According to the 2011 Global Fraud Loss Survey conducted by the Communications Fraud Control Association (CFCA), the top two fraud types in the telecommunication industry are Subscription Fraud and Compromised PBX System Fraud (circa $10 billion in combined dollar loss). While PBX fraud has been around for many years, it has only taken centre stage as businesses and service providers begin to feel the pinch.
Subscription fraud is perhaps the mother of all frauds, targeting operators indiscriminately, but PBX fraud is fast catching up. Unlike subscription fraud, however, PBX system fraud is not perpetrated by petty criminals in possession of false identities. It is committed by technologically sophisticated criminals or criminal groups, often in collusion with insiders and vendors, who break into an organisation’s PBX system for massive personal gain. These criminals seldom worry about being detected, let alone prosecuted, and keep coming up with innovative techniques to exploit the vulnerabilities in these systems.
PBX systems expose a number of weaknesses that attackers take advantage of. For instance, administrator or system passwords left at their factory settings, weak voicemail passwords, poorly configured controls and so on can easily be exploited with a bit of perseverance and technical know-how. Once unauthorised access to the PBX system is gained, the fraudster can place local or international calls at your expense, sell calls to other criminals and rack up huge expenses in just a few hours. And if you read the fine print carefully, the carrier or service provider makes it clear that you will be responsible for the expenses if the PBX system has been compromised.
By gaining access to the administrative ports of the system, the fraudster gains total control and can do a myriad of things to bring your organisation to its knees. Imagine all your extensions deleted, your voicemails hacked, personal greetings changed and hundreds of thousands of dollars in calls racked up; imagine this perpetrated across all your branch offices, with the money not easily recovered and the perpetrators not traced; it is sure to send shivers down your spine, in particular if you are a small business.
A number of steps can be taken to protect the PBX system. For example, setting complex passwords for the administrative ports, rotating the passwords periodically, removing factory-set passwords, removing test or inactive mailboxes, asking users to maintain strong PINs for access to their voicemails, restricting international calls, restricting international destinations and setting a realistic credit limit with the service provider are just a few ways to protect your system from damage.
With an IP based PBX you can also collect call detail records and check for anomalies in real time to reduce the impact of fraud even if the PBX is compromised. A number of these preventive steps don’t cost a lot and can be done with little help from the manufacturers and service providers.
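To make the real-time CDR check concrete, here is an added example (not code from the article or from any PBX vendor) that scans call detail records for the patterns a compromised PBX typically produces: international calls outside business hours and an extension exceeding an international call count or airtime budget. The CDR tuple layout, the thresholds, the home-country prefix and the sample records are all constructed assumptions for this illustration.

```python
# Added example: toy CDR anomaly check for PBX fraud monitoring.
# CDR layout, thresholds and sample data are constructed for this example.
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: (extension, destination number, start time, seconds).
# The +44 20 7946 0xxx range is reserved for fictional use.
SAMPLE_CDRS = [
    ("201", "+14155550123", "2011-06-14 10:05:00", 180),
    ("201", "+14155550144", "2011-06-14 11:20:00", 60),
    ("305", "+442079460101", "2011-06-14 02:10:00", 1850),
    ("305", "+442079460102", "2011-06-14 02:45:00", 1920),
    ("305", "+442079460103", "2011-06-14 03:15:00", 1790),
    ("305", "+442079460104", "2011-06-14 03:50:00", 1700),
]

HOME_COUNTRY_PREFIX = "+1"        # anything else is treated as international
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59 local time
MAX_INTL_CALLS_PER_EXT = 3        # per monitored window
MAX_INTL_SECONDS_PER_EXT = 3600   # per monitored window

def is_international(number):
    return not number.startswith(HOME_COUNTRY_PREFIX)

def flag_anomalies(cdrs):
    """Return {extension: [reasons]} for extensions whose international traffic looks abusive."""
    intl_count = defaultdict(int)
    intl_secs = defaultdict(int)
    reasons = defaultdict(list)
    for ext, dest, start, secs in cdrs:
        if not is_international(dest):
            continue  # domestic calls are not scored in this toy check
        hour = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").hour
        if hour not in BUSINESS_HOURS:
            reasons[ext].append(f"international call to {dest} at {start} outside business hours")
        intl_count[ext] += 1
        intl_secs[ext] += secs
    for ext in intl_count:
        if intl_count[ext] > MAX_INTL_CALLS_PER_EXT:
            reasons[ext].append(f"{intl_count[ext]} international calls exceed limit {MAX_INTL_CALLS_PER_EXT}")
        if intl_secs[ext] > MAX_INTL_SECONDS_PER_EXT:
            reasons[ext].append(f"{intl_secs[ext]}s international airtime exceeds limit {MAX_INTL_SECONDS_PER_EXT}s")
    return dict(reasons)

if __name__ == "__main__":
    for ext, why in flag_anomalies(SAMPLE_CDRS).items():
        print(ext, "->", "; ".join(why))
```

In a live deployment the same checks would run over a sliding window of CDRs streamed from the PBX, with the thresholds tuned to each extension's normal traffic.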
PBX fraud can have debilitating effects, in particular if you are a small business, but it is equally preventable. A strong security policy, sound PBX controls and configuration, user education and continuous system monitoring are strongly recommended to curtail this menace.