Gulaga Networks

What is Fraud Prevention and how can you protect against it?

With a business that is growing and expanding, coupled with a desire to meet customers’ expectations and provide efficient and convenient services, there is a lot to think about. For a business with a digital element, that has shown significant growth over the past few years, there can be even more to think about as you consider fraud protection solutions and helping to keep your customers’ information secure and safe.

There are some great benefits to offering some services in a way that is completely based on digital and IP networks, but it can also leave organisations feeling a little more susceptible to some identity-based threats. So, having fraud detection and prevention solutions in place can make a huge difference to your business, as well as to your customers.

Phone system fraud

The National Fraud Intelligence Bureau has issued warnings about fraud, and phone system fraud in particular, to small to medium-sized businesses, as well as to schools, charities, and medical practices. This is where phone lines are hacked and the perpetrators make a lot of premium-rate or international calls, resulting in costly phone bills. The number one victim is often the small to medium-sized business, so if you run one you need to be aware of this and take proactive precautions to stop fraudulent access to, and calls from, your office phone system. This type of fraud is also most likely to occur when organisations are most vulnerable: it is much more likely to happen while you are closed for the Christmas holidays, for example, than when you are open all hours in the summer. So being vigilant is vitally important.

The list below is unfortunately not exhaustive, but it illustrates the wide range of methods that are used to conduct office telecoms fraud.

Phone system fraud, also known as Dial Through Fraud, is a multi-billion-pound cybercrime in the UAE and is estimated to cost organisations in the region of Dirham 5bn per annum. In most cases, this could be avoided by ensuring preventative measures are in place to stifle and block hackers. Fraudsters use sophisticated auto-diallers to call random telephone numbers day and night with the objective of connecting to a business’s voicemail portal. Once connected, they hack into the system and dial international and premium-rate numbers by exploiting remote access to the voicemail portal, message forwarding and call diversion features. In many cases, the PIN or passcode is still set to the factory default or is otherwise not very secure, allowing the fraudster to easily gain control of your phone system and make outbound calls at your, the owner’s, expense. VoIP systems can also be attacked via malware or by accessing the IP addresses that connect to the internet and bypassing the firewall security.

Revenue share scams are a type of fraud usually involving premium-rate telephone numbers. Calls made to this type of number carry a higher price tag for their services. Hackers will create shell companies that then purchase these premium-rate numbers. They artificially inflate traffic to these numbers and receive a substantial portion of the call charge.

In most cases, the fraudsters will hack into a business phone system and generate unauthorised calls to the premium-rate number. They will usually do this at weekends so that the breach is not discovered until Monday morning, by which time many hours’ worth of illegal phone calls have been made. The unsuspecting victim will end up with a costly bill and the hacker makes off with revenue from the illegal calls.

Call transfer fraud happens when someone hacks into a VoIP PBX phone system to generate free international calls. The hacker usually has their own VoIP service in another country. When a subscriber to the fraudulent service makes a call to an international destination, the call travels through the compromised PBX or IP phone system. The actual owner of the office phone PBX cannot bill the subscriber of the fraudulent service. The fraudster is then able to collect payment from their customers for illegal services provided through stolen resources.

Mobile telephony fraud can range from a handset being stolen and used, to the user being tricked into calling or texting a premium-rate number, to the phone being cloned or used for eavesdropping. Apps are another important security consideration. Some apps can expose the user’s personal information, location, address book, and financial information through previously granted or set permissions.

Preventative Measures

While not exhaustive, some straightforward preventative actions that can be taken are recommended here.

Change the default administrative and engineering passwords. It used to be that hackers coveted the default engineer passwords to office phone systems and traded them with other hackers. Today everyone on the Internet can find out the default password of most PBX systems and routers.

Change DDI extension and the associated voicemail default passcodes regularly.

Another easily set up and frequently used technique is to simply forward someone’s extension to a fraudulent number. Be aware of what numbers calls can be forwarded to, by whom, and how.

Disable access to your voicemail portal from outside lines. If outside access is business-critical, ensure that it is restricted to essential users and that they update their passcodes regularly.

Consider changing the routing of calls outside business hours. Most fraud occurs out of hours, and if all incoming calls are transferred, say, to an answering service out of hours, then the fraud opportunity diminishes.

Create dial plans that restrict international calls to only those users who have a real business need to make them. Somalia, Cuba and Nigeria are prime destinations for fraudulent phone calls to premium-rate numbers that offer a hacker revenue share. These countries are outside of the jurisdiction of UAE regulations and law, so there is no chance of prosecution or recovery of monies.

Check your business insurance to see whether you are covered for phone fraud losses. Some insurance companies have Electronic Fraud cover built into their policies already. However, it probably won’t pay out if you didn’t change the default admin password!
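The dial-plan and out-of-hours advice above can also be checked after the fact against call records. The following is an added example, not from Gulaga Networks: it audits a constructed CDR export, and the column names, extension allow-list, premium-rate prefix and business hours are all assumptions to replace with your own.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed policy values ("00"/"+" taken as the international prefix); adjust to your site.
INTL_ALLOWED = {"201"}          # extensions with a real business need for international calls
PREMIUM_PREFIXES = ("0900",)    # placeholder; use your carrier's premium-rate ranges
OPEN_HOUR, CLOSE_HOUR = 8, 18   # business hours, Monday to Friday
BURST_THRESHOLD = 3             # flagged calls per extension that count as a burst

# Constructed sample CDR export (not real call data).
SAMPLE_CDR = """start,extension,dialed,seconds
2024-03-01 10:15:00,201,0033100000000,310
2024-03-01 11:02:00,305,0400000000,95
2024-03-02 02:10:00,117,0025200000000,1790
2024-03-02 02:41:00,117,0025200000001,1802
2024-03-02 03:12:00,117,0025200000002,1795
2024-03-03 23:05:00,305,0900000000,600
"""

# Weekends and anything outside opening hours count as out of hours.
def out_of_hours(ts):
    return ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)

def classify(dialed):
    if dialed.startswith(("00", "+")):
        return "international"
    return "premium" if dialed.startswith(PREMIUM_PREFIXES) else "other"

def audit(cdr_text):
    findings, per_ext = [], Counter()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        kind, ext = classify(row["dialed"]), row["extension"]
        reasons = []
        if kind == "international" and ext not in INTL_ALLOWED:
            reasons.append("international call from unapproved extension")
        if kind != "other" and out_of_hours(ts):
            reasons.append(f"{kind} call out of hours")
        if reasons:
            per_ext[ext] += 1
            findings.append((row["start"], ext, row["dialed"], reasons))
    bursts = sorted(e for e, n in per_ext.items() if n >= BURST_THRESHOLD)
    return findings, bursts

if __name__ == "__main__":
    findings, bursts = audit(SAMPLE_CDR)
    for start, ext, dialed, reasons in findings:
        print(start, ext, dialed, "; ".join(reasons), "BURST" if ext in bursts else "")
```

Run daily against the PBX or carrier export, a non-empty burst list on a Monday morning is the pattern the weekend revenue-share scenario above would leave behind.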

The Telecommunications UAE Fraud Forum, TUFF, provides lots of interesting industry work in trying to better understand and raise awareness of business telecoms fraud and is a good source of information.

Can Gulaga Networks assist?

If you are looking for help with fraud protection, then Gulaga Networks can offer some real-time solutions to help your business. We know just how much fraud can impact a business and how quickly things can change overnight. To prevent this from happening and to minimise fraud within your company, call us today and our friendly team would be delighted to advise you and help you with some insight into what your business needs might be in terms of phone fraud prevention. We pride ourselves on our expertise, professionalism and many years of experience in fraud protection.

If you suspect you may have been the victim of fraud, we suggest you report it to Action Fraud, the UAE’s national fraud reporting centre, by calling +971-4-222-5592 or by visiting Action Fraud.

Gulaga Networks Ltd would like to remind its customers that it is their own responsibility to protect their VOIP, SIP or PBX telephony system or mobile phone estate from any dial-through fraud or other fraudulent use. If any fraud occurs, the customer is liable for any charges incurred due to unauthorised use of these services.

Gulaga Networks Ltd can conduct an audit of your telephony system security and can recommend or implement solutions that your system supports. Please note this does not pass the liability for any business telecoms fraud to Gulaga Networks Ltd; the liability remains with you, the customer, at all times, but these actions may reduce the risk of the fraud activity occurring in the first instance.