PCs and computer servers aren't the only technology systems hackers stake out.
Major data breaches, like Home Depot's recent computer security problems, grab headlines by virtue of the millions of customers they potentially affect. Small businesses, meanwhile, continue to fall victim to another form of fraud that can lead to real losses. Understanding the threat can help you bolster your small business security.
As low-tech as it sounds, hackers are resorting to phone scams to line their pockets. Their methods are surprisingly sophisticated, and their attacks can reach heights unimagined by phone phreakers of the past.
Adam Simpson, CEO of Easy Office Phone, a cloud-based, small and midsized business (SMB) phone services provider, says many attackers exploit the gaps between a phone service provider's obligations and the security protections offered by a customer's phone systems. "The problem has been getting much worse over the past three years," he said.
In a telecom fraud case, a scammer calls a company and attempts to guess an authorized user's PIN code. On many business phone systems, a personalized PIN allows employees to dial into the office phone system to check voicemail messages and access other calling functions when they're away from their desks.
And making a wrong guess isn’t a problem. The fraudsters simply call back continuously using automated, multi-line computerized approaches that are the phone-based equivalent of a brute-force attack on a server. Once they establish a foothold, the real damage is done.
Small Business Security: The High Cost of Telephone Fraud
Simpson explained that once armed with a valid PIN code, hackers will begin calling premium international phone numbers with high per-minute charges. The owners of these numbers are typically in league with these hackers.
In the end, the hackers pocket their ill-gotten gains, and the cycle repeats. When the billing period ends, the victims receive a massive phone bill.
That was the case recently for Foreman Seeley Fountain Architecture, a seven-person firm in Georgia. The company was on the hook for more than $160,000—which ballooned to nearly $200,000 after fees—following a phone hacking incident.
Business owners shouldn't expect much help from the phone company if they find themselves in the same situation, said Simpson. "The telecom vendor is not responsible for the security of your [on-premises] equipment, no more than your ISP is responsible for your PC," he told Small Business Computing.
In the case of the architecture firm, lawyers got involved. Regardless of the outcome, it's an added expense that can strain a small business' finances.
Other scam variations include dialing up a small business' toll-free number after hours and letting the auto-attendant pick up. Customers get a big phone bill, and less-than-reputable employees at the phone service provider will share their haul with their partners in crime.
Even small businesses "running Asterisk and other VoIP on-premises solutions" aren't immune, warned Simpson. A poorly secured or configured implementation can open them up to attack.
Fortunately, there are ways small businesses can protect themselves.
Phone System Fraud: Small Business Security Tips
"Keep current on any software updates," said Simpson, and check with your phone system vendor regularly. Automatic updates are not the norm in this industry, particularly with older phone systems.
Change default passwords and PINs. That act alone helps eliminate "a back door through voicemail," said Simpson. In the same vein, disable little-used features like the ability to redial numbers from the outside, which are ripe for abuse.
Finally, consider a cloud-based business VoIP service. At a fraction of the cost of on-premises private branch exchange (PBX) systems, a cloud-based VoIP service provides monitoring capabilities, account controls, built-in security and fraud-detection capabilities that can help small businesses stop hackers in their tracks.
In the unlikely event that a hacker does gain access and goes unnoticed, spending limits can act as an early warning system that triggers an alert and shuts down international calling, a tactic Simpson's company uses to prevent fraud.
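The spending-limit safeguard described above, sketched as an added example that is not from the article or from Easy Office Phone's service: it replays constructed call records, raises one alert when international spend reaches a cap, and refuses further international calls. The record layout, the `+1` home prefix, the $150 limit and every phone number are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed call records: (extension, dialed number, minutes, USD per minute).
# The +999 numbers stand in for premium-rate international destinations.
SAMPLE_CDRS = [
    ("101", "+14045550100", 12, Decimal("0.02")),   # domestic
    ("104", "+99955500001", 30, Decimal("2.50")),   # international, premium rate
    ("104", "+99955500002", 45, Decimal("2.50")),   # pushes spend past the limit
    ("104", "+99955500003", 60, Decimal("2.50")),   # attempted after the limit
    ("102", "+442079460123", 5, Decimal("0.10")),   # legitimate, but also blocked
]

HOME_PREFIX = "+1"  # assumption: the business dials from a +1 country


@dataclass
class SpendGuard:
    limit: Decimal
    spent: Decimal = Decimal("0")
    blocked: bool = False
    alerts: list = field(default_factory=list)

    def authorize(self, ext, number, minutes, rate):
        """Return True if the call is allowed; charge international calls to the cap."""
        if number.startswith(HOME_PREFIX):
            return True                  # domestic calls are not capped here
        if self.blocked:
            return False                 # international calling is shut down
        # Records arrive after the call ends, so the call that crosses the
        # limit is still billed; every later international call is refused.
        self.spent += minutes * rate
        if self.spent >= self.limit:
            self.blocked = True
            self.alerts.append(
                f"international spend ${self.spent} reached limit "
                f"${self.limit}; last call from extension {ext}")
        return True


def replay(cdrs, limit):
    """Run records through a fresh guard; return it with per-call decisions."""
    guard = SpendGuard(limit=Decimal(limit))
    decisions = [guard.authorize(*cdr) for cdr in cdrs]
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = replay(SAMPLE_CDRS, "150")
    print(decisions, guard.spent, guard.alerts)
```

Because the block is indiscriminate once tripped, the legitimate call from extension 102 is refused too, which is the intended trade-off: someone has to review the alert before international dialing is restored.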
Pedro Hernandez is a contributing editor at Small Business Computing. Follow him on Twitter @ecoINSITE.