While there are several security concerns when implementing voice-over Internet protocol (VoIP) services at a business, one that rarely receives attention is the potential for toll fraud. Some businesses even mistakenly believe that a switch to VoIP will prevent fraud. If anything, VoIP makes the business more susceptible to toll fraud.
If businesses host their own PBX system, converting VoIP to copper and back, it creates a tempting honeypot for hackers. If the hackers gain access to the system, they have nearly unlimited ability to place phone calls at will.
These are not cheap intrusions. The average cost of a toll-fraud VoIP attack is about $36,000. Given that some PBX units are cheap enough that even SMBs can afford them, that’s a potentially ruinous (and entirely avoidable) cost.
How VoIP Toll Fraud Works
The basic premise is relatively simple. VoIP fraud occurs almost exclusively in third-world countries whose local telephone grids charge huge rates for access. Hackers collaborate with unscrupulous phone grid operators to hook first-world VoIP systems into the grid, so that the business can be charged astronomical prices for phone calls to nowhere. Then, they split the profits.
Since these fees are charged directly to the victims’ phone company and numerous laws/treaties require their prompt payment, the victim is virtually always left on the hook for the charges.
In some cases, particularly enterprising hackers may even establish their own “dark” phone company, selling services to local users at low rates while running the calls through hijacked first-world computers. However, this aspect of the practice is becoming less common as cell phones and consumer VoIP lower the costs of voice communication.
Law enforcement is rarely an option in these cases. The local police or government entity might be part of the deal, and U.S. law enforcement won’t touch such cases. An active defense truly is the only option for preventing VoIP fraud.
The Deeper Dangers Of VoIP Fraud for SMBs
In most larger business networks, VoIP is kept separate from the overall data network. This means that if an intruder gains access to their PBX or other phone-switching hardware, that intruder can’t get access to anything else.
However, many smaller businesses don’t segregate their networks in this fashion. For them, a PBX attack could be the first hole poked in their security by a phalanx aimed at taking over the network. Poorly defended VoIP systems make excellent staging grounds for larger attacks.
Besides keeping these networks entirely separated, the solution here is an active, always-on security system. VoIP and cloud systems security cannot be left to chance. A network needs an active security system that’s consistently monitoring for intrusions and reporting any irregularities as soon as they occur.
Without this, a business is leaving itself open to attack, fraud, or potential systems disruption.
