Telecoms fraud costs UK SMEs about £1 billion a year, according to a survey conducted by Incom (2012).
Phone hackers are often skilled engineers who focus solely on vulnerable telecommunications systems. Organisations such as Ofcom, City of London, and Action Fraud advise that small businesses should take the necessary precautions to avoid being targeted.
The following advice is for business owners and managers:
1) A number of suppliers offer fraud detection and indemnity – some for free and some at a charge. However, it is important to read the detail to understand exactly what is covered and how it works. For example, is detection triggered by a change in call volumes or by calls to certain destinations? How much of the fraud is covered? Is it from the point of detection, all of it, or the excess above a certain level?
Ofcom says providers should not profit from fraud. If you are a victim and have to make a payment to your telecoms provider, it should only be for the cost of the calls incurred by the supplier, not their normal resale price.
2) SMEs need to be cautious when speaking over the phone to representatives claiming to be calling from their provider or in relation to their phone systems. If you’re unsure, always end the call, bar calls from unknown numbers, and/or do not call numbers you have never seen before. Always leave time between ending the call and calling the number back; hackers try to leave the line open for a few minutes so their accomplices can hack into the phone system.
3) SMEs should ensure that employees are aware of the risks and how to mitigate them. Security measures, such as passwords or questions on their accounts, should be set up. Make them unique and memorable – not predictable. Ofcom says that many telecom fraudsters target businesses because their passwords are too obvious.
4) The rise of IP or Internet solutions such as SIP and VoIP has created a new set of potential problems. Before businesses moved from analogue phones to IP phone networks, employees could seldom access anything relating to their phones from the corporate computer network – but with an Internet solution they can. So the best configuration is to have physically separate phone and data networks. If this isn’t realistic, VLANs can separate traffic. No data should be able to traverse between the two networks without passing through a network security device. Many providers recommend the use of a session border controller (SBC) to protect the network.
5) Whether you use landlines or IP, setting up call bars on premium numbers and, unless required for normal business, international numbers can limit the impact if your systems are compromised.
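To illustrate point 5, here is an added sketch (not from the original article or any provider's system) of the check a call bar has to make. It reduces every dialled number to one form first, so that a bar on 09 premium numbers also catches the same number dialled as +44 or 0044. The allow-list and sample numbers are constructed assumptions.

```python
import re

# Assumptions for this sketch: only UK 09 numbers are treated as premium rate,
# and the allow-list holds the country codes this business needs to call.
ALLOWED_COUNTRY_CODES = ("353", "33")

def to_international(dialled):
    """Return the digits in country-code-first form, or None for short codes."""
    s = dialled.strip()
    if s.startswith("+"):
        s = "00" + s[1:]              # "+" and "00" are the same prefix from a UK line
    d = re.sub(r"\D", "", s)          # drop spaces, brackets and dashes
    if d.startswith("00"):
        return d[2:]
    if d.startswith("0"):
        return "44" + d[1:]           # national format: prepend the UK country code
    return None                       # short codes such as 999 or 101

def is_barred(dialled):
    """Return (barred, kind), where kind is 'uk', 'premium' or 'international'."""
    intl = to_international(dialled)
    if intl is None:
        return False, "uk"            # never bar emergency and other short codes
    if intl.startswith("44"):
        national = intl[2:].lstrip("0")   # tolerate the "+44 (0)9..." written form
        return (True, "premium") if national.startswith("9") else (False, "uk")
    return (not intl.startswith(ALLOWED_COUNTRY_CODES)), "international"

def barred_calls(numbers):
    """Return the dialled numbers that the bar would block."""
    return [n for n in numbers if is_barred(n)[0]]

# Constructed sample numbers (not real call records).
SAMPLE_DIALLED = [
    "020 7946 0123", "0909 879 0123", "+44 909 879 0123",
    "0044 (0)909 879 0123", "999", "00 353 1 234 5678", "0061 2 5550 0123",
]

if __name__ == "__main__":
    for number in SAMPLE_DIALLED:
        barred, kind = is_barred(number)
        print(f"{number:24} {kind:14} {'BARRED' if barred else 'allowed'}")
```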
All SMEs need to be aware of the threat and should talk to their provider about what steps they can take to avoid becoming the victim of a telecoms fraud, which can be costly, disruptive and time-consuming to sort out.