Action Fraud is warning that it continues to receive reports of businesses falling victim to “PBX dial-through fraud”. Action Fraud has issued the following guidance to help you find out what it is and how to protect against it:
What is PBX Fraud?
Private Branch Exchanges (PBX) are telephone systems used by businesses to communicate both internally and externally. Fraudsters target these systems to make calls to premium rate/international numbers. Victims are liable for the fraudulent transactions, which can cause significant financial harm or even bankruptcy.
Or, in technical terms, a PBX is a telephone switching system that connects internal telephones to one another, as well as connecting them to the Public Switched Telephone Network (PSTN), Voice over Internet Protocol (VoIP) providers and Session Initiation Protocol (SIP) trunks. The PBX will often also provide access to voice messaging systems.
How do the fraudsters get access and make money?
Depending on the type of system used there are a number of ways a hacker may gain access.
Incorrectly configured firewalls, poor security settings, a lack of maintenance and the use of default passwords all allow hackers quick and easy access.
Once access is gained, the criminals can exploit in-built services such as voicemail, call forwarding and call diversion to direct calls to a number of their choosing. This will often be to premium rate or international numbers.
In this fraud the criminal tends to make their money in two ways:
- Dialling premium rate numbers that are associated with international calling companies.
- Dialling international numbers through the compromised telephone system, most noticeably to Eastern Europe, Cuba and Africa.
In both instances the suspects will either have a share in the revenue generated by the calls or they will be paid for their hacking services in advance.
This type of fraud is most likely to occur when organisations are most vulnerable, i.e. at times when the business is closed but its telephone system is NOT: for example in the early hours of the morning, or over a weekend or public holiday.
There are some simple steps Action Fraud suggest will significantly reduce your risk of becoming a victim:
- If you still have your voicemail on a default PIN/password change it immediately.
- Use strong PIN/passwords for your voicemail system, ensuring they are changed regularly.
- Disable access to your voicemail system from outside lines. This feature is usually provided so that remote workers can reach their voicemail. If it is not business critical, disable it; otherwise restrict access to essential users and ensure they update their PIN/passwords regularly.
- If you do not need to call international numbers/premium rate numbers, ask your telecoms provider to place a restriction on your telephone line.
- Consider asking your network provider to not permit outbound calls at certain times e.g. when your business is closed.
- Ask your telecoms provider to alert you immediately if there is any unusual call activity taking place on your telephone lines.
- Regularly review the call logging and call reporting options available to you, and monitor for increased or suspect call traffic.
- Secure your exchange and communications system: use a strong PBX firewall, and if you don’t need a function, close it down.
- If you use a maintenance provider speak to them or ensure that the person responsible for the PBX understands the threats and ask them to correct any identified security defects.
- Consider consulting an IT telecoms professional to ensure your settings for your PBX systems are secure and the settings have been properly set up.
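As an added illustration of the call-log review recommended above (example code, not part of Action Fraud's guidance), the following Python script flags the pattern the advisory describes: outbound calls to international or premium-rate numbers placed while the business is closed, counted per extension. The sample call records, the UK 00/09 dialling prefixes and the 08:00-18:00 weekday business hours are constructed assumptions.

```python
"""Flag PBX call-detail records that match the dial-through fraud pattern."""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export: timestamp, extension, dialled number, seconds.
SAMPLE_CDR = """\
2017-03-04T02:13:07,201,0037255512345,612
2017-03-04T02:25:40,201,0053712345678,540
2017-03-04T02:41:02,201,0090912345678,480
2017-03-06T10:05:11,114,01926123456,95
2017-03-06T11:30:00,118,0037255512345,30
"""
INTERNATIONAL_PREFIX = "00"  # UK international dialling prefix (assumed)
PREMIUM_PREFIX = "09"        # UK premium-rate number range (assumed)
BUSINESS_HOURS = (8, 18)     # 08:00-18:00, Monday to Friday (assumed)

def parse_cdr(text):
    """Parse CSV call records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        when, ext, number, secs = parts
        records.append({"when": datetime.fromisoformat(when), "ext": ext,
                        "number": number, "secs": int(secs)})
    return records

def is_high_cost(number):
    """True for international or premium-rate destinations."""
    return number.startswith((INTERNATIONAL_PREFIX, PREMIUM_PREFIX))

def is_out_of_hours(when):
    """True at night, at weekends, or whenever the business is closed."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.hour < end)

def suspicious_calls(text):
    """Per-extension count of high-cost calls placed out of hours."""
    counts = defaultdict(int)
    for rec in parse_cdr(text):
        if is_high_cost(rec["number"]) and is_out_of_hours(rec["when"]):
            counts[rec["ext"]] += 1
    return dict(counts)

def alerts(text, threshold=2):
    """Extensions whose suspicious-call count reaches the threshold."""
    return sorted(e for e, n in suspicious_calls(text).items() if n >= threshold)
```

On the sample records, alerts(SAMPLE_CDR) returns ['201']: three international calls from one extension in the early hours of a Saturday, while the daytime international call from extension 118 is not flagged.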
Source: Action Fraud, 2017.
For more information about our work, please visit www.safeinwarwickshire.com/cybercrime
Cyber Aware is a cross-government campaign, funded by the National Cyber Security Programme. They aim to measurably and significantly improve the online safety behaviour and confidence of consumers and small businesses (SMEs).
Get Safe Online is the UK’s leading source of factual and easy-to-understand information on online safety. Their website offers advice on how you can protect yourself, your computers and devices, and your business against the likes of fraud, identity theft, viruses and other potential online problems.