Phone phreaking – are you at risk?
Global telecommunications fraud probably isn’t at the top of the list of an SME’s risk concerns, but it’s a crime that can leave its victims liable for huge, potentially crippling, phone bills. Worryingly, the UK is now one of the top five global hot spots for communication fraud, which includes telephone hacking (also known as phone phreaking). The most recent figures estimate it costs UK companies over £1 billion a year.
High profile examples include the phone hacking scandal whereby newspapers gained access to celebrities’ voicemails for information on their private lives, and New Scotland Yard being hacked to the value of £1 million over a six-month period.
What is phone phreaking?
Originally the term phone phreaking referred to telephone enthusiasts in the 1960s and 70s who were interested in the workings of telecommunications systems and how they could manipulate them to make free long distance phone calls. Over time, with the ever-increasing use of computerised phone systems, phreaking has become more closely linked to computer hacking.
There are many different ways telephone fraud can be perpetrated, but it is essentially criminals accessing a company’s telephone system for financial gain – either to avoid paying for calls or to make money from unauthorised calls. Some common attacks include:
- Direct inward system access or dial through fraud – the hacker dials into the telephone system and enters a PIN to access an outside line and then makes calls at the company’s expense. These include calls to premium rate numbers (which they own), so they make money from these calls.
- Voicemail hacks – many voicemail systems have an outbound divert system with calls directed to a preset number whenever new messages are received. The hacker gains access to the voicemail system password and changes the preset number to a premium number, again to net the proceeds from these calls.
- Call forwarding – anyone with access to a company’s building could divert a seldom used phone extension to an overseas number. By dialling that extension the call would be connected overseas but they would only have to pay for the first leg of the call.
- Selling on the details of a hacked network – setting up a bypass number which accesses the hacked network to make cheap international calls.
- Building private networks – hackers gain access to a number of phone systems, then gather them together to create their own networks and use them all over the world.
The cost of all these types of calls is charged by the telecoms provider to the business from which the call originates. That business is liable for these calls, irrespective of who made them or how.
Who is at risk?
Traditionally, hackers target businesses which are closed for long periods of time, such as schools and universities, so the call activity remains undetected for as long as possible. Even businesses which just close for the weekend and over bank holidays are at risk.
Small businesses are also more vulnerable as they are more likely to have one main number with a number of lines going from that number. The hackers can then use each line to make calls from.
The large amounts of money that can be made from phone phreaking attract sophisticated cyber criminals from all over the world, so realistically any business that is at risk from a cyber attack can fall victim to this type of fraud. It’s hard to identify the patterns of these crimes as they often go unreported because the company doesn’t want to risk any damage to its reputation.
Steps to prevent phone phreaking
There are some straightforward risk management precautions companies can take to prevent themselves becoming a victim. Businesses should:
- Frequently change passwords/PINs (including voicemail), especially when employees leave the company.
- Ensure passwords/PINs are random – do not use the default ones
- Have unwanted telephone features disabled where possible – including auto attendant options for accessing outside lines
- Implement a strict call barring plan – especially for overseas numbers, premium rate numbers and to operators, including directory enquiries. If someone does try to call these numbers then you can get an email alert to flag it
- Ask their network provider if they can be alerted when excessive call charges are incurred in a short period of time
- Ensure their telephone system’s software is fully up to date, especially with any security updates
- Regularly review the call logs and reports – look for increased or suspect call traffic
- Ensure staff are fully trained on the telephone system so they fully understand how to use its features and the risks involved.
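The call log review, call barring check and excessive-charge alert from the list above can be automated against a call-log export. The following is an added example, not part of the original article: the CSV layout, sample calls, office hours, spend limit and barred-prefix list (UK 09, 00 and 118 numbers) are all assumptions to be replaced with your own system’s values.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed call-log export; the column layout is assumed, not a real PBX format.
SAMPLE_CDR = """start,extension,dialled,cost_gbp
2024-03-01 10:15:00,201,02079460000,0.12
2024-03-02 02:10:00,214,09098790123,85.00
2024-03-02 02:20:00,214,09098790123,87.50
2024-03-02 02:40:00,214,0015555550100,40.00
2024-03-04 11:00:00,203,118500,4.50
2024-03-04 14:30:00,201,01614960000,0.16
"""

# Assumed policy values: UK dialling prefixes to bar, office hours, spend alert.
BARRED_PREFIXES = {"09": "premium rate", "00": "international",
                   "118": "directory enquiries"}
OPEN_HOUR, CLOSE_HOUR = 8, 18
WINDOW, SPEND_LIMIT_GBP = timedelta(hours=1), 50.0

def load(text):
    """Parse the CSV export into call records sorted by start time."""
    calls = [{"start": datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"),
              "ext": r["extension"], "dialled": r["dialled"],
              "cost": float(r["cost_gbp"])}
             for r in csv.DictReader(io.StringIO(text))]
    return sorted(calls, key=lambda c: c["start"])

def review(calls):
    """Return (start, extension, dialled, reasons) for every suspect call."""
    findings = []
    for i, call in enumerate(calls):
        reasons = [label for prefix, label in BARRED_PREFIXES.items()
                   if call["dialled"].startswith(prefix)]
        ts = call["start"]
        if ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR):
            reasons.append("out of hours")
        # Charges run up by this extension in the hour ending with this call.
        recent = sum(p["cost"] for p in calls[:i + 1]
                     if p["ext"] == call["ext"] and ts - p["start"] <= WINDOW)
        if recent > SPEND_LIMIT_GBP:
            reasons.append("excessive charges")
        if reasons:
            findings.append((ts, call["ext"], call["dialled"], reasons))
    return findings

if __name__ == "__main__":
    for start, ext, dialled, reasons in review(load(SAMPLE_CDR)):
        print(start, ext, dialled, ", ".join(reasons))
```

Run over the weekend and after each bank holiday, this surfaces the pattern described earlier: one extension placing repeated out-of-hours calls to premium rate and international numbers.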
The role of cyber insurance
A company typically doesn’t know they’ve been hacked until they receive a huge bill from their phone company. This debt can threaten the financial stability of the company, even if the phone company is willing to negotiate and reduce the bill (although they are under no legal obligation to do so). Traditional insurance policies, including crime insurance, do not cover telephone hacking.
A cyber insurance policy offers a wide range of protection relating to the damage or loss of information from IT systems and networks, and will cover the cost of the unauthorised calls from a phone hacking incident. It will also usually include assistance with the management of a cyber incident to minimise reputational damage. Tokio Marine HCC’s cyber security insurance policy is specifically designed for SMEs (typically with a turnover up to £5 million) and provides cover for a wide range of cyber incidents, from data breaches and privacy protection to hacker damage and cyber business interruption. Cover is for first and third party liability, meaning not only is your balance sheet protected, but those of the third parties you work with (such as customers or suppliers) as well.
If you’re interested in finding out more about the risks associated with cyber hacking and how our Cyber Protect product can help, visit our Cyber Security Insurance page.