Long Distance Fraud Tips and Tricks

April 22, 2022

Introduction

Theft of long-distance voice services (“Toll-Fraud”) can occur for small and large businesses alike. Whether your business uses line services attached to phones or a PBX (Private Branch Exchange), it is still vulnerable to Toll-Fraud. Tens of thousands of dollars of Toll-Fraud can occur in just days and sometimes hours depending on the size of your company’s telephone system. Businesses that take precautions against it most often deter bad actors, thereby avoiding the cost and inconvenience of addressing unauthorized phone system access.

While GCI makes considerable effort to detect and inhibit fraud, bad actors continually adapt and create new approaches to committing fraud. The information provided below is intended to aid our customers in strengthening their defenses on the parts of the system that are outside GCI’s ability to control. We hope this information is helpful, but it is not necessarily comprehensive, and should not be taken to be a replacement for other security assessments or practices your business may wish to implement.

Common types of toll fraud

Unauthorized Voicemail Access       

This occurs when perpetrators access your voicemail illegally by determining your access password and placing outbound calls from the system. Some voicemail systems allow this while others do not.

Unauthorized Call Forward/Transfer

Similarly, if your PBX voicemail system is breached, often Call Forward or Call Transfer can be invoked by bad actors to send inbound calls to an unauthorized destination. In some cases, transferred calls can take place for several hours or days before detection.

Direct Inward System Access (DISA)       

This telephone system feature allows an outside caller to dial directly into the telephone system and access all of the system’s features and functions. DISA is typically used by company employees to make long-distance and international calls over their company’s phone lines, which may be published. It is also the most common way Toll-Fraud is committed by unauthorized individuals. Often DISA port access is provided by way of a Toll Free number. If this Toll Free number gets into the wrong hands, Toll-Fraud can occur.

Social Engineering

A fraudster persuades a company employee to provide dial tone access — e.g. the fraudster pretends to be calling from a telephone company and asks an employee for help in getting an outside line (e.g. dialing a 1-900 number or transferring to 9011, which is often set up to get to an international number). The fraudster may also seek sensitive information such as PINs, passwords, social security numbers, credit card numbers, etc. Fraudsters may even attempt to convince company employees to accept chargeable (3rd party billed, collect) calls.

Fraud prevention techniques

The list below contains methods that can and should be employed to reduce fraud exposure, particularly if the international dialing feature is enabled for your business.

Passwords

Change all phone system factory default passwords, including voicemail and system access. This should be done often. Every 60-120 days is recommended.

Disable International Calling

Ask GCI or your PBX maintenance provider to turn off international calling functionality if your company does not need it. Keep in mind that GCI provides two types of international calling capability: access to 011 (outside of North America) and 01 (Caribbean) calling areas. It is important to disable both international access codes on all appropriate telephone numbers.

For customers who have a lot of telephone numbers, but only a few need international calling capability, ask GCI to disable the telephone numbers which do not require international calling. This reduces exposure to fraud.

If you have a PBX and require some form of international calling, your system often will allow you to block certain country and city code combinations. Ask your PBX maintenance manager for further details about this functionality.

Inappropriate Information Requests

Educate your employees. If they receive suspicious calls requesting transfers or passwords, they should redirect the call to the phone system administrator or other knowledgeable individual.

Voicemail Call Forward

Be sure your phone system's voicemail Call Forward functionality has not been activated without your knowledge. If it has, turn it off and change your passwords.

Review Monthly Invoice

Review voice service bills each month. Does the call detail show normal calling patterns? If not, be sure to contact your phone system administrator and GCI.

Review Phone System Records

Review the Call Detail Records from your phone system daily or weekly and look for unauthorized calls.
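One way to automate part of this review is sketched below as an added example; it is not GCI's or any PBX vendor's code. It flags calls to the 011 and 01 international access codes and to 1-900 numbers named in this article. The CSV column names, the sample records, and the assumption that every outbound record includes a leading outside-line digit "9" are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample CDR export; the column names are assumptions.
SAMPLE_CDR = """\
start,extension,dialed,duration_sec
2022-04-18T10:02:11,201,919075550100,180
2022-04-18T23:41:07,305,9011442055501234,2400
2022-04-19T02:13:55,305,9011525555501234,3100
2022-04-19T02:50:02,305,9018095550123,1900
2022-04-19T09:15:40,410,901144205550999,600
2022-04-19T11:30:00,201,919005550111,120
"""

def classify(dialed, outside_prefix="9"):
    """Return a risk label for the dialed digits, or None for ordinary calls."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    # Assumption: the PBX logs digits as dialed, outside-line prefix included.
    if outside_prefix and digits.startswith(outside_prefix):
        digits = digits[len(outside_prefix):]
    if digits.startswith("011"):
        return "intl-011"
    if digits.startswith("01"):
        return "intl-01"
    if digits.startswith("1900"):
        return "1-900"
    return None

def review(cdr_text, intl_allowed=frozenset()):
    """List risky calls, skipping extensions approved for international use."""
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        kind = classify(row["dialed"])
        if kind is None:
            continue
        if kind.startswith("intl") and row["extension"] in intl_allowed:
            continue
        findings.append((row["start"], row["extension"], kind, int(row["duration_sec"])))
    return findings

def seconds_by_extension(findings):
    """Total flagged call time per extension, to show where exposure concentrates."""
    totals = defaultdict(int)
    for _start, ext, _kind, duration in findings:
        totals[ext] += duration
    return dict(totals)

if __name__ == "__main__":
    for finding in review(SAMPLE_CDR, intl_allowed={"410"}):
        print(finding)
```

If your PBX logs digits without the outside-line prefix, pass `outside_prefix=""` to `classify` so that ordinary numbers beginning with 9 are not misread.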

Phone System Security Audit

Consider having a phone system security audit done by an independent third party to identify potential vulnerabilities.

Disable Former Employee Access

Remove former employee access to the phone system - either block their service access or change the password settings on the phone system.

Review International Calling Needs

If your company needs international calling capabilities and your PBX supports access codes, require them for international calling purposes. If your company doesn’t require international calling capabilities, ask GCI to remove that functionality from your service.

Voicemail Out-dialing

If the voicemail on your phone system allows out-dialing functionality and your company doesn’t need it, turn it off.

PBX Audit

Do a PBX audit with your PBX vendor if you haven’t done so recently.

Unauthorized activity

If you suspect unauthorized activity, restrict access to your PBX to authorized administrators and call GCI immediately.

PBX Lock-down

Consider PBX lock-down activities such as:

  • Keep the PBX in a room that is secured both during and after business hours.
  • Install intrusion-detection alarms for the PBX room.
  • Store critical information and passwords securely; don’t display them publicly.
  • Provide remote access only to those who need it.
  • Keep anti-virus protection and voice packet encryption activated.
  • Disable or restrict unnecessary services or ports.


Password Protection

Creating and maintaining strong passwords for your devices and systems will help protect your account, and valuable information within your business. When creating a password, consider the following:

  • Avoid using the word “password”, as well as personal identifiers such as your name, birthday, account name or company address.
  • Create passwords longer than 8 characters.
  • Use combinations of numbers and letters and include special characters.
  • Avoid using plain words. Interleave lower and upper case characters, numbers and/or special characters within words.
  • Avoid sequential patterns such as ABCD and 1234.

Customer responsibility

GCI Business recognizes the potential for Toll-Fraud and strives to minimize the impact to customers should it occur. Nonetheless, as detailed in GCI Business Terms and Conditions, GCI Business does not bear responsibility for Toll-Fraud. Your company is responsible for securing its phone system and paying for any usage charges that may occur through fraudulent activity.

Links to informative sources

Links where you can better educate yourself or report an incident are provided below.

For additional GCI Business Help & Support, please visit gci.com/business/resources.