VoIP fraud is on the rise, particularly post-2020. With every pro comes a con, and in the case of pandemic-proof communications, the con is susceptible technology. That’s not to say that your VoIP system is a hacker’s paradise, just that any software-based technology is vulnerable unless you actively protect it. (If you haven’t yet read our VoIP Security Checklist blog, we highly recommend taking a look. It outlines five steps for a solid baseline to strengthening your VoIP system against malicious actors.)
When did you last comb through your phone bill for anomalies? Probably not since you paid for minutes on a brick mobile or had a landline extension in your room. Fraudsters know this and take advantage of it. Among the many forms of VoIP fraud a favorite is to rack up expensive long-distance calls when they know you’re not paying attention, taking a cut of the profits and leaving you to foot the bill.
Like computer viruses, VoIP hacks often happen long before you see signs of infiltration. Fraudsters get into your system and then wait to act until they learn your schedule. You’re less likely to notice abnormal call volume or pricey premium rate numbers at 3 am than at 3 pm.
Technology is on their side in this situation, too. A normal employee might make a few dozen calls each day, but hackers can rack up thousands of calls while you’re sleeping. We’ve discussed detecting computer viruses and even mobile device malware, but how do you check your entire phone system for fraud?
Most of our detection tips fall into the healthy habits category. If you keep tabs on your usage and bills (read: anything that gives you data on your phone system) religiously enough, you’ll create mental baselines that help you pinpoint oddities faster over time.
Use analytics to your advantage! If you know your highest call volume hours or at least the time frames in which you expect to see higher activity, off-hours calls will jump out at you. Fraudsters usually save their exploits for times when fewer eyes are watching. If you see usage spike when your team is sleeping or rising in ways that don’t match up with other tracking metrics, fraudulent activity may be occurring
The fastest way to make money through VoIP fraud is to go after premium-rate numbers, especially expensive long-distance calls. Even if international calls are normal for your business, keep an eye on them the same way you do general usage. The bill will add up in no time, so a vigilant monitor should catch increased volume fairly quickly.
Call detail records are your friend! When you see calls that strike you as longer or more expensive than they ought to be, pull the CDRs to double-check they’re on the up-and-up.
We need sleep sometimes. And if tracking call data is one of many hats you wear, implementing an automated alert system will help you catch call activity outside expectations. Consider it your safety net for when the healthy habits you built up in tips 1 to 3 miss anything. This helps with analyzing CDRs in particular—especially if your alerts work in real time to catch activity that goes over the limits you set.
The best offense is a strong defense, right? Our security checklist linked at the top of this blog is heavy on strong defensive actions that help you prevent fraud in the first place. It includes our usual roundup of cybersecurity tips: strong passwords, firewalls, limiting permissions, etc. Let’s dive into some specifics for VoIP fraud prevention.
We all know about email phishing, but how aware are your employees of vishing? Vishing is voice phishing; it’s the same as phishing but through the phone. Run some workshops on known loopholes, like authentication exploitation, which comes with a hefty price tag.
Your office is likely aware that it’s wise to stay on top of software updates, but don’t forget the hardware! Your VoIP desk phone connects to the Internet just as well as your iPhone, so why would you only update the latter? Unpatched bugs are a highly exploitable vector.
VoIP phones have a web interface, where you can manage settings and accounts registered to the device, as well as download a backup of the configuration. The latter comes complete with unencrypted user credentials. It’s a great tool when you need it, but we recommend turning off the interface when you’re not poking around the settings. It’s one of the most vulnerable entryways to your phone system because hackers don’t need to be in your LAN to access it. They can get in remotely as long as they have the phone’s IP address, and even if you did change your password from the factory default, most phones don’t limit login attempts. So anyone with the IP address and key cracking software can access this valuable data if you leave the interface up while not in use.
If you can’t disable international calls, set up strong outbound call rules or even restrict international capabilities from your carrier. Depending on the volume of international calls you make, whitelist or blacklist specific countries to limit exploitation. Use a custom international code instead of the default.
Just because you’re part of a shared responsibility security model doesn’t mean you can’t end up with the short end of the stick. Get written agreements on fraud liability so that you don’t end up in a messy lawsuit with AT&T like one small business owner in Massachusetts did. Even though the telco dropped the case, they insisted they were perfectly within legal boundaries to collect payment and interest from the hacked business owner.
VoIP fraud isn’t new, but it is on the rise. The Communications Fraud Control Association (CFCA) reported $28.3 billion lost in 2019 from telecom fraud. That was before the entire world started living through video conferencing, so feel free to let your mind run wild with 2020 estimates. Then go work on protecting your VoIP system with the tips outlined in this blog.