BT Wholesale

Dial Through Fraud

Don’t get caught by Dial Through Fraud: BT’s Top Tips to help protect your business

A recent survey of members of the Telecommunications United Kingdom Fraud Forum has found that 98% of private branch exchanges that are subject to hacking result in a fraudster using the compromised telephone exchange to commit dial through fraud. Of the respondents surveyed, more than three quarters confirmed that communications fraud had increased or stayed the same within their own company during the surveyed month, with more than a quarter of respondents having reported losses greater than 5% of revenues.

BT has developed ‘15 Top Tips’ to help guard your business against the risks of Dial Through Fraud:

1. Remove or de-activate all unnecessary system functionality, including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards or tokens.
2. Restrict any destinations that should not normally be dialled e.g. Premium Rate, International or Operators including Directory Enquiries.
3. Review PBX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
4. Voicemail ports should be barred from outgoing access to trunks if possible. Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.
5. If access to trunks via Voicemail is necessary then suitable controls need to be implemented. Remove Auto Attendant options for accessing trunks.
6. Surplus mailboxes should be locked until allocated a user.
7. If DISA is not used then it should be disabled completely.
8. Restrict access to equipment (e.g. Comms room, master terminals).
9. Only give the appropriate and minimum level of system access required to carry out a task.
10. Ensure all security features (passwords, PINs etc.) are changed following installation, upgrade and fault/maintenance work (including resetting password defaults).
11. All internal information such as directories, call logging reports, audit logs should be treated as confidential material and be securely destroyed if no longer required.
12. Avoid using tones to prompt for password/PIN entry (these are used by ‘hacking’ programs). Develop processes to cover employee entry procedures, passcards, new employee vetting, and people leaving or changing jobs (revoking access to systems, mailboxes, buildings etc.).
13. System security and configuration settings should be reviewed regularly. Any vulnerabilities or irregularities should be followed up.
14. Be vigilant against bogus callers (e.g. posing as company employees) asking to be connected to switchboard operators to obtain an outgoing line.
15. Make sure you have the right terms and conditions reflected in your contracts with your PBX, VoIP and/or Voicemail maintainer in order to keep your system regularly maintained and serviced to stay safe.