When small business owner Bob Foreman opened the phone bill for his company it totaled a stunning $166,000! Bob’s firm, Foreman Seeley Fountain Architecture, had become the latest victim of phone system hacking and fraud. The Communications Fraud Control Association estimates that this type of phone scam has raked in almost $5 billion globally in the last year, and the figure keeps growing.
I own a telephone answering service and I have become very concerned that many of my clients have switched to Internet based phone systems without truly understanding the vulnerabilities they have created. Therefore, I want to provide a “plain-English”, non-technical explanation of what those risks are and specific steps for dealing with them.
If your phone system is connected to the Internet (ex. Voice-Over-IP service or SIP phones) you have created a potential pathway for hackers. If they succeed in accessing your system they can take over and engage in several forms of mischief:
- Fraud: They can make calls to foreign, and sometimes domestic, premium-rate phone lines that they have leased themselves from shady phone companies (this is often called international revenue share fraud). They get a percentage of the charges on each call. Using auto dialers they can make thousands of calls in only a few days. A recent article in the NY Times chronicled Mr. Foreman’s battle with his phone company over paying the whopping bill he received after this type of fraud.
- Eavesdropping: Hackers can also use their access to listen to voicemail messages and monitor conversations. Their activities could potentially reveal sensitive information that may fall under regulatory guidelines and represent a serious security breach.
- Hijacking: They can sell the use of your phone system to other criminals.
- Vandalism: Hackers are sometimes just thrill-seekers who can delete information or disable your phone system just to show that they can.
How Can You Protect Yourself?
The first step is to take all the same security precautions that you use to protect your computer network to protect your phone system. Don’t assume that the phone company or the IT company that you used to install it provided adequate safeguards. Remember, your business is ultimately on-the-hook for the cost of any calls that originated from your phone system, even if they were made by a hacker. Below are some best practices that you should question your vendor about.
- Firewall: Your phone system needs to sit behind a strong firewall. Ideally, the firewall should include intrusion detection to flag patterns that could allow you to recognize that you are under attack, or worse yet, that a hacker has gained access to your phone system.
- Administrative Remote Access: Be sure you actually need to allow off-premises administrative access to your phone system. Be aware that this opens up another potential point of attack. If you do allow it, remote access should be done through a VPN (virtual private network) connection so the log-in screen is not publicly visible and a third party can’t capture the password you type in (ex. a man-in-the-middle attack). You also need to use a very strong password. Microsoft provides an online password tester.
- Voicemail Web Portal: Remote access to voicemail is another area of vulnerability. If hackers get into your voicemail, features such as call forwarding and call-back can let them place outbound calls that are billed to you. Don’t ever allow employees to leave default passwords in place; hackers share lists of these passwords. Virtually all businesses fall under some type of regulatory privacy guidelines (ex. PCI, HITECH, HIPAA, GLB Act, etc.), and leaving default passwords in place is exactly the kind of basic failure that can put you out of compliance and expose you to serious fines. Ideally, you also want employees to use two-factor authentication. Note that an extension number plus a password is not two factors, since both are things the employee knows; a real second factor is something the employee has, such as a code sent to their mobile phone.
- Control Outside Traffic: Block all outside IP addresses from accessing your phone system except those that you have authorized (for example, your carrier’s own servers).
- Default Ports: Use non-standard ports for your phone system and disable automatic responses to pings (a common first test by hackers). This cuts down on noise from automated scanners, but it is not a defense on its own; an attacker who finds the port is no worse off, so the other measures on this list still apply.
- Lockout Periods: Limit the number of attempts someone can make to enter a password.
- Housekeeping: Do not keep extensions active for former personnel or positions. Immediately cancel their extensions including any features, access rights, codes and passwords.
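As an added example (not code from the original post), here is what the lockout and intrusion-detection advice above looks like in practice: a small Python script that runs over constructed SIP registration log lines, locks a source address out after too many failed attempts within a sliding window, flags attempts that continue during the lockout, and flags a success that follows a run of failures. The log format, thresholds and IP addresses are assumptions made up for the illustration, not any particular phone system’s real logs.

```python
"""Lockout and brute-force detection over SIP registration log lines.

Added example, not code from the original post. The log format below is a
constructed one (timestamp, event, extension, source IP); real phone systems
log this differently, so parse_line() is the part you would adapt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # lock a source out after this many failures ...
WINDOW = timedelta(minutes=10)    # ... within this sliding window ...
LOCKOUT = timedelta(minutes=30)   # ... for this long
GUESS_THRESHOLD = 3               # a success after this many failures is suspicious

# Constructed sample log (documentation IP ranges, not real hosts): one address
# guessing extensions at 2 a.m., one that gets the password on the fourth try,
# and one user who simply mistyped once.
SAMPLE_LOG = """\
2024-03-01T02:14:01 REGISTER_FAIL ext=100 src=203.0.113.7
2024-03-01T02:14:02 REGISTER_FAIL ext=101 src=203.0.113.7
2024-03-01T02:14:02 REGISTER_FAIL ext=102 src=203.0.113.7
2024-03-01T02:14:03 REGISTER_FAIL ext=103 src=203.0.113.7
2024-03-01T02:14:03 REGISTER_FAIL ext=104 src=203.0.113.7
2024-03-01T02:14:04 REGISTER_OK ext=104 src=203.0.113.7
2024-03-01T03:00:00 REGISTER_FAIL ext=105 src=203.0.113.7
2024-03-01T03:30:00 REGISTER_FAIL ext=200 src=198.51.100.9
2024-03-01T03:30:01 REGISTER_FAIL ext=200 src=198.51.100.9
2024-03-01T03:30:02 REGISTER_FAIL ext=200 src=198.51.100.9
2024-03-01T03:30:05 REGISTER_OK ext=200 src=198.51.100.9
2024-03-01T08:00:10 REGISTER_FAIL ext=210 src=192.0.2.25
2024-03-01T08:01:30 REGISTER_OK ext=210 src=192.0.2.25
"""

def parse_line(line):
    """Split one log line into (timestamp, event, extension, source IP)."""
    ts, event, ext, src = line.split()
    return (datetime.fromisoformat(ts), event,
            ext.split("=", 1)[1], src.split("=", 1)[1])

def analyze(log_text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Return (sources still locked out at the end of the log, list of alerts)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    locked = {}                     # src -> time the lockout expires
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, ext, src = parse_line(line)
        if src in locked:
            if ts < locked[src]:
                # The phone system should already be rejecting these; record them
                # anyway, because a source that keeps trying belongs on a firewall block list.
                alerts.append(f"{ts.isoformat()} {src} tried {event} ext={ext} while locked out")
                continue
            del locked[src]         # lockout expired, start counting again
        if event == "REGISTER_FAIL":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                locked[src] = ts + lockout
                alerts.append(f"{ts.isoformat()} lockout {src} after {len(q)} failures within {window}")
        elif event == "REGISTER_OK":
            recent = len(failures[src])
            if recent >= GUESS_THRESHOLD:
                alerts.append(f"{ts.isoformat()} {src} registered ext={ext} after {recent} "
                              "failures: possible guessed password")
            failures[src].clear()
    return locked, alerts

if __name__ == "__main__":
    still_locked, found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
```

Running it on the sample produces three alerts: the 2 a.m. source is locked out on its fifth failure, its next attempt is reported as arriving during the lockout, and the second source is flagged because it registered successfully right after three failures. The third source, one typo followed by a success, produces nothing, which is the balance you want: noisy enough to catch a guessing attack, quiet enough that ordinary mistakes do not page anyone.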
The second step is equally important and it won’t cost you a dime. No one can guarantee that a hacker won’t get past your defenses. Therefore, it is very important to minimize your risk exposure, and potential expense, if they do. Consider blocking all of the following features in your phone system and with your telephone/Internet carrier.
- International Calls: Block the ability to make international calls or enable only select countries.
- Remote Dial In: This is a feature (often called DISA, for Direct Inward System Access) that allows an employee to call into your phone system from another location and then dial out to an outside number. This is exactly the feature that a hacker wants to use. Block it.
- 900 Numbers: 900 services allow callers to connect to phone numbers that start with 1-900 for pay-per-call services. Pay-per-call services include live and pre-recorded services like adult chat lines, vote casting, psychic consultations, horoscopes, soap opera updates, games, donations processing, sports scores, weather forecasts, translation, and medical, legal or government services. The charge per minute can be whatever the provider wants it to be (ex. $10/minute).
- Casual Dialing: Also called dial-around, this lets someone dialing out through your phone system pick any long distance carrier they choose by prefixing the call with a 10-10-xxx carrier code, regardless of the carrier you have designated. Again, this is exactly what a hacker wants and you should block it.
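As an added example (not the post’s own code or any vendor’s), here is how the four blocks above can be enforced at the dial plan: a Python policy check that classifies a dialed number as international, pay-per-call, casual dialing, domestic or internal using North American dialing conventions, and allows international calls only to an approved list of countries. It goes slightly beyond the post in one respect: it also catches Caribbean area codes that dial like domestic 1-XXX numbers but bill at international rates. The approved countries, the area-code list and the phone numbers are assumptions made up for the illustration.

```python
"""Outbound dial-plan policy for toll-fraud containment.

Added example, not code from the original post or from any phone vendor.
It applies the blocks the post recommends (international, 900, casual
dialing) to dialed digit strings using North American (NANP) conventions.
The allowlist and the non-US area-code list are hypothetical sample values.
"""
import re

# Hypothetical policy: this business only needs to call the UK (+44) and Germany (+49).
POLICY = {
    "allowed_country_codes": {"44", "49"},
    "allowed_foreign_nanp_area_codes": set(),   # e.g. {"876"} if Jamaica is a customer
}

PREMIUM_AREA_CODES = {"900"}

# NANP area codes belonging to countries outside the US. They are dialed like a
# domestic 1-XXX number but bill at international rates, which is what makes
# them attractive to fraudsters. Example entries only; keep the real list
# current from your carrier's rate tables.
NON_US_NANP_AREA_CODES = {"809", "829", "849", "876", "284", "268"}

def normalize(dialed):
    """Strip the separators people and auto-dialers put into numbers."""
    return re.sub(r"[\s().-]", "", dialed)

def classify(dialed):
    """Return (category, detail) for a dialed string."""
    d = normalize(dialed)
    # 101XXXX carrier access code ("10-10-xxx" casual dialing) in front of the number.
    # NANP area codes never start with 0 or 1, so a leading "101" cannot be "1" + area code.
    if re.match(r"101\d{4}\d+", d):
        return "casual_dialing", d[:7]
    if d.startswith("+1"):
        d = "1" + d[2:]           # E.164 form of a NANP number; treat like 1-XXX-XXX-XXXX
    elif d.startswith("+"):
        return "international", d[1:]
    elif d.startswith("011"):     # NANP international access prefix
        return "international", d[3:]
    if len(d) == 11 and d[0] == "1":
        area = d[1:4]
    elif len(d) == 10:
        area = d[:3]
    else:
        return "internal", d      # short strings: extensions and feature codes
    if area in PREMIUM_AREA_CODES:
        return "premium", area
    if area in NON_US_NANP_AREA_CODES:
        return "international_nanp", area
    return "domestic", area

def is_allowed(dialed, policy=POLICY):
    """Decide whether the call may be placed; returns (allowed, reason)."""
    kind, detail = classify(dialed)
    if kind == "casual_dialing":
        return False, f"carrier access code {detail} blocked (casual dialing)"
    if kind == "premium":
        return False, f"1-{detail} pay-per-call number blocked"
    if kind == "international":
        # ITU country codes are prefix-free, so a startswith test against real
        # country codes cannot match the wrong country.
        if any(detail.startswith(cc) for cc in policy["allowed_country_codes"]):
            return True, "international call to an approved country"
        return False, "international calling blocked for this destination"
    if kind == "international_nanp":
        if detail in policy["allowed_foreign_nanp_area_codes"]:
            return True, f"approved non-US NANP area code {detail}"
        return False, f"area code {detail} is outside the US and bills at international rates"
    return True, kind

if __name__ == "__main__":
    # Constructed sample numbers (555-01XX and 20 7946 0xxx are reserved test ranges).
    for number in ["(212) 555-0100", "011 44 20 7946 0958", "011-33-1-23-45-67-89",
                   "1-900-555-0100", "1010321 1 212 555 0100", "1 876 555 0100", "104"]:
        ok, why = is_allowed(number)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {number:24} {why}")
```

The useful design point is that the decision is made from the digits the caller actually sent, after stripping separators, so an auto-dialer cannot slip past by formatting the number oddly. When the phone system and the carrier both apply a policy like this, a compromised extension can still be abused, but the expensive destinations are simply unreachable.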
The best way to protect yourself is to be an educated buyer. There is too much at stake for you to assume that a vendor has taken basic precautions or has disabled features that might put you at risk. Get the answers to your questions in writing, so if there is a problem later, there is no question about the security measures your phone system vendor and telephone/Internet carrier agreed to put in place.
This blog was written by Laurie Leonard, the President of SUITE 1000, a U.S. based national telephone answering service, inbound call center and outsourced call center service. Her company has specialized in handling legal intake, sales leads, email lead response, appointment scheduling, customer service and help desk calls for over 20 years.