Guest Blog

What is VoIP Fraud?

Today’s guest blog comes from 2600hz, whose flagship offering, Kazoo, gives telecom providers modern user interfaces, advanced carrier management, and all of the benefits that come with a team of highly trained telecom engineers. VirtualPBX works closely with 2600hz to deliver solutions to their range of customers across the U.S. and around the world.

By definition, VoIP fraud is the unauthorized use of paid communications services, charged to someone without their knowledge, whether that is the service provider or the customer. VoIP system providers take extensive measures to protect your business from various forms of data breach, but there are still gaps in security that make your business vulnerable to those searching for a way in. A single fraud event can cost a business anywhere from $3,000 to $50,000+, and fraud often occurs more than once, claiming thousands of stolen dollars. Stopping an attack from happening requires securing your system using a proactive approach.

Examples of VoIP Fraud:

There are several ways that your business may be affected. Some schemes are simpler, such as device fraud. Others require an “Ocean’s 11” type of heist skill that involves creating fake companies, manipulating contracts, and Pulitzer Prize-like storytelling.

Device & Call Fraud

Device Fraud is the simplest and most popular form of VoIP fraud. An automation is set up to scan for vulnerable endpoints. Vulnerable endpoints are those still using their default usernames and passwords, making them the easiest for an intruder to access. Most UIs change this automatically on setup, but if an error occurs, that endpoint becomes a means to pump calls to a secondary account and gives the intruder full control of those devices.

Call Fraud gets a bit more creative. Call forwarding fraud involves tricking a person into dialing *72, which is the most common call forwarding activation key. This gives the attacker access to accept third-party and collect calls while diverting all calls actually intended for the end user and sending the bill to that business. The attacker in these cases would usually auto-dial until an end user picks up, and then spin a story such as “I was just in an accident, my phone is dying, please contact my wife, boss, lawyer, etc… the number is *72 XXX-XXX-XXXX” until they find a person who agrees to help.

Another call feature that can be used against you is voicemail callback. For this, an intruder scans for default VM passwords and changes the recording to “Yes, I accept the charges” or a similar phrase to send collect calls to the system and collect the charges made to your account. A complete hack of the system can be done as well if the intruder knows what they are doing. They would then program your call forwarding feature to send all calls to international numbers owned by them and bill your service provider for the charges.

To protect your company from device and call fraud, always encourage employees to change default passwords on devices, accounts, and voicemail inboxes if it is not done automatically or by you. It is advised to use a combination of words such as Correct Horse Battery Staple instead of the standard: Pa55word!?, 6aseb@ll, Qweasd123. Turn off all features that are not in use, such as call forwarding and voicemail callback, and block international calls, as those idle features are easiest to target.

Set Limitations and Access to Carriers

As a VoIP Provider, picking the right carrier is as important as the phone system itself. The best carriers provide analytics monitoring, alerts and logging. Since you are ultimately responsible for the traffic generated by your system, delegating fraud detection and mitigation to your upstream is not the wisest course of action. It’s important to know how to set limitations and access to carriers and know how to monitor carrier utilization.

Examples of explicit inbound/outbound rules:

  • Block inbound network traffic you do not want
  • Route high-rate calls via alternate more fraud-enhanced routes
  • KAZOO blocks high rate areas by default
  • Limit number of simultaneous calls
  • Select backup routes which come into effect when other routes fail
  • Choose carrier priorities for all outbound services or by service individually
  • Select different set of routes, depending on the type of number being dialed
  • Limit the types of call the account can make, for example: US Toll Free, US Toll, Emergency Dispatcher, International, US DID, Caribbean

Prepay can be effective in preventing the possible consequences of unlimited network access. By setting an amount limit, in case of an attack, an intruder can only gain the amount you have prepaid, stopping them from draining your account and causing bottomless damages. Be careful when setting up an account: automatic recharge is convenient, but it does not prevent the account from continuing to be drained once the original prepaid amount is exhausted.
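An added example (not KAZOO or carrier code) of the outbound rules above: it classifies a dialed number, then applies a call-type allow list, a simultaneous-call limit, and a prepaid balance with no automatic recharge. The `Account` fields, rates, area-code subsets and sample numbers are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Illustrative subsets only (assumption); load real lists from your carrier's rate deck.
# Caribbean NANP codes dial like domestic +1 numbers but bill at international rates.
CARIBBEAN_NPAS = {"242", "246", "264", "268", "284", "345", "473", "649", "664",
                  "758", "767", "784", "809", "829", "849", "868", "869", "876"}
TOLL_FREE_NPAS = {"800", "833", "844", "855", "866", "877", "888"}


def classify(dialed: str) -> str:
    """Map a dialed string to a call class; anything unrecognised is 'unknown'."""
    digits = re.sub(r"\D", "", dialed)
    if not digits:
        return "unknown"
    if dialed.strip().startswith("+"):
        if not digits.startswith("1"):
            return "international"
    elif digits == "911":
        return "emergency"
    elif digits.startswith("011"):
        return "international"
    elif len(digits) == 10:
        digits = "1" + digits
    if len(digits) == 11 and digits[0] == "1":
        npa = digits[1:4]
        if npa in TOLL_FREE_NPAS:
            return "us_toll_free"
        return "caribbean" if npa in CARIBBEAN_NPAS else "us_toll"
    return "unknown"


@dataclass
class Account:
    allowed: set            # call classes this account may dial
    max_concurrent: int     # simultaneous-call limit
    balance_cents: int      # prepaid balance; deliberately no auto-recharge
    active_calls: int = 0


def authorize(acct: Account, dialed: str, rate_cents_per_min: int, reserve_min: int = 5):
    """Return (allowed, reason). Deny by default; emergency calls always pass."""
    cls = classify(dialed)
    if cls == "emergency":
        return True, "emergency"
    if cls not in acct.allowed:
        return False, f"class {cls} not permitted"
    if acct.active_calls >= acct.max_concurrent:
        return False, "concurrent call limit reached"
    hold = rate_cents_per_min * reserve_min   # reserve a few minutes up front
    if acct.balance_cents < hold:
        return False, "prepaid balance exhausted"
    acct.balance_cents -= hold
    acct.active_calls += 1
    return True, cls


def demo():
    """Run constructed calls through one account and return each decision."""
    acct = Account(allowed={"us_toll", "us_toll_free"}, max_concurrent=2, balance_cents=1000)
    calls = [("+18095550123", 300), ("(415) 555-0100", 2), ("1-800-555-0199", 0),
             ("415-555-0101", 2), ("011442079460000", 150), ("911", 0)]
    return [authorize(acct, number, rate) for number, rate in calls]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The +1 809 number is refused even though it looks domestic, which is why the allow list works on the classified call type rather than on the dialing prefix.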

Other Fraud Schemes

Even if you use all the methods listed above to try and protect your business, there are still companies that are in the business of ripping people off. In every industry, where there is a will there’s a way, and new forms of committing fraud are invented every day. Some are more amusing than others, like in this case, where a woman continues to get strange phone calls that find her eavesdropping on the lives of complete strangers.

Fake companies are often formed to deceive businesses into using their service. The most popular tactic involves creating a faux business resembling the name of a well-known company, making the difference hard to spot for unsuspecting users. Those persons will often go as far as creating fake bank receipts and offering you fake IP addresses, as well as simply using your services under a fake business name and never paying.

It cannot be stressed enough to do your research on any company you do business with. Reviews and information can be found on almost any business with a quick search of the internet. When working with contracts, always have a lawyer look over the details and when in doubt, don’t hesitate to get professional help. There are also several community websites such as VoIP Fraud that help keep the conversation about fraud going and warn people of known businesses/people who are a risk.

Final Notes

With the advancements in technology, your business is more at risk than ever. In 2016, 1 in every 937 calls made was fraudulent, an increase from 1 in 2000 just the year before. Instead of a reactive approach, which inevitably will cost you money, following and taking the smallest safety precautions could save you thousands of dollars and the reputation of your business. Work with a company that keeps their platform updated, frequently monitor your account, and stay up to date on emerging technologies and safety tactics, to be a step ahead of fraud.

VirtualPBX Guest Blog: Best Practices In Securing Unified Communications

For our Partner Blog Series we like to highlight the relationships we have with our peers and business partners from across all areas of the telecommunications industry. We know that when it comes to relationships, the whole really is greater than the sum of the parts. That’s why we want to share with you the wisdom, experience, and perspective of the companies we work with.

For this edition of the VirtualPBX Partner Blog Series, we tap into the decades of network security experience of Sorell Slaymaker from Unified IT Systems. Sorell is an expert in the areas of risk assessment, network configuration, and general data security best practices in the cloud communications space. He has written extensively on these topics and today contributes the following guidelines for securing unified communications.

Best Practices In Securing Unified Communications

Unified Communications (UC) applications can be the hardest to secure within an enterprise. UC clients, APIs, and services need a full security suite to ensure an enterprise stays secure. Too many enterprises attempt to apply standard application security measures to UC applications, which limits what users can do and still leaves enterprises exposed to the complex UC security challenges. Security managers and architects understand standard web applications, but not all the nuances of UC, and UC managers and architects lack the sophisticated security understanding.

Framing the Challenges of UC Security

One example is when Cisco’s Webex reported a critical security vulnerability that needed an immediate patch. An authenticated, remote attacker could execute arbitrary code on a targeted system due to insufficient input validation by the Cisco WebEx clients. The risks to a company if their UC system(s) is not secure include:

  1. Loss of Data – UC is more than voice and video, there is a lot of data associated with Web conferencing and file sharing.
  2. Back Doors – Bad actors can bypass standard security controls to gain access to private networks.
  3. User Tracking – Using metadata regarding the communication to track who is talking to whom, when, and where, even if the media is encrypted.
  4. Blackmail – Recording private conversations and threatening to make the information public.

Increasingly Common Risks

UC combines telephony, video, chat, email, and presence together into one unified communications system. As the technology has become more complex and more accessible from the public internet, the security threat has increased. In many ways, it’s easier than ever to attack business communications. Companies must be diligent to protect their communications as they are vital to business operations.

Companies formerly relied on their internal network being secure and required external users to use a VPN solution to get in. This strategy may no longer work for all businesses because:

  1. No network is secure – It has been proven that the top vector for attacks comes from inside the enterprise network.
  2. BYOD – (Bring Your Own Device) UC from personally owned devices, including those of employees, contractors, and partners who do not have VPN or MDM client software protections.
  3. Speed – Users want to immediately start communicating versus having to wait for a VPN tunnel to be established.
  4. Public UCaaS – Hosting UC externally at a 3rd party using internet network connectivity is common, especially with the rise of freemium solutions.
  5. WebRTC – Supporting standardized clientless UC anywhere and everywhere.

Overcoming Common Challenges

While large businesses can often dedicate substantial resources toward securing their communications, SMBs need simple and cost-effective solutions. Failure to secure UC can lead to information and data theft. UC is hard to secure for the following reasons:

  1. Peer-to-peer – WebRTC and proprietary UC stacks allow one device to talk directly to another without going through a centralized service and security stack. All other applications are client/server based, where a security stack can reside at the server.
  2. Bi-Directional – Sessions can be established in both directions due to the call/calling nature of UC, versus a web application where a user establishes the session request. A home router, for instance, has a simple firewall rule that states all TCP & UDP sessions must be initiated from within the home network, which is why, to get a Skype call, the home user must first be logged into Skype.
  3. UDP Transport – Unlike TCP that has sequence numbers and specific ports for different types of applications, UDP has neither. Different vendors open up a range of UDP ports and UC sessions cycle through the range of ports. The range of ports must be bigger than the peak number of concurrent UC users.
  4. Multiple services – Voice, video, chat, data – UC uses a range of services, each with their own TCP/UDP port. With conferencing, there can be hundreds of users interacting both inside and external to the organization.
  5. Jitter Sensitivity – Jitter is the variation in latency, and jitter above 20ms will result in the effective loss of real-time voice/video traffic. With video conferencing, there can be instantaneous spikes in network traffic that are 100x the norm. Firewalls and other security appliances have trouble processing a lot of UC traffic without causing jitter. This is the primary reason why UC was the last major application to use virtualized infrastructure at scale.
  6. Remote control – Co-browsing and taking remote control of an end-device are some of the enhanced features of UC suites. Many vendors use this to circumvent VPN and other types of supported enterprise remote access.
  7. APIs – The digital world is about getting and sharing data through APIs. Set up a secure, encrypted session and information goes in and out of an organization. The challenge is that some of this data can be private, confidential, and/or regulated data that require enterprise governance and compliance.
  8. Too Many Proprietary Appliances – Legacy PBX, voice mail, conferencing systems use proprietary hardware with non-common operating systems. These appliances are subject to known security vulnerabilities.

Finding the Solutions for Every System

While this list can be overwhelming, there are best practices to follow regarding securing UC. These include:

  1. Encrypt Everything – It is no longer good enough to just encrypt data at rest; data and communication in motion must be encrypted because users and applications can be anywhere and everywhere. Use 256-bit encryption on sensitive data and communications. For instance, using 128-bit encryption still allows someone to understand if it is a male or female talking, what language, how long the conversation is and the interaction amount between users.
  2. Adopt Zero Trust Architecture – Zero Trust means that nothing on the network, resource, or application is trusted. Apply a deny-all policy, with a whitelist that is integrated with the identity and access management systems. Use anomaly detection to alert when something abnormal is occurring.
  3. Ensure Identity – Great security starts with great identity and access management. Multi-factor authentication, least privilege access, and good logs to account for who accessed what are industry best practices that are not always applied to UC. Password management for voice mail and other services should be multi-factor and require 2-factor tokens for system administrators. The password reset process should also be rigorous.

Really, all proxy services need to be examined as well. Web and email proxies are common, and SBCs act, as one of their functions, as a voice proxy. Be sure to add chat/presence and video proxies. Unfortunately, these proxies are proprietary. A few examples: Microsoft has their Edge & Reverse proxies, and Cisco uses Expressway. These proxies provide the following features:

  • Packet Inspection – Decrypt each session and inspect the signaling packets and scan each packet and stream.
  • Secure Firewall Traversal – Set up specific TCP ports to go through a firewall and handle the NAT required at both layer 3 and layer 5.
  • Log & Alarm – Gather a log of all sessions and generate real-time alerts when there are anomalies such as a spike in traffic, malware detection, multiple session failed attempts, etcetera.
  • DLP – When required, record the session – Important for screen share logging.
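The Log & Alarm feature above, sketched as an added example rather than any vendor's proxy code: it reads constructed session-log lines and raises alerts for repeated failed attempts from one source and for a per-minute traffic spike. The log format, thresholds and addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed log format (assumption): one line per finished SIP transaction, with
# the final status. A lone 401 digest challenge that is then answered correctly
# must not be logged as a failure, or every normal phone would trip the alarm.
LINE = re.compile(r"(?P<ts>\S+) (?P<method>REGISTER|INVITE) src=(?P<src>\S+) "
                  r"user=(?P<user>\S+) status=(?P<status>\d{3})$")


def parse(lines):
    """Return (time, method, source, user, status) tuples; skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["method"], m["src"], m["user"], int(m["status"])))
    return events


def failed_auth_alerts(events, window=timedelta(minutes=5), max_fail=5, min_users=3):
    """Map each source to the time its failures first crossed both thresholds."""
    fails = defaultdict(list)
    for ts, _method, src, user, status in events:
        if status in (401, 403):
            fails[src].append((ts, user))
    alerts = {}
    for src, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                      # slide the window forward
            users = {u for _, u in items[start:end + 1]}
            if end - start + 1 >= max_fail and len(users) >= min_users:
                alerts[src] = items[end][0]
                break
    return alerts


def volume_spikes(events, factor=10):
    """Return minutes whose event count is at least `factor` times the median minute."""
    per_min = defaultdict(int)
    for ts, *_ in events:
        per_min[ts.replace(second=0)] += 1
    baseline = max(median(per_min.values()), 1)
    return {minute: n for minute, n in per_min.items() if n >= factor * baseline}


def sample_log():
    """Constructed lines: one desk phone re-registering, then one source sweeping extensions."""
    lines = [f"2024-05-01T02:{m:02d}:00Z REGISTER src=198.51.100.10 user=2001 status=200"
             for m in range(10)]
    lines += [f"2024-05-01T02:10:{s:02d}Z REGISTER src=203.0.113.7 user={1000 + s} status=401"
              for s in range(12)]
    lines.append("2024-05-01T02:11:00Z REGISTER src=198.51.100.10 user=2001 status=401")
    return lines


if __name__ == "__main__":
    events = parse(sample_log())
    print(failed_auth_alerts(events))
    print(volume_spikes(events))
```

Requiring several distinct usernames as well as a failure count keeps a single user who mistypes a password from raising the alarm, as the last sample line shows.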

For WebRTC, use a WebRTC Gateway with ICE, STUN and TURN services as appropriate. To add to this list, with the use of Communication Platform as a Service (CPaaS), all APIs should also have a proxy so an enterprise can enforce governance and compliance of all data going in and out of the organization.

  1. Securing the UC appliances – Scanning on a regular basis and applying vendor security patches immediately, plus turning off unused services. While this may seem obvious, many enterprises fail to do this as their UC infrastructure does not always reside in the security managed part of the data center.
  2. Log & event monitoring – Every large enterprise has a Security Information and Event Management system. The UC systems should tie into this.
  3. Audit – While all large enterprises and government agencies get 3rd party audits of their critical or sensitive transactions, this is rarely done for interactions. Getting a 3rd party to audit UC security and interactions is an emerging best practice.
  4. Training – No matter how secure your systems are, users can be lazy and not take security seriously. If they or the people they are talking to are on an unsecured session, confidential, private, or regulated information should not be shared.

Hackers are becoming like spies and getting more sophisticated and targeting employees, contractors, and partners to help them infiltrate an organization. Everything in an organization needs to be locked down tightly, including UC applications. And for IT security professionals, a security breach into systems that you are responsible for will more than likely result in you updating your resume.

So what do you think? Does your enterprise already conduct all of these steps to protect itself from bad actors and security breaches? Do you think there are other critical steps that we didn’t cover here? Let us know by joining the conversation on Facebook or Twitter, and we’ll make sure to include it in future editions of the VirtualPBX Partner Blog Series!

Guest Blog: How to Name Your Business For Long-term Success

This edition of the Partner Blog Series comes to us from Grant Polachek of Squadhelp.com, the online community crowdsource solution for branding challenges. Here he covers some of the key considerations for identifying, naming, and positioning your brand.

A strong brand name is the cornerstone of any business. When launching a new business, a strong name can help you attract and connect with customers. It can lead to buzz, increase recall, and encourage referrals, as a name that is hard to say, spell, or recall is also hard to share. A great business name helps you across many key communication and marketing goals. Moreover, a superior name serves as the foundation of your brand and can have exponential effects throughout the lifetime of your business.

When the owners of a small business use a great name, they are likely to attract more customers from their marketing and advertising than their competition who is using a flat, uninteresting name. And no one wants to be the business that causes this awkward situation:

“Your business is doing great. What did you do?” – “Oh, there’s a local agency that helped me with our marketing … but I can’t remember the name of the firm right now.”

With this in mind, follow these guidelines to develop your own amazing consulting name ideas and find a great name that will help you succeed.

OnPoint is a great example of a pragmatic, easy-to-remember name. It demonstrates one of the key principles of the firm, helping clients build strong strategies and stay ‘on point.’ The name is super easy to remember, and you’ll immediately know the essential principle of their consulting strategy.

Where Do You Want to Go?

To hone your creative process, think about the brand that you’re trying to build, and determine some core concepts essential to your success. Ask yourself, What do I want people to know about my business immediately? Here are some common answers:

  • It is High-End
  • It is Modern
  • It is Unique
  • It is Fun

Build On What You Need

Now that you’ve decided on a central direction, create a one or two sentence statement to keep your naming efforts laser focused. Here are some examples:

  • We’re looking for a modern name that helps to guide our key needs – connectivity, reach and growth.
  • We need a name that’s descriptive and captures the values of the company – that we can offer excellent business-building services.
  • We want to create a name that evokes strength and makes us the best option for even more experienced standards.
  • We need a stylish and timeless name that will immediately make someone think of improving their business.

A lot of people dive into their naming project head first without taking the appropriate time to set the stage for success, hoping that “creativity” and “inspiration” will swoop in and provide an amazing outcome. This is a big mistake. A systemic and strategic approach will result in a much more effective outcome.

the win crowd

Here is an example of a brand name that really evokes feelings of being popular, vibrant, and well known. It’s a memorable name, a hip name, and definitely something that will get people talking.

Why Do You Do It?

Now it’s time to put pen to paper (fingers to keyboard … stylus to tablet). However you like to work, it’s time to brainstorm ideas.

  • Research your competition – Understanding the companies you’re competing against is an important aspect of developing effective name ideas. One of the major decisions you’ll want to make when naming your company is, Do I want to fit in or stand out from my industry?
  • Develop an Inspiration Deck – You can find inspiration for your business name ideas in so many places. Take a drive around town writing down your favorite names that you find, get a list of successful brands across any industry you can imagine using your go-to search engine, or explore winning brand name ideas from crowdsourced branding contests. Building a list of inspiration is a well-respected copywriting technique, and it will certainly help you develop great business name ideas as well.

What Your Name Needs

From a technical naming standpoint there are some important principles that you want to keep in mind:

  • Is it easy to say? Unfortunately, you may have to pass on a meaningful name if it’s difficult to say.
  • Is it easy to hear? Try this thought experiment. If you were standing in a loud bar and told someone your name, would they be able to understand you?
  • Is it easy to spell? Simple misspellings such as Lyft, Flickr, Xero can work really well for a brand. But names that are very hard to spell will hinder your marketing and communication efforts.
  • Is it appealing? Is your name pleasant to see and hear? Many times, in a quest to be unique or edgy, companies will select a name that lacks appeal with the target market. Consumers should like how your name looks and sounds. If they do, it’s much more likely that they’ll want to learn more about your business and talk to friends about your brand.

Also make sure you never use obscure names: Can your name only be understood by a few people? Don’t go for an obscure name that only a handful of your target audience will be able to recall quickly. While a small number of your customers may appreciate an obscure name that only they understand, the rest will be confused and move on.

When searching through business name ideas, you might be surprised and inspired by an outside-the-box approach like Fifth & Flow. This modern, high-end naming convention for a yoga studio is wonderfully unexpected.

What is Your Brand?

A great business name will always be less appealing than your competition’s mediocre brand. It’s very hard to look at a list of names and get excited about them. One, two, or three words on a page can often feel flat.

The ability to bring a name to life in your mind is critical to the naming process. Imagine the story. Visualize the logo. See it on your products and packaging. Without envisioning your brand, you’ll have trouble getting behind any of the business name ideas that you’ve generated.

The Hard Stuff

Developing business name ideas is only the beginning of the process. There are important name validation steps that you’ll definitely want to complete before deciding on your business name.

Running into legal issues after finally deciding on a business name can be devastating to your business. In order to reduce your risk of run-ins with another company’s legal teams or issues with Trademark filing, it is important to check for Trademark Risk before making a final decision on your name. Consider that you may be infringing on someone else’s trademark. Depending on your experience with the Trademark process, you can perform this due diligence on your own. However, it’s often best, especially when the consequence could be receiving a cease-and-desist letter, to have your potential business name ideas checked out by a licensed professional.

It’s All For You

Though you may be eager to begin marketing and operating your business, taking the time to ideate an effective name is an important component of developing your brand’s image. By using these straightforward tips you will have a much easier time coming up with a name that is capable of helping you succeed!

Grant Polachek is the Director of Marketing at Squadhelp.com, helping entrepreneurs and marketers develop brand name ideas, create strong brands, and grow faster through a disruptive crowdsourcing process.
