In spite of awareness of the enormous financial implications of PBX fraud since 2013, cases continue to come to light. Police force cyber crime teams have recently been dealing with new cases where business PBX telephone exchanges were exploited towards the end of 2015, but the fraud only came to light when inflated bills appeared in January. The National Fraud Intelligence Bureau refers to this as "PBX Dial through fraud", and instances should be reported to them through their online fraud reporting tool.
PBX stands for Private Branch Exchange, a private telephone network used within a company. Users of PBX phone systems share a number of outside lines for making external phone calls. In the majority of cases companies have allowed themselves to be vulnerable to attack by not changing the default passwords/PIN on new equipment when purchased. A general guide to safer practice is as follows:
- Use strong PINs/passwords for your voicemail system, and ensure they are changed regularly.
- If your voicemail is still on a default PIN/password, change it immediately.
- Disable access to your voicemail system from outside lines. If outside access is business critical, ensure it is restricted to essential users and that they regularly update their PINs/passwords.
- If you do not need to call international numbers/premium rate numbers, ask your telecoms provider to place a restriction on your telephone line.
- Consider asking your network provider to not permit outbound calls at certain times, e.g. when your business is closed.
- Ensure you regularly review available call logging and call reporting options.
- Regularly monitor for increased or suspect call traffic.
- Secure your exchange and communications system, use a strong PBX firewall and if you don’t need the function, close it down!
- Speak to your maintenance provider to understand the threats and ask them to correct any identified security defect.
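The call logging and monitoring points above can be turned into a simple check run over the PBX's call detail records. The script below is an added example, not from the original advisory: it flags calls to international or premium-rate destinations placed outside business hours and alerts on any extension that makes several of them. The CDR lines are constructed, and the UK-style "00" international and "09" premium-rate prefixes, the 08:00-18:00 working day and the alert threshold are assumptions to adjust for your own exchange.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR lines (timestamp,extension,dialled_number,duration_seconds). Not real data.
SAMPLE_CDR = """\
2015-12-28T10:15:00,201,02079460000,180
2015-12-28T14:40:00,202,01632960123,60
2015-12-28T23:05:12,201,0012025550143,900
2015-12-28T23:21:45,201,0012025550177,840
2015-12-29T02:10:03,201,0012025550199,1200
2015-12-29T03:30:00,204,0905123456,300
2015-12-29T11:00:00,203,0012025550101,120
"""

BUSINESS_HOURS = (8, 18)       # assumed opening hours, 08:00-18:00 local time, Monday to Friday
INTERNATIONAL_PREFIX = "00"    # assumed UK-style international dialling prefix
PREMIUM_PREFIX = "09"          # assumed UK premium-rate number range
ALERT_THRESHOLD = 2            # assumed number of suspicious calls per extension before alerting

def is_out_of_hours(ts):
    """True on weekends or outside the configured business hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def is_high_risk_destination(number):
    """International and premium-rate destinations are where dial-through fraud costs money."""
    return number.startswith(INTERNATIONAL_PREFIX) or number.startswith(PREMIUM_PREFIX)

def suspicious_calls(cdr_text):
    """Return (extension, number, timestamp, duration) for high-risk calls made out of hours."""
    fields = ["ts", "ext", "number", "duration"]
    flagged = []
    for row in csv.DictReader(io.StringIO(cdr_text), fieldnames=fields):
        ts = datetime.fromisoformat(row["ts"])
        if is_high_risk_destination(row["number"]) and is_out_of_hours(ts):
            flagged.append((row["ext"], row["number"], ts, int(row["duration"])))
    return flagged

def extensions_to_alert(cdr_text, threshold=ALERT_THRESHOLD):
    """Map extension -> (suspicious call count, total minutes) for extensions at or over the threshold."""
    per_ext = defaultdict(lambda: [0, 0])
    for ext, _number, _ts, duration in suspicious_calls(cdr_text):
        per_ext[ext][0] += 1
        per_ext[ext][1] += duration
    return {ext: (n, secs // 60) for ext, (n, secs) in per_ext.items() if n >= threshold}

if __name__ == "__main__":
    for ext, (count, minutes) in sorted(extensions_to_alert(SAMPLE_CDR).items()):
        print(f"ALERT extension {ext}: {count} out-of-hours international/premium calls, {minutes} min")
```

Pointing the same check at the exchange's daily CDR export, rather than waiting for the monthly bill, is what turns "regularly monitor" into something that catches a compromise within a day.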