This week is International Fraud Awareness Week, which presents a good time to share a reminder about telecom fraud and how to safeguard business operations. The holiday season, and November in particular, sees some of the highest numbers of telecom fraud reports.
For many, the holidays are a time for relaxation and taking time off from work. However, with fewer people in the office to monitor phone lines and network activity, the holiday season is also the opportune time for fraudsters to strike.
The financial impact of telecom fraud is overwhelming. According to a global survey of telecom fraud loss conducted by the Communications Fraud Control Association, telecom fraud can cost organizations and carriers in the industry more than $29.2 billion a year.
In addition to the immediate economic impact telecom fraud can have on a business, these companies are also at risk of falling victim to the aftermath of security breaches including damage to customer relationships and company reputation. The combination of the financial and loyalty losses can put some companies out of business.
With the threat of telecom fraud looming, it is important for business decision makers to know how to detect and stop fraud before it occurs. Below are five common types of telecom fraud professionals should be wary of before leaving the office on holiday, as well as all year round.
- Premium route fraud. In this type of telecom fraud, scammers develop specially designed scripts and monitor an enterprise’s telecom system for open ports to hack into. They then redirect calls initiated from within the PBX-controlled network to a premium route or to numbers controlled by the attacker. In many cases, these routes are to international destinations or numbers that do not have designated fees or “rate decks.” Further, hackers usually attack after hours or when they know people will be out of the office, to prolong the duration of the calls and increase the revenue they can gain from their attack.
- Identity fraud and caller ID spoofing. Here, hackers impersonate a business or individual and misattribute calls from their account. This fraud is also called caller ID spoofing, which can make it look like the hacker is calling from a victim’s bank, a government office, a local number or a reputable private company. Identity fraud also includes voicemail hacking. Another subset of caller ID spoofing and identity fraud is robocalling, which occurs when a computerized auto dialer delivers a pre-recorded message, often under the guise of a false identity. Victims can be tricked into providing credit card information or additional personal information to the hacker.
- Inbound toll-free abuse or fraud. This fraud occurs when hackers place a call and then play unrecognizable audio on the line, forcing the call recipient to stay on the line longer while they try to understand the caller, which extends the call length and the resulting costs.
- Black/grey routes. In this type of fraud, fraudsters steal and resell SIP trunking accounts to provide inexpensive calls to specific countries or destinations with strict route laws. The black and grey labels refer to the legality of a route or call between a source and the destination: black routes are illegal on both ends, whereas grey routes are legal for one country but illegal on the receiving or alternative end.
- Subscription fraud. Like identity fraud, under subscription fraud hackers gain control of a customer’s billing relationship with a carrier. The hacker can then create new subscriptions or make purchases on a user’s account. Often, the victim will get locked out of their account because the hacker changes the password and security settings to obtain total control.
How businesses can safeguard against telecom fraud
With such a diverse range of fraud schemes at their disposal, hackers may appear to have the advantage. However, businesses can avoid falling victim to attacks such as these by working closely with their carriers and communication service providers to quickly detect and stop threats before they can deliver serious damage.
Here are four simple but effective best practices to ensure the best protection.
- Conduct an annual security audit. If a business operates one or more PBX systems on public IP addresses, it’s critical to conduct an annual security audit of the system(s) to ensure that fraud controls are still aligned with traffic patterns. These check-ins are imperative to protect the account(s) from fraudsters roaming the web looking for easy targets.
- Set and define calling parameters. This includes setting a maximum default rate for outbound calls and creating call limits in a destination whitelist – to further avoid the grey and black route fraud. By setting a maximum outbound rate, the business has total control to block any calls that try to connect to a destination outside of the approved parameters. These parameters may differ for every company and can be altered as calling needs and traffic patterns change. The destination whitelist acts as an exception to the rulebook, explicitly defining the destinations that can be called, regardless of predefined outbound rates. Defining countries on this list will set security parameters that prevent charges from accruing if there is a breach or the network is hacked.
- Enable IP-based authentication for outbound calls. If a company’s phone system has a static IP address, consider setting up verification filters for outbound calls to further secure the account. This will restrict access to telephony resources to internal IP addresses, allowing only people with the correct authorization to place calls or send messages on the network. If the network requires multiple mobile users logging on from dynamic IP addresses, consider creating a blacklist of IP addresses that have been identified as potential hackers.
- Deactivate unused mailboxes, extensions and calling features not in use. Ever heard the phrase “out of sight, out of mind”? Hackers certainly have, and they use ignored accounts to their advantage. Be sure that the email addresses and tools in place are being used. If they aren’t in use, consider them a red target and get rid of them to avoid potential liabilities.
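The calling parameters and IP-based authentication described above can be combined into a single outbound-call check. The following is an added example, not part of the original article or any carrier's product: the rate deck, maximum rate, whitelist, network range and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample rate deck: dialing prefix -> per-minute rate (not real carrier rates).
RATE_DECK = {"1": 0.01, "44": 0.02, "4470": 0.35, "53": 0.90, "881": 4.50}
MAX_RATE = 0.10           # maximum default rate for outbound calls (assumed value)
DEST_WHITELIST = {"53"}   # destinations callable regardless of the maximum rate
# Static addresses of the company phone system (documentation range, assumed).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]


def lookup_rate(digits):
    """Longest-prefix match of the dialed digits against the rate deck."""
    for n in range(len(digits), 0, -1):
        if digits[:n] in RATE_DECK:
            return digits[:n], RATE_DECK[digits[:n]]
    return None, None  # destination has no rate deck entry


def authorize_call(src_ip, number):
    """Return (allowed, reason) for one outbound call attempt."""
    # IP-based authentication: only the known static addresses may place calls.
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source IP not authorized"
    digits = number.lstrip("+")
    # The whitelist is the explicit exception to the maximum rate.
    if any(digits.startswith(p) for p in DEST_WHITELIST):
        return True, "whitelisted destination"
    prefix, rate = lookup_rate(digits)
    # Fail closed on destinations without a designated rate.
    if prefix is None:
        return False, "no rate deck entry"
    if rate > MAX_RATE:
        return False, "rate exceeds maximum"
    return True, "within maximum rate"


if __name__ == "__main__":
    # Constructed call attempts: (source IP, dialed number).
    attempts = [
        ("203.0.113.5", "+14155550100"),
        ("203.0.113.5", "+447012345678"),
        ("203.0.113.5", "+5371234567"),
        ("203.0.113.5", "+99912345"),
        ("198.51.100.9", "+14155550100"),
    ]
    for src, num in attempts:
        print(src, num, authorize_call(src, num))
```

The longest-prefix lookup matters because an expensive range can sit inside an otherwise cheap country code, as the constructed `4470` entry under `44` shows.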
As we approach this holiday season, businesses should be proactive in taking a multi-layered approach to protecting against fraudulent telecom activity.
Being proactive and vigilant in the fight against telecom fraud will help protect and secure a company’s ability to keep day-to-day operations running smoothly, while also keeping customer relationships and corporate reputation intact in the long term.