Fraudulent Calling: How to Minimize Your Risk.

Hackers cost companies millions:

Hackers continue to find new ways to hijack phone systems to make fraudulent calls. They attack companies and organizations of all sizes, and the losses, while not known precisely, are likely to be in the millions of dollars.

While hackers are continually finding new strategies, there are steps you can take to reduce the likelihood that they succeed against your phone system.

Steps to minimize risk:

First, check with your phone system vendor to see if they have built fraud prevention into your phone system and if so, what steps you need to take to make the best use of it. Next, check with your insurance provider to make sure you will be covered in the event of fraud.

Additional Phone System Protections:

  • Set your phone system so that it accepts connections only from on‐site phones and specific, known IP addresses.
  • Check on phones where call forwarding has been set up. A common technique is for a hacker to set an extension so that it forwards calls to a fraudulent destination.
  • Use complex passwords and/or MD5 authentication or public/private keys.
    • Set passwords to at least eight characters in length, with at least one capital letter, at least one number, and at least one special character as allowed by your phone system.
  • Ensure that users are not allowed to use their extensions or other trivial PINs (such as 1111 or 1234) as the password on their voicemail accounts.
  • Configure SIP proxies and firewalls with access lists to prevent access from unauthorized IP address blocks.
  • Configure your phone system to reject calls to international destinations if you do not need to call them. If you do need to make international calls, set up only the destinations you need to call, if your phone system allows.
  • Change usernames and passwords for connected devices when a user leaves or becomes de-authorized. Ensure that all access is removed from a user upon departure.
  • Change passwords routinely on remote connected accounts.
  • Review call records regularly to be sure that traffic is what is expected from normal business use.
  • Do not share SIP account passwords and device configuration passwords with anyone.
  • Do not allow external users to redial from the phone system.
  • Prevent external access to the phone system management portal.
  • Secure other services on the phone system. HTTP, FTP, and SSH are commonly exploited and should be tightly restricted.
  • Phone systems should be behind firewalls, and SIP proxy services should be used to pass traffic between external and internal systems.
  • Ensure that no default passwords have been left on your phone system and network devices.
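
To make the "review call records regularly" and international-destination items above concrete, here is an added example (not part of the original article or any vendor's tooling) that scans a call detail record export for unapproved international calls and off-hours bursts from a single extension. The CSV column names, the home country prefix, the allow list and the thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR export; column names are assumptions, adapt to your PBX.
SAMPLE_CDR = """start,extension,dialed,duration_sec
2024-03-04 10:15:00,101,+12025550143,180
2024-03-04 14:02:00,102,+442079460000,300
2024-03-09 02:11:00,105,+9995550100,1200
2024-03-09 02:14:00,105,+9995550101,1500
2024-03-09 02:19:00,105,+9995550102,1400
2024-03-09 02:31:00,105,+9995550103,1600
"""

HOME_PREFIX = "+1"             # assumed home country code
ALLOWED_INTL = ("+44",)        # international prefixes the business actually needs
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time
BURST_THRESHOLD = 3            # off-hours calls per extension per day before flagging


def review_cdr(text):
    """Return findings as (reason, extension, dialed, start) tuples."""
    findings = []
    off_hours = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        ext, dialed = row["extension"], row["dialed"]

        # International call to a destination nobody approved.
        is_intl = not dialed.startswith(HOME_PREFIX)
        if is_intl and not dialed.startswith(ALLOWED_INTL):
            findings.append(("unapproved-international", ext, dialed, row["start"]))

        # Nights and weekends: count per extension per day, flag once at threshold.
        if start.hour not in BUSINESS_HOURS or start.weekday() >= 5:
            key = (ext, start.date())
            off_hours[key] += 1
            if off_hours[key] == BURST_THRESHOLD:
                findings.append(("off-hours-burst", ext, dialed, row["start"]))
    return findings


if __name__ == "__main__":
    for finding in review_cdr(SAMPLE_CDR):
        print(*finding, sep="  ")
```

An extension that shows up in these findings is also a good place to start the call-forwarding check from the list above.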
