ComReg warns firms to be on guard against PBX fraud

15 Dec 2011

Telecoms watchdog ComReg has warned there has been a rise in the number of PBX fraud incidents where firms’ telephone systems have been hacked into and large bills generated over their lines.

The International Forum of International Irregular Network Access (FIINA) estimates that telecoms fraud is costing companies €42bn a year and is growing at 15pc a year.

Typically, fraudsters target firms during out-of-business hours and break into the PBX and generate calls via any one of the company’s lines. IDC estimates there are more than 200 different types of PBX fraud in existence.

A popular scam involves selling call card services in overseas cities while the calls are routed through the unsuspecting firms’ PBX during evenings and weekends.

The most high-profile instance of telecoms fraud in Ireland occurred in 2003, when a Comptroller and Auditor General report revealed that the Department of Social Affairs was defrauded to the tune of €300,000. In one weekend alone, an overseas crime gang that had hacked into the department’s phone exchange (PBX) racked up calls of €12,000.

In another case, an unidentified business in Dublin was one of the victims of a PBX fraud attack by an organised crime gang which hacked in and made international calls The owners of each of the PBXs had substantial carrier bills to pay, particularly the final PBX, where costs of more than €75K were run up on a weekend. The destinations of the calls were in India, Pakistan and Africa.

“Hacking businesses telephone systems/exchanges, known as PABXs (Private Branch eXchange), may result in the company concerned having to pay for the calls that are made by the hackers,” ComReg said this afternoon.

“These calls can be higher value calls than would normally be dialled by the business thereby exposing the PBX owner to considerable call costs to their network operator. In the space of one or two days, businesses can run up bills of tens of thousands of euros as a result of these incidents which arise through poor security procedures being in place for some PABXs in relation to allowing incoming calls to generate external calls through the system.

“ComReg understands that these calls often occur when the office of the victim of this fraud is closed and numerous calls are made from the PABX at this time without being detected for some time,” the regulator said.

How to defend your business from PBX fraud attacks

The telecoms industry historically has tended not to highlight the existence of PBX fraud for fear of encouraging the activity. However, this very attitude has only served to result in firms being unaware of the danger, and thus unprepared for an attack.

Under recently introduced Regulations – Regulation 23(2) of the Universal Service Regulations – ComReg has the authority to order an operator to withhold the payment of funds for traffic that is suspected of being the result of misuse.

“ComReg is reminding all operators and business PABX users to remain vigilant in monitoring suspicious call patterns on PABXs.

“ComReg is now reminding all business PABX users to ensure the appropriate security arrangements are in place for their equipment to prevent hacking for incoming calls. Most equipment of this type will have a number of settings which can be configured to prevent this form of fraud and ComReg would urge businesses to ensure the appropriate security arrangements are in place for their equipment to prevent such hacking and the resulting bills.”

ComReg recommends that any business concerned about this practice should follow these steps:

  • Contact your telecommunications provider immediately and advise them of your concerns.
  • Contact your PBX supplier (if different from your telecommunications provider) and ensure that your PBX has the latest software updates to prevent unauthorised access and the latest security settings are enabled
  • If you suspect that you are a victim of such a crime, contact your local Garda station and make a formal complaint

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com