How was it that a company in Harrogate managed to ring up a telephone bill of £25,000 over the New Year weekend, when the office was shut down? And how did two offices in Guernsey manage to make £28,000 worth of calls between them over just one weekend?
The answer is that both were the victims of telephony fraud, also known as ‘Phreaking’, and these are not isolated incidents.
Phreaking is costing UK businesses billions of pounds in lost revenue. This is a global problem, but the UK is one of the top five countries in the world where Phreaking is most likely to occur, according to the Communication Fraud Control Association (CCFA), which estimates that up to 40% of companies have been hit at some point.
So what is Phreaking?
Any business with a telephone system (PBX) can be targeted by phone hackers (Phreakers), regardless of the size of the organisation.
- The fraudsters hijack the PBX by breaking the PIN code on the voicemail, using access codes and on-line password cracking technology. This enables them to infiltrate your system, configuring it for their own use.
- Once access has been gained the hackers are able to make outbound calls to anywhere in the world, the cost of which falls to the owner of the phone line connected to the system from where the call has originated from.
Phone Phreakers are organised criminal gangs, linked to terrorist organisations. Typically they sell phone services in developing countries to customers who do not own their own phone line and they deal in cash, which is virtually untraceable.
The hackers are more likely to hit at night or over the weekend, when nobody is in the office. If you were to be around at the time when a hit was taking place, you would notice that the phone system would be lit up and the lines/trunks in operation for hours, even though no activity were taking place in the office itself.
The question is who foots the bill?
Unfortunately, calls made using your phone line are your responsibility to pay for, even if you didn’t actually make those calls yourself. Telecoms providers and carriers will argue that they lease you the lines but that it is your responsibility to protect your systems against this type of attack. The problem is that they fail to inform their customers about the potential risks, which leaves companies vulnerable and naive.
One telecoms provider I spoke to is taking the initiative to educate its customers about the possible dangers of Phreaking. MF Communications, a full service telecoms company in Tunbridge Wells, has sent info emails to all its clients.
‘We want to make sure our clients are aware of the potential risks of not protecting your PBX,’ says managing partner Fraser Young. ‘This is a dangerous international fraud crime which is only likely to worsen, unless we all take measures to tighten our security.’
As MF communications points out to its clients, you wouldn’t risk connecting your computer system to your network without having any virus detection or firewall security in place and you wouldn’t pay for something on-line using your credit card without ensuring that the payment method was secure.
‘But this is because we are all aware of the pitfalls and dangers of not taking the proper steps to protect ourselves,’ says Mr Young.
In fact, due to the increase in security of on-line payments, it is now estimated that telephony fraud generates up to five times the losses to businesses than that created by credit card fraud.
So what can you do to protect yourself?
If you happen to have a PBX system from Panasonic, Siemens or Samsung, you can now get a firewall protection system called Control Phreak, which was developed by Callista, a company based in New Zealand. Control Phreak can be configured to deny/allow any combination of numbers or facilities and is managed independently of the phone system, which means it cannot be accessed by hackers.
But if you haven’t got one of these systems it’s not all doom and gloom. As Mr Young points out, there are a number of measures you can take to protect yourself, which cost nothing to initiate:
‘Use strong system passwords, change them regularly and never use the same one twice. Change the password from the default as soon as you activate any settings. Lock or disable any unused voicemail. Ensure you’re using the latest up-to-date software for your PBX. Ensure any remote access is secure and monitored. Never disclose voicemail passwords to people outside your organisation and be vigilant against bogus callers.’
Phone Phreaking is an international concern, but the nature by which it is operated means that it is virtually impossible for police to detect. Prosecutions have so far been rare to non-existent. UK companies are continuing to be hacked to the tune of £1.5 billion per annum and rising. There is no guarantee it won’t happen to you and if you have been hacked once already, this doesn’t mean that it won’t happen again.
The only way forward is for companies to be made aware of the potential dangers that are before them and to make sure that they follow the correct procedures to protect their systems in the same way that they would in other areas of their business. It’s like MF Communications says, the way companies are leaving their telephone systems open and vulnerable is the equivalent of walking out of your office every evening and leaving the doors and windows wide open.
And we don’t do that, do we?