Preventing Phone Fraud at Your Home or Business

EMERY TELCOM offers the following tips to ensure your protection from phone fraud at your home or business:

• Don't accept collect calls from people you don't know. By accepting a call, you have agreed to pay the phone charges.


• Block third-number billing to your phone number. Third-number billing allows you to bill calls you make from other phones to your phone number, but it is also a potential source of phone fraud. If you have a calling card, it's a good idea to block all third-number calls.


• Watch out for individuals claiming to be law enforcement or telephone companies who ask you to accept collect calls or third-party calls as part of an investigation or telephone repair/analysis project. Legitimate law enforcement and telephone officials will never ask you to accept collect calls or third-number charges. If anyone asks for sensitive information as part of an "investigation," be wary. Don't provide any information and report the activity to the alleged agency or company. Either use the telephone number printed on your statement or look up the inquiring agency number in the telephone book.

Preventing PBX & Voicemail Fraud

A PBX, or Private Branch Exchange, is a telephone switch usually located on your premises. It provides communications between individual users and the public switched telephone network. A PBX is often paired with a voicemail messaging system.

A PBX or voicemail hack occurs when hackers discover a hole in the security of the telephone system. The hackers take advantage of that hole by generating calls that they have no intention of paying for. Instead, calls are billed to the organization using the PBX or voicemail system.

What can you do to protect your business?

• Contact your equipment vendor immediately and have a proactive discussion on PBX and voicemail security.
• Deactivate unused features and mailboxes.
• Change default passwords for users and administrators and increase the length of passwords. Restrict login attempts.
• Restrict message notification or out-dialing on voicemail boxes.
• Block operator services or international access as appropriate.
• Block casual dialing from the PBX: 101XXXX and 1010XXX.
• Add verified account codes for international dialing.
• Review the call detail on monthly invoices and report anything suspicious.
• Invest in call accounting software or station message detail recording to review internal extensions for abnormal activity.
• Do not allow remote access until confident it is secure.

Do you have VoIP equipment?

If your customer premises equipment is improperly configured, it is possible that unregulated inbound SIP traffic will pass through your IP network / PBX and out of your SIP trunk group. This can allow Internet-based hackers access to local dial tone from the IP PBX / SIP trunk group without your knowledge.

• Contact your equipment vendor about running a security audit of your IP and voicemail systems.
• Check the status of your firewall and/or other call processing software for errors or manipulation of setup.
• Verify the configuration of your IP PBX to ensure that WAN traffic is isolated from SIP Trunk solution.
• Block Internet WAN traffic from accessing the gateway via SIP (Port 5060) for TCP and UDP.

What is EMERY TELCOM doing to help?

• Notifying our customers of suspect usage.
• Providing education and suggestions to customers so they can minimize the risks.
• Cooperating with other carriers and law enforcement agencies to investigate and prosecute.
• Saving money for customers by detecting and blocking fraudulent calls.

Social Engineering

In the communications industry, a Social Engineer uses his or her conversational skills to trick an unsuspecting victim into providing access to dial-tone or other information. Once dial-tone is received on the fraudster's end, calls can be made anywhere, for any length of time. The victim, usually a business owner, is left holding the bill.

Social Engineering happens in a variety of ways:

• A caller posing as an employee of the "telephone company" calls into the receptionist at ABC Company. He asks the receptionist for assistance in testing the line. He may ask to dial 9, 0, #, and then hit the "connect" key on the telephone set. The 9 will allow him to get an outside line, the 0 will take him to the Operator, and from there he can call any destination, billing back to ABC Company. He may also ask to be connected to extension 90(X) and attempt to get an outside line that way.


• A caller calls into ABC Company and requests Customer Service. When Customer Service answers, he takes the name of that person and then says he was transferred to the wrong department. He asks to go back to the receptionist, and pretends to be the Customer Service representative asking for help getting an outside line. Once he gets the outside line, he places a fraudulent call, which is then billed back to ABC Company.


• Social Engineers can manipulate representatives of ABC Company into providing PIN numbers for calling cards, extension numbers, names, password information, telephone system information, or any information that would enable them to make a free phone call. This includes the ability to talk or trick a victim into accepting third-party billed or collect calls.

What can you do?

EDUCATE! Tell everyone in your organization and then spread the word externally. Educating employees is the number one deterrent against successful Social Engineering.

REPORT! Tell your Communications Manager and your Communications Carrier what has happened. In nearly all cases, the calls originate from a pay phone or unknown numbers. Although the fraudster is often impossible to find, Carriers are pooling information in an effort to combat fraud and prosecute the perpetrators.

PREVENT! Make changes in your telephone system that may prevent access to well known fraud destinations. You can request an international block from your carrier or certain country code blocks from your telephone equipment vendor. Operator Services can be blocked at the local carrier level to avoid unauthorized charges made through the Operator Service Provider.

Call your vendor and inquire about the security of your current system: Is there access from the outside world into your system or voicemail? Are all systems password protected? Have default passwords been changed? Are features not in use turned off, such as out dialing? Are all vacant voice mailboxes deleted? Read your telephone bills! Inquire about suspect activity to international countries or calls placed outside normal business hours.