VoIP for Business provides a range of benefits, including substantial cost savings that make it a must-have for most businesses. However, as with most IT advances, VoIP has attracted the darker side of the developer community. Hackers and scammers are using VoIP for Business as a way to steal data and execute hacking exploits.
As with other types of malware attacks, businesses need to be aware of how these exploits are executed and what preventative measures they can take.
The first thing to understand is that most successful hacking attacks work by getting users to provide sensitive information. Scammers are becoming more sophisticated, and they are increasingly using VoIP to steal personal and company data or just cause mischief.
Here are some common types of attack and how to avoid them.
-
Interception
An attacker can hack into your VoIP system to record business conversations. The recordings can then be decrypted, sometimes in real time, to obtain crucial business or personal information.
The first step is obviously to prevent hackers entering your VoIP system in the first place. Change server passwords, and under no circumstances continue to use the manufacturer-supplied default passwords.
Because your VoIP call is likely to be routed outside your network, protecting your calls from interception can be out of your hands. If security is a major concern, there are software tools that provide a second layer of end-to-end encryption. Adding a second encryption layer makes it highly unlikely that calls can be decrypted in real time, or even when recorded calls are analysed offline.
-
Hosted Services
If you are using a VoIP Hosted Service supplier, you need to be very careful about the security they provide. You need to be sure that you are as secure with them as you would be with an in-house system.
-
Firewalls and Security
All companies already implement firewalls and security in their overall ICT infrastructure. If you are concerned about security, it may be prudent to deploy a VoIP-specific firewall that closes a VoIP session once the call is complete. This prevents hackers piggy-backing on a session to find out information about your VoIP system.
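The session-closing behaviour of a VoIP-specific firewall, sketched as an added example that is not part of the original article: a simplified tracker that opens media ports when SIP call setup is seen and closes them as soon as the call ends with BYE or CANCEL. The class and function names, addresses and sample messages are constructed for illustration, and the sketch assumes IPv4 audio only, with no timeouts or re-INVITE handling.

```python
import re

class PinholeTable:
    """Media ports opened per SIP call; all are closed when the call ends."""

    def __init__(self):
        self.open = {}  # Call-ID -> set of (ip, port) media endpoints

    def observe(self, sip_message):
        text = sip_message.replace("\r\n", "\n")
        head, _, body = text.partition("\n\n")
        lines = head.split("\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        call_id = headers.get("call-id")
        if not call_id:
            return  # no dialog to attach state to: open nothing
        if lines[0].split(" ", 1)[0] in ("BYE", "CANCEL"):
            self.open.pop(call_id, None)  # call over: close its pinholes
            return
        # INVITE requests and 200 OK responses carry SDP naming the media ports
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        for media in re.finditer(r"^m=audio (\d+) ", body, re.M):
            if conn:
                endpoint = (conn.group(1), int(media.group(1)))
                self.open.setdefault(call_id, set()).add(endpoint)

    def permits(self, ip, port):
        return any((ip, port) in eps for eps in self.open.values())

def sip(start_line, call_id, sdp=""):
    """Build a constructed, minimal SIP message for the demo."""
    return f"{start_line}\r\nCall-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n{sdp}"

def demo():
    fw = PinholeTable()
    fw.observe(sip("INVITE sip:bob@example.test SIP/2.0", "call-1",
                   "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 40000 RTP/AVP 0\r\n"))
    fw.observe(sip("SIP/2.0 200 OK", "call-1",
                   "v=0\r\nc=IN IP4 198.51.100.7\r\nm=audio 50000 RTP/AVP 0\r\n"))
    during = fw.permits("192.0.2.10", 40000) and fw.permits("198.51.100.7", 50000)
    fw.observe(sip("BYE sip:bob@example.test SIP/2.0", "call-1"))
    after = fw.permits("192.0.2.10", 40000) or fw.permits("198.51.100.7", 50000)
    return during, after

if __name__ == "__main__":
    print(demo())
```

Media traffic to either endpoint is permitted only between call setup and BYE; once the call is complete, nothing remains open to piggy-back on.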
In a high-security environment, you may consider adding further layers of security, for example allowing only authenticated devices to make or receive VoIP calls.
-
User Security
You can implement all the technical security features you like, but the majority of successful data breaches and hack attacks occur because of user error, deliberate or malicious.
-
Phishing
In a phone-based phishing attack, the hacker calls a user and pretends to be from IT support or from a recognised company IT supplier.
In an attack on a user, the caller quizzes the user for personal information such as credit card numbers, bank account details or information on family or friends. Sometimes they claim to be from IT Support and say they need the user to go to a website “to update their software”, and the malware finds its way onto the company network.
Support policies applied by ICT need to ensure that all ICT maintenance functions are carried out by staff with verifiable credentials. In any event, most ICT update functions can be carried out remotely without user involvement.
Users need to be educated not to respond to requests by third parties to carry out maintenance tasks on their PCs and to refer the caller to IT support.
-
Fake Caller/Caller ID
A phishing attack over a VoIP or cellular connection can be legitimised by having a caller ID that shows the call coming from a reputable source. Unfortunately, caller IDs can be faked. Users need to be very careful and verify that the caller is legitimate before divulging any potentially sensitive information.
-
War Dialing
In this carry-over from the dial-up modem days, a hacker sends out a phone message to hundreds of voicemail boxes, asking the recipient to return the call. This legitimises the number and allows the hacker to carry out a phishing attack.
-
In short, VoIP defences have two components: technical appliance and software defences, and an education programme for users to make sure that they do not provide potentially sensitive information to a third party. Obviously, electronic defences need to be kept up to date. Users need to be educated on general and VoIP security on a regular basis.