Friday 9 April 2010

9th April 2010 - Don't Phreak Out

James Drake, director of Gateshead-based telecommunications provider Eclipse Networks, explains the latest telephone hacking scam, better known in the industry as ‘phreaking’, and how to safeguard your business telephone lines.

Businesses are constantly bombarded with instructions to safeguard their organisations against fraudulent activities, from steps to avoid identity theft to more complex solutions undertaken to protect IT systems.

However, one form of fraud is becoming more prevalent and yet seems to have escaped many business leaders’ attention. Telephone System Dial Thru Fraud, or ‘phreaking’ as it is often called, involves unauthorised access to telephone lines and subsequent unauthorised outbound calls, usually to international destinations and premium rate services.

I have seen the problems phreaking can cause and, crucially, the bills it can run up, which if not identified early enough can run into thousands of pounds, and for which the company unfortunate enough to experience it is completely liable.

Any organisation with a phone system (often known as a PBX) can be targeted, meaning that a large percentage of the UK’s registered companies, charities and other not-for-profit organisations are at risk. The good news, however, is that the risk of this fraud can be substantially minimised by following a straightforward best practice policy, which costs nothing, yet protects companies against a very real threat.

Phreaking began in the mid-1950s when the first phone switches were developed, and much like computer hackers, perpetrators have evolved their techniques to adapt to new technology.

Currently the most common method is for hackers to gain access by bypassing an organisation’s voicemail system, but other common methods include hacking through a call put through by an operator or hacking through an auto attendant - an automated voice system that answers incoming calls and diverts them to the relevant department in a company.

By following the advice below, organisations can reduce the risk of telephone hacking:

  • Ensure that employees set up and guard voicemail PIN numbers carefully; these should never be written down, programmed into auto diallers or assigned to speed dials on mobile phones. Always use the maximum number of digits available when setting up access PINs and avoid combinations that allude to the extension number or location in particular.
  • Remote access to voicemail should always be disabled as standard, but if vital to the day-to-day running of your organisation, remote workers should remain extra vigilant when dialling in.
  • Change passwords at regular intervals, and always remove PIN numbers of authorised individuals when they leave the company.
  • Place restrictions on long distance and premium rate calls. The more restrictions you place on expensive calls the more secure your system will be. Think about which employees really need access to premium rate calls, and which countries you do business with. From that, talk to your call and line provider about barring calls to all non-vital destinations. If you use an auto attendant system, speak to your system supplier about making it as secure as possible.
  • To stop hackers getting into the system via operators, train your phone ‘gatekeepers’, such as receptionists, to spot suspicious incoming call patterns. Hackers may try any of the following: calling in and repeatedly asking for an invalid extension; calling in with wrong numbers; excessive call hang ups and asking employees what number or party they’ve reached; and dead air calls - incoming calls where the caller remains silent and waits for a hang up. If your gatekeeper notices a pattern of any of the above, alert your call and line provider and system maintainer immediately.

Eclipse Networks are currently trialling a new system that limits the risk that phreaking poses. It works by analysing algorithms within the billing software to detect potentially fraudulent patterns. If a pattern is detected, customers will be notified and measures will be taken to bar the offending calls. However, whilst systems like these will undoubtedly help protect businesses, there will never be a real substitute for remaining vigilant and educating staff about potential dangers, especially at holiday periods such as long bank holiday weekends, which hackers will see as a prime target for illegal activity.
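As an added illustration (not Eclipse Networks' system, and not part of the original article), the sketch below shows one way a business could scan its own call records for the pattern described above: international or premium rate calls placed outside working hours, at weekends or on bank holidays. The record layout, the 08:00 to 18:00 working day, the alert threshold and the `00`/`09` UK dialling prefixes are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample call records (assumed layout); numbers are fictional.
SAMPLE_CDR = """start,extension,dialled,seconds
2010-04-02 10:15:00,201,01914980123,180
2010-04-02 23:40:00,305,00999000000001,2400
2010-04-03 02:05:00,305,00999000000001,3100
2010-04-03 02:58:00,305,09098790123,1900
2010-04-03 03:30:00,305,00999000000002,2750
2010-04-05 14:00:00,201,00999000000003,600
2010-04-06 11:00:00,118,09098790123,120
"""

BUSINESS_HOURS = range(8, 18)       # assumption: 08:00-17:59, Monday to Friday
HIGH_COST_PREFIXES = ("00", "09")   # UK international access / premium rate
HOLIDAYS = {date(2010, 4, 2), date(2010, 4, 5)}  # Easter 2010 bank holidays
MAX_OFF_HOURS_CALLS = 2             # assumption: alert above this per extension


def is_high_cost(dialled):
    """True for international or premium rate destinations."""
    return dialled.startswith(HIGH_COST_PREFIXES)


def is_off_hours(start):
    """True at weekends, on listed holidays, or outside the working day."""
    return (start.weekday() >= 5 or start.date() in HOLIDAYS
            or start.hour not in BUSINESS_HOURS)


def suspicious_extensions(cdr_text, limit=MAX_OFF_HOURS_CALLS):
    """Return {extension: (calls, total_seconds)} for extensions with more
    than `limit` high-cost calls placed off hours."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        if is_high_cost(row["dialled"]) and is_off_hours(start):
            totals[row["extension"]][0] += 1
            totals[row["extension"]][1] += int(row["seconds"])
    return {ext: tuple(v) for ext, v in totals.items() if v[0] > limit}


if __name__ == "__main__":
    for ext, (calls, secs) in suspicious_extensions(SAMPLE_CDR).items():
        print(f"extension {ext}: {calls} off-hours high-cost calls, "
              f"{secs // 60} minutes")
```

Any extension this flags is a prompt to check with the call and line provider, in line with the advice above on barring non-vital destinations.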
