
Toll Fraud: What it is and How to Protect Your Business

We are all familiar with telephone scams that offer free hotel rooms and cruises to snare unwary consumers, but small businesses are threatened with an even more insidious and potentially costly form of telecommunications fraud – toll fraud.

Last fall, a New York Times story featured recent statistics from telecom industry group the Communications Fraud Control Association, which reported that toll fraud primarily affects small businesses and cost victims about US$4.73 billion globally in 2013 – an increase of almost $1 billion from two years earlier.

There are two primary motivations for toll fraud: theft for financial gain, and creating financial distress for an organization that a hacker might have a grievance against.

What is toll fraud?

Simply put, toll fraud occurs when an unauthorized third party hacks into a business’s phone system and uses that business’s long-distance service to sell long-distance calling on the black market. It can take only a few hours for hundreds of calls to be made, racking up phone bills in the thousands.

It’s something of a technology sub-culture where hackers study, experiment with, and explore telecommunications systems. They know how to reverse engineer a system and use it to reroute long-distance calls to anywhere in the world.

How does it happen?

The most common method is for a hacker to target the private branch exchange (PBX) system used by many small businesses. With a PBX, a central number allows multiple telephones in the office to have their own extensions and voicemail lines. Voicemail is the chief point of vulnerability because it provides passcode access to the PBX system and is designed for remote access so employees can check messages when they are away from the office.

Hackers get into these systems by figuring out or obtaining the passcodes used by employees to access their voicemail. This is commonly done by taking advantage of weak passcodes that are the same as extensions, or are easy-to-guess sequences, such as 1234. Once hackers gain access, there is nothing stopping them from racking up huge bills. A favourite tactic is to do it over the weekend, when nobody’s around to notice.

How can you protect your business?

There are a number of easy and affordable ways that businesses can protect themselves. For example:

  • Consider blocking long-distance calls outside the normal operating hours of your business.
  • Ensure that your employees change the manufacturer’s default password immediately upon being assigned a voicemail box.
  • Program your voicemail system to require passwords. Passwords using the maximum eight characters are best.
  • Train your employees not to use easily-guessed passwords such as their phone number, their phone extension or simple number combinations.
  • Program your voicemail system to force users to change their password every 90 days.
  • When assigning a phone to a new employee, never make the temporary password the employee’s telephone number.
  • Deactivate all unassigned voicemail boxes.
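
An added example, not from the original article: a Python audit that applies the password rules in the list above to an export of voicemail boxes. The record format, the `0000` default and the sample mailboxes are assumptions constructed for illustration; a real PBX exposes this data in its own way.

```python
from collections import namedtuple
from datetime import date

# Hypothetical export format: one record per voicemail box.
Box = namedtuple("Box", "ext phone pin changed assigned active")
DEFAULT_PIN = "0000"   # placeholder for the manufacturer's default
BEST_LENGTH = 8        # "maximum eight characters" from the list above
MAX_AGE_DAYS = 90      # forced-change interval from the list above

def is_simple(pin):
    """Repeated digits (7777) or a straight run up or down (1234, 4321)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return len(set(pin)) == 1 or steps in ({1}, {9})

def audit(box, today):
    """Return the policy findings for one mailbox, empty if it passes."""
    if not box.assigned:
        return ["unassigned box still active"] if box.active else []
    if not box.pin:
        return ["no password set"]
    found = []
    if box.pin == DEFAULT_PIN:
        found.append("manufacturer default password")
    if box.pin == box.ext or box.phone.endswith(box.pin):
        found.append("matches extension or phone number")
    if is_simple(box.pin):
        found.append("simple number combination")
    if len(box.pin) < BEST_LENGTH:
        found.append("shorter than 8 characters")
    if (today - box.changed).days > MAX_AGE_DAYS:
        found.append("not changed in 90 days")
    return found

def report(boxes, today):
    """Map extension -> findings for every mailbox that fails a check."""
    results = {b.ext: audit(b, today) for b in boxes}
    return {ext: found for ext, found in results.items() if found}

SAMPLE = [  # constructed records; phone numbers are fictional
    Box("4102", "6135550142", "4102", date(2015, 3, 1), True, True),
    Box("4103", "6135550143", "1234", date(2014, 11, 1), True, True),
    Box("4104", "6135550144", "58203917", date(2015, 3, 10), True, True),
    Box("4105", "", "0000", date(2014, 1, 1), False, True),
]

if __name__ == "__main__":
    for ext, found in report(SAMPLE, date(2015, 4, 1)).items():
        print(ext, "; ".join(found))
```
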

There are also a number of features that can potentially expose your system to compromise. Review these features, and if they are not really being used, have them disabled. They include through-dialing and features for making overseas calls or getting operator assistance.

The bottom line

Most telecom service providers across Canada have taken steps to help protect businesses from this manner of fraud. To learn more about what Bell is doing for its business customers, visit this page for additional tips on what to do if you suspect your business is the victim of toll fraud.

But the onus is ultimately on the business to take proactive precautionary measures, just as it would to protect itself from any other kind of illegal activity, such as cyber security threats or physical theft.

Do you have additional questions about toll fraud? Please let us know in the comments, below.
