RSS Feed

Phone fraud is a serious and growing problem in the UK and can lead to companies suffering severe financial losses and also disruptions to service.

The issue is costing businesses £953 million annually – making it bigger than credit card fraud.

Dial-through – or voicemail – fraud can cost companies upwards of £1,000 per day and potentially thousands of pounds during a weekend or holiday period.

Inverness-based HighNet say companies, charities and even schools are vulnerable to hackers using dial-through fraud and other criminal techniques when premises are closed.

A study of 1,000 businesses by the Internet Telephony Services Providers’ Association showed 27 per cent had been hacked in the last five years, with losses averaging £12,000.

Dial-through fraud occurs when criminals target phone systems from the outside and use them to make a high volume of calls, typically to premium rate or overseas numbers.

Hackers can obtain access to a business’s call-forwarding system via its voicemail if security passwords have either not been set or are not strong enough. They can then call an extension which has call-forwarding enabled, directing the call to the premium-rate number, with the revenue for those calls being received by the fraudsters.

HighNet, which manages more than 20,000 business lines, said in the past year its security systems have intercepted eight fraud cases – involving numbers from Morocco, Cuba, Liberia, Togo, Tunisia, Albania and Bosnia – potentially worth around £100,000 in total.

Instead, the total cost was limited to £2,327, with some of the victims escaping without any financial loss due to the level of protection they have.

The Elgin-based Peugeot dealership Alan Milne Ltd was a target for hackers who made more than 500 calls to numbers to Guinea and Tunisia in just a few hours via voicemail fraud.

It could have cost the firm thousands of pounds, but a security system costing £1 a month led to HighNet intervening early and no money was lost.

The calls began at 8.08pm on a Friday- a typical weekend exploitation, hoping to get a full weekend of making expensive calls. By 11.30pm HighNet had picked up the criminal attempt, barred the calls and notified the customer.

David Siegel, HighNet’s managing director, said: “Not only did we spot the breach, but we stopped it getting worse and highlighted the problem to their phone system maintainer who subsequently locked out the bad guys.

“If we’d not acted as effectively as we did the hackers could easily have run up bills at a rate of £1,000 for each night they remained undetected.”

Steven Milne, the company’s managing director, said: “This could have been a very costly weekend for the company, but thankfully security measures were in place to stop these illegal calls before they did too much damage.

“It was an eye-opening experience for us and one we’ve learned from as we’ve updated our system and will be a lot more vigilant in future.

“We would also warn others to be aware of how easy it is for unscrupulous hackers to take advantage of businesses who do not take phone security seriously. A holiday period, or even a weekend, could cost them dearly otherwise.”

Aberdeen-based John MacLean and Sons suffered two fraud attacks this year, from numbers in Cuba and Liberia, but timely intervention by HighNet limited potential costs of up to £30,000 to just £600.

In both instances, voicemail in the Aberdeen site that had simple passwords on them were guessed by the fraudsters. This was then changed to divert to international/premium rate numbers, and then corresponding direct numbers were repeatedly dialled at random intervals for short periods each time.

The firm’s finance director Alan Freeland said: “Having recently experienced a third- party hacking into our system and utilising our communication system for fraudulent calls, it only brought home what we already knew; that it will not happen to us ……. until it does!

“We had overlooked the possibility of fraud on our telephone system and relied on old software to protect us.

“Fortunately, HighNet was alert to these scams and brought the issue to our attention very promptly and secured our lines with little impact on service or cost.  Since then we have upgraded our protection and our system is secure again.

“Everyone should ensure their communication lines and systems are fully protected, and we are grateful for HighNet’s speedy response and effective management.”

David Siegel said there are simple precautions firms can take to protect against phone fraud, while additional layers of security can be added to customers’ systems commercially for as little as £1 per month to mitigate financial loss.

“Dial-through fraud is a huge problem and has burgeoned in recent years. Fraudsters scan the internet looking for vulnerable firms to target and are ruthless when they find a weakness.

“As well as the financial loss, it can be very distressing for businesses when they fall victims to the hackers. So, we want people to be on their guard at all times, but particularly during periods like the festive holidays when they could be at higher risk.

“There are easy actions they can take to make their system safer and, for our customers, some very effective ways of countering attacks for very little cost.”

Customer checklist to help prevent phone fraud –

  • Remove all default password settings and limit access to any maintenance ports
  • Passwords and access codes should be changed regularly and, if possible, be alpha/numeric and as many digits as the system allows.
  • Avoid 000, 1234, or extension number = PIN passwords.
  • Delete/change passwords for ex-employees.
  • Consider limiting call types by extension, if an extension user has no requirement to ring international/premium rate numbers, then bar access to these call types.
  • DISA – (Direct Inwards System Access) is typically used to allow employees to dial in from home and make outbound calls (usually high value call types, i.e. mobile, international etc) via the company exchange. If activated it should be closely controlled.
  • Secure the system physically, site it in a secure comms room and restrict access to that area.
  • Regular reviews of calls should be carried out to cover analysis of billed calls by originating extension also to identify irregular usage and unexpected traffic.
  • Ensure you fully understand your system’s functionality and capabilities and restrict access to those services which you do not use.
  • Block access to unallocated mailboxes on the system, change the default PIN on unused mail boxes.
  • Be vigilant for evidence of hacking – inability to get an outbound line is usually a good indicator of high volumes of traffic through your system.



Back to news