What keeps IT managers up at night? Security issues—and for good reason. When it comes to business communication systems, there are lots of reasons for concern—denial of service (DoS) attacks, eavesdropping, VoIP phishing (Vishing), and toll fraud.
Toll fraud, which is defined as any unauthorized use of a businesses telephone system and carrier services, cost victims $4.73 billion globally last year according to the Communications Fraud Control Association. It generally involves the hijacking of a phone system to make expensive international calls or calls to premium numbers overseas at several dollars a minute. The cost of these calls will then be charged to your company as if someone within your organization made the call.
Companies of all sizes, and even the savviest organizations, can be targets. The hackers keep getting better at finding ways to break into phone systems.
“If you have a toll free number it puts you more at risk. The more numbers you have into your system, the more voice mail systems, the more features you have may increase the risk, but this can all be controlled.” —Ralph Willett, Senior Engineer, Wesley Clover Solutions
Perhaps the weakest and most vulnerable area is the business’ voice mail system. Willett notes, “Voicemail is the easiest thing to attack—people don't change their voice mail or administrator’s password. Hackers dial in and compromise the user’s mailbox and uses this to dial out and make calls from there unless system is secured.”
Jerry Sparling, VP of Customer Service and Quality at Mitel, explains, “Many customers use default passwords, which make them vulnerable to hacking. For example, it’s common to use your extension number as your voice mail password, or to use the default 0000 for the administration access code to the system.”
“Everyone who doesn't follow best practices is at risk." —Jerry Sparling, VP of Customer Service and Quality, Mitel
According to Sparling, "Businesses in the hospitality industry are especially at risk, as many of them have older products and legacy PBXs that are 20 years old, and some of those installations didn't follow best practices.”
So what can be done to prevent toll fraud? I spoke with three experts recently who shared some tips and best practices.
1. Change passwords—never use the default passwords for voice mailboxes, system administration, conference bridges, etc., and use passwords that aren’t obvious or easy to guess, such as 1234. Enforce a policy of changing passwords on a regular basis, and when someone leaves the company, delete their mailboxes immediately, and block or delete all inactive mailboxes.
2. Determine what is necessary to conduct business and determine what level of restriction to apply to phones during normal and off business hours. Willett has written a detailed article posted on www.MitelForums.com on avoiding toll fraud, and suggests determining what features your business needs and what phones need them.
Willett wrote, “Knowing what needs to be done in order to program any PBX with security in mind, a business must first determine what PBX features are required for its business environment as well as who will use these features. Each phone will have out dialing requirements based on the job function of the person using it. For example, the CEO of a company may require international calling to conduct business. This is generally not true of the lunch room phone or the copy room phone, therefore these phones should be classified differently.”
Willett recommends identifying which phones need to make long distance calls, require outbound access during off business hours, and need to make out-of-state or international calls, and then restrict these capabilities from the phones that don’t require it. He adds, “When moving to the cloud, make sure whoever is doing this in the cloud is taking care of you. The same rules apply, so make sure whoever is doing the cloud understands what the restriction requirements are.”
To get all 10 tips, read the full original article 10-Step Health Check to Avoid Toll Fraud by Blair Pleasant on UC Strategies.