’Tis the season to get your PBX hacked. Get wise about preventing PBX fraud.
Long holiday breaks are prime time for criminals carrying out PBX fraud. Many businesses close down for up to a week over Christmas, which gives attackers plenty of time to break into a PBX and run up huge call bills that they hope will not be discovered and stopped until the New Year.
PBX fraudsters typically make money by placing thousands of calls from someone else’s PBX to international premium-rate numbers; the operator of the number then shares the call revenue with the person who rents it. In many countries regulatory control of premium-rate numbers is poor, and the criminals know it is difficult to track and prosecute them across international borders.
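The fraud pattern just described has a recognisable signature in the PBX call detail records (CDRs): a burst of calls from one extension to international or premium-rate destinations at a time when nobody should be calling. The following is an added example, not Spitfire's code, of a small CDR scan that flags that pattern. The "00" international access code and the "09" premium-rate range are the UK conventions; the CDR field layout, the business hours, the alert threshold and the high-risk prefix list are assumptions, and the sample CDR lines are constructed (the "00999" destination uses an unassigned country code so that it cannot point at a real number).

```python
"""Scan PBX call detail records for bursts of out-of-hours calls to
international or premium-rate numbers (added example; assumptions noted)."""
from collections import defaultdict
from datetime import date, datetime, time

UK_INTERNATIONAL_PREFIX = "00"   # UK international access code
UK_PREMIUM_PREFIX = "09"         # UK premium-rate number range
# Placeholder: replace with the high-risk destination list from your carrier.
# 999 is not an assigned country code, so this prefix is purely fictional.
HIGH_RISK_PREFIXES = ("00999",)

# Assumed CDR layout: timestamp,source extension,dialled number,duration (s).
# Constructed sample: extension 214 dials a fictional high-risk destination
# repeatedly late on Christmas Eve, which is the pattern we want to catch.
SAMPLE_CDR = """\
2018-12-24T09:12:05,201,020 7946 0000,64
2018-12-24T23:41:10,214,00999 123 456 789,311
2018-12-24T23:42:30,214,00999 123 456 789,298
2018-12-24T23:44:01,214,00999 198 765 432,305
2018-12-25T00:01:12,214,00999 123 456 789,320
2018-12-25T00:03:55,214,00999 198 765 432,299
2018-12-25T10:15:00,201,0115 496 0000,120
2018-12-26T02:10:00,207,0909 879 0000,600
2018-12-27T10:00:00,203,+1 212 555 0100,45
"""


def normalise(number: str) -> str:
    """Keep only digits; treat a leading '+' as the 00 international prefix."""
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if digits.startswith("+"):
        digits = UK_INTERNATIONAL_PREFIX + digits[1:]
    return digits


def classify(number: str) -> str:
    """Bucket a dialled number by the risk it carries for call-revenue fraud."""
    n = normalise(number)
    if n.startswith(HIGH_RISK_PREFIXES):
        return "high-risk"
    if n.startswith(UK_INTERNATIONAL_PREFIX):
        return "international"
    if n.startswith(UK_PREMIUM_PREFIX):
        return "premium"
    return "domestic"


def out_of_hours(ts: datetime, closure_start: date, closure_end: date) -> bool:
    """True on any day of the holiday closure, at weekends, or outside 08:00-18:00."""
    if closure_start <= ts.date() <= closure_end:
        return True
    if ts.weekday() >= 5:
        return True
    return not (time(8) <= ts.time() < time(18))


def scan_cdr(text: str, closure_start: date, closure_end: date, threshold: int = 3):
    """Return {extension: [(timestamp, number, category), ...]} for every
    extension that made at least `threshold` out-of-hours calls to
    international, premium-rate or high-risk destinations."""
    suspicious = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_raw, ext, number, _duration = line.split(",")
        ts = datetime.fromisoformat(ts_raw)
        category = classify(number)
        if category == "domestic":
            continue
        if out_of_hours(ts, closure_start, closure_end):
            suspicious[ext].append((ts, normalise(number), category))
    return {ext: calls for ext, calls in suspicious.items() if len(calls) >= threshold}


if __name__ == "__main__":
    alerts = scan_cdr(SAMPLE_CDR, date(2018, 12, 24), date(2019, 1, 1))
    for ext, calls in alerts.items():
        print(f"extension {ext}: {len(calls)} risky out-of-hours calls")
        for ts, number, category in calls:
            print(f"  {ts.isoformat()} -> {number} ({category})")
```

Run against a real CDR export, the threshold should be set low for the closure period: during a week when the office is shut, even a handful of premium-rate calls from one extension is worth a phone call to whoever is on standby, and the scan is cheap enough to run every hour from a scheduled job so the bill is stopped in days rather than discovered in January.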
The usual checks that should be made on a PBX still apply: use strong passwords and PINs, remove default passwords and PINs, and make sure the PBX can only be reached from authorised locations, particularly if it is an IP or cloud-based telephone system.
However, over Christmas you may want to consider some additional steps that could stop you becoming the victim of phone system fraud:
- If nobody who needs to make international calls will be in the office over Christmas, consider barring all international and premium-rate calls for the period, or at least restrict the facility to the individual extensions of staff who will be in. Also consider barring access to directory enquiry services, which will happily connect calls to destinations that a caller would otherwise not be able to dial themselves.
- If your business must be able to make international calls, consider restricting them to certain countries. We maintain a list of high-risk destination countries that are repeatedly used by fraudsters, which we can share on request.
- Ensure that extensions cannot be forwarded to international numbers. One favourite exploit is to program an extension to divert to the target premium-rate number and then call that extension repeatedly. The revenue gained from the premium-rate number greatly exceeds the cost of dialling it, and the number is often dialled from other PBXs that have been compromised.
- Ensure that when callers connect to your voicemail system there is no option to dial out.
- Some PBXs provide remote access for staff to dial through; this Direct Inward System Access (DISA) facility needs to be secured and restricted to legitimate users to prevent “dial-through fraud”. If the facility is not needed on your PBX, ensure it is disabled; if it really must be used, consult your vendor or maintenance company on how to secure it.
- Now is a good time to audit all the extensions and mailboxes on your system and remove any that are not currently used.
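The checklist above can be turned into an audit that runs over an export of the PBX configuration, so that the same checks are applied to every extension rather than eyeballed. The following is an added example, not Spitfire's code: it reports each item the checklist would fail (DISA enabled, international or premium-rate calling on extensions whose users will not be in, forwards to international numbers, voicemail dial-out, and extensions unused for a long time) and produces a hardened copy of the configuration with the closure-period restrictions applied. The configuration format, field names, the 90-day "unused" cut-off and the sample data are all assumptions constructed for the example; real PBXs expose these settings under their own names.

```python
"""Audit a PBX configuration export against the holiday-closure checklist
and produce a hardened copy (added example; format and data are assumed)."""
from datetime import date, timedelta

# Assumed export format: a DISA flag plus one dict per extension.
# Constructed sample: 214 has everything the checklist warns about,
# 230 is an orphaned extension nobody has used since June.
SAMPLE_CONFIG = {
    "disa_enabled": True,
    "extensions": [
        {"ext": "201", "user": "alice", "international": True, "premium": False,
         "forward_to": "", "voicemail_dial_out": False, "last_used": date(2018, 12, 20)},
        {"ext": "214", "user": "bob", "international": True, "premium": True,
         "forward_to": "00999 123 4567", "voicemail_dial_out": True, "last_used": date(2018, 12, 21)},
        {"ext": "230", "user": "", "international": False, "premium": False,
         "forward_to": "", "voicemail_dial_out": False, "last_used": date(2018, 6, 1)},
    ],
}
ON_DUTY = {"alice"}   # staff who will be in the office over the closure


def is_international(number: str) -> bool:
    """UK convention: 00 is the international access code; '+' means the same."""
    n = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    return n.startswith("00") or n.startswith("+")


def audit(config: dict, on_duty: set, today: date, unused_after_days: int = 90):
    """Return a list of (where, finding) tuples for every checklist item that fails."""
    findings = []
    if config.get("disa_enabled"):
        findings.append(("PBX", "DISA is enabled: disable it or restrict it to authorised users"))
    for e in config["extensions"]:
        ext = e["ext"]
        if (e["international"] or e["premium"]) and e["user"] not in on_duty:
            findings.append((ext, "international/premium-rate calling allowed but user not in over closure"))
        if e["forward_to"] and is_international(e["forward_to"]):
            findings.append((ext, f"forwards to international number {e['forward_to']}"))
        if e["voicemail_dial_out"]:
            findings.append((ext, "voicemail allows dial-out"))
        idle_days = (today - e["last_used"]).days
        if idle_days > unused_after_days:
            findings.append((ext, f"not used for {idle_days} days: remove or disable"))
    return findings


def harden_for_closure(config: dict, on_duty: set) -> dict:
    """Return a copy of the config with the closure-period restrictions applied.
    Unused extensions are only reported by audit(); removing them is a human decision."""
    hardened = {"disa_enabled": False, "extensions": []}
    for e in config["extensions"]:
        h = dict(e)
        if e["user"] not in on_duty:          # bar international/premium for absent staff
            h["international"] = False
            h["premium"] = False
        if e["forward_to"] and is_international(e["forward_to"]):
            h["forward_to"] = ""               # drop forwards to international numbers
        h["voicemail_dial_out"] = False        # never allow dial-out from voicemail
        hardened["extensions"].append(h)
    return hardened


if __name__ == "__main__":
    today = date(2018, 12, 21)
    for where, finding in audit(SAMPLE_CONFIG, ON_DUTY, today):
        print(f"[{where}] {finding}")
    print("--- after hardening ---")
    for where, finding in audit(harden_for_closure(SAMPLE_CONFIG, ON_DUTY), ON_DUTY, today):
        print(f"[{where}] {finding}")
```

The hardened copy is deliberately conservative: it removes capabilities rather than adding them, so the worst outcome of applying it is a member of staff who has to ask for international dialling to be re-enabled when they return. Keep the original export so the pre-closure settings can be restored in the New Year, and re-run the audit afterwards to confirm nothing was reopened in the meantime.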
Spitfire offers its partners free PBX fraud prevention training. What we often find is that modern IP-based PBXs are installed either by IT people who understand IP security well but have not considered dial-through fraud, or by traditional PBX engineers who do not fully understand IP security; the gap in the middle is where the exploits happen.