal of pushing as many calls as possible through that number to generate revenue. Calls placed from your PBX are billed to you, and the fraudster collects the IPRN’s share. They are looking for low-hanging fruit: a PBX they can break into easily before moving on to the next one.
Employ cyber security practices
You don’t need to be a cyber security expert to take basic precautions that could save you or your customers thousands of dollars in fraudulent charges. It may seem like a no-brainer, but require strong login credentials: long, unique passwords for every extension, for the web management interface and for any SIP trunk, not just for the administrator account. Couple that with a limit on failed login attempts that results in the offending IP address being blacklisted, and you are well on your way to securing your PBX. The truth is that systems are most commonly compromised because of weak passwords or users who neglect to set security rules.
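The following is an added example, not code from the original post or from 3CX. It shows what “a limit on login attempts with a resulting blacklist” means in practice: a sliding-window count of failed SIP logins per source IP, run over a few constructed log lines. The log format, the thresholds and the sample addresses are assumptions made for the example; the regular expression must be adapted to whatever your PBX actually writes.

```python
"""Derive a blacklist of source IPs from failed SIP login attempts.

Added example, not code from the original post or from 3CX. The log
format is a constructed, generic one ("<ISO timestamp> auth-failed
user=<ext> src=<ip> ..."); adapt LOG_RE to the log your PBX writes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. 203.0.113.45 walks through extensions
# 1001-1005 in five seconds (a brute-force / enumeration pattern);
# 198.51.100.7 is a real user mistyping a password about once an hour.
SAMPLE_LOG = """\
2024-03-04T02:15:01Z auth-failed user=1001 src=203.0.113.45 reason=bad-password
2024-03-04T02:15:02Z auth-failed user=1002 src=203.0.113.45 reason=bad-password
2024-03-04T02:15:03Z auth-failed user=1003 src=203.0.113.45 reason=unknown-user
2024-03-04T02:15:04Z auth-failed user=1004 src=203.0.113.45 reason=unknown-user
2024-03-04T02:15:05Z auth-failed user=1005 src=203.0.113.45 reason=bad-password
2024-03-04T02:16:10Z auth-ok user=1001 src=198.51.100.7
2024-03-04T02:20:00Z auth-failed user=1001 src=198.51.100.7 reason=bad-password
2024-03-04T03:30:00Z auth-failed user=1001 src=198.51.100.7 reason=bad-password
2024-03-04T04:40:00Z auth-failed user=1001 src=198.51.100.7 reason=bad-password
2024-03-04T05:50:00Z auth-failed user=1001 src=198.51.100.7 reason=bad-password
2024-03-04T06:55:00Z auth-failed user=1001 src=198.51.100.7 reason=bad-password
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth-failed user=(?P<user>\S+) src=(?P<ip>[\d.]+)"
)


def parse_failures(lines):
    """Yield (timestamp, ip, user) for each failed-login line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["ip"], m["user"]


def find_brute_force(lines, max_failures=5, window_seconds=600):
    """Return {ip: time_banned} for every source that produced
    max_failures or more failed logins inside a sliding window.

    The window is what separates an attacker from a forgetful user:
    a user may fail several times over a day and never trip it, while
    a scanner trips it within seconds.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for ts, ip, _user in parse_failures(lines):
        if ip in banned:
            continue  # already listed; later lines add nothing
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= max_failures:
            banned[ip] = ts
    return banned


def blacklist_entries(banned, ban_for_hours=24):
    """Render the result as sorted (ip, expires_at) pairs, the shape a
    PBX or firewall blacklist with a temporary ban needs."""
    ban_for = timedelta(hours=ban_for_hours)
    return sorted((ip, ts + ban_for) for ip, ts in banned.items())


if __name__ == "__main__":
    hits = find_brute_force(SAMPLE_LOG.splitlines())
    for ip, expires in blacklist_entries(hits):
        print(f"block {ip} until {expires.isoformat()}")
```

With the default ten-minute window only the scanner is listed; widening the window to six hours would also catch the legitimate user, which is the trade-off to keep in mind when tuning the threshold on a real PBX.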
Institute country-specific restrictions on calls
If you are doing business domestically, there is no reason to allow your users to dial internationally. If sweeping international call restrictions aren’t practical for your business, consider blocking calls to countries that are toll fraud hotspots, and remember that the restriction has to cover every path a call can take out of the system, not just the handsets on people’s desks. Fortunately, 3CX, along with other PBXs, offers this functionality. 3CX also maintains a global blacklist that harvests the IPs of bad actors from all over the world and automatically adds them to your PBX blacklist.
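As an added example (not 3CX code or configuration), the logic behind such a restriction, written for a North American (+1) PBX that dials international numbers with the 011 prefix. It normalizes whatever was dialed into one canonical form before applying either a deny-by-default policy (only listed country codes may be called) or an allow-by-default policy that blocks specific destinations. The country codes and area codes in both policies are illustrative choices for this example, not a recommended list; the premium-rate and Caribbean +1 area codes are included because they are billed as premium or international calls even though they share the domestic country code.

```python
"""Outbound dialing policy: country-code restrictions and premium-rate
blocking, checked before a call is routed.

Added example, not 3CX code or configuration. It models the decision
an outbound rule makes on a North American (+1) PBX that dials
international numbers with the 011 prefix. The country codes and area
codes in the two policies below are illustrative choices for the
example, not a recommended list.
"""
import re

# Business that only calls the US/Canada and the UK: deny by default.
DOMESTIC_POLICY = {
    "allow_cc": {"1", "44"},
    # Blocked even though they sit inside an allowed country code:
    # 900 is the NANP premium-rate service code, and the others are
    # Caribbean area codes that share +1 but bill as international
    # calls. Illustrative subset, not a complete list.
    "block_nanp_area": {"900", "809", "829", "849", "876", "868", "246"},
}

# Business that must call most of the world: allow by default and block
# specific destinations. 870/881/882/883 are non-geographic satellite
# and international-network codes with very high per-minute rates;
# add geographic codes based on your own call-detail records.
HOTSPOT_POLICY = {
    "allow_cc": None,  # None means any country code is acceptable
    "block_cc": {"870", "881", "882", "883"},
    "block_nanp_area": {"900", "809", "829", "849", "876", "868", "246"},
}


def normalize(dialed, intl_prefix="011", home_cc="1"):
    """Reduce what the user dialed to E.164 digits without the '+'.

    Attackers try every format a dial plan might accept, so the policy
    must see one canonical form, not the raw keypad string.
    """
    digits = re.sub(r"[^\d+]", "", dialed)  # drop spaces, dashes, parens
    if digits.startswith("+"):
        return digits[1:]
    if digits.startswith(intl_prefix):
        return digits[len(intl_prefix):]
    if len(digits) == 11 and digits.startswith(home_cc):
        return digits  # 1 + ten-digit national number
    return home_cc + digits  # ten-digit national number


def check_outbound(dialed, policy=DOMESTIC_POLICY):
    """Return ("allow" | "block", reason) for a dialed string."""
    num = normalize(dialed)
    if not num.isdigit():
        return "block", "malformed number"
    # +1 destinations that must never be reached, whichever policy applies.
    if num.startswith("1") and num[1:4] in policy["block_nanp_area"]:
        return "block", f"+1 {num[1:4]} is a blocked area code"
    if policy["allow_cc"] is None:
        for n in (3, 2, 1):  # country codes are 1-3 digits; longest first
            if num[:n] in policy["block_cc"]:
                return "block", f"country code +{num[:n]} is blocked"
        return "allow", f"+{num}"
    for n in (3, 2, 1):
        if num[:n] in policy["allow_cc"]:
            return "allow", f"+{num}"
    return "block", "destination country is not on the allow list"


if __name__ == "__main__":
    # Constructed dial strings in the formats a user (or attacker) might try.
    for dialed in ("(212) 555-0100", "1-809-555-0100", "011 44 20 7946 0958",
                   "011 49 30 1234567", "+882 16 1234 5678", "1-900-555-0199"):
        print(dialed, "->", check_outbound(dialed), check_outbound(dialed, HOTSPOT_POLICY))
```

The point of the normalization step is that a rule matching only on a leading “011” is easy to bypass with a “+” or a different prefix the trunk happens to accept; whatever form the PBX’s outbound rules use, the check should run on the canonical number.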
I would be remiss if I didn’t mention another noteworthy form of fraud: Wangiri. We’ve all been on the receiving end of this one, a call from an unknown number that hangs up as soon as the phone rings. The fraudster is likely calling from an IPRN in the hope that you’ll call back. What’s in it for them? Your callback generates revenue for the owner of the IPRN, in the same way that traditional toll fraud does. The good news is that this one is very easy to combat: don’t return calls to unknown numbers, or you might find yourself on the wrong side of a large phone bill.
PBX fraud does happen, but you are not powerless to stop it. With some simple security rules, blacklist functionality and common sense, you’ve got this covered.
For more information on preventing fraud, talk to one of our team members today.