Today’s guest blog comes from 2600hz, whose flagship offering, Kazoo, gives telecom providers modern user interfaces, advanced carrier management, and all of the benefits that come with a team of highly trained telecom engineers. VirtualPBX works closely with 2600hz to deliver solutions to their range of customers across the U.S. and around the world.
By definition, VoIP fraud is the unauthorized use of paid communications services, charged to someone, whether service provider or customer, without their knowledge. VoIP system providers take extensive measures to protect your business from various forms of data breach, but gaps in security remain that leave your business vulnerable to anyone looking for a way in. A single fraud event can cost a business anywhere from $3,000 to $50,000+, and it often occurs more than once, each time claiming thousands of stolen dollars. Stopping an attack before it happens requires securing your system with a proactive approach.
Examples of VoIP Fraud:
There are several ways that your business may be affected. Some schemes are simpler, such as device fraud. Others require an "Ocean's 11" type of heist skill, involving fake companies, manipulated contracts, and Pulitzer-prize-worthy storytelling.
Device & Call Fraud
Device fraud is the simplest and most popular form of VoIP fraud. An automated scan is set up to look for vulnerable endpoints: those still using their default usernames and passwords, which makes them the easiest for an intruder to access. Most UIs change these credentials automatically during setup, but if that step fails, the endpoint becomes a means to pump calls to a secondary account and gives the intruder full control of those devices.
Call fraud gets a bit more creative. Call forwarding fraud involves tricking a person into dialing *72, the most common call forwarding activation code. This lets the attacker accept third-party and collect calls while diverting all calls actually intended for the end user, with the bill going to that business. The attacker usually auto-dials until an end user picks up, then spins a story such as "I was just in an accident, my phone is dying, please contact my wife, boss, lawyer, etc… the number is *72 XXX-XXX-XXXX" until they find a person who agrees to help.
Another call feature that can be used against you is voicemail callback. Here an intruder scans for default voicemail passwords and changes the greeting to "Yes, I accept the charges" or a similar phrase, so that collect calls placed to the system are accepted and the charges land on your account. A complete takeover of the system is possible as well if the intruder knows what they are doing: they then program your call forwarding feature to send all calls to international numbers they own and bill your service provider for the charges.
To protect your company from device and call fraud, always encourage employees to change default passwords on devices, accounts, and voicemail inboxes if this is not done automatically or by you. Use a combination of words such as Correct Horse Battery Staple instead of the standard Pa55word!?, [email protected], or Qweasd123. Turn off all features that are not in use, such as call forwarding and voicemail callback, and block international calling where it is not needed, as idle features are the easiest to target.
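The advice above (change shipped defaults, avoid leetspeak and keyboard-walk passwords, prefer multi-word passphrases) is easy to turn into a recurring audit of your own device inventory. The following is an added example, not code from the original post or from the Kazoo project; the device list, the default-credential lists and the "PIN equals mailbox number" rule are constructed assumptions for illustration, not any vendor's actual defaults.

```python
import re

# Constructed reference lists for this example (illustrative, not a vendor's default-credential database).
DEFAULT_WORDS = {"password", "admin", "welcome", "secret", "letmein"}
DEFAULT_PINS = {"0000", "1111", "1234", "12345", "123456", "000000"}
KEYBOARD_RUNS = ("qwerty", "qwe", "asd", "zxc", "abcd")
# Undo common character substitutions so "Pa55word" compares as "password".
LEET = str.maketrans("01345@$!", "oieasasi")


def normalize(secret: str) -> str:
    """Lower-case, reverse leetspeak substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", secret.lower().translate(LEET))


def is_sequential(pin: str) -> bool:
    """True for straight ascending or descending digit runs such as 1234 or 4321."""
    if len(pin) < 2 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def password_findings(username: str, password: str) -> list:
    """Weaknesses in a SIP device or account password."""
    out = []
    low = password.lower()
    if low == username.lower():
        out.append("device password equals its username")
    if low in DEFAULT_WORDS or low in DEFAULT_PINS:
        out.append("device password is a well-known default")
    elif any(word in normalize(password) for word in DEFAULT_WORDS):
        out.append("device password is a leetspeak variant of a default word")
    if any(run in low for run in KEYBOARD_RUNS):
        out.append("device password contains a keyboard walk")
    if len(password) < 12:
        out.append("device password shorter than 12 characters")
    return out


def pin_findings(mailbox: str, pin: str) -> list:
    """Weaknesses in a voicemail PIN; the mailbox number itself is assumed to be a common shipped default."""
    out = []
    if pin in DEFAULT_PINS:
        out.append("voicemail PIN is a well-known default")
    if len(set(pin)) == 1:
        out.append("voicemail PIN is a single repeated digit")
    if is_sequential(pin):
        out.append("voicemail PIN is a sequential run")
    if pin == mailbox or mailbox.endswith(pin):
        out.append("voicemail PIN matches the mailbox number")
    if len(pin) < 6:
        out.append("voicemail PIN shorter than 6 digits")
    return out


def audit(inventory: list) -> dict:
    """Map each device id to its list of findings; an empty list means it passed."""
    return {
        dev["id"]: password_findings(dev["username"], dev["password"])
        + pin_findings(dev["mailbox"], dev["vm_pin"])
        for dev in inventory
    }


# Constructed inventory of four endpoints (all values invented for the example).
INVENTORY = [
    {"id": "dev-101", "username": "1001", "password": "1001", "mailbox": "1001", "vm_pin": "1001"},
    {"id": "dev-102", "username": "sales", "password": "Pa55word!?", "mailbox": "1002", "vm_pin": "1234"},
    {"id": "dev-103", "username": "ops", "password": "Qweasd123", "mailbox": "1003", "vm_pin": "7777"},
    {"id": "dev-104", "username": "reception", "password": "Correct Horse Battery Staple",
     "mailbox": "1004", "vm_pin": "839201"},
]

if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY).items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```

Run against the constructed inventory, only the passphrase-protected reception phone with a six-digit random PIN comes back clean; the other three are flagged for exactly the habits the post warns about (credentials equal to the extension, a leetspeak "password", a keyboard walk, and short or sequential PINs). In practice you would feed this from your provisioning database or a device export rather than a hard-coded list.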
Set Limitations and Access to Carriers
As a VoIP provider, picking the right carrier is as important as the phone system itself. The best carriers provide analytics, monitoring, alerts, and logging. Since you are ultimately responsible for the traffic generated by your system, delegating fraud detection and mitigation to your upstream is not the wisest course of action. It's important to know how to set limitations and access to carriers and how to monitor carrier utilization.
Examples of explicit inbound/outbound rules:
- Block inbound network traffic you do not want
- Route high-rate calls via alternate routes that carry stronger fraud controls
- KAZOO blocks high rate areas by default
- Limit number of simultaneous calls
- Select backup routes which come into effect when other routes fail
- Choose carrier priorities for all outbound services or by service individually
- Select different set of routes, depending on the type of number being dialed
- Limit the types of call the account can make, for example: US Toll Free, US Toll, Emergency Dispatcher, International, US DID, Caribbean
Prepay can be effective in limiting the consequences of unlimited network access. By setting an amount limit, an intruder can only gain the amount you have prepaid in case of an attack, which stops them from draining your account and causing bottomless damages. Be careful when setting up an account: automatic recharge is convenient, but it does not stop the account from continuing to be drained once the original prepaid amount is exhausted.
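The outbound rules listed above and the prepay limit combine naturally into one authorization check applied at call setup: classify the dialed number into a call type, compare it with what the account is allowed to place, enforce the simultaneous-call limit, and refuse the call when the prepaid balance cannot cover it. The block below is an added example written for this post, not Kazoo code or a carrier API; the per-minute rates, the account names and the reserve-minute rule are constructed, and the Caribbean area-code set is a partial list kept short for illustration. It also shows how to compute the worst-case spend an intruder could reach on a prepaid account, which is the bound the prepay paragraph describes.

```python
from dataclasses import dataclass

# NANP toll-free prefixes.
TOLL_FREE_CODES = {"800", "833", "844", "855", "866", "877", "888"}
# Partial set of NANP area codes assigned to Caribbean nations (kept short for the example).
CARIBBEAN_CODES = {"242", "246", "268", "284", "345", "441", "473", "649", "664",
                   "758", "767", "784", "809", "829", "849", "868", "869", "876"}
# Constructed per-minute rates in USD; a real table comes from the carrier contract.
RATE_PER_MIN = {
    "Emergency Dispatcher": 0.00, "US Toll Free": 0.00, "US Toll": 0.01,
    "Caribbean": 0.45, "International": 1.20, "Premium": 3.00,
}


def classify(dialed: str) -> str:
    """Bucket a dialed string into one of the call types from the post's list."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if digits == "911":
        return "Emergency Dispatcher"
    if len(digits) == 10:          # 10-digit national dialing: assume NANP
        digits = "1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        npa = digits[1:4]
        if npa in TOLL_FREE_CODES:
            return "US Toll Free"
        if npa in CARIBBEAN_CODES:
            return "Caribbean"
        if npa == "900":
            return "Premium"
        return "US Toll"
    return "International"       # anything outside the NANP, including 011-prefixed dialing


@dataclass
class AccountPolicy:
    name: str
    allowed: frozenset            # call types this account may place
    max_concurrent: int           # simultaneous outbound calls
    prepaid_balance: float        # USD remaining; no auto-recharge in this model
    reserve_minutes: int = 1      # minutes of balance that must be available at call setup (assumption)


def default_policy(name: str, balance: float) -> AccountPolicy:
    """Low-risk default: domestic only, high-rate destinations off until explicitly enabled."""
    return AccountPolicy(name, frozenset({"Emergency Dispatcher", "US Toll Free", "US Toll"}), 10, balance)


def authorize(policy: AccountPolicy, dialed: str, active_calls: int):
    """Return (allowed, call_type, reason) for one outbound attempt."""
    call_type = classify(dialed)
    if call_type == "Emergency Dispatcher":
        return True, call_type, "emergency calls are never blocked"
    if call_type not in policy.allowed:
        return False, call_type, f"{call_type} is not enabled for {policy.name}"
    if active_calls >= policy.max_concurrent:
        return False, call_type, f"concurrent call limit of {policy.max_concurrent} reached"
    needed = RATE_PER_MIN[call_type] * policy.reserve_minutes
    if policy.prepaid_balance < needed:
        return False, call_type, "prepaid balance exhausted"
    return True, call_type, "allowed"


def max_billable_minutes(policy: AccountPolicy, call_type: str) -> float:
    """Upper bound on minutes an intruder could burn on this account for one call type."""
    rate = RATE_PER_MIN[call_type]
    return float("inf") if rate == 0 else policy.prepaid_balance // rate


if __name__ == "__main__":
    # Constructed attempts: (dialed number, calls already in progress)
    acct = default_policy("acme-pbx", balance=25.0)
    for number, active in [("212 555 0100", 0), ("+1 876 555 0100", 0),
                           ("011 44 20 7946 0958", 0), ("212 555 0100", 10), ("911", 10)]:
        print(number, authorize(acct, number, active))
    intl = AccountPolicy("intl-sales", frozenset({"US Toll", "International"}), 5, 50.0)
    print("worst case international minutes on intl-sales:", max_billable_minutes(intl, "International"))
```

With the default policy, the Caribbean and UK attempts are refused before they ever reach a carrier, the eleventh simultaneous domestic call is dropped by the concurrency limit, and 911 is always allowed. For the international-enabled account with $50 prepaid, the worst-case exposure is 41 minutes at the constructed $1.20 rate; with automatic recharge switched on, that bound disappears, which is the point the paragraph above makes.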
Other Fraud Schemes
Even if you use all the methods listed above to protect your business, there are still companies that are in the business of ripping people off. In every industry, where there's a will there's a way, and new forms of committing fraud are invented every day. Some are more amusing than others, like the case of a woman who keeps getting strange phone calls that find her eavesdropping on the lives of complete strangers.
Fake companies are often formed to deceive businesses into using their service. The most popular tactic involves creating a faux business whose name resembles that of a well-known company, making the difference hard to spot for unsuspecting users. These operators will often go as far as creating fake bank receipts and offering you fake IP addresses, or simply use your services under a fake business name and never pay.
It cannot be stressed enough: do your research on any company you do business with. Reviews and information can be found on almost any business with a quick internet search. When working with contracts, always have a lawyer look over the details, and when in doubt, don't hesitate to get professional help. There are also several community websites, such as VoIP Fraud, that help keep the conversation about fraud going and warn people of known businesses and individuals who are a risk.
With the advancements in technology, your business is more at risk than ever. In 2016, 1 in every 937 calls made was fraudulent, an increase from 1 in 2,000 just the year before. Instead of a reactive approach, which inevitably costs you money, following even the smallest safety precautions could save you thousands of dollars and the reputation of your business. Work with a company that keeps its platform updated, monitor your account frequently, and stay up to date on emerging technologies and safety tactics to stay a step ahead of fraud.