Private Branch Exchanges (PBX) are telephone systems used by small and medium businesses for internal and external communications. They are frequently targeted by criminals who exploit the technology by committing what is known as PBX fraud (also known as 'dial-through fraud’) – where the PBX is hacked into allowing calls to be routed through the system to high rate international/premium rate numbers.
The financial damage to a business can be significant, with reported losses in the UK exceeding £3 million since January 2012 and one large company claiming to have lost £2 million. It is thought that dial-through fraud is significantly under-reported, partly because of a lack of awareness or understanding of the issue. Attacks are generally prolonged and involve expensive telephone numbers being dialled hundreds or even thousands, of times, with the business left to pay the bill.
How PBX fraud works
Once an auto-dialler has been used to identify systems which are worth hacking, the criminal attacks the system in order to establish the pass code that will give them access to the PBX system itself. Features such as remote-access voicemail, message forwarding and call diversion can all be exploited to enable the illicit call dialling. In the case of voice over IP (VOIP) telephony, systems are generally compromised by malware or accessing an IP address connected with the PBX box to bypass the company’s firewalls.
· Your business accumulating substantial or even crippling phone bills without your knowledge
Preventing dial-through fraud
Conventional PBX systems
· Reduce the ability for your system, if compromised, to dial high rate numbers by:
· Restricting any destinations that should not normally be dialled such as premium rate, international or operators including directory enquiry services.
· Review available call logging and call reporting options.
· Regularly monitor for increased or suspect call traffic.
Restrict access by:
· Immediately setting up call logging on any system where fraud is suspected. This should be professionally programmed to ensure all call types are covered.
· Disabling voicemail from being to access outside lines. Take professional advice on how to set up voicemail securely on your system.
· Set up secure PINs to access voicemail remotely.
· Put suitable restrictions in place on any extension that must have access to an outside line via voicemail.
Avoid auto features:
· If your system has Direct Inward System Access (DISA), ensure it is completely disabled. To prevent someone calling in from outside the PBX to dial calls as if from one of the extensions.
· Set up any networked telephone exchanges very carefully to restrict hackers from breaking out from one site to another.
· Ensure interactive (menu driven) voice response and auto attendant options for accessing outside lines are removed.
· Be sure to take steps to ensure both the physical and technical security of your equipment.
· Seek advice from your system or managed service provider to help you secure your system. Some service providers have precautions in place such as monitoring unusual usage spikes, cutting off services if they exceed pre-agreed thresholds or disconnection in the event of their SIMs are connected to a computer, switchboard or the internet.
If you think you have been a victim of PBX fraud
Report it to Action Fraud, the UK’s national fraud reporting centre by calling 0300 123 20 40 or by visiting www.actionfraud.police.uk. If you are in Scotland, contact Police Scotland on 101.
This page was compiled with the kind assistance of TUFF (Telecommunications UK Fraud Forum)