Toll fraud is an ongoing risk for business customers, where businesses are billed for long distance calls made fraudulently through their business Voicemail equipment.
The activity involves experienced fraudsters accessing vulnerable business Voicemail equipment via system option prompts that eventually permit the user to place long distance calls.
Fraudsters most often call a business after-hours and use its automated answering system to troll for vulnerable mailboxes. Experienced fraudsters recognize the equipment they are calling by its prompts and know the equipment's default passwords, allowing them access to mailboxes whose passwords were never changed (or to guess simple passwords such as 1234 and 1111).
It is imperative for you to protect yourself against this type of fraudulent activity by ensuring your Voicemail equipment is safeguarded and your employees are educated about password security.
Here is what you can do to increase protections for your business:
Ensure that your employees change the manufacturers’ default password immediately upon being assigned a Voicemail box, and that they are reminded to change the password frequently thereafter.
Program your Voicemail system to require passwords with a minimum of 6 characters (8 is preferred – the more complex the password, the more difficult it is to guess).
Train your employees not to use easily-guessed passwords such as their phone number, their phone extension, or simple number combinations.
When assigning a phone to a new employee, never make the temporary password the employee’s telephone number.
Program your Voicemail system to force users to change their password every 90 days.
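The password rules above can be enforced automatically when a mailbox PIN is set. The following Python script is an added example, not Bell's code or any voicemail vendor's; it rejects PINs that are shorter than 6 digits, that match a default or commonly guessed PIN, that are all one digit or a simple sequence, or that are derived from the user's phone number or extension, and it reports when a PIN is older than 90 days. The default-PIN list, the mailbox details and the dates are constructed for the example; real vendor defaults vary.

```python
"""Voicemail PIN policy check (added example; not Bell's or a vendor's code)."""
import re
from datetime import date, timedelta

# Constructed list of vendor-default and commonly guessed PINs (assumption).
DEFAULT_PINS = {"0000", "1234", "1111", "123456", "000000", "111111"}
MIN_LENGTH = 6          # advisory minimum (8 preferred)
MAX_AGE_DAYS = 90       # advisory: force a change every 90 days


def is_sequential(pin: str) -> bool:
    """True for straight runs such as 1234, 4321 or 012345."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str, phone_number: str, extension: str) -> list[str]:
    """Return the policy violations for a candidate PIN (empty list = acceptable)."""
    problems = []
    if not re.fullmatch(r"\d+", pin):
        return ["PIN must contain digits only"]
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if pin in DEFAULT_PINS:
        problems.append("matches a default or commonly guessed PIN")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    if is_sequential(pin):
        problems.append("sequential digits")
    # Any run of digits lifted from the user's own phone number is guessable.
    phone_digits = re.sub(r"\D", "", phone_number)
    if pin in phone_digits:
        problems.append("derived from the phone number")
    # The extension is printed on the phone; a PIN built from it is guessable too.
    if extension and (extension in pin or pin in extension):
        problems.append("matches the extension")
    return problems


def needs_rotation(last_changed: date, today: date) -> bool:
    """True when the PIN is older than the 90-day limit."""
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample mailboxes: (pin, phone number, extension).
    for pin, phone, ext in [("1234", "416-555-0123", "4123"),
                            ("550123", "416-555-0123", "2001"),
                            ("739152", "416-555-0123", "2001")]:
        print(pin, check_pin(pin, phone, ext) or "OK")
```

Run the script as-is to see the three constructed mailboxes evaluated; in practice the check would be called from whatever provisioning step assigns or resets a mailbox PIN.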
There is a feature called “through-dialling” that allows you to make long distance calls from within your mailbox when you are at an offsite location. Confirm if the through-dialling feature is needed, and if not ask your equipment support provider to disable it. Through-dialling is the primary enabler of toll fraud on phone systems.
If you decide to keep through-dialling enabled, it is important you generate and monitor through-dialling reports to ensure your mailboxes are not being abused.
Remove all unassigned mailboxes.
There is a 101xxxx feature that allows you to make calls with another long distance carrier. Confirm whether the 101xxxx feature is needed; if not, disable it or ask your equipment support provider to disable it on your behalf.
There is a 0-11 feature that allows you to make overseas calls. Confirm whether the 0-11 feature is needed; if not, disable it or ask your equipment support provider to disable it on your behalf.
There is a 0+ feature that allows you to make calls with operator assistance. Confirm whether the 0+ feature is needed; if not, disable it or ask your equipment support provider to disable it on your behalf.
Block access to remote maintenance ports and system administration ports.
Block long distance calls when outside normal operating hours of your company (nights, weekends, holidays).
There is a “call forwarding” feature that allows you to forward calls from your business phone to another phone number. Confirm if the call forwarding feature is needed, and if not disable the feature or ask your equipment support provider to disable it on your behalf.
Direct Inward System Access (DISA) is a feature that allows offsite employees to make business long distance calls as if they are “inside” the company’s private branch exchange (PBX) and have the calls billed directly to the company. If your company has DISA:
Restrict access outside normal operating hours of your company (e.g. nights, weekends, holidays);
Avoid publishing phone numbers that could provide direct access to your system;
Change your DISA numbers periodically;
Issue a different DISA authorization code for each user and warn users to never write down their authorization codes;
Program your PBX to generate an alarm when an unusual number of invalid DISA authorization codes are entered, and to disable the port after a set number of invalid attempts.
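The last DISA recommendation (alarm on an unusual number of invalid authorization codes, then disable the port) can be checked against the PBX's own authorization log. The script below is an added example in Python, not Bell's code or any PBX vendor's feature: it reads constructed log lines of the form "timestamp port caller result", raises an alarm when a port sees 3 invalid codes within 10 minutes, disables the port at 5, and refuses any further attempt on a disabled port, including a later code that would have been accepted. The log format, thresholds and sample entries are assumptions for the example.

```python
"""DISA authorization-code monitor (added example; not Bell's or a vendor's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALARM_THRESHOLD = 3           # invalid codes within WINDOW -> raise an alarm
DISABLE_THRESHOLD = 5         # invalid codes within WINDOW -> disable the port
WINDOW = timedelta(minutes=10)

# Constructed sample log: timestamp, DISA port, calling number, result.
SAMPLE_LOG = """\
2024-05-03T22:01:10 port2 5145550199 INVALID
2024-05-03T22:01:40 port2 5145550199 INVALID
2024-05-03T22:02:05 port2 5145550199 INVALID
2024-05-03T22:02:30 port2 5145550199 INVALID
2024-05-03T22:03:00 port2 5145550199 INVALID
2024-05-03T22:03:20 port2 5145550199 VALID
2024-05-04T09:15:00 port1 4165550123 INVALID
2024-05-04T09:15:30 port1 4165550123 VALID
"""


def parse_log(text):
    """Yield (timestamp, port, caller, result) tuples from the constructed format."""
    for line in text.splitlines():
        ts, port, caller, result = line.split()
        yield datetime.fromisoformat(ts), port, caller, result


def monitor(text):
    """Return (alarms, disabled_ports, refused_attempts).

    alarms: list of (port, time, caller, invalid_count) raised once per port.
    refused_attempts: attempts that arrived after the port was disabled.
    """
    recent = defaultdict(deque)   # port -> timestamps of invalid attempts in WINDOW
    disabled = set()
    alarmed = set()
    alarms = []
    refused = 0
    for ts, port, caller, result in parse_log(text):
        if port in disabled:
            refused += 1              # port is out of service; nothing is accepted
            continue
        if result != "INVALID":
            continue
        window = recent[port]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()          # drop attempts older than the sliding window
        if len(window) >= ALARM_THRESHOLD and port not in alarmed:
            alarms.append((port, ts, caller, len(window)))
            alarmed.add(port)
        if len(window) >= DISABLE_THRESHOLD:
            disabled.add(port)
    return alarms, disabled, refused


if __name__ == "__main__":
    alarms, disabled, refused = monitor(SAMPLE_LOG)
    for port, ts, caller, n in alarms:
        print(f"ALARM {port} at {ts}: {n} invalid codes from {caller}")
    print("disabled ports:", sorted(disabled), "refused attempts:", refused)
```

In the constructed log the after-hours caller on port2 reaches a valid code on the sixth try; because the port was disabled at the fifth invalid attempt, that code is refused and the alarm has already been raised with the calling number for follow-up.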
Features and recommendations that customers should be aware of for their specific system, as they relate to toll fraud:
External call forwarding from end users' phones should be restricted
Redirect of incoming numbers to outside numbers should be restricted
General Access phones should be limited to local calling only
End user phone access levels should be assigned correctly for applicable long distance calling
Access to known high-toll-fraud areas should be restricted or limited using restriction tables
Use of long distance authorization codes
Monitor and track long distance activity using Call Detail Reports
Redirection of inbound calls via the Auto Attendant to external numbers, such as answering services
Restrict or control Voicemail revert (0) through-dialling to pagers and cell phones
Restrict or control Voicemail Remote Notification to pagers and cells
If available, use Desktop Messaging or Remote Notification to email for notification of new voicemail messages
End users should be forced to change mailbox access passwords on a regular basis
End-user password minimum length should be set to 6 digits
Removal of any unused mailboxes
Restriction and permission lists to restrict outbound access where required
Passwords should not be posted or distributed
Passwords should be changed on a regular basis
Passwords must be changed from default passwords
Authorization codes should be changed regularly
Restriction/permission controls should be in place to limit inbound/outbound transfers
Monitor systems using traffic and Call Detail Reports to check calling patterns:
Calls to unusual locations
High call volume
Long call durations
International and calls to 809 or 900 area codes
High traffic after business hours
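The five calling patterns just listed can be checked in bulk against a Call Detail Report export. The following Python script is an added example, not Bell's code or any PBX's reporting feature: it reads a constructed CSV export (extension, start time, duration, dialled number) and flags international calls, calls to the 809 and 900 area codes, calls to area codes the business does not usually call, calls longer than an hour, extensions with a high call count, and calls placed outside business hours. The CDR layout, the "usual" area codes, the business hours and the thresholds are all assumptions for the example and would be tuned to the business.

```python
"""Call Detail Report review (added example; not Bell's or a vendor's code)."""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

USUAL_AREA_CODES = {"416", "647", "905", "514", "613"}   # assumed normal for this business
WATCH_AREA_CODES = {"809", "900"}                         # named in the advisory
BUSINESS_HOURS = range(8, 18)                             # 08:00-17:59, Monday-Friday (assumed)
LONG_CALL_SECONDS = 60 * 60                               # assumed threshold
HIGH_VOLUME_CALLS = 5                                     # assumed threshold per extension

# Constructed sample CDR export. Destination numbers are made up for the example.
SAMPLE_CDR = """\
extension,start,duration_seconds,dialed
2001,2024-05-03T10:12:00,240,4165550111
2001,2024-05-03T14:40:00,90,9055550122
2003,2024-05-03T23:05:00,3900,011441632960777
2003,2024-05-03T23:55:00,600,011441632960777
2003,2024-05-04T00:30:00,4200,8095550133
2003,2024-05-04T01:10:00,120,9005550144
2003,2024-05-04T01:40:00,60,2125550155
2003,2024-05-04T02:05:00,45,3055550166
"""


def classify_destination(dialed):
    """Return a reason string for a suspicious destination, or None if it looks usual."""
    if dialed.startswith("011"):
        return "international"
    area = dialed[-10:-7]   # last 10 digits are the North American NPA-NXX-XXXX
    if area in WATCH_AREA_CODES:
        return f"area code {area}"
    if area not in USUAL_AREA_CODES:
        return f"unusual area code {area}"
    return None


def after_hours(start):
    """True on weekends or outside the assumed business hours."""
    return start.weekday() >= 5 or start.hour not in BUSINESS_HOURS


def review_cdr(text):
    """Return a list of (extension, dialed or '*', reason) findings."""
    findings = []
    volume = Counter()
    after_hours_calls = Counter()
    for row in csv.DictReader(StringIO(text)):
        ext = row["extension"]
        start = datetime.fromisoformat(row["start"])
        duration = int(row["duration_seconds"])
        dialed = row["dialed"]
        volume[ext] += 1
        reason = classify_destination(dialed)
        if reason:
            findings.append((ext, dialed, reason))
        if duration > LONG_CALL_SECONDS:
            findings.append((ext, dialed, f"long call {duration // 60} min"))
        if after_hours(start):
            after_hours_calls[ext] += 1
    for ext, n in volume.items():
        if n >= HIGH_VOLUME_CALLS:
            findings.append((ext, "*", f"high volume {n} calls"))
    for ext, n in after_hours_calls.items():
        findings.append((ext, "*", f"{n} calls after business hours"))
    return findings


if __name__ == "__main__":
    for ext, dialed, reason in review_cdr(SAMPLE_CDR):
        print(f"extension {ext}: {dialed}: {reason}")
```

In the constructed report extension 2001 produces no findings while extension 2003 trips every check in one night, which is the shape a compromised mailbox or DISA code typically shows; a real review would also feed the flagged extensions back into the password and through-dialling checks above.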
The above security measures are of a general nature and might not protect every aspect of an individual telephone system. We encourage you to contact your equipment support provider to discuss the unique aspects and vulnerabilities of your telephone equipment in greater detail. Remember that you are solely responsible and liable for paying for all calls originating from or passing through your telecommunications systems, equipment or accounts, and long distance charged calls or operator assisted calls, regardless of who made or accepted them.
Thank you for using Bell.
Note: Bell Canada’s Unregulated Terms of Service – Voice and Internet pertaining to long distance calls can be found at Terms of Service (see especially Articles 7 and 22).