‘REGIONAL CYBER UNIT ALERTS SMES OF PBX FRAUD’
Gloucestershire Constabulary received an alert from the Regional Cyber Unit warning of a PBX (private branch exchange) fraud affecting SMEs, community centres, schools and colleges. The Constabulary states, “over the last few months we have had a number of reports of this type of attack around the region costing victims a substantial amount of money.”
The purpose of this alert is to provide knowledge and prevention advice to help organisations protect themselves from PBX and dial-through fraud.
There has been a significant rise in the number of reports made in relation to this type of fraud. Since the end of June 2013 there have been nearly 500 Action Fraud reports relating to this - costing victims over £6m.
What is PBX Fraud?
Private Branch Exchanges (PBX) are the telephone systems that organisations use to handle their internal and external calls. PBX/dial-through fraud occurs when criminals gain access to these systems from the outside and use them to make a high volume of calls to premium rate or overseas numbers in order to generate a financial return.
How does it work?
This type of crime can take one of two forms:
1. Criminals use auto-diallers to identify systems that are easy to break into, especially voicemail.
2. The system is subjected to a sustained cyber-attack to establish the pass code that gives access to the PBX itself. This is often relatively straightforward because victims leave the password/code on its default setting.
Once access is gained, the criminals can exploit built-in services such as message forwarding and call diversion, and can make calls on the organisation's account.
The criminal can make their money in two ways:
I. Dialling premium rate numbers to which they are affiliated.
II. Dialling international numbers through the compromised telephone system, especially to Eastern Europe, Cuba and Africa.
Who is affected?
The victims are often small to medium-sized businesses, but the NFIB has also noticed that a number of schools, charities and medical/dental practices are being targeted, with losses sometimes up to tens of thousands of pounds. It is anticipated that these types of organisations will be subjected to increased victimisation as criminals identify common flaws in security procedures.
This type of fraud is most likely to occur when organisations are most vulnerable, i.e. at times when the business is closed but its telephone system is NOT, for example in the early hours of the morning or over a weekend or public holiday.
Prevention
The good news is that some simple steps will significantly reduce your risk of victimisation:
• Use strong PINs/passwords for your voicemail system, and ensure they are changed regularly.
• If your voicemail is still on a default PIN/password, change it immediately.
• Disable access to your voicemail system from outside lines. If outside access is business critical, restrict it to essential users and ensure they regularly update their PINs/passwords.
• If you do not need to call international or premium rate numbers, ask your telecoms provider to place a restriction on your telephone line.
• Consider asking your network provider not to permit outbound calls at certain times, e.g. when your business is closed.
• Ensure you regularly review the call logging and call reporting options available to you.
• Regularly monitor for increased or suspect call traffic.
• Secure your exchange and communications system, use a strong PBX firewall, and if you don't need a function, close it down!
• Speak to your maintenance provider to understand the threats and ask them to correct any identified security defects.
• If you do become a victim, please report it to Action Fraud.
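The call-log monitoring advised above can be automated in a simple way. The following is an added example, not part of the original alert: it reads constructed call detail records (CDR) and flags calls to international or premium rate destinations, noting when they fall outside business hours or arrive in a burst from one source (the voicemail-port pattern described earlier). The CDR format, the premium rate prefixes and the business hours are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample CDR lines: "timestamp,source,dialled number,duration seconds".
# The last four lines mimic an out-of-hours dial-through run via the voicemail port.
SAMPLE_CDR = """\
2013-07-12 10:15:02,ext201,01452123456,120
2013-07-12 11:40:11,ext202,08719990000,45
2013-07-14 02:03:45,voicemail,0053712345678,600
2013-07-14 02:05:10,voicemail,0053712345678,580
2013-07-14 02:07:33,voicemail,0090912345678,610
2013-07-14 02:09:01,voicemail,0022512345678,590
"""

INTERNATIONAL_PREFIX = "00"                        # UK international dialling prefix
PREMIUM_PREFIXES = ("09", "0871", "0872", "0873")  # assumed premium-rate prefixes
BUSINESS_HOURS = (8, 18)                           # assumed 08:00-18:00, Mon-Fri


def parse_cdr(text):
    """Turn the comma-separated CDR lines into dicts with a parsed datetime."""
    records = []
    for line in text.strip().splitlines():
        ts, src, number, secs = line.split(",")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "src": src, "number": number, "secs": int(secs)})
    return records


def out_of_hours(t):
    return t.weekday() >= 5 or not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]


def high_risk_destination(number):
    return number.startswith(INTERNATIONAL_PREFIX) or number.startswith(PREMIUM_PREFIXES)


def flag_suspect_calls(records, burst_threshold=3):
    """Return (number, reasons) for every call to a premium/international destination."""
    risky = [r for r in records if high_risk_destination(r["number"])]
    per_source = Counter(r["src"] for r in risky)  # volume of risky calls per source
    flagged = []
    for r in risky:
        reasons = ["international/premium destination"]
        if out_of_hours(r["time"]):
            reasons.append("out of hours")
        if per_source[r["src"]] >= burst_threshold:
            reasons.append(f"burst of {per_source[r['src']]} calls from {r['src']}")
        flagged.append((r["number"], reasons))
    return flagged
```

Running `flag_suspect_calls(parse_cdr(SAMPLE_CDR))` reports the single premium rate call made during the day and the four overnight international calls, the latter also marked as out of hours and as a burst from the voicemail source.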