ComReg warns businesses to defend against PBX fraud over Easter weekend

28 Mar 2013

Businesses shutting up shop for the Easter weekend have been warned by telecoms regulator ComReg to be vigilant against PBX fraud, which could leave them reeling with phone bills in excess of €30,000. In the highest-profile case in Ireland, one government institution was defrauded by as much as €300,000.

PBX fraud, long treated as the telecoms industry’s dirty little secret because the industry preferred to pretend it didn’t happen, occurs when hackers dial into a phone extension on an office PBX and then use that extension to place calls. Most firms don’t realise a fraud has occurred until they receive their bill a month or so later.

Typically the fraudsters would break into the PBX system at the weekend when offices are empty. They would then use a phone extension to dial premium-rate numbers, making it a lucrative crime for the fraudsters but devastating for businesses in the midst of a recession.

According to ComReg, in the last three months there have been 16 cases reported by operators.

In one recent case, calls to the value of €30,000 were made without the knowledge of the victim.

“The problem is that business phones, often known as PBXs, have features on them which may allow unauthorised third parties to dial into the system and place calls through the system without the knowledge of the system’s owner,” ComReg explained.

“Also in many cases businesses use external parties to maintain their phone systems which means that external access to a PBX is required.

“PBXs have maintenance ports to enable these maintenance companies to dial into the phones to diagnose problems. Unfortunately, these access ports are often left open and have either weak or default passwords which are known by and easily exploited by hackers.

“In some cases the systems can be hacked through the phone extensions when hackers dial in and access the system through those lines using the extension password, often 0000, 1234 or the same number as the extension,” ComReg said.

How to protect your business

ComReg recommends that firms which use a third-party provider to maintain their lines should consider disabling remote access and enabling it only when there is work to be done. Maintenance companies usually provide this remote access, and firms are urged to use only strong passwords and to disable default passwords.

Also, if it is unlikely that premium-rate numbers need to be called from your premises, ask your operator to have premium-rate numbers barred.

“If your phone is hacked you should ask your operator to contact ComReg urgently as we may be able to help, but immediate action is necessary as it is normally not possible to take action after a few weeks have passed from the date the calls are made. You should also report the matter to An Garda Síochána,” ComReg said.
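As an added illustration of the two points above (example code written for this article, not ComReg guidance or any PBX vendor's tool), the script below flags extension PINs of the kinds the regulator names and scans constructed call records for out-of-hours premium-rate or international calls, so a business can alert its operator within days rather than discovering the fraud on the monthly bill. It assumes a CSV call-record layout of timestamp, extension, dialled number and cost, and that Irish premium-rate numbers begin with 15 (confirm the prefixes with your operator).

```python
from datetime import datetime

# Constructed sample data: extension number -> voicemail/remote-access PIN.
EXTENSION_PINS = {"201": "0000", "202": "1234", "203": "203", "204": "83917"}

# The weak PIN patterns ComReg names: 0000, 1234, or the extension number itself.
DEFAULT_PINS = {"0000", "1234"}

def weak_pins(ext_pins):
    """Return extensions whose PIN is a known default or equals the extension."""
    return sorted(ext for ext, pin in ext_pins.items()
                  if pin in DEFAULT_PINS or pin == ext)

# Constructed call detail records (CDRs) in an assumed CSV layout:
# timestamp,extension,dialled number,cost in EUR. Dates span Easter weekend 2013.
CDR = [
    "2013-03-26T10:30:00,204,012345678,0.40",        # Tuesday, local, daytime
    "2013-03-27T15:00:00,203,0044207123456,12.00",   # Wednesday, international, daytime
    "2013-03-29T22:14:05,201,1520123456,48.50",      # Friday night, premium rate
    "2013-03-30T03:02:11,201,0092300123456,120.00",  # Saturday 3am, international
    "2013-03-31T14:00:00,202,0044207123456,35.00",   # Sunday, international
]

def is_suspicious(ts, number):
    """Out-of-hours call (weekend, or outside 08:00-18:00) to a premium-rate
    or international number: the pattern the article describes."""
    out_of_hours = ts.weekday() >= 5 or ts.hour < 8 or ts.hour >= 18
    premium = number.startswith("15")   # assumption: Irish premium-rate prefix
    international = number.startswith("00")
    return out_of_hours and (premium or international)

def suspicious_calls(records):
    """Return (flagged calls, total cost) from the CDR lines."""
    flagged, total = [], 0.0
    for line in records:
        ts_text, ext, number, cost = line.split(",")
        ts = datetime.fromisoformat(ts_text)
        if is_suspicious(ts, number):
            flagged.append((ext, number, float(cost)))
            total += float(cost)
    return flagged, round(total, 2)

if __name__ == "__main__":
    print("Extensions with weak PINs:", weak_pins(EXTENSION_PINS))
    calls, cost = suspicious_calls(CDR)
    for ext, number, amount in calls:
        print(f"ext {ext} -> {number}: EUR {amount:.2f}")
    print(f"Out-of-hours premium/international spend: EUR {cost:.2f}")
```

Run it daily against the PBX's exported call records; any non-zero total over a weekend is the signal to call the operator before the few-week window ComReg mentions closes.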

The scale of the PBX fraud problem

The International Forum of International Irregular Network Access (FIINA) estimates that telecoms fraud is costing companies €42bn a year and is growing at 15pc a year. IDC estimates there are more than 200 different types of PBX fraud in existence.

The most high-profile instance of telecoms fraud in Ireland occurred in 2003, when a Comptroller and Auditor General report revealed that the Department of Social Affairs was defrauded to the tune of €300,000. In one weekend alone, an overseas crime gang that had hacked into the department’s phone exchange racked up calls of €12,000.

In another case, an unidentified business in Dublin was one of the victims of a PBX fraud attack by an organised crime gang which hacked in and made international calls. The owners of each of the PBXs had substantial carrier bills to pay, particularly the final PBX, where costs of more than €75,000 were run up on a weekend. The destinations of the calls were in India, Pakistan and Africa.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com