VoIP security, VoIP fraud, VoIP safety tips, and how to protect yourself working remotely: a short but comprehensive list of the most common type of VoIP security threats and how to fight against them.

Cybersecurity Awareness Month ended just recently. VoIP use at an all-time high. It wouldn't be amiss to review what vulnerabilities exist in VoIP, and how to protect yourself from them.

Why VoIP security is important

With the world under quarantine, more and more companies, big and small, are opting to conduct the business remotely. One of the ways allowing them to do that is VoIP. Using virtual phone numbers and IP PBX, a company can make sales, offer support, and communicate internally. Comcast reports more than a 200% increase in VoIP traffic. Other big names in the industry predict the market reaching more than 100 billion USD by 2026. What a piece of pie for fraudsters and hackers.

With more than 40,000 attacks on VoIP users and providers per day, keeping yourself informed about different types of attacks and exploits fraudsters use will make it slightly easier to combat them.

Types of VoIP fraud

VoIP fraud is, usually unauthorized, use of VoIP communications in a way that vary from outright illegal to technically allowed, though still harmful.

The most common types of VoIP fraud are:

  • Arbitrage;
  • Bypass/GSM gateway fraud;
  • Call transfer fraud;
  • Premium rate calls;
  • PBX hacking.

Arbitrage

This one is within a legally gray area. Arbitrage means taking advantage of the call rate difference in different markets.

Let's take a look at the example. Country A and B have high settlement rates between themselves. Country B and C have much lower rates. If a provider from country A sends traffic to country B through country C, by country C's rates, it would be arbitrage. So far, does that sound alright? Just a business sense.

When a fraudster pockets the difference and the end-user is charged full price, this becomes unsavory business practice. Other negative consequences are issues with additional services like voicemail and Caller ID issues.

Tips:

Using the services of a trustworthy provider lowers the risk of being exploited via arbitrage.

Bypass/GSM gateway fraud

Bypass fraud (GSM gateway fraud, SIM boxing, Interconnect fraud) is making long-distance or overseas calls to appear domestic when using GSM gateways. The difference in rates is the fraudster's profit.

It's something that more frequent in developing countries due to a huge difference in tariff rates.

Some consider this a gray area type of fraud, arguing that GSM gateways could be used legitimately.

Tips:

Again, only a reliable provider can ensure you're not being exploited by this scheme.

Call transfer fraud

One of the most direct and harmful types of VoIP fraud is call transfer fraud.

How does it work:

  • Fraudster is a provider of VoIP services in some other country or an owner of Premium Rate numbers. They hack a PBX.
  • They change call forwarding to another destination. The owner of PBX won't see the changes. Tracking a call after it is transferred out of the network is usually impossible.
  • The owner can't bill people who call the number used in the forwarding. He loses money and the fraudster gains profit.

Tips:

  • always change default passwords for any PBX user accounts to a strong and hard to guess one;
  • block call forwarding to any country except the one you use. Any exception must use the specific number;
  • turn off call transfer and/or outbound calls from your voicemail boxes;
  • set up a list of IP addresses that are allowed access to your PBX. It won't be a white list, however, and all the other security means will still work. It's just that no one from different IPs will be able to access your PBX.

This may be troublesome for people who often travel or don't have a static IP. So, the additional points of security would be setting up a daily limit for calls.

Premium rate fraud

Premium rate numbers were mentioned above already but let's dive into it. What is the premium rate telephone number?

Again, it's something that could be legal and becomes a fraud only if used unscrupulously. Normally, premium rate lines collect money for the call, per minute, because they provide some kind of service. Info desks, remote support, televoting, etc.

How premium rate numbers are used in call fraud?

  • You may be unaware you're calling a premium rate number. Government regulations in most countries require businesses to warn customers about this, call rate included. Fraudsters obviously won't do that. They may post it under false pretenses or even just call your number and quickly hang up, so you would call them back. Tip: don't call back unknown numbers.
  • Premium rate numbers could be used as the destination for calls through the hacked PBX. Tip: take as many steps as possible to protect your PBX.

PBX hacking

As the previous section states, a lot of VoIP fraud types are interconnected. Call transfer fraud is possible only through PBX hacking. But that's not the only possible way to exploit a PBX. Anyone who has unauthorized access to your PBX can make outgoing calls through it. Usually, destinations used are the ones where the hacker has a revenue share.

Actually, sometimes it doesn't even have to be PBX hacking. It's enough to hack your SIP account. So even if you don't use a PBX and instead use a SIP account created for you by a virtual phone number provider, you're not safe.

How to protect yourself from this simplest but most dangerous to an end-user type of fraud?

  • Never use default pins;
  • Strong password is a must;
  • Change passwords periodically;
  • Never disclose to anyone your SIP credentials. If you have, change the password ASAP;
  • A lot of hacking relies on usual tricks. Protect your email, don't click any strange links, and don't send information about yourself to anyone, etc.

PBX/SIP-specific tips:

  • Turn off outgoing calls outside business hours. Usually hacking and exploiting of a hacked PBX goes on at night or on weekends when it's harder to catch the culprit in progress because no one is looking very closely;
  • No short administration codes if possible;
  • Disable outbound destinations you don't use. How often your business needs to contact someone in, say, Zambia? It's preferable to change those restrictions as needed instead of leaving yourself vulnerable;
  • Review your call records and make sure to follow up on any inconsistencies, even small. There are patterns to look out for. Higher traffic outside business hours, untypical or unfamiliar destinations, quick calls (under 10 seconds). Sometimes, a long time passes after hacking before the fraudster feels safe to exploit the hacked PBX. Though the hacker could test that it's safe to use it still, from time to time. So, analyzing calls is a must.

It's quick and easy to take those further steps to secure your PBX.

However, if you're using a cloud PBX or just a VoIP phone number with a SIP account, it could be impossible to do it yourself. Contact your service provider and consult with them about how to protect your account better. Security policies and techniques may vary.

For example, Freezvon helps its customers to add three layers of security to their VoIP communications:

  • IP-restricted access to SIP accounts/virtual PBX;
  • White list of countries for outbound calls;
  • Daily limit for outbound calls.

The best way to protect your SIP account is to buy virtual numbers from a provider that invests in secure VoIP communications.