The use of VoIP in the enterprise has risen considerably over the course of the last few years, as better technology has been put in place and faster, more reliable internet speeds have come about. But like any technology that becomes popular, with it also comes the problem of it coming to the attention of cybercriminals. For VoIP, this means that we’ve seen a rise in fraud, on both consumer and PBX systems. Unlike traditional systems, VoIP relies on computers to transmit voice and it’s these systems which have opened up inroads for cybercriminals to exploit. In consumer systems, Skype, being the most popular VoIP app on the market, has been subject to hacks and attacks and this has seen some consumers finding themselves to be on the end of a large, unexpected bill. Shadow IT in the enterprise could also be said to create a vulnerability within a business when employees use apps like Skype without authorisation. In 2013, VoIP fraud cost businesses $4.73bn globally, with small and medium-sized businesses the most targeted, according to the Communications Fraud Control Association. It’s thought that as well as consumers, VoIP fraud affects both enterprises and telecoms providers as the latter are often left covering the bill. And the charges racked up by fraudsters can be substantial – in 2009 small business owner Michael Smith found that he was left with a bill of $900,000 after his PBX system was hacked. AT&T attempted to sue Smith for $1.5m to recover the call costs, claiming that the responsibility lay with him as he should have ensured that his systems were secure. However, the telecoms company later dropped the suit, although they maintained that it wasn’t their responsibility. The top five countries from which fraud originates are:

USA
India
UK
Pakistan
Philippines

So it’s very much a problem which can cost SMBs and telecoms companies a lot of cash. VoIP fraud can reap a lot of cash for cybercriminals in a relatively short space of time too, and for smaller telecoms companies, can prove fatal.

Types of VoIP Fraud

There are lots of techniques that can be employed by attackers to exploit VoIP systems. Some are borrowed from traditional phone fraud, whilst others use hacking and software and hardware exploits. Other types include:

Arbitrage – exploits the settlement rate between countries – with VoIP this falls into “a legal grey area” which means that telecos often withhold payments to providers if it’s suspected that the provider is artificially increasing traffic in countries where higher rates can be charged.
Buffer overflow – where hackers use buffer overflow errors in certain packets, causing apps to crash or run arbitrary code.
Bypass/GSM gateway fraud– in this scenario unauthorised traffic is inserted onto another carrier’s network and then uses advanced technology in order to make it appear that calls overseas are domestic calls being made as usual. In reality, the fraudster is usually selling phone cards abroad that are then used on the network.
Call transfer fraud – where the PBX is hacked and its services used to make long distance calls, usually at night or weekends when it’s unlikely that it will be noticed.
Premium rate calls – cybercriminals pair up with premium rate number providers to generate traffic to the numbers using illegal methods.
PBX hacking – the most common type of fraud, this sees the attacker hacking into the PBX system in order to generate large amounts of traffic.

PBX Hacking

Since this is most common, let’s have a look at this one in a little more detail. Once the system is hacked through vulnerabilities in the IP PBX, then the attacker can carry out other types of fraud. This can be done by guessing extension pins or by simply finding an extension which uses a default pin – so you should always change these to something more complex when setting up a VoIP system. Other common configuration mistakes include:

Poor user authentication and access control
Reliance on SBCs for security
Inadequate LAN separation and control
Lack of use, or inadequate use, of encryption
Phreaking

Shell Companies

A common type of VoIP fraud affecting telecos is the use of shell companies which are essentially set up solely to gain services on credit, which are of course not then paid for. This works by forcing a scenario in which a high volume of service is provided, again typically on weekends and holidays, so that they can operate undetected and run up a huge bill. Once this has been done, the shell company typically pays for the service in small instalments to keep the service provider happy and the account open until they have bled everything they can out of the provider. Similarly, subscription fraud signs up and uses the service, often running up large bills quickly, with no intention to pay at all and this sometimes goes hand-in-hand with identity theft.

Combatting VoIP Fraud

Most IP PBX vendors have adequate security in place to ensure that systems are protected, but it’s also important to consider security during deployment. This should encompass the existing network and before deployment begins, engineers should carry out a security audit and penetration test. Once the system has been deployed, it’s then a case of monitoring the infrastructure and its traffic to pick up any spikes that could indicate fraud is taking place, especially outside of normal working hours when most cases take place. Suspicious activity must be able to be picked up and blocked temporarily until it can be properly assessed. Some businesses go a step further and block certain countries for calling out that have a high incidence of telecoms related fraud. All software and firmware should be patched as soon as updates become available and file and server monitoring put in place. Employees should also be made aware of the dangers of using unsecured Wi-Fi networks when out of the office and connecting to the intranet portal. And of course, passwords, pins and usernames should be complex and managed with a password manager, rather than memory. Network security in general needs to be strong if VoIP fraud is going to be avoided. It’s a highly lucrative business for cybercriminals, so it’s unlikely that it will disappear anytime soon, but with better security at network and end user level, as well as a provider that offers encryption, static IP and a good level of cloud security, it needn’t be your business that suffers.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Types of VoIP Fraud

PBX Hacking

Shell Companies

Combatting VoIP Fraud

Get in touch with us today