Have you ever collected the mail, opened your phone bill and been shocked at the daunting figure staring you in the face? $300 for the quarter? $500 maybe?
Try $50,000, which is what a Statewide Mutual member council’s bill came to recently after they fell victim to ‘phreaking’ – an increasingly common type of toll fraud scam. A second member was hit with a $15,000 bill before it was stopped.
Phreaking is the slang term for the illegal access to, use of and manipulation of an organisation’s telecommunications system by a third party, for the most part for financial gain. It is usually the first step in committing ‘toll fraud’: running up call charges on someone else’s account. Phreakers (or ‘hackers’, as they’re more commonly known) usually target an organisation’s PBX (Private Branch Exchange), the phone system used by most councils to switch internal calls between users while sharing a number of external phone lines. Most modern PBX systems are IP-based and are administered through web or network-accessible management software, which is what puts them within reach of attackers on the internet.
The scam works like this. The hackers first set up, or take a revenue share in, a premium-rate number service (for example a ‘dial-a-horoscope’ line charging $5.99 per minute), so that every minute a hijacked phone system spends connected to that number is money in their pocket. They then write programs that scan the internet for organisations’ PBX systems with exploitable weaknesses: administration and remote-access interfaces left reachable from the internet because of lax firewall rules, default or trivial passwords and PINs on extensions and voicemail boxes, and dial-through features that let an outside caller place outbound calls on the organisation’s lines. Once an entry point is found, the hackers make as many long-duration calls to their premium number as they can get away with, typically overnight and at weekends when nobody is watching the phones, reaping tens of thousands of dollars before the bill arrives.
The scams are run anonymously and usually from overseas, including from Europe and Africa, so it is very unlikely the perpetrators will ever be caught, and even less likely that the organisation will get its money back. Because the calls were placed from Council’s own lines, the carrier bills Council for them.
The global cost of telecommunications fraud, including scams such as phreaking, was a staggering US$38.1 billion in 2015. This figure is expected to keep rising as scammers become more tech-savvy and find new ways to steal from unsuspecting victims.
Thankfully, most Statewide Mutual members are covered for toll frauds such as phreaking under the Crime Scheme (primarily through cyber insurance). Toll fraud satisfies the definitions of an ‘External Crime’ and ‘Computer Crime’. In the instances referred to above, the Councils that suffered the toll fraud were covered for the loss, which is testament to being part of a Mutual that ensures the broadest cover possible to protect Members against emerging risks.
What you can do to protect Council
There are a number of actions Council can take to prevent PBX hacking and the toll fraud that follows it, or at least dramatically reduce the impact of a breach [1].
- Block international calls
Unless Council conducts business in certain countries, or has suppliers who do, check that your PBX (or your carrier) can bar calls by country prefix, and bar everything except the countries you actually need rather than only ‘high-risk’ regions such as North Africa and Eastern Europe, because the destinations change as the fraudsters move their premium numbers around. Bar domestic premium-rate (190x) numbers at the same time. An additional benefit is preventing unnecessary costs from staff making unauthorised international calls.
- Choose complex passwords
Don’t use basic passwords or PINs such as ‘1234’ or ‘0000’ anywhere on the phone system: not on the PBX administration interface, not on extensions, and not on voicemail boxes. Doing so pretty much rolls out the red carpet for hackers. Use long passwords that combine upper and lower case letters, numbers and symbols, replace the vendor’s defaults the day the system is installed, and change passwords regularly and whenever staff who knew them leave.
- Disable remote access
Disable DISA (Direct Inward System Access) unless there is a genuine business need for it. DISA lets an outside caller dial into the PBX, enter a code and then place outbound calls on Council’s lines as if sitting at a desk, and the code is often short and guessable, which makes it the classic toll-fraud entry point. The same applies to voicemail features that forward calls to external numbers. The more remote access is permitted, the more points of entry hackers have to your system; for them it’s a numbers game. If remote administration of the PBX is needed, restrict it to known IP addresses or a VPN rather than leaving it open to the whole internet. This is especially important if your IT team, rather than your telecommunications provider, is managing Council’s firewall.
- Update your firewall version and settings
It’s easy to let slip, but make sure your firewall’s firmware and rule set are kept up to date, and that the PBX itself is patched. Again, this is especially important if your IT team is managing Council’s internet security (as opposed to your telecommunications provider). Your best bet is to have your telco manage your firewall, as they have fraud experts in their ranks; while you are talking to them, ask what call-spend alerts and fraud monitoring they offer, because an alert on unusual after-hours international call volumes is what stops a bill at $15,000 instead of $50,000.
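The four measures above can also be checked after the fact against the call detail records (CDRs) that every PBX or carrier can export. The following script is an added example, not code from this article or from any PBX vendor: it applies an outbound-call policy (allow-listed countries, barred premium-rate numbers, business hours, a long-call threshold) to a constructed CDR export and totals international talk time per extension, which is where a phreaking incident shows up first. The country allow list, the premium-rate prefixes, the thresholds and the sample call records are all assumptions chosen for illustration; the phone numbers are fictional.

```python
"""Outbound-call policy check and CDR review for PBX toll-fraud defence.
Added example, not from the Statewide Mutual article. Allow list, prefixes,
thresholds and the CDR lines are constructed assumptions; adapt to your PBX.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Policy settings (assumptions): countries Council deals with, the Australian
# IDD prefix, domestic premium-rate ranges, and what counts as business hours.
ALLOWED_COUNTRY_CODES = {"61", "64"}         # Australia, New Zealand
INTERNATIONAL_DIAL_PREFIX = "0011"
PREMIUM_PREFIXES = ("1900", "1901", "1902")  # Australian 190x premium numbers
BUSINESS_HOURS = range(7, 19)                # 07:00 to 18:59, Monday to Friday
LONG_CALL_SECONDS = 30 * 60

# Subset of ITU country codes for longest-prefix matching; extend as needed.
KNOWN_COUNTRY_CODES = {"1", "7", "20", "27", "33", "44", "49", "61", "64",
                       "81", "86", "234", "355", "371", "380"}

@dataclass
class CallRecord:
    started: datetime
    extension: str
    dialled: str
    duration_s: int

def digits_only(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit())

def country_code(dialled: str) -> Optional[str]:
    """Country code of an international call, None for domestic. Codes not in
    the table come back as 'unknown' so they are blocked, not waved through."""
    digits = digits_only(dialled)
    if digits.startswith(INTERNATIONAL_DIAL_PREFIX):
        national = digits[len(INTERNATIONAL_DIAL_PREFIX):]
    elif dialled.strip().startswith("+"):
        national = digits
    else:
        return None
    for length in (3, 2, 1):                 # longest match first
        if national[:length] in KNOWN_COUNTRY_CODES:
            return national[:length]
    return "unknown"

def evaluate(call: CallRecord) -> List[str]:
    """Reasons to block or alert on one call; an empty list means permitted."""
    reasons = []
    cc = country_code(call.dialled)
    if cc is not None and cc not in ALLOWED_COUNTRY_CODES:
        reasons.append(f"international call (country code {cc}) is not on the allow list")
    if digits_only(call.dialled).startswith(PREMIUM_PREFIXES):
        reasons.append("domestic premium-rate number")
    after_hours = (call.started.hour not in BUSINESS_HOURS
                   or call.started.weekday() >= 5)
    if cc is not None and after_hours:
        reasons.append("international call outside business hours")
    if call.duration_s >= LONG_CALL_SECONDS:
        reasons.append("call longer than 30 minutes")
    return reasons

# Constructed CDR export (fictional numbers): a clean domestic call, a permitted
# NZ call, two overnight/weekend calls to unexpected countries, a premium-rate
# call and a daytime UK call. 4 March 2016 is a Friday.
SAMPLE_CDR = """\
start,extension,dialled,duration_s
2016-03-04 10:02:11,204,0299887766,180
2016-03-04 14:30:00,211,001164912345678,420
2016-03-05 02:14:07,204,0011355691234567,5400
2016-03-06 23:50:12,220,0011234803123456,3900
2016-03-07 09:15:00,300,1900123456,600
2016-03-07 11:00:00,205,+442079460000,300
"""

def parse_cdr(text: str) -> List[CallRecord]:
    rows = csv.DictReader(io.StringIO(text))
    return [CallRecord(datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"),
                       r["extension"], r["dialled"], int(r["duration_s"]))
            for r in rows]

def audit(text: str) -> List[Tuple[CallRecord, List[str]]]:
    """Every call that breaks policy, with its reasons, in CDR order."""
    return [(c, r) for c in parse_cdr(text) if (r := evaluate(c))]

def international_seconds_by_extension(text: str) -> Dict[str, int]:
    """International talk time per extension: a sudden spike from one extension
    or voicemail box is usually the first visible sign of phreaking."""
    totals: Dict[str, int] = {}
    for call in parse_cdr(text):
        if country_code(call.dialled) is not None:
            totals[call.extension] = totals.get(call.extension, 0) + call.duration_s
    return totals

if __name__ == "__main__":
    for call, reasons in audit(SAMPLE_CDR):
        print(f"{call.started} ext {call.extension} -> {call.dialled}: "
              + "; ".join(reasons))
    print(international_seconds_by_extension(SAMPLE_CDR))
```

Run against the constructed records, the script flags the two overnight calls to Albania and Nigeria on three counts each, the premium-rate call, and the daytime UK call (permitted countries only), while the domestic call and the New Zealand call pass. The same rules can be applied on the PBX itself (outbound dial restrictions) or by the carrier (call barring), and the per-extension totals are what a fraud-monitoring alert should be built on.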
Need to know more?
Please contact your Account Manager to discuss Council’s level of Crime Cover, and talk with your IT team and telecommunications provider to give you peace of mind that Council is as protected as possible from toll fraud attacks.
[1] http://www.overthewire.com.au/news/how-to-protect-yourself-from-toll-fraud