Toll Fraud Costs Us £4bn a Year
Toll fraud costs this country almost £4 billion a year.
That is 10 times the cost of credit card fraud [in no small part due to the switch to chip and pin]. It’s a combination of wasted time for businesses, stress and hassle for consumers and people who are victims of fraud. Part of the reason toll fraud has such a big price tag is that people use toll fraud technology to commit credit card fraud and extortion and to steal trade secrets. Crooks use some sort of confidence spoof – using a phone number or piece of information known about the victim’s financial accounts, discovered from another source. They then call their victims and talk to them as if they are from a financial institution they trust. As the phone number looks like it’s their bank, the victim feels reassured and complies! You can imagine what happens next.
At a basic level toll fraud can be as simple as someone making unauthorised calls at the business’s expense. There are companies out there whose business is three or four hackers in a room, who go on the internet and run port scans, looking for unsecured SIP devices, servers or services that they can exploit.
Once they find a device that is not fully secure, holes in a firewall or default passwords, they get to work.
They also run seemingly separate businesses that sell low-cost VoIP traffic. These sites sell minutes to anywhere you want at frankly ridiculous prices. The key is they are sending their customers’ calls out via your equipment, hence there are no costs to them – everyone’s happy – apart from you. It’s your bill and you get charged a lot more than they charged someone else. It’s a legitimate business for them and there’s that much ‘free money’ to be had that they just go out and get it.
It even happened to us once.
A few years ago an employee was working from home and plugged their VoIP phone into a Virgin Media Super Hub, which has awful security. Its protection systems are either completely on and nothing gets through, or completely off and everything gets through. As you have no choice, you end up turning off the firewall to get your phone to work. This exposes you to the internet and people looking for vulnerable access points.
Hackers find your phone within days, or even hours (this happened in less than a day in this instance). SIP phones have a web admin interface [theoretically invisible to the internet], and they figured out a way of getting the Virgin Media router to fire up that interface and, by cycling through a list of random passwords, got into it. This admin interface will deny you access after three wrong attempts for about three minutes. These hackers have a brute force server that just runs password after password, waiting for the right time and trying again, and again.
Eventually they got the right password and logged in. They figured out a way of getting the phone to send them the password details, which obviously happens completely unseen. All of this is happening while the phone is just sitting there on the desk. They plugged these stolen details into their servers and then sold some minutes. Thankfully we have limits on how many calls per second and how much we allow to go through a particular user channel, so they only used up about £50 worth of calls, but this could have been much worse if we had no way of detecting this odd calling behaviour.
Money can disappear in moments. These scams are operated by automated systems and can make thousands of calls every second! We aren’t talking about the effect of an extra person sat at a desk in your office making calls, this could be 1000 extra people who only call expensive foreign destinations – until your carrier decides you’ve exhausted your credit limit with them.
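The per-channel calls-per-second and spend limits mentioned above can be sketched as a small screening routine; this is an added example, not our production code, and the thresholds, channel names, destinations and call records are all constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed limits for illustration only; tune them to your own traffic.
MAX_CALLS = 3           # call attempts allowed per channel inside one window
WINDOW_S = 1.0          # sliding window length in seconds
SPEND_CAP_PENCE = 5000  # spend cap per channel (50 GBP), kept in pence

# Constructed call records: (time in seconds, channel, destination, cost in pence)
SAMPLE_CALLS = (
    [(10.0, "desk-101", "uk-landline", 4), (95.0, "desk-101", "uk-mobile", 12)]
    # Burst from one channel: 8 attempts within 0.7 s to a costly destination.
    + [(200.0 + i * 0.1, "home-207", "intl-premium", 300) for i in range(8)]
    # Slow but expensive: one call every 30 s, well under the rate limit.
    + [(300.0 + i * 30, "desk-115", "intl-premium", 900) for i in range(8)]
)


def screen_calls(calls, max_calls=MAX_CALLS, window_s=WINDOW_S,
                 cap_pence=SPEND_CAP_PENCE):
    """Replay calls in time order and return (blocked, spend).

    blocked maps channel -> (reason, time of the first rejected call).
    spend maps channel -> pence actually allowed through.
    """
    recent = defaultdict(deque)  # channel -> attempt times inside the window
    spend = defaultdict(int)
    blocked = {}
    for ts, channel, _dest, cost in sorted(calls):
        if channel in blocked:
            continue             # channel stays suspended until reviewed
        stamps = recent[channel]
        while stamps and ts - stamps[0] >= window_s:
            stamps.popleft()     # drop attempts that left the window
        stamps.append(ts)
        if len(stamps) > max_calls:
            blocked[channel] = ("rate", ts)
        elif spend[channel] + cost > cap_pence:
            blocked[channel] = ("spend", ts)
        else:
            spend[channel] += cost
    return blocked, dict(spend)


if __name__ == "__main__":
    blocked, spend = screen_calls(SAMPLE_CALLS)
    for channel, (reason, ts) in blocked.items():
        print(f"suspend {channel}: {reason} limit hit at t={ts:.1f}s, "
              f"{spend[channel] / 100:.2f} GBP let through")
```

The rate limit catches the automated burst after three calls, while the spend cap catches the slower channel that a rate limit alone would miss.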
It was a great learning experience, giving us some invaluable insight and helping make sure our clients do not fall foul of toll fraud. Telephony service providers do not offer credit to each other, everything is prepaid, so we pay before our users spend it. So it’s our risk, our money.
Toll fraud is rife within the telecoms industry, and costs this country far more than credit card fraud. Make sure you’re taking the necessary steps to prevent it. If you’re not sure if your VoIP system is protected, feel free to give us a call and one of our VoIP experts will be more than happy to offer some advice!