Hosted PBX: The (Ever-) Growing Threat of Fraud

Hosted VoIP

Hosted PBX: The (Ever-) Growing Threat of Fraud

By Micah Singer, CEO, VoIP Logic  |  March 09, 2015

Telecom fraud is always on my mind. As our partners have had success using VoIP Logic’s (News - Alert) Hosted PBX platform to expand their businesses, fraud incidents continue to occur on their networks. Invariably, with growth comes more points of exposure which, because of very efficient hackers and fraudsters, are more likely to be exposed. 

Telecom fraud has evolved in certain ways – notably because of more overall CPU power preying on technical weaknesses, more savvy fraudsters, and more ubiquitous high quality public Internet connectivity. And it has remained much the same in many ways. The prime means of defrauding come from using system-default settings to a hacker’s advantage, weak user-selected passwords, and listening in the right places as devices communicate publicly. 

Before I break down what I mean with these fraud descriptions, I wanted to acknowledge that at its highest level the fraud problem is a people problem – a collective breakdown in vigilance during the deployment and subsequent management of phone systems and in phone service by the people that touch these systems. If hosted PBX (News - Alert) engineers included fraud mitigation in system deployment and user provisioning, and if end users were aware of (or forced to) be more careful with certain information, the problem of fraud could be substantially reduced. So it pays to iterate and re-iterate the importance of both catching fraud before it starts with best practices and of fraud monitoring.

Evolution of Telecom Fraud

I polled VoIP Logic’s engineers about telecom fraud as I started to think about writing this piece, and I was encouraged to learn that there is no new type of fraud we are seeing in the industry. Instead they have noticed an evolution in both the tactics used by hackers to gain secure information and access, and the usage patterns of end users that make more of this information publicly accessible.

First, for most hackers, it is still largely a numbers game. The more servers you can scan, the more passwords you can attempt, and the more calling destinations you can enter – the more likely you are to find a weakness. With more powerful CPUs and more servers on the Internet to use to do your bidding, hacking is more rapid and more widespread.  Our IP addresses are scanned at least 25 times a day. We see concerted destination dialing attempts from unauthorized users and registration attempts from unauthorized devices many times per week. In short, there is now much more of the same type of hacking that has been common for half a dozen years.

Second, not to stereotype all of the bad guys, but fraudsters are a bit more mature and patient nowadays. We see fraud occur in smaller amounts over longer periods of time.  This makes it much harder to detect when presented in this format mixed with large daily volumes of traffic. In addition, we now see fraudulent calls more frequently to lower cost and higher trafficked destinations – again harder to discern as fraud. Historically, telecom fraud looked like a hit-and-run scene. The norm was huge volumes of calls sent really quickly over the course of one night or starting on Friday after business hours to see if anyone was watching over the weekend. This still occurs but, given that it is so much easier to monitor and stop, it is becoming less common.

Third, a broadband Internet encourages (by allowing much improved voice quality of service) more companies and individuals to use publicly accessible places to register SIP devices. That, in turn, exposes their private access credentials to public availability unless they take advanced means of protecting this information. There are protocols like secure HTTP (HTTPs) for transmitting SIP user name and password information from your phone or softphone software on your computer across a network using protection, but there are many devices that do not use encryption technology. Coupling the increase in computing power available to hackers with the improvements in the bandwidth on the Internet makes this evolution particularly relevant to the uptick in fraud; though, admittedly, it is very hard to determine that this sort of packet sniffing has occurred after the fact.

Fraud Prevention Best Practices

First, far and away the most important best practice is to use the tools available to you to protect your assets as best you can. This means only use long complex non-dictionary passwords with lots of characters and numbers and capitals – the kind you can’t remember but have to look up or cut and paste.

Second, all machine-to-machine communication should be encrypted. With great public Internet in many places – more people are registering SIP devices using public IP connections. If your data is not encrypted, packet-sniffing software can grab the registration information, and your account is then accessible to hackers who are potentially fraudsters.

Third, make sure you change all system default settings – most notably passwords. The biggest issue with default settings is not changing them when you know they exist but, rather, learning they exist in the first place. Research all the built-in protections available on a new system you are deploying so that you make it your practice to understand each protection and set it to maximize your security.

Fourth, there are some fraud prevention tactics that are unique to telecom fraud. Make sure you throttle all expensive destinations that are not frequently called – like international calls to low volume but high cost countries (like Somalia) or places with confusing numbering plans that can be exploited (like the Caribbean, which uses the same 1 + area code + 7 digits as the U.S. and Canada, but where calls can be much more expensive). 

Finally, make sure you are using a tool to monitor fraud in real time or near real time.  Just like hackers have access to machinery that allows them look for weaknesses more easily, service providers have tools that allow them to crunch data (CDRs, generally) and parse out fraudulent usage based on deviation from normal patterns. In addition to looking at actual toll fraud as evidence of a compromised system, it is also possible to monitor and alarm system logins, registrations, call attempts and other fields.


Early in this article I mentioned that at the highest level, fraud is a people problem – many of the practices and techniques mentioned in this article can help to mitigate the benign part of the people problem. However, a large percent (and generally the most damaging) of fraud is caused willfully by people. Packet sniffing can net a hacker a single user name and password of an individual user, but buying a root password from a disgruntled or under-appreciated employee or packet sniffing a sloppy engineer with the highest level access can net a hacker every user name and password. 

Make sure access is only granted as needed, root-level passwords are rotated frequently, a fraud monitoring system is in place, and choose (and compensate) your employees well.

Micah Singer (News - Alert) is CEO of VoIP Logic (www.voiplogic).

Edited by Stefania Viscusi