Businesses are being warned to guard against telephone fraud, a type of hack that compromises their phone systems and leaves them facing large bills that could amount to thousands of euro.
Phone fraud, also called PBX fraud, involves gaining access to a company’s PBX (private branch exchange) and using it to route international calls. It allows callers to dial international numbers at little or no cost to the caller, as the PBX owner ends up having to bear the cost of the call.
Detective Inspector Paul Gillen, head of the Computer Crime Investigation Unit with the Garda Bureau of Fraud Investigation confirmed that the problem has affected many Irish organisations. “There have been lots of cases and the amounts of money collectively would come up to several million euro over the last few years,” he told siliconrepublic.com.
In one of the most high-profile cases, a report by the Comptroller and Auditor General uncovered major losses by the Department of Social Welfare over a single weekend in 2002, amounting to €300k. According to David Clark of Soft-Ex, a provider of telecoms management systems, bank holiday weekends are popular choices for timing an attack. This way, hackers have three days’ worth of access to a telephone system before a company returns to work and notices something wrong.
Speaking at a recent network convergence seminar organised by Lan Communications, Clark said the relative ease of committing the crime made phone frauds attractive for criminals. “It’s simple to carry out, profitable and carries little risk,” he stated. Whereas data security is now a prominent issue, telephone security isn’t taken seriously enough, Clark argued.
He pointed out that many organisations don’t put in place systems to monitor their PBX systems, which means that telephone fraud tends to be discovered after the event. “The impact on your organisation is financial – you as the customer must pay the bill – and reputational.”
“Companies should treat their PBX system in the same way as their computer network,” Gillen stated. “Its compromise could potentially lead to the loss of tens of thousands of euro over a very short space of time and this has been proved over the past couple of years in Ireland.”
Gillen said it should be the responsibility of the IT department in a company to take care of these systems, although he is aware that this is not a trivial task. “It requires attention, patching, monitoring and logs to be kept, but if you fail to prepare, it’s only a matter of time before you could get attacked.”
Gillen added that large organisations are not the only ones at risk. “We have seen SMEs with their PBXs compromised and the money lost was significant amounts that affected their cash flow and their profits.”
“We’re very anxious that the owners of PBX systems would take action to secure them. Prevention is the best deterrent.” He also urged companies to report any suspect activity. “The gardaí are always here to help and advise in the event of a suspected compromise or fraud.”
Neil Wisdom, sales director with Lan Communications, warned that with the growing trend towards putting voice and data traffic onto a single network, security was more important than ever. “Security is not a one-off cure, it’s a culture. Converged networks carry everything, so security is not optional.”
By Gordon Smith