Call Analytics & Reporting – How to Prevent and Detect Toll Fraud

At double the global net worth of credit card fraud, toll fraud is a major security issue for VoIP systems

Published: May 11, 2017

Ian Taylor Editor

Toll fraud is a critically overlooked area of cybercrime. While the likes of hacking, phishing and malware attacks enjoy a high profile, and are front of mind for network security in business, there often seems to be a lack of recognition that toll fraud nowadays even counts as cybercrime.

With the evolution of VoIP and then UC, however, communications systems have increasingly converged with IT and data networks. Nowadays, internet protocol in particular is used for everything from reading the news to sending emails, making purchases to making telephone calls. All of these activities share the benefits IP offers of low cost, flexibility and convenience. But they also share the same vulnerability: the highwaymen of the information highway, who use the accessibility of IP to steal money and information from users.

Toll fraud used to be mainly targeted at telephone service providers. Pre-IP hackers, or ‘phreakers’, would trick public exchanges into making expensive long distance calls at cheap or toll-free local rates by mimicking the dial tones used to route calls. They would then sell this service to people who wanted to make long distance or international calls, charging less than what the service providers made, but still making a tidy profit.

Nowadays, any VoIP system is a target. The objective is essentially to hack into a company’s phone system and use it to place unsolicited calls, again usually of the long-distance and expensive variety. These calls are then sold as a service. Typical methods of hacking a VoIP system include:

  • Using SIP scripts to gain access through an open port, which then launch an authentication attack, making repeated high tariff calls automatically on a cycle.
  • Back door entry hacks through a user’s voicemail, often simply by guessing or breaking the PIN code. Once compromised, a VoIP extension can be used at will by the hackers.
  • Listening in on wireless communications to capture authentication information for softphones. With these details, hackers can recreate the softphones and put them to their own uses.

The problem with VoIP toll fraud is that, once a single extension has been hacked, it can easily be used to replicate extra channels, so fraudulent use multiplies rapidly. Huge bills can be run up very quickly, and the criminals can also access sensitive information, such as contact directories and personal or customer details left on recorded calls.

So prevalent is the problem that, compared to the $2.4bn global credit card fraud racks up each year, toll fraud accounts for $4.96bn.

So, what can be done to minimise the risk? Here are five steps to take to reduce your exposure to toll fraud.

1.    Integrate Communications with IT Security

Given the prevalence of IP-based communications, phone security really should fall under the remit of your IT network security. Review your digital security policy and if it does not already do so, amend it to cover your VoIP and UC systems, with specific attention to data protection and toll fraud.

2.    Review Access Protocols

How do users get onto the phone system and access features such as voicemail and so on? What is your company’s policy on password renewal? Has everyone updated passwords from the defaults that were given out when the system was installed? Cybercriminals look for weak entry point security as the first way into any digital network, so put them off by strengthening your protocols.

3.    Restrict Class of Service

This is a simple one – if your company does not need to make international calls, block them, or at least set up an extra layer of access authentication to protect the service. Speak to your VoIP provider to ask if this can be done on the system you are using.

4.    Don’t Rely on Standard Security Layers

Features like Session Border Controllers, media gateways and VLAN are often talked up as providing the levels of security you need for a VoIP system. However, they do little to protect against application-level vulnerabilities, so cannot be relied upon as a done deal. Enhanced protection is a matter for your digital security policy, and something to take up with your vendor or service provider.

5.    Use a Call Analytics Platform with Fraud Detection

Many call reporting platforms, such as Tollring’s iCall Suite, use call activity modelling to pick up on unusual patterns and flag up concerns. These systems will pick up on calls made out of office hours and to high tariff destinations not usually called, giving a business rapid insight to act on quickly.
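To make the idea of call activity modelling concrete, the following is an added example, not code from iCall Suite or any vendor. It builds a per-extension baseline from earlier call records and flags later calls that fall outside office hours or reach a high-tariff prefix the extension has not dialled before. The record layout, office hours, prefix list and baseline date are all assumptions made for the illustration.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample call records (not real data): start, extension, dialled number, seconds.
SAMPLE_CDRS = """\
2017-05-08T10:15:00,201,+442079460001,180
2017-05-09T09:05:00,202,+33155550100,300
2017-05-09T11:30:00,202,+442079460003,60
2017-05-13T02:11:00,201,+8825550001,1500
2017-05-13T02:12:00,201,+8825550002,1480
2017-05-13T02:13:00,201,+8825550003,1510
2017-05-15T19:45:00,202,+442079460003,120
"""

# Assumed policy values; take the real ones from your rota and carrier rate card.
OFFICE_DAYS = range(0, 5)                 # Monday to Friday
OFFICE_HOURS = range(8, 18)               # 08:00 to 17:59
HIGH_TARIFF_PREFIXES = ("+881", "+882")   # illustrative list only
BASELINE_END = datetime(2017, 5, 12)      # earlier records form the "usual" model

def parse(text):
    for row in csv.reader(StringIO(text)):
        if row:  # skip blank lines
            yield datetime.fromisoformat(row[0]), row[1], row[2], int(row[3])

def tariff_prefix(dest):
    return next((p for p in HIGH_TARIFF_PREFIXES if dest.startswith(p)), None)

def out_of_hours(ts):
    return ts.weekday() not in OFFICE_DAYS or ts.hour not in OFFICE_HOURS

def detect(text):
    """Flag post-baseline calls that are out of hours or hit an unusual high-tariff prefix."""
    calls = list(parse(text))
    usual = {(ext, tariff_prefix(dest)) for ts, ext, dest, _ in calls if ts < BASELINE_END}
    alerts = []
    for ts, ext, dest, _ in calls:
        if ts < BASELINE_END:
            continue
        reasons = []
        if out_of_hours(ts):
            reasons.append("out-of-hours")
        prefix = tariff_prefix(dest)
        if prefix and (ext, prefix) not in usual:
            reasons.append("unusual-high-tariff")
        if reasons:
            alerts.append((ts.isoformat(), ext, dest, reasons))
    return alerts
```

On the sample records, `detect(SAMPLE_CDRS)` flags the three Saturday-night calls from extension 201 for both reasons and the Monday evening call from extension 202 as out-of-hours only.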
