PBX Fraud

Private Branch Exchanges (PBX) are telephone systems used by small and medium businesses for internal and external communications. They are frequently targeted by criminals who exploit the technology by committing what is known as PBX fraud (also known as ‘dial-through fraud’) – where the PBX is hacked into, allowing calls to be routed through the system to high rate international/premium rate numbers. The financial damage to a business can be significant. It is thought that dial-through fraud is significantly under-reported, partly because of a lack of awareness or understanding of the issue. Attacks are generally prolonged and involve expensive telephone numbers being dialled hundreds or even thousands of times, with the business left to pay the bill.

How PBX fraud works

Once an auto-dialler has been used to identify systems which are worth hacking, the criminal attacks the system in order to establish the pass code that will give them access to the PBX system itself. Features such as remote-access voicemail, message forwarding and call diversion can all be exploited to enable the illicit call dialling. In the case of voice over IP (VOIP) telephony, systems are generally compromised by malware or by accessing an IP address connected with the PBX box to bypass the company’s firewalls.

The risk

  • Your business accumulating substantial or even crippling phone bills without your knowledge

Preventing dial-through fraud

Conventional PBX systems

  • Reduce the ability for your system, if compromised, to dial high rate numbers by restricting any destinations that should not normally be dialled, such as premium rate, international or operator numbers, including directory enquiry services.
  • Review available call logging and call reporting options.
  • Regularly monitor for increased or suspect call traffic.
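Both of the last two points, reviewing call logging and monitoring for suspect call traffic, come down to checking the PBX's call records against a short list of rules. The script below is an added example and is not part of this page or of TUFF's guidance: it reads a constructed, simplified call-detail-record (CDR) export and flags calls to destinations the business never dials (premium rate, international, operator) and bursts of out-of-hours calls from a single extension, which is the pattern a dial-through attack leaves behind. The prefix list, the business hours and the CDR layout are assumptions; adapt them to your own dial plan and to the export format your PBX or provider actually produces.

```python
"""Flag suspicious outbound calls in PBX call-detail records (CDRs).

Added example, not from the original page. The CDR format used here is a
constructed, simplified one: timestamp,extension,dialled_number,duration_seconds.
"""
from collections import defaultdict
from datetime import datetime

# Destinations this business should never dial. Assumption: a NANP-region
# business (Jamaica uses 011 as the international exit code and 900 for
# premium-rate services); edit to match your own dial plan.
RESTRICTED_PREFIXES = {
    "011": "international (NANP exit code)",
    "1900": "premium rate (NANP 900 service)",
    "900": "premium rate (NANP 900 service)",
    "0": "operator",
}

# Constructed sample export: one daytime local call, one premium-rate call in
# the day, six long international calls from extension 305 late at night.
SAMPLE_CDRS = """\
2024-03-02T09:15:00,201,8765550100,120
2024-03-02T11:02:30,202,19005551234,45
2024-03-02T23:40:11,305,011252612345678,610
2024-03-02T23:51:05,305,011252612345678,598
2024-03-03T00:03:40,305,011252612345678,605
2024-03-03T00:14:22,305,011252612345678,612
2024-03-03T00:25:09,305,011252612345678,590
2024-03-03T00:36:51,305,011252612345678,601
2024-03-03T08:30:00,203,8765550199,30
"""


def parse_cdrs(text):
    """Turn the CSV-style export into a list of dicts with a parsed timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, number, duration = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "ext": ext,
            "number": number,
            "duration": int(duration),
        })
    return records


def restricted_reason(number):
    """Return why a dialled number is restricted, or None if it is allowed.

    The longest matching prefix wins, so 011... is reported as international
    rather than as an operator call on the bare "0" prefix.
    """
    for prefix in sorted(RESTRICTED_PREFIXES, key=len, reverse=True):
        if number.startswith(prefix):
            return RESTRICTED_PREFIXES[prefix]
    return None


def flag_restricted(records):
    """Pair each call to a restricted destination with the reason it was flagged."""
    flagged = []
    for r in records:
        reason = restricted_reason(r["number"])
        if reason:
            flagged.append((r, reason))
    return flagged


def is_out_of_hours(ts, open_hour=8, close_hour=18):
    """Assumed business hours are 08:00-18:00; anything else is out of hours."""
    return not (open_hour <= ts.hour < close_hour)


def call_bursts(records, max_calls=5, window_minutes=60):
    """Find extensions that place max_calls or more out-of-hours calls within
    window_minutes. A sliding window over sorted call times, rather than a
    per-day count, so a burst that straddles midnight is still caught.
    Returns {extension: (first_call_time, last_call_time)} for the first burst."""
    by_ext = defaultdict(list)
    for r in records:
        if is_out_of_hours(r["time"]):
            by_ext[r["ext"]].append(r["time"])
    bursts = {}
    for ext, times in by_ext.items():
        times.sort()
        for i in range(len(times) - max_calls + 1):
            start, end = times[i], times[i + max_calls - 1]
            if (end - start).total_seconds() <= window_minutes * 60:
                bursts[ext] = (start, end)
                break
    return bursts


def report(text):
    """Summarise a CDR export: restricted calls, talk time at risk, and bursts."""
    records = parse_cdrs(text)
    flagged = flag_restricted(records)
    return {
        "restricted": [(r["ext"], r["number"], reason) for r, reason in flagged],
        "restricted_seconds": sum(r["duration"] for r, _ in flagged),
        "bursts": call_bursts(records),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CDRS).items():
        print(key, value)
```

Run against a real export, the useful output is the list of extensions in `bursts` and the total of `restricted_seconds`: the first tells you which voicemail box or extension to lock down, the second is roughly the bill you would otherwise receive. Tune `max_calls` and `window_minutes` to your own normal traffic so that a legitimate night shift does not trip the rule.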

Restrict access by:

  • Immediately setting up call logging on any system where fraud is suspected. This should be professionally programmed to ensure all call types are covered.
  • Disabling voicemail from being able to access outside lines. Take professional advice on how to set up voicemail securely on your system.
  • Setting up secure PINs for remote access to voicemail.
  • Putting suitable restrictions in place on any extension that must have access to an outside line via voicemail.

Avoid auto features:

  • If your system has Direct Inward System Access (DISA), ensure it is completely disabled, to prevent someone calling in from outside the PBX and dialling calls as if from one of the extensions.
  • Set up any networked telephone exchanges very carefully to restrict hackers from breaking out from one site to another.
  • Ensure interactive (menu driven) voice response and auto attendant options for accessing outside lines are removed.

VOIP systems

  • Be sure to take steps to ensure both the physical and technical security of your equipment.
  • Seek advice from your system or managed service provider to help you secure your system. Some service providers have precautions in place, such as monitoring for unusual usage spikes, cutting off services if they exceed pre-agreed thresholds, or disconnecting service in the event that their SIMs are connected to a computer, switchboard or the internet.

If you think you have been a victim of PBX fraud

Report it to the Cyber Incident Response Team in the Ministry of Science, Energy and Technology (876-929-8990-9), or to the Communication Forensics and Cybercrimes Unit of the Jamaica Constabulary Force (876-967-5948 or 876-922-3288).

This page was compiled with the kind assistance of TUFF (Telecommunications UK Fraud Forum)

Jargon Buster

A Glossary of terms used in this article:

IP address

Internet Protocol address: a unique address that is used to identify a computer or mobile device on the internet.