What You Ought to Know about VoIP Fraud

What you ought to know about VoIP Fraud

VoIP Communication is a common feature in corporate and personal life nowadays.  Most large concerns use it as a matter of course as part of their corporate integrated communications platform.

In the past, communications costs were inflated by unauthorised calls and other activities designed to get around telephone security policies. It’s no different today in VoIP Communications.  People still try to make unauthorised calls inside the organisation, and people try to hijack the company communications networks to make their calls.  Nothing really new, except that it’s now digital.

The first thing to do is to define VoIP fraud.

Simply put, VoIP Fraud is the unauthorised use of communication services resulting in a benefit to the fraudster and an unexpected cost to a third party.  The third party could be a service provider or the customer.

Many VoIP frauds are a continuation of a previous PSTN analogue fraud, but with a digital flavour. Some, because of the new technologies are entirely new.  Some use hacking techniques, but the bottom line is that someone is attempting to gain a financial advantage at someone else’s expense.

Fraud Types

Call Transfer Fraud

Call Transfer Fraud

In PSTN days it was possible to break into a telephone junction box, and then physically connect a handset to someone’s phone line.  The fraudster could then make international calls, charge an unsuspecting caller a fee, and have the bill ultimately paid by the real owner of the line.

The digital equivalent is where a hacker penetrates a VoIP PBX. In a similar way to that of PSTN days, the fraudster then offers callers discounted international calls. The calls go through the hacked PBX and are essentially free until they need to break out at the far end. The unsuspecting PBX owner is later presented with a bill by the foreign VoIP operator.

Usually, the hacker will get away with this since it will take some time for the fraud to come to light.  It is also difficult to pursue the matter across international boundaries.

Revenue Sharing Schemes

Revenue Sharing Schemes

Many service providers operate a scheme whereby companies can charge a premium call rate for using numbers to specialised services.  The income from these calls is usually shared between the two service providers.  The fraud is usually that the basic service provider gets no income from the premium rate service provider.

Call Forwarding

Call Forwarding

A variation on the revenue sharing  fraud is to forward a call supposedly to a local number to an international number.  This inflates revenue sharing income at the cost of the unsuspecting caller and service provider.

Value-Added Services

Value-Added Services

A fraud that depends on the digital world is that of unauthorised subscriptions to value‑added services. Often smart device users want to use different ringtones, listen to music and watch media clips which they download to their device.

Although strictly speaking, not a VoIP fraud, the caller who uses these services unwittingly signs up for a monthly subscription service charged to their VoIP number.  If the caller uses a corporate phone account, the costs, which can be substantial accrue to the company.

How to Limit VoIP Fraud

How to Limit VoIP Fraud

Remember, in a VoIP system, credentials are linked to an individual, not a handset.  In the past, you could borrow the managers phone to make an unauthorised long-distance call. No more.

Make sure that all users of your corporate VoIP system have valid credentials. Thereafter assign call limits to individuals and groups of individuals.   For example, if you have no need in your organisation to make international calls, block all international calls.

Other things:

  • Change the default credentials on your PBX.  It is surprising how many don’t, making it easy for hackers to break into your PBX.  They often do a network search looking for the default credentials. If they find a PBX, the games are on.
  • Make sure that your corporate network security policies include your VoIP system and PBX.  Remember that a VoIP system is a digital network system just like the rest of your server environment.  Apply appropriate security measures.
  • Make sure that your VoIP service provider is equally secure so that hackers cannot gain admin privileges to your and other VoIP systems.  Some have been seriously compromised in the past.
  • User Education.  Include VoIP aspects as part of your overall programme to educate your users against malware and hacking attacks. Hackers use social engineering techniques to find out user credentials.
  • Proactive Measures
    • Be vigilant with regular audits. Review usage logs for unusual activity.
    • Consider carrying out a penetration test on your PBX once in a while.
  • Compliance.  Sometimes security is not an option where confidentiality of information is a legal requirement.  Compliance is often good due diligence.

These examples of VoIP fraud are just a few of the ways in which increasingly sophisticated fraudsters try to separate corporates and individual from their hard-earned.   As are the recommendations as to how to thwart them.