PBX Fraud Protection

Protect Your Business from Telecommunications FRAUD

Telecommunications fraud is a global concern that can affect any business, regardless of its telephone provider or the country in which it resides. Telecom fraud generally involves an unauthorized third party gaining access to a business telephone system and placing costly long-distance calls.

Rogers monitors network traffic for unusual or suspicious activity on a continuous basis. However, your business is ultimately responsible for all calls originating from and accepted to your telephone line. It is essential that you take all appropriate measures to protect your business phone systems from fraud.

The best defence against telecom fraud is knowledge!

What is Telecom Fraud?

Telecommunications fraud generally involves a third party making long-distance calls at the expense of a business. Forms of fraud include:

PBX Fraud (DISA)

The majority of recent fraud cases have occurred around Private Branch Exchange (PBX) systems, by direct inward system access (DISA). Intruders gain access to businesses that use a PBX phone/voicemail system and use system commands such as an 800 number or other access number to gain a dial tone.

They place unlimited long-distance calls directly through these lines for unscrupulous operators reselling long-distance at a profit. These calls appear no different to the service or equipment providers than any other call originating from that business.

Voicemail Fraud

Voicemail fraud is the most prevalent type of fraud and the most significant threat to businesses that use a Private Branch Exchange (PBX) phone system or voicemail. An unauthorized third party can gain access to a business's phone system and place long-distance calls directly through these lines. They gain access most commonly through voicemail menus protected with only simple passwords (1111, 2222, 1234, etc.) or unchanged factory default passwords.

Once inside your system, an unauthorized third party can use the system commands to gain a dial tone and place calls that appear no different to your service or equipment provider than any other call originating from your business. Having a good password management policy and practice is a strong start towards protection.

Calling Card Fraud

An unauthorized third party steals a calling card or calling card number and then uses it to make calls.

Modem Fraud

An unauthorized third party can gain access to your Internet dialler if you access the Internet via a dial-up connection, and use your phone line to place long-distance calls.

How to protect your Business from Telecommunications fraud

While no telecommunication system can be made entirely free from the risk of fraud, diligent attention to system security can reduce the risk considerably. The following actions can limit the risk your business faces.

Remote System Access and Administration

Remote access allows callers from the public network to access your business's PBX system using an access code. For example, an off-premises executive may use it to dial directly into the PBX in order to make a long-distance call less expensively than with a credit card. It's also one of the primary avenues of illegal entry into your system. To lessen the vulnerability of your remote access system, use authorization codes or other passwords to control access and limit calling range after normal business hours or provide attendant intervention.

Smart Passwords and Access Codes

Never use default passwords or default access numbers for your system as they are easy to crack and almost everyone knows them. One of the most effective security measures is to select hard-to-break passwords and remote access codes. Use the maximum number of characters, mixing the pound sign (#), asterisk (*), and numeric digits (0-9).

Avoid passwords that contain the following:

  • Predictable patterns, such as ascending or descending digits (7654321)
  • Repetitive digits (5555555)
  • The same digits as your extension number (or the reverse of your extension number)
  • Numbers that align to or identify the owner (room number, employee ID number or even a social insurance number)

Tips to safeguard your DISA (direct inward system access) number:

  • Never publish a DISA telephone number.
  • Change DISA access telephone numbers periodically.
  • Use longer DISA authorization codes: ideally 9 digits and never fewer than 7 digits.
  • Issue an individual DISA authorization code for each user.
  • Warn DISA users not to write down authorization codes.
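The password and DISA code rules above can be checked automatically when codes are issued or audited. The following is an added example, not part of the original page or any vendor tool: the function names, the owner_numbers parameter and the sample codes in the comments are constructed, and the extension check is slightly broader than the rule above because it also flags codes that merely contain the extension.

```python
# Added example: audit a mailbox password or DISA authorization code
# against the rules listed on this page. All names here are illustrative.

# Simple passwords named on this page; add your vendor's factory defaults.
SIMPLE_OR_DEFAULT = {"1111", "2222", "1234"}

def is_sequential(code: str) -> bool:
    """True if every digit steps up or down by one (1234567, 7654321)."""
    if len(code) < 3 or not code.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})

def audit_code(code, extension="", owner_numbers=(), min_len=7):
    """Return a list of findings; an empty list means no rule was broken.

    min_len defaults to 7, the minimum this page gives for DISA codes
    (9 is the stated ideal). Codes may contain digits, '#' and '*'.
    """
    findings = []
    if len(code) < min_len:
        findings.append("too short")
    if code in SIMPLE_OR_DEFAULT:
        findings.append("simple or default")
    if len(set(code)) == 1:
        findings.append("repetitive digits")
    if is_sequential(code):
        findings.append("sequential")
    # Extension number, or its reverse, appearing anywhere in the code.
    if extension and (extension in code or extension[::-1] in code):
        findings.append("contains extension")
    # Room number, employee ID or similar identifiers of the owner.
    if any(n and n in code for n in owner_numbers):
        findings.append("contains owner identifier")
    return findings
```

Run it over an export of current codes and reissue any code that returns findings.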

Frequently Change Passwords and Access Codes

It's a good idea to change passwords and access codes at least four times a year for both switch (software based/remote access) and hardware-based voicemail systems and automated attendant services. Always change or remove authorization codes when authorized users leave the company, especially when technicians depart. Do not write down remote access codes or passwords, or program them into auto-diallers.

Controlling Long-Distance Calling

  • Prohibit or restrict calls to countries you do not do business with
  • Consider blocking all calls to the Caribbean, a popular calling destination for telethieves and call resellers
  • Limit international calling to only those employees who need to place international calls. Limit calls to domestic area codes if calls to these states are not permitted
  • Put time-of-day restrictions into effect, such as prohibiting or limiting outbound calling at night and on weekends
  • Restrict 800 access from non-essential areas that are known toll-fraud centers

Protect Your Voicemail System

Prevent unauthorized third parties from connecting to your voicemail system and accessing private bulletin board messages, creating their own mailboxes, or accessing the PBX system by taking the following measures:

  • limit the voicemail to internal calling only
  • remove mailboxes immediately when an employee leaves the company
  • avoid creating spare mailboxes before they are needed

Restrict Automated Attendants

After remote access and voicemail, automated attendants are the most common entry point for unauthorized third parties. Automated attendants answer a company's telephone, but can also serve as an open door to telecom fraud. Telethieves enter the automated attendant function, then dial the 91XX or 9011 extension. On many PBX and voicemail systems (with dial-out capabilities left active), these extension numbers connect to outside long-distance lines. To reduce automated attendant fraud, restrict or block access to long-distance trunks and local dial capabilities. In particular, block access codes such as 9XXX and possibly even the 8XXX fields or install a "verify extension field" capability, if available. Review the recommendations in the "Smart Passwords and Access Codes" section.

Monitor and Analyze Your Systems

Continuous monitoring of your company's calling patterns will help you to identify fraud at an early stage and minimize loss. It's a good idea to regularly monitor your PBX, voicemail, automated attendant and 800 call detail records. Learn to spot patterns such as an increase in after-hours calls, calls to countries you don't do business with, and multiple short-duration inbound calls (especially after working hours). Watch for numerous incoming calls on your 800 lines followed shortly thereafter by a surge in long-duration outbound 800 calls, which may indicate that an unauthorized third party has entered your phone system through your 800 lines and is dialling out.
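The patterns described above can be checked mechanically against exported call detail records. The following is an added example, not part of the original page or any Rogers tool: the record layout, thresholds, business hours and the placeholder country code "ZZ" are all assumptions, and it flags any after-hours outbound call rather than measuring an increase against a baseline.

```python
from datetime import datetime, timedelta

# Assumed thresholds and CDR layout (constructed for this example; tune to your site).
OPEN, CLOSE = 8, 18                 # business hours, Monday to Friday
ALLOWED = {"CA", "US"}              # countries the business actually calls
SHORT, LONG = 15, 1800              # seconds: probe-length and resale-length calls
WINDOW = timedelta(minutes=30)      # how soon "shortly thereafter" is
MIN_BURST = 3                       # inbound calls that count as "numerous"

def after_hours(ts):
    return ts.weekday() >= 5 or not (OPEN <= ts.hour < CLOSE)

def analyze(cdrs):
    """Return a sorted list of alert strings for a list of CDR dicts."""
    calls = sorted(({**c, "ts": datetime.fromisoformat(c["start"])} for c in cdrs),
                   key=lambda c: c["ts"])
    alerts = set()
    for c in calls:
        if c["dir"] == "out" and c["country"] not in ALLOWED:
            alerts.add(f"outbound to unapproved country {c['country']}")
        if c["dir"] == "out" and after_hours(c["ts"]):
            alerts.add("after-hours outbound call")
    probes = [c for c in calls
              if c["dir"] == "in" and c["secs"] <= SHORT and after_hours(c["ts"])]
    if len(probes) >= MIN_BURST:
        alerts.add("multiple short after-hours inbound calls")
    # 800-line pattern: several inbound toll-free calls, then a long outbound call.
    tf_in = [c for c in calls if c["dir"] == "in" and c["line"] == "800"]
    for c in calls:
        if c["dir"] == "out" and c["secs"] >= LONG:
            prior = [i for i in tf_in if timedelta(0) <= c["ts"] - i["ts"] <= WINDOW]
            if len(prior) >= MIN_BURST:
                alerts.add("inbound 800 burst followed by long outbound call")
    return sorted(alerts)

SAMPLE = [  # constructed records (a Saturday night and a Monday morning), not real traffic
    {"start": "2024-03-09T02:01:00", "dir": "in", "line": "800", "secs": 6},
    {"start": "2024-03-09T02:03:00", "dir": "in", "line": "800", "secs": 9},
    {"start": "2024-03-09T02:04:00", "dir": "in", "line": "800", "secs": 5},
    {"start": "2024-03-09T02:10:00", "dir": "out", "line": "local", "country": "ZZ", "secs": 3600},
    {"start": "2024-03-11T10:15:00", "dir": "out", "line": "local", "country": "US", "secs": 300},
]
```

Calling analyze(SAMPLE) raises all four alerts for the Saturday-night records, while the Monday business-hours call on its own raises none.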

What to do if you detect or suspect Telecom Fraud

Reach Customer Care at 1-800-496-4401.

If you detect or suspect tampering, or that you are the victim of telecommunications fraud, take immediate action. Telecom fraud charges can mount quickly - you can't afford to lose a minute. Your first call should be to your equipment vendor and your second to your long-distance provider. Together they can begin to pinpoint the fraud source and block further fraud attempts.

While no telecommunications system can be made entirely free from the risk of fraud, diligent attention to system security can reduce the risk considerably. One thing you can almost count on - when fraud happens it won't happen at a convenient time. These criminals often will direct their heaviest assaults on your network when vigilance is at its lowest, during non-business hours, in the middle of the night, on weekends or holidays. That's why it's a good idea to include telecommunications fraud in your Crisis Intervention Plan (CIP). Your plan should contain a checklist of actions you can take the moment you spot fraud. With a CIP in hand, you can minimize the time necessary to stop fraudulent calling, and perhaps even stop the unauthorized third parties in their tracks.

Rogers is committed to joining with our customers and law enforcement officials in the battle to control telecom fraud. As your partner, we ask that you contact Rogers if you suspect fraudulent activity has occurred in your network. Reach Customer Care at 1-800-496-4401.