
Tis the season to get your PBX hacked. Get wise about preventing PBX fraud.

Long holiday breaks are prime time for criminals carrying out PBX fraud. Many businesses close down for up to a week over Christmas, which gives fraudsters plenty of time to hack into a PBX and run up huge telephone call bills that they hope won’t be discovered and stopped until the New Year.

The typical way PBX fraudsters make money is to place thousands of calls from someone else’s PBX to International Premium rate numbers, which share the call revenue with the person who rents the number. There are many countries where regulatory control of Premium rate numbers is poor, and the criminals know that it is difficult to track and prosecute them across International borders.

The usual checks that should be made with a PBX still apply: making sure you have secure passwords and PINs, removing default passwords and PINs, and making sure the PBX can only be reached from authorised places, particularly if it is an IP or cloud based telephone system.

However, over Christmas you may want to consider taking some additional steps that could stop you becoming the victim of phone system fraud:

  1. If no one who needs to make International calls is in the office over Christmas, consider barring all International and Premium rate calls for the period, or at least restricting the facility to the individual extensions of staff who will be in. Also consider barring access to directory enquiry numbers, which will happily put calls through to destinations that a caller would otherwise not be able to dial themselves.

  2. If your business must be able to make International calls, then consider restricting this to certain countries. We maintain a list of High Risk destination countries that are repeatedly used by fraudsters, which we can share on request.

  3. Ensure that extensions cannot be forwarded to International numbers. One favourite exploit is to program an extension to divert to the target Premium rate number and then repeatedly call that extension. The revenue gained from the Premium number greatly exceeds the cost of dialling it, and often the number is dialled from other PBXs that have been compromised.

  4. Ensure that when people connect through to your voicemail system there is not an option to dial out.

  5. Some PBXs provide remote access for staff to dial through, and the Direct Inwards System Access (DISA) facility needs to be secured and restricted to legitimate users to prevent “dial through fraud”. If this facility is not needed on your PBX, ensure it is disabled; if it really must be used, consult with the vendor or maintenance company on how to secure it.

  6. Now is a good time to audit all the extensions and mailboxes on your system and remove ones that are not currently used.
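
The checks in the list above can be run as a pre-holiday audit over an export of your extension settings. The script below is an added example, not Spitfire's own tooling: the export field names, the sample records, the default-PIN list and the 90-day threshold are all assumptions, and numbers are classified using UK dialling conventions (00 or + for International, 09 for Premium rate, 118 for directory enquiries).

```python
from datetime import date

# Constructed sample export. Field names are hypothetical, not any vendor's format.
EXTENSIONS = [
    {"ext": "201", "pin": "8314", "forward_to": "", "vm_dialout": False, "disa": False, "last_used": "2023-12-15"},
    {"ext": "202", "pin": "0000", "forward_to": "", "vm_dialout": True, "disa": False, "last_used": "2023-12-18"},
    {"ext": "203", "pin": "7290", "forward_to": "00 1 202 555 0123", "vm_dialout": False, "disa": False, "last_used": "2023-12-19"},
    {"ext": "204", "pin": "204", "forward_to": "+44 909 879 0001", "vm_dialout": False, "disa": True, "last_used": "2023-03-02"},
]
DEFAULT_PINS = {"0000", "1111", "1234"}  # assumed common defaults, extend for your PBX


def classify(number):
    """Classify a forward target under UK dialling conventions."""
    n = number.replace(" ", "")
    if n.startswith("+44"):
        n = "0" + n[3:]  # normalise UK numbers to national format
    if n.startswith(("+", "00")):
        return "international"
    if n.startswith("09"):
        return "premium"
    if n.startswith("118"):
        return "directory"
    return "ok"


def audit(extensions, today, stale_days=90):
    """Return (extension, finding) pairs for settings the list above warns about."""
    findings = []
    for e in extensions:
        ext, pin = e["ext"], e["pin"]
        if pin in DEFAULT_PINS or pin == ext or len(pin) < 4:
            findings.append((ext, "weak or default PIN"))
        kind = classify(e["forward_to"]) if e["forward_to"] else "ok"
        if kind != "ok":
            findings.append((ext, f"forwards to {kind} number"))
        if e["vm_dialout"]:
            findings.append((ext, "voicemail dial-out enabled"))
        if e["disa"]:
            findings.append((ext, "DISA enabled"))
        if (today - date.fromisoformat(e["last_used"])).days > stale_days:
            findings.append((ext, "unused, candidate for removal"))
    return findings


if __name__ == "__main__":
    for ext, finding in audit(EXTENSIONS, date(2023, 12, 20)):
        print(ext, finding)
```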

Spitfire offers its partners free PBX fraud prevention training. What we often find is that modern IP based PBXs are installed either by IT people who understand IP security well but have not considered “dial through frauds”, or by traditional PBX engineers who do not have a full understanding of IP security. The gap in the middle is where the exploits happen.
