Got VoIP? 4 tips to avoid getting hacked

26 Jun 2018

Image: luchunyu/Shutterstock

As the popularity of IP-based enterprise communications continues to grow, the threat of fraud also rises. Al Castle, VP of product and engineering at Flowroute, gives his top tips to protect your business.

The financial impact of telecom fraud is massive – costing the industry more than $38bn a year, according to a global survey by the Communications Fraud Control Association in 2015.

Further, the true cost of a breach grows well beyond the phone bill once damage to a company's customer relationships and reputation is factored in.

Businesses that have, or are looking to integrate, IP-based communications should be wary of the four common types of VoIP fraud:

  • Premium route fraud, which routes calls to premium-rate (mostly international) destinations, or to newly announced number ranges that carriers' rate decks do not yet price correctly.
  • Inbound toll-free abuse or fraud, which floods a business's toll-free numbers with calls and plays confusing or difficult-to-hear audio, so that whoever answers stays on the line longer while trying to work out what is happening; the called business pays for every minute.
  • Black/grey routes, where attackers steal SIP trunking account credentials and potentially resell the stolen capacity.
  • Identity fraud and caller ID spoofing, where attackers impersonate a business or individual so that calls are attributed to the victim's number or account. This type of fraud also includes voicemail hacking.

To compound matters, many attacks occur during off-peak hours, such as on holidays or on the weekends, when a fraud attack could go undetected for hours, if not days – costing businesses potentially hundreds of thousands of dollars.

A well-known example of this was when a small, seven-person architecture firm was hacked over a holiday weekend in 2014, racking up a massive phone bill of more than $160,000 after fraudsters routed calls from the company to numbers in Gambia, Somalia and the Maldives.

Businesses can avoid falling victim to attacks such as these by considering a few simple but effective best practices when assessing whether their current IP communications carrier offers the best protection for their network and communications services.

Conduct an annual security audit

If a business operates one or more PBX systems on public IP addresses, it is critical to audit them at least annually to confirm that the fraud controls (rate caps, destination lists, authentication rules) still match actual traffic patterns. Publicly reachable SIP endpoints are scanned continuously by attackers looking for easy targets, so these check-ins are imperative to protect the account(s).

Set a maximum default rate for outbound calls

A maximum default outbound rate blocks any call whose per-minute rate to the dialled destination exceeds a predefined cap. Reviewing normal traffic (which destinations are called, and at what rates) helps determine a cap the business is comfortable setting.

This cap can be updated as traffic patterns change, but the more precisely a company matches it to its legitimate traffic, the sooner it catches fraudsters before they can run up charges on the account.

Define the countries on your destination whitelist

A destination whitelist lets a business name the countries its users may call regardless of the outbound rate, so that legitimate high-rate destinations are not caught by the cap while everything else still is. Together with the rate cap, this limits the charges an attacker can generate after a breach. The list can be adjusted as needed to follow the company's and its customers' changing traffic patterns.

Another option is a strict destination whitelist. When this is enabled on the account, only countries on the strict whitelist can be called, regardless of the maximum outbound rate in place: it overrides the rate cap in both directions, blocking cheap destinations that are not listed and allowing listed ones whatever their rate.
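The following is an added example, not code from the original article or from Flowroute, showing how the three controls above combine into a single outbound-call decision: a per-minute rate cap, a whitelist that bypasses the cap, and a strict whitelist that overrides the cap entirely. The rate deck, prefixes, tariffs and policy values are constructed sample data, not real pricing or recommendations; a destination missing from the deck is blocked, which is also the defence against the "newly announced destination" variant of premium route fraud.

```python
"""Outbound-call policy: maximum default rate, destination whitelist and
strict whitelist override. Added example, not Flowroute's code; the rate
deck below is constructed sample data with made-up tariffs."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed rate deck: E.164 dialling prefix -> (ISO country, USD per minute).
SAMPLE_RATE_DECK: Dict[str, Tuple[str, Decimal]] = {
    "1":   ("US", Decimal("0.0100")),
    "44":  ("GB", Decimal("0.0800")),   # above the cap, but whitelisted below
    "220": ("GM", Decimal("0.9500")),   # Gambia
    "252": ("SO", Decimal("1.2000")),   # Somalia
    "960": ("MV", Decimal("1.5000")),   # Maldives
}


def lookup_rate(number: str, rate_deck=SAMPLE_RATE_DECK):
    """Longest-prefix match of the dialled E.164 number against the deck.
    Returns None for a destination the deck does not price yet."""
    digits = number.lstrip("+")
    for n in range(len(digits), 0, -1):
        hit = rate_deck.get(digits[:n])
        if hit is not None:
            return hit
    return None


@dataclass(frozen=True)
class OutboundPolicy:
    max_rate: Decimal                                   # maximum default rate, USD/min
    whitelist: FrozenSet[str] = frozenset()             # callable regardless of rate
    strict_whitelist: Optional[FrozenSet[str]] = None   # if set, ONLY these countries

    def decide(self, number: str, rate_deck=SAMPLE_RATE_DECK) -> Tuple[str, str]:
        """Return ("ALLOW"|"BLOCK", reason) for one dialled number."""
        hit = lookup_rate(number, rate_deck)
        if hit is None:
            # Fail closed: an unpriced prefix is exactly the "newly announced
            # destination" that premium route fraud exploits.
            return ("BLOCK", "destination not on rate deck")
        country, rate = hit
        if self.strict_whitelist is not None:
            # Strict mode overrides the rate cap in both directions.
            if country in self.strict_whitelist:
                return ("ALLOW", f"{country} on strict whitelist")
            return ("BLOCK", f"{country} not on strict whitelist")
        if country in self.whitelist:
            return ("ALLOW", f"{country} on whitelist (rate {rate}/min ignored)")
        if rate > self.max_rate:
            return ("BLOCK", f"{country} rate {rate}/min exceeds cap {self.max_rate}/min")
        return ("ALLOW", f"{country} rate {rate}/min within cap")


# Example policies: assumed values, not recommendations for any specific business.
DEFAULT_POLICY = OutboundPolicy(max_rate=Decimal("0.05"), whitelist=frozenset({"GB"}))
STRICT_POLICY = OutboundPolicy(max_rate=Decimal("0.05"), strict_whitelist=frozenset({"US"}))

if __name__ == "__main__":
    for num in ("+12065550100", "+447700900123", "+2207000000", "+9999000000"):
        print(num, DEFAULT_POLICY.decide(num), STRICT_POLICY.decide(num))
```

Under `DEFAULT_POLICY` the UK number is allowed only because GB is whitelisted (its sample rate is above the cap), the Gambian number is blocked by the cap, and the unknown `+999` prefix is blocked for having no rate. Under `STRICT_POLICY` the same UK number is blocked despite being cheap enough, because only US is listed.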

Enable IP-based authentication for outbound calls

If the phone system has a static IP address, consider enabling IP-based authentication for outbound calls as a way to secure the account. By restricting the account's telephony resources to requests from the registered IP address(es), only the authorised network, not an attacker holding stolen credentials, will be able to place calls or send messages.

If the system has mobile users logging in from dynamic IP addresses, consider instead using a log-monitoring tool that builds a blacklist of IP addresses identified as potential threats. Such tools watch the PBX log and automatically block any address that fails a set number of authentication attempts within a given window, giving the account a dynamic layer of fraud protection.
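The following is an added example, not code from the original article, from Flowroute or from any log-monitoring product, illustrating both halves of this section: the detection logic a fail2ban-style tool applies to a PBX log (count failed registrations per source IP inside a sliding window and block repeat offenders), and the static-IP check for outbound calls. The log lines are constructed for the example and only loosely modelled on Asterisk `chan_sip` registration-failure notices; the IP addresses are documentation ranges, the threshold and window are assumed values, and the `iptables` commands are returned as strings rather than executed.

```python
"""Dynamic fraud protection for SIP endpoints: count failed registration
attempts per source IP from the PBX log and block repeat offenders, plus the
static-IP check for outbound calls. Added example, not a vendor's code; the
log lines are constructed and only loosely modelled on Asterisk notices."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample log. 203.0.113.5 fails three times in three seconds,
# 198.51.100.7 fails twice, 192.0.2.9 fails twice and then once 29 minutes later.
SAMPLE_LOG = """\
[2018-06-24 01:50:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '192.0.2.9:5060' - Wrong password
[2018-06-24 01:51:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '192.0.2.9:5060' - Wrong password
[2018-06-24 02:13:07] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '203.0.113.5:5060' - Wrong password
[2018-06-24 02:13:08] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx.example.com>' failed for '203.0.113.5:5060' - Wrong password
[2018-06-24 02:13:09] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@pbx.example.com>' failed for '203.0.113.5:5060' - No matching peer found
[2018-06-24 02:13:10] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@pbx.example.com>' failed for '203.0.113.5:5060' - Wrong password
[2018-06-24 02:13:11] VERBOSE[1234] chan_sip.c: Really destroying SIP dialog '1234abcd@203.0.113.5'
[2018-06-24 02:14:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7:5060' - Wrong password
[2018-06-24 02:14:30] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7:5060' - Wrong password
[2018-06-24 02:20:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '192.0.2.9:5060' - Wrong password
"""

# Matches only registration failures; any username and any failure reason count.
FAILED_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*"
    r"Registration from '[^']*' failed for '(?P<ip>\d+\.\d+\.\d+\.\d+):\d+' - (?P<reason>.+)$"
)


def find_offenders(log_text: str, max_fails: int = 3,
                   window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Return {ip: time_of_ban} for every source IP that reached max_fails
    failed registrations inside a sliding window (assumed threshold/window)."""
    recent: Dict[str, deque] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # not a registration failure
        ip = m["ip"]
        if ip in banned:
            continue                      # already blocked; nothing more to count
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_fails:
            banned[ip] = ts
    return banned


def block_rules(banned: Dict[str, datetime]) -> List[str]:
    """Firewall commands a tool would run for each banned address (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # banned at {ts:%Y-%m-%d %H:%M:%S}"
            for ip, ts in sorted(banned.items())]


def authorise_outbound(source_ip: str, static_allowed: FrozenSet[str],
                       banned: Dict[str, datetime]) -> Tuple[str, str]:
    """Static-IP mode (non-empty ACL): only listed addresses may place calls.
    Dynamic mode (empty ACL): anyone not currently banned may."""
    if static_allowed:
        if source_ip in static_allowed:
            return ("ALLOW", "source in static IP ACL")
        return ("REJECT", "source not in static IP ACL")
    if source_ip in banned:
        return ("REJECT", f"source banned since {banned[source_ip]:%H:%M:%S}")
    return ("ALLOW", "source not banned")


if __name__ == "__main__":
    bans = find_offenders(SAMPLE_LOG)
    for rule in block_rules(bans):
        print(rule)
    print(authorise_outbound("203.0.113.5", frozenset(), bans))
```

With the default threshold of three failures in ten minutes only 203.0.113.5 is banned (at its third failure, 02:13:09); 198.51.100.7 stops at two, and 192.0.2.9's early failures have aged out of the window by the time its third arrives. Lowering the threshold to two bans all three, which is the usual trade-off between catching slow scanners and locking out users who mistype a password.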

Being proactive and vigilant in the fight against telecom fraud will help protect and secure a company’s ability to keep day-to-day operations running smoothly, while also keeping customer relationships and corporate reputation intact in the long term.

By Al Castle

Al Castle is the vice-president of product and engineering at Flowroute

Updated, 2.28pm, 26 June 2018: This article was updated to clarify that Al Castle authored this guest column, not William King, as previously stated.