Toll fraud

Toll fraud, telephone system hacking, voice mail hacking – these are all terms for fraud involving business telephone systems that could cost your business thousands of pounds. Your business could be at risk if you use either voice mail or auto attendant. Even without these, there are ways to defraud companies of a great deal of money in a short space of time without them realising until it is too late.

What is toll fraud?

You will be aware of premium rate telephone numbers.

In the UK, these numbers begin with 09 and cost up to £1.50 per minute to call. The provider of the service gets a substantial fraction of that £1.50 paid to them and that is how they get paid for the service. Used legitimately, 09 numbers are a simple way to charge customers for services like help desks and adult services on a 'pay as you go' basis.

Other countries also have premium rate telephone numbers, which can be dialled from the UK and might be a lot more expensive than £1.50 per minute.

The availability of premium rate numbers opens an opportunity for fraud. If you own a premium rate telephone number and you can get calls to it fraudulently, you have a means to make a lot of money in a short space of time. This article aims to explain how it can happen and what you can do to prevent it.

How does toll fraud happen?

There are a number of ways that toll fraud can happen, some of which are described below. In general, the perpetrators of the fraud will set up a premium rate telephone number, then get telephone systems to make calls to the number without the owners of those systems being aware.

Toll fraud using auto attendant and DISA

Many businesses use auto attendant ("press 1 for sales...") and DISA (direct inward system access - "if you know the extension number of the person you require, please dial it now") systems to route callers to the right person. Both systems are often in use at the same time; for example, "if you know the extension number of the person you want, please dial it now or press 1 for sales...".

It is possible to have options on the auto attendant or DISA that make the telephone system route the call to an external number. A legitimate use of this would be to make a call to an employee's mobile telephone.

If fraudsters can access the telephone system and get it to dial an 09 number, they can dial into the system, select the option they have added to call their premium rate telephone number, then leave the call active while they take the money from the premium rate telephone number. If this goes on for days or weeks, the company will lose thousands of pounds. Insurers will often not cover this loss.

Even if fraudsters cannot access the telephone system, one aspect of DISA that is often not protected is the ability to dial 9. With this, someone can make a call into the system and when the system asks "if you know the extension you require, please dial it now", dial 9 to pick up an external telephone line. It is then possible to dial a premium rate telephone number.

Toll fraud using voice mail

This is similar to using auto attendant and DISA. Many voice mail systems have the capability of notifying the user when a message has been left; for example, by making a call to the user's mobile telephone. If fraudsters can access the voice mail system and set up their own mailboxes with notification to a premium rate telephone number, all they have to do is leave messages in the mailboxes and the voice mail system will do the rest.

How can fraudsters gain access to a telephone system?

There are several possibilities.

The simplest is if DISA has been set up with no passcode and access to external lines has not been blocked. Simply dialling 9 gives access and another call can be made.

Many voice mail systems allow creation of new mailboxes by dialling codes. If this facility has not been disabled, it is possible to make a call, get to auto attendant or DISA, dial the appropriate codes and create a mailbox. The mailbox can then be set to send message notifications to whatever number the fraudsters want.

Many telephone systems have a remote configuration capability to allow the system maintainer to make changes without the need to visit the customer. While this facility is password protected, many are left with the default password or an insecure password in place. Also, telephone system manufacturers often have 'back door' passwords, which are supposed to be secret but are not.

There is of course always the possibility of a rogue employee accessing the system or simply dialling a premium rate telephone number from a company telephone.

Telephone lines are not secure and can be accessed in the street easily. It is possible to connect an automatic dialler to any telephone line in the street cabinet, which could make a lot of calls before being found.

How can fraud be detected?

Some indications that fraud is happening are:

  • inability to get an outside line when it seems no-one in the office is on the telephone.
  • line buttons on the telephones are lit up when there does not seem to be anyone on the telephone, especially at night or over the weekend.
  • inability to access voice mail.

Many line and call providers monitor call patterns daily to look for unusual activity on the lines of their customers, and contact the customer if they see anything suspicious. Unfortunately, the first sign there is anything wrong can be when a bill for thousands of pounds arrives at the end of the month.
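
A sketch of the daily call-pattern check described above, written as an added example (it is not code from this article's author or from any line provider). The call record layout, the 08:00-18:00 office hours, the 30-minute threshold and the sample records are constructed assumptions; the 09 prefix and the £1.50 per minute figure come from the article.

```python
from datetime import datetime

PREMIUM_MAX_GBP_PER_MIN = 1.50  # the article's upper figure for UK 09 numbers

# Constructed call records: (start, source, dialled number, duration in seconds)
SAMPLE_CDRS = [
    ("2024-03-04 10:15", "ext 201", "01154960123", 240),
    ("2024-03-05 19:30", "ext 201", "01154960123", 120),
    ("2024-03-06 11:00", "ext 210", "09098790456", 60),
    ("2024-03-09 02:10", "DISA", "09098790123", 14400),
    ("2024-03-10 03:00", "voice mail notify", "0012025550123", 3600),
]

def is_out_of_hours(start):
    """Weekend, or outside 08:00-18:00 (assumed office hours)."""
    return start.weekday() >= 5 or not 8 <= start.hour < 18

def review_calls(cdrs, long_call_secs=1800):
    """Return one alert per call that matches the fraud indicators."""
    alerts = []
    for when, source, number, secs in cdrs:
        start = datetime.strptime(when, "%Y-%m-%d %H:%M")
        digits = "".join(ch for ch in number if ch.isdigit())
        premium = digits.startswith("09")
        reasons = []
        if premium:
            reasons.append("premium rate (09)")
        if digits.startswith("00"):
            reasons.append("international")
        if secs >= long_call_secs:
            reasons.append("long call")
        out_of_hours = is_out_of_hours(start)
        # Any 09 call is worth a look; otherwise require an out-of-hours
        # call that is also international or unusually long.
        if premium or (out_of_hours and reasons):
            if out_of_hours:
                reasons.append("out of hours")
            cost = round(secs / 60 * PREMIUM_MAX_GBP_PER_MIN, 2) if premium else None
            alerts.append({"when": when, "source": source, "number": digits,
                           "reasons": reasons, "worst_case_gbp": cost})
    return alerts

if __name__ == "__main__":
    for alert in review_calls(SAMPLE_CDRS):
        print(alert)
```

Run against a day's call log, this flags the weekend DISA and voice mail notification calls while leaving an ordinary evening call to a local number alone.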

Who is liable for the costs?

Whoever pays the telephone bill is liable. The provider of the lines is not normally liable. Although many monitor calling patterns, this does not mean they are liable for any fraud that might happen on lines they provide.

Fraudulent call charges can quickly become many thousands of pounds, which could bankrupt many businesses. General business insurance does not normally cover this kind of loss.

What can be done to avoid toll fraud?

Any telephone system that has auto attendant, DISA or voice mail is at risk if it has not had proper measures applied to prevent fraud. Systems that do not have these facilities are still at some risk, but it is less serious.

The main thing the system user can do is to make sure that all mailbox passcodes have been changed from the default. Ask the system maintainer to ensure security measures are implemented on the telephone system to reduce the possibility of it being hacked. These include making sure maintainer and manufacturer passwords have been changed.

Voice mail security and passcodes

You have probably seen news reports of celebrities having their mailbox accessed by journalists. You might not be someone who attracts media attention but there are other reasons that someone with nefarious intent might want to access your mailbox. The most likely reason for an unauthorised person to access a company voice mail system is to commit toll fraud, which is commonly done through unprotected mailboxes.

It is very important to set a passcode that is difficult for anyone else to guess. While we cannot give a comprehensive list of passcodes not to use, the following are passcodes that we see often and that, for some reason, people think cannot be guessed.

  • 1111
  • 1234
  • 4321
  • 0000
  • 9999
  • 1966
  • 1066
  • Your date of birth or any part thereof

1966 and 1066 are particularly interesting as they both relate to famous events. The dates of well-known events make passcodes that are easy to remember but also easy to guess; if you know the famous date, so do a lot of other people.

Your date or year of birth is also a bad choice as others are likely to know it.

We strongly recommend that you use a passcode that means something to you but not to anyone else.
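
A check that could be applied when a mailbox passcode is set, as an added example (not code from this article's author or from any voice mail product). It generalises the list above to repeated digits, ascending and descending runs, year-like values and parts of the date of birth; the function names, the 1900-2099 year range and the `system_default` parameter are assumptions.

```python
from datetime import date

# Passcodes the article names as commonly seen
LISTED = {"1111", "1234", "4321", "0000", "9999", "1966", "1066"}

def dob_forms(dob):
    """Common written forms of a date of birth, digits only."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    return [d + m + y, m + d + y, y + m + d,
            d + m + y[2:], m + d + y[2:], y[2:] + m + d]

def weak_reasons(passcode, dob=None, system_default=None):
    """Return the reasons a numeric passcode is easy to guess (empty if none)."""
    if not (passcode.isascii() and passcode.isdigit()):
        raise ValueError("passcode must contain digits only")
    reasons = []
    if system_default is not None and passcode == system_default:
        reasons.append("unchanged default")
    if passcode in LISTED:
        reasons.append("on the article's list")
    if len(set(passcode)) == 1:
        reasons.append("single repeated digit")
    # Difference between neighbouring digits, modulo 10: all 1 is an
    # ascending run (1234, 8901), all 9 is a descending run (4321).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(passcode, passcode[1:])}
    if steps in ({1}, {9}):
        reasons.append("ascending or descending run")
    # Assumed range for a year of birth or a recent well-known date
    if len(passcode) == 4 and 1900 <= int(passcode) <= 2099:
        reasons.append("looks like a year")
    if dob is not None and any(passcode in form for form in dob_forms(dob)):
        reasons.append("part of the date of birth")
    return reasons

if __name__ == "__main__":
    # Constructed sample: a user born on 23 July 1985
    for candidate in ("1234", "1966", "2307", "8305"):
        print(candidate, weak_reasons(candidate, dob=date(1985, 7, 23)))
```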

Want to ensure you don't become a victim of toll fraud?

Call us on 0115 938 9685 or use our contact form.