Telecom Fraud on the Rise What Enterprises Need to Know

“SCTC Perspectives” is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.

A week and a half ago, my 92-year-old father received a call from his eldest granddaughter. “Hi Grandpa, how are you feeling?” she asked. He responded that he was doing well, and that his most recent doctor appointments had gone as expected. “Was there any new news after your last hospitalization?” she went on to inquire. “No, it is the same situation, but look, I am 92 years old, so these things are to be expected. How are you doing?” Then the conversation shifted.

She shared that she had been arrested for speeding, and that while the police were willing to release her, she needed money to pay the ticket before they would do so. “I’m really in trouble, Grandpa. Can you help me out? I need $750 sent right away.” Having been well prepped in telephone security and scams by his daughter (me!), he then asked, “Kelly, what authorities pulled you over?” She shared that she was in Iowa and that a local constabulary had her in their offices. He immediately hung up. He has no granddaughter named Kelly.

It comes as no surprise that scam phone calls are on the rise and scammers are becoming even more savvy in their attempts. From spoofed calls broadcasting inaccurate caller ID information to vague but believable conversations with your eldest granddaughter, or the “IRS,” there is big money to be made and the scammers are all vying to be first in line.

Yet, while scammers can certainly be a threat to your family, their impact on your personal life pales in comparison to the impact they can have on your enterprise telecom.

According to the Communications Fraud Control Association (CFCA) in its 2017 survey of telecom fraud loss, organizations and carriers were hit with losses of $29.2 billion in 2017. Interestingly enough, this represents an almost 25% decrease from 2015, but it doesn’t mean the situation is improving. It simply means that, just like on the consumer side, enterprises and service providers are becoming more savvy at detecting and stopping some incidents.

One of the leading causes of telecom fraud at the enterprise level is PBX hacking and toll fraud. Representing greater than 13% of the reported 2017 losses, it isn’t a new scam by any means, but it does point to a very significant issue: Security of the enterprise phone system is still not a big enough priority inside the enterprise. In fact, the simplest of fixes are still often overlooked.

Yes, the bulk of PBX hacking still occurs the old-fashioned way. Hackers deploy scripts that look for open ports on your telecom system. Once found, they try standard passwords (you know, those “default passwords” or generic ones that are easy to crack?), and then control the traffic passing through the system. And it’s not just legacy PBX systems that are being compromised; IP systems are just as easily targeted. The takeover script then routes calls to premium services or uses the system to provide extensive toll calling to continue the fraud. The fix? Close the ports and change the passwords. Simple enough, yet many organizations fail to do so.

An area where organizations are focusing, but feel like they are swimming upstream, is the marked increase in robocalls. According to the Washington Post, the number of robocalls in America reached the 26.3 billion mark in 2018, and robocalls are estimated to account for 50% of all calls received in 2019. The result on the receiving end? An unanswered phone. On the surface, this seems like a “so what” moment, correct?

Not necessarily, because many large enterprises, including medical providers and banks, use outbound auto-dialing, and now their calls go unanswered as well.

Unlike PBX hacking’s simpler fixes, robocalling fixes are much more complex — so much so that the FCC and carriers have established a technical protocol – SHAKEN/STIR – to attempt to address it. Using digital certificate-based public key cryptography to provide call authentication, the SHAKEN (Secure Handling of Asserted information using tokens) and STIR (Secure Telephony Identity Revisited) protocols are the strongest shot across the bow of robocalling spammers that the FCC and the industry have taken to date; hope is high that the carriers – through SHAKEN/STIR — will be able to stem the robotide.

A lesser known but extremely costly form of telecom fraud comes in the form of subscription fraud and theft of service – especially when combined. Put simply, this involves the use of stolen identities – both individual and corporate – to take over or acquire pricey devices like smartphones for resale on secondary markets. How prevalent is this? According to ThreatMetrix, “the rate of growth in attempted fraud is outpacing legitimate transactions by 83% compared to Q1, 2016.”

Often launched through a bot attack that tests login credentials (again attempting those common, simple passwords) to look for ways to gain control of accounts and order devices and costly services, these scammers look a lot like the credit card fraudsters of five years ago. Thankfully, the carriers have taken notice of the financial protections put in place to stem the credit card fraud tide, and have begun to deploy behavioral analytics and device intelligence in the form of digital identity-based verification to detect and deter this seemingly easy target (ThreatMetrix, 2018).

These three fraud threats – PBX hacking, robocalling, and subscription fraud – account for $12 billion in fraud losses according to the CFCA. That’s a pretty hefty portion of the $29.2 billion in estimated losses for 2017. But the solution to each of the three has something in common: The fix must come from within.

Just like that simple question asked by my father — “Kelly, what authorities pulled you over?” — the key will be to quickly identify the source, then terminate the scammer’s access. First and foremost, ensure that your passwords are changed. That’s a “duh” statement to be sure, but don’t be surprised if you find that they haven’t been changed. Simply change them.

Additionally, take the time to learn about the SHAKEN/STIR protocols. Demand that your own carriers adopt this authentication protocol, and adopt it quickly. Ask your mobile and landline carriers which protocols they have in place to digitally identify fraudulent orders placed on your behalf. Put SLAs around it in your contracts.

Finally, if my “niece” Kelly calls, hang up.
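The PBX-hacking pattern described above (a compromised extension used overnight to route calls to premium or international destinations) leaves a trace a defender can act on in the PBX's call detail records, which is where "identify the source, then terminate the scammer's access" usually starts. The following Go program is an added example and is not code from the article, the SCTC, or any PBX vendor. It parses constructed CDR lines and flags any extension whose after-hours toll calling exceeds a threshold. The toll prefixes, the business-hours window, the thresholds and every sample record are assumptions chosen for illustration; a real deployment would take them from the organization's own dial plan and calling patterns.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// CDR is one call detail record: start time (taken as the PBX's local time),
// the internal extension that placed the call, the dialed digits and length.
type CDR struct {
	Start    time.Time
	Ext      string
	Dialed   string
	Duration time.Duration
}

// Alert names an extension whose after-hours toll calling crossed a threshold.
type Alert struct {
	Ext     string
	Calls   int
	Minutes float64
}

// Assumed policy for a North American PBX: "011" is the international dialing
// prefix and "1900" the premium-rate prefix; business hours are 08:00-18:00;
// an extension is flagged when its after-hours toll calls exceed maxCalls or
// their total length exceeds maxMinutes.
var tollPrefixes = []string{"011", "1900"}

const (
	bizStart   = 8
	bizEnd     = 18
	maxCalls   = 5
	maxMinutes = 30.0
)

// SampleCDRs is constructed input ("start,extension,dialed,seconds"): extension
// 2010 makes daytime calls, 2033 one after-hours domestic call, and 2041 a
// burst of overnight international and premium calls.
const SampleCDRs = `
# start,ext,dialed,seconds
2019-09-16T09:12:00Z,2010,12025550147,240
2019-09-16T14:30:00Z,2010,011999555010001,600
2019-09-17T02:03:00Z,2041,011999555020001,410
2019-09-17T02:11:00Z,2041,011999555020002,395
2019-09-17T02:19:00Z,2041,011999555020003,420
2019-09-17T02:27:00Z,2041,011999555020004,388
2019-09-17T02:35:00Z,2041,011999555020005,402
2019-09-17T02:44:00Z,2041,011999555020006,415
2019-09-17T02:52:00Z,2041,19005550100,300
2019-09-17T03:05:00Z,2033,12025550188,90
`

// ParseCDRs reads the comma-separated form above, skipping blanks and comments.
func ParseCDRs(text string) ([]CDR, error) {
	var out []CDR
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("bad record %q", line)
		}
		start, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		secs, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, err
		}
		out = append(out, CDR{start, f[1], f[2], time.Duration(secs) * time.Second})
	}
	return out, nil
}

// IsToll reports whether the dialed digits start with a toll/premium prefix.
func IsToll(dialed string) bool {
	for _, p := range tollPrefixes {
		if strings.HasPrefix(dialed, p) {
			return true
		}
	}
	return false
}

// AfterHours reports whether a call started outside the business-hours window.
func AfterHours(t time.Time) bool {
	h := t.Hour()
	return h < bizStart || h >= bizEnd
}

// Detect aggregates after-hours toll calls per extension and returns the
// extensions that exceed either threshold, sorted by extension.
func Detect(cdrs []CDR) []Alert {
	calls, total := map[string]int{}, map[string]time.Duration{}
	for _, c := range cdrs {
		if IsToll(c.Dialed) && AfterHours(c.Start) {
			calls[c.Ext]++
			total[c.Ext] += c.Duration
		}
	}
	var alerts []Alert
	for ext, n := range calls {
		if mins := total[ext].Minutes(); n > maxCalls || mins > maxMinutes {
			alerts = append(alerts, Alert{ext, n, mins})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Ext < alerts[j].Ext })
	return alerts
}
```

Run against the sample, `Detect` returns a single alert for extension 2041 (seven calls, 45.5 minutes) and ignores both the legitimate daytime international call from 2010 and the after-hours domestic call from 2033. The point of the two-condition rule is that neither "international" nor "after hours" is suspicious on its own in most businesses; the combination, repeated from one extension within a short window, is the signature of a hijacked mailbox or SIP account and is the trigger to disable that extension and rotate its credentials.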
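SHAKEN/STIR call authentication, mentioned above as the carriers' answer to spoofed caller ID, works by having the originating carrier sign a small token (the PASSporT of RFC 8225, carried in a SIP Identity header) with the private key of its certificate, so that the terminating carrier can check that the calling number was attested by a party holding that certificate rather than simply asserted. The following Go program is an added example; it is not code from the article and does not reproduce any carrier's implementation. It builds, signs and verifies such a token with an ES256 key generated locally. The certificate URL, telephone numbers, attestation level and origination id are constructed placeholders, and the certificate fetch and chain validation a real verifier performs against the STI-PA trust anchor are omitted (the public key is passed in directly).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the PASSporT payload (RFC 8225) with the SHAKEN additions
// "attest" and "origid"; the JSON names are the standard claim names.
type Claims struct {
	Attest string `json:"attest"` // A (full), B (partial) or C (gateway) attestation
	Dest   struct {
		TN []string `json:"tn"`
	} `json:"dest"`
	IAT  int64 `json:"iat"` // issued-at, Unix seconds
	Orig struct {
		TN string `json:"tn"`
	} `json:"orig"`
	OrigID string `json:"origid"`
}

// MaxAge is the iat freshness window RFC 8224 recommends (60 seconds).
const MaxAge = 60 * time.Second

var b64 = base64.RawURLEncoding

// GenerateKey makes a P-256 key; a carrier would keep this in an HSM and
// publish the matching certificate at the x5u URL.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewClaims fills a SHAKEN payload for one call.
func NewClaims(orig, dest, attest, origID string, iat time.Time) Claims {
	var c Claims
	c.Attest, c.OrigID, c.IAT = attest, origID, iat.Unix()
	c.Orig.TN, c.Dest.TN = orig, []string{dest}
	return c
}

// Sign produces a compact ES256 PASSporT. certURL (a placeholder here) is the
// x5u header the verifier would use to fetch the signer's certificate.
func Sign(priv *ecdsa.PrivateKey, c Claims, certURL string) (string, error) {
	header, _ := json.Marshal(map[string]string{
		"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": certURL,
	})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature with the signer's public key, enforces the iat
// window (so a captured token cannot be replayed later) and confirms that the
// signed originating number is the one actually presented on the call.
func Verify(pub *ecdsa.PublicKey, token, presentedOrig string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed PASSporT")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return c, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return c, errors.New("signature does not verify: token altered or wrong signer")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if age := now.Sub(time.Unix(c.IAT, 0)); age < -MaxAge || age > MaxAge {
		return c, errors.New("iat outside freshness window")
	}
	if c.Orig.TN != presentedOrig {
		return c, fmt.Errorf("signed orig %s does not match presented %s", c.Orig.TN, presentedOrig)
	}
	return c, nil
}
```

A token signed for one number and presented with another (the spoofed-caller-ID case the article describes) fails at the last check; a token whose payload was swapped after signing fails the signature check; a token replayed minutes later fails the freshness check. What the scheme cannot do is tell you whether the attested number is a scammer's own line, which is why the attestation level and the identity of the signing carrier, established through the omitted certificate-chain step, feed the terminating carrier's analytics rather than being a pass/fail verdict on their own.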
