Bob Foreman’s seven-person architecture firm is using the latest technology in IP phones. Thinking they were safe and protected, they went about their business normally, until one day they opened their phone bill to see that they had run up a bill of $166,000 in one weekend. Quite odd, given that no one was in the office at the time.
Based on the firm’s normal phone bill, it would have taken them 34 years to amass those charges legitimately, as stated in the complaint filed with the FCC. But the charges weren’t a mistake. Malcontents had hacked into the phone system of the company, and routed the calls to premium-rate numbers in Somalia, the Maldives, and Gambia.
The firm, based in Norcross, Georgia, is one of the latest victims of an old fraud that’s found a new life, now that most corporate phone lines are IP-based. This swindle is easier to pull off on the web and infinitely more profitable. The targets are largely SMBs, and cost global victims $4.73 billion last year. That’s up almost $1 billion from 2011, states the Communications Fraud Control Association.
Tier 1 carriers have anti-fraud systems meant to catch hackers before they mount false six-figure charges. They can also afford to credit their customers for millions of dollars in fraudulent charges every year. SMBs, though, often use local carriers, that lack these sophisticated systems. And worse yet, some of these carriers are leaving their customers to pay for the calls they didn’t make.
There are no laws that assist in this area, as there are no regulations that require carriers to reimburse defrauded customers the way credit card companies have to. Lawmakers have occasionally taken up the torch, yet little progress has been made.
How It Works
Hackers lease premium-rate phone lines, typically used for psychic or sexual-chat lines, from one of many web-based services that charge callers over a dollar a minute, then give the lessee a cut. In the US, these numbers can be easily identified by their 1-900 prefixes; furthermore, callers are told they will incur a higher rate. Elsewhere, though, such as in Estonia and Latvia, these numbers can be more difficult to spot. The profit for the lessees might be as high as 24 cents for every minute a caller spends on the phone.
The black hats then crack a SMB’s phone system in order to make calls through it to their premium number. This is typically done on a weekend, when nobody will notice. Using high-speed computers, hundreds of calls can be made simultaneously, thereby forwarding up to 220 minutes’ worth of calls a minute to the pay line. Ultimately, the hackers get their cut, usually delivered through MoneyGram, wire transfer or Western Union.
This plan can be quite profitable, when executed well. This is why premium rate resellers are on the rise. In 2009 there were 17; in 2013 there were 85, says Britain’s Yates Fraud Consulting.
What’s Being Done
The problem is moving fast, say many industry groups, yet they are still trying to tackle it. One slow solution is to routinely input known fake “hot numbers” into a fraud management system, then sharing that with carriers so they can be blocked.
Catching the elusive hackers is hard, if only because the crime can cross up to three jurisdictions. In 2011, the FBI worked with police in the Philippines to arrest four men who used the ploy to collect $2 million in fraudulent charges. This money was funneled to a militant Saudi Arabian group that US officials believe underwrote the 2008 Mumbai terrorist bombings.
Bob Foreman’s firm has turned to the FCC, the FBI, and several other agencies for assistance, yet they are still on the hook for their $166,000 phone bill with their local carrier, TW Telecom. It now includes $17,000 in termination fees and late charges. The telecom’s VP for corporate communications said that Foreman’s firm ought to have taken measures to ensure the security of its equipment.
Mr. Foreman responded that his firm didn’t even understand that this was a possible risk.
To avoid this happening to you, be sure to turn off call forwarding, and ensure there are strong passwords for international dialing systems as well as voicemail. Treat your phones as Internet-connected machines, because that’s what they are. Hackers are already doing that. When you put a computer or an IP phone system on the Internet, it immediately gets probed for a weak point.