Common Routes of Fraudulent Business Calls
- Voice Mail Systems - Systems that provide out-dial or through-dial capabilities are another popular avenue to fraudulent calls. By transferring out of a system, intruders can place long distance calls. Trespassers also look for default codes on mailboxes so they can change the codes and control the boxes.
- Private Branch Exchange (PBX)* - A DISA (Direct Inward System Access) permits convenient access to a PBX from a phone outside the business via an 800 number or other special access number so that authorized persons can bill long distance calls to the company's PBX. The DISA gives criminals this same opportunity, as well as the chance to set up a call-sell operation at the company's expense.
- Other - Impostors seek out passwords, authorization numbers and access codes by snooping around offices, calling businesses, even rummaging through dumpsters. Compromised numbers are sold or traded in the phone fraud underworld with the unsuspecting business owner picking up the resulting tab.
* A PBX is a private switch, either automatic or manually operated, serving extensions in a business and providing access to the public network.
MORAL: Protect passwords and access codes from unauthorized use.
Voice Mail CPE Tips
Tips for voice mail systems on customer's premises:
- Learn all you can about the features of your voice mail system.
- Make sure that out-dial or through-dial capabilities in your voice mail system are deleted or blocked to prevent unauthorized access to local, long distance and international services.
- Ask your vendor to perform system testing and maintenance on site instead of from the field.
- Your voice mail system should have a different three-digit prefix than your PBX.
- Never publish the remote access phone number that connects callers to your voice mail system.
- Assign PINs at random, using the maximum number of digits your system will accept. Change PINs periodically.
- Your system should be programmed to terminate access after the third invalid attempt.
- Remove all mailboxes from your system that are not in use. Examine records on a regular basis to highlight potential voice mail fraud.
- Immediately deactivate access codes and voice mail passwords of departing employees.
- Develop a plan to both prevent and react to voice mail fraud. Share this plan with your employees and make sure they know what to do if your system is invaded.
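As an added illustration of the PIN guidance above (and of the same advice for PBX authorization codes later on this page), the following Python is example code written here, not vendor software; the list of known numbers is constructed, and the weak-pattern rules are assumptions about what an intruder would try first.

```python
import secrets

# Constructed sample of numbers an outsider could learn from a directory or a badge:
# extension numbers, an employee ID, a published phone number. Replace with your own.
KNOWN_NUMBERS = {"2201", "2202", "10457", "5551234"}

def is_weak(code, known=KNOWN_NUMBERS):
    """True if the code is a pattern the tips say never to use."""
    if len(set(code)) == 1:                      # 0000, 9999 and similar defaults
        return True
    digits = [int(c) for c in code]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps <= {1} or steps <= {-1}:            # 1234, 9876 and similar runs
        return True
    # Reject the code if it is, contains, or is contained in a known number.
    if any(k in code or code in k for k in known):
        return True
    return False

def generate_code(length, known=KNOWN_NUMBERS):
    """Draw random codes of the longest length the system accepts until one passes."""
    if length < 4:
        raise ValueError("use the maximum number of digits the system accepts")
    while True:
        # secrets, not random: the code must not be predictable from earlier codes
        code = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if not is_weak(code, known):
            return code

if __name__ == "__main__":
    print(generate_code(8))
```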
PBX Scam (9,0,#)
There has been a recent toll fraud scam involving PBX systems, which can lead to high long distance charges. In this scam the fraudster claims to be a telephone service technician performing a test on the line. He asks that you transfer him to an operator by pushing 9,0,# and then hang up. On some business systems, this can give the caller an outside line that can be used to make long distance calls. Toll charges will then be billed to the owner of the PBX as directly dialed calls. This cannot occur on residential phone lines.
Following are tips to combat PBX fraud:
- Be aware of unknown people asking your cooperation in testing the telephone line.
- Probe the caller for information such as an employee ID number, supervisor's name, or call-back number.
- Telephone service technicians will rarely ask for assistance in testing the lines of a PBX. Any such request should be handled on a call-back basis.
- Never transfer a call outside your PBX if you are unsure of the person's identity. Arrange a call back to that person's line.
- Telephone companies or law enforcement officials will never ask customers to be a part of a testing procedure. Telephone technicians can conduct tests without the customer's assistance.
- Contact your service provider immediately to report this activity.
Other PBX Tips
- Be alert to the overt signs of PBX abuse: repeated calls of short duration, unexplained increases in incoming or outgoing calls, sudden increases in 800 usage or changes in after-hours calling patterns.
- If practical, eliminate remote access to your PBX and replace it with telephone credit cards for authorized personnel. If you eliminate remote access, make sure the system is disabled when not in use.
- If eliminating remote access isn't an option, try implementing these suggestions to minimize your risk of toll fraud:
  - If possible, limit the number of employees who use remote access.
  - Use an unpublished number for remote access lines instead of 800 numbers.
  - A delayed electronic call response can provide added security. Your PBX should be programmed to wait at least five rings before answering a call.
  - A steady tone used as a remote access prompt leaves your system vulnerable to perpetrators' automatic dialing programs. Use a voice recording or silent prompt instead of a tone.
  - Tailor access to your PBX to conform to the needs of your business. Block access to international and long-distance numbers your company does not call. If this isn't practical, consider using "time-of-day" routing features to restrict international calls to daytime hours only.
  - Whenever possible, limit remote PBX access to local calling during normal business hours. Be sure to restrict access after hours and on weekends.
- Delete all authorization codes that were programmed into your PBX for testing or servicing.
- Assign codes on a need-to-know basis. Advise employees to treat codes as they would credit card numbers. Never print codes on billing records.
- Assign the longest possible authorization numbers your PBX can handle. Select codes at random -- don't use telephone extension numbers, employee ID numbers, social security numbers, addresses or other common numerical sequences.
- Audit and frequently change all active codes in your PBX. Cancel unassigned access codes, especially those used by former employees.
- Consider implementing a barrier code system, an additional numeric password that adds a second level of security.
- Don't allow unlimited attempts to enter your system. Program your PBX to disallow access after the third invalid access or barrier code attempt.
- Carefully review all billing information to identify unauthorized calling patterns. Frequent reviews can save lots of money.
- Investigate toll fraud monitoring options that may be available from your local exchange company or interexchange carrier.
- Directories and business cards that list PBX access numbers should be shredded before being placed in the trash.
- Never give out technical information about your system to callers unless you're certain who's on the other end of the line.
- Educate employees about the dangers of phone fraud and what they can do to help prevent it.
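To show how the billing review and the "overt signs of PBX abuse" tips above can be automated, here is an added Python example (not from the original page or any carrier's tooling) that checks two of the listed signs, bursts of short-duration calls and after-hours international calling, over constructed call detail records. The CDR format, the business hours, the "011" international prefix and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDRs (not real data): timestamp,source,dialed,duration_seconds
CDR_LINES = """\
2024-03-04T09:15:00,ext201,5551234567,180
2024-03-04T22:41:00,disa,011447700900123,5
2024-03-04T22:41:20,disa,011447700900124,4
2024-03-04T22:41:45,disa,011447700900125,6
2024-03-04T22:42:10,disa,011447700900126,5
2024-03-04T22:42:35,disa,011447700900127,4
2024-03-04T22:43:00,disa,011447700900128,4
2024-03-05T02:10:00,disa,011527700900199,2400
2024-03-05T10:00:00,ext202,8005550100,60
""".splitlines()

BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59, Monday to Friday
SHORT_CALL_S = 10              # assumed: calls this short look like code guessing
BURST_LIMIT = 5                # assumed: more than 5 short calls per source per hour

def parse_cdr(line):
    ts, source, dialed, duration = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "dialed": dialed, "duration": int(duration)}

def is_after_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def is_international(dialed):
    return dialed.startswith("011")   # North American international dialing prefix

def find_abuse_signs(lines):
    """Return findings: ('after_hours_international', source, seconds) per source,
    and ('short_call_burst', source, hour_bucket, count) for bursts of short calls."""
    findings = []
    intl_secs = Counter()            # source -> after-hours international seconds
    bursts = defaultdict(Counter)    # source -> hour bucket -> short-call count
    for rec in map(parse_cdr, lines):
        if is_international(rec["dialed"]) and is_after_hours(rec["ts"]):
            intl_secs[rec["source"]] += rec["duration"]
        if rec["duration"] <= SHORT_CALL_S:
            bursts[rec["source"]][rec["ts"].strftime("%Y-%m-%dT%H")] += 1
    for source, secs in intl_secs.items():
        findings.append(("after_hours_international", source, secs))
    for source, buckets in bursts.items():
        for bucket, n in buckets.items():
            if n > BURST_LIMIT:
                findings.append(("short_call_burst", source, bucket, n))
    return findings
```

On the sample records the DISA port is flagged for both signs: six short international calls within one hour at 22:41 (the guessing pattern) followed by a 40-minute after-hours international call.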