Though the realm of internet hacking is primarily concentrated on website invasion and similar mechanisms, the reality is that any device that is connected to the internet is vulnerable to attack. This includes VoIP phones, which businesses around the world use to conduct business on a daily basis.
In most cases, sophisticated hacking operations overtake control of such devices to facilitate illicit and illegal phone operations. When this occurs, even the most ironclad business can lose a significant amount or all of its revenue. This can be especially damaging for a small business. Learning how to identify and prevent this type of attack is critical to maintaining the operational security of your firm.
Two Types of Telecom Fraud
At its core, there are two primary types of telecom fraud. These are subscription fraud and toll fraud. Under the former, a hacker will pose as an employee-customer to gain access to company accounts, often infiltrating more than one in the process. Toll fraud, on the other hand, relates to the process of controlling the flow of money through the telecom network itself. This form is often more monetarily damaging, with loses commonly exceeding $1 million. In this event, hackers reroute phone calls to their own destinations, which are often extremely expensive and performed in high volumes. One long-distance phone call can be costly, but a thousand of them can be detrimental.
In addition to monetary setbacks, these types of crimes also hurt companies at an operational level. Once such a crime is identified, service and connectivity are typically blocked by the carrier or unified communications provider. In some cases, this blockage can extend to the global level, causing performance levels to drop indefinitely.
This is especially challenging in the case of subscription fraud, in which genuine employees must argue that they are indeed actual hires of the company with a legitimate need to access the telecommunications network, not hackers posing as such. The ensuing complications can take months to resolve, costing the affected company substantial portions of revenue in addition to hefty phone bills that it could be racking up in the meantime.
The Risk and Reward of VoIP
In businesses around the world, VoIP systems are heralded for their digital connectivity and the ease through which they facilitate international communication efforts. Yet, it’s this very connectivity that makes such systems inherently vulnerable to a hacking attack. As VoIP systems use the internet to facilitate conversations, they’re tapping into the same digital network that a majority of internet services use, opening them up to the same vulnerabilities and insecurities.
It’s also nearly impossible for a VoIP provider to become totally lock-tight against such susceptibility, as it must work in partnership with global companies to extend service and coverage to all parts of the world. As such, while the U.S. might be working to strengthen VoIP security, other countries might not have the same rigorous standards in place, creating a gap in the system.
Some industry research shows that VoIP fraud has increased by more than 40% in certain countries. This number is only expected to rise as the international hacking community becomes more tech-savvy through new avenues of access including password scanning and traffic pumping.
When performed over a VoIP network, toll fraud can affect both the telecom provider and the subscriber or end user. Even if the event happens at the provider level and the subscriber manages to avoid paying the costs associated with an attack, the event could cause the provider to change rates over time, resulting in increased costs. If it occurs on the subscriber level, it could lead to financial disaster. Understanding what to look for is key to preventing such attacks.
Identifying VoIP Threats
Staying on top of your VoIP security requires a dedication to data analysis and performance tracking. For instance, hackers will typically wait until your phone system isn’t at peak use to perform their attacks. That might mean making the long-distance calls in the early hours of the morning or late at night, when employees are away from the office. Or, they might wait until the weekend, and subsequently, flood your network with the pricey calls.
If you notice a strange amount of activity on your network during these down times, that could be a sign of suspicious activity. You should also monitor your internet access for any changes. Are you constantly being redirected or seeing new browser extensions every time you enter a web address? Your internal network could be compromised, if so.
The same goes for any devices you have integrated into your VoIP or internet network, such as microphones or web cameras. If these start displaying abnormal behavior, such as turning on or off without interference, someone could have gained access to them remotely.
Safeguarding Your Company Against VoIP Fraud
Just as you would put security measures in place to secure your internal network, you should also take the same steps to secure your VoIP telecommunications solution. This includes practicing basic internet safety and ensuring all employees are up to speed on what to do and what not to do.
At the very least, your IT department should ensure that all systems are up-to-date and running on the latest versions of all available software. Passwords should be strong, data should be encrypted, and two-factor authentication should be activated wherever possible. Research reveals that last year alone, two in five internet users have their passwords stolen.
Where possible, hardware firewalls should be in place to ensure critical network points are secured. When calling or conferencing over VoIP, it’s helpful to use a Virtual Private Network, or VPN, wherever applicable. Another VoIP-specific security measure is to place special standards around your Session Initiation Protocol, or SIP.
In short, your network’s SIP protocol is how it determines when a communication session is initiated and when it is over, and systems should be shut down. If a hacker gains access to and control of this system, he or she can change the SIP protocol to keep the lines open even after a conference session has ended.
To keep your SIP protocol as secure and private as possible, consider setting up a firewall around its parts. You can also restrict which employees have access to it by setting up passwords and authentication measures to ensure that only personnel with authorized access are permitted to change settings. Most VoIP systems come pre-equipped with passwords and similar credentials that are searchable online.
While some systems will lock users out after a few failed attempts to log in, most are installed without such lockouts in place, meaning that a hacker can spend hours trying new combinations without penalty. On both the employee level and the administrative one, passwords should be changed immediately, then updated every six months.
As the majority of hacking activity occurs outside of normal business hours, another step is to disable calling features once the company closes for the day. Taking these steps might require an investment in both money and time for your company, but the added peace of mind they can help provide is priceless. Considering that only 38% of people believe they’re adequately set up to succeed even after a cyber attack, it’s a move worth making as soon as possible.
Maintaining an Environment of Security
Ultimately, VoIP security is akin to internet security, though there are specific measures that must be taken to secure the telecommunications network separate from your normal internal one. Though it appears to be only a hardware system, employees and executives alike should keep in mind that it is connected to a much larger network that is more exposed than it appears.
Business leaders should review all phone logs and provider bills thoroughly to check for any suspicious activity, and remain in regular contact with their provider to learn of any issues on their level, as well. A VoIP phone system can be an ideal asset to your company, but like any other, it must be used with discernment and consistently monitored to ensure that your teams see the return on the investment they expect.