6 Tips to Avoid Toll Fraud in Your ShoreTel System


Are You at Risk? 6 Tips to Avoid Toll Fraud in Your ShoreTel System

By Jona Sanford

 

What cost companies 4.73 billion across the globe last year?

Toll fraud. Unfortunately, we are seeing a resurgence of it across the country. Toll fraud is any unauthorized use of a business's telephone system and carrier services.

 

The end game in toll fraud is stealing money via phone charges. Using auto dialers, hijackers call DID numbers until they reach voicemail or an auto attendant, then guess passwords to gain access to voicemail. Once in, the hijacker can place expensive international calls or calls to premium numbers overseas and take a portion of the charges. Under the guise of an employee making expensive calls from within your organization, these hijackers are able to make a hefty profit. Carriers are able to spot toll fraud and will notify you if they see questionable activity, but usually only after the fact.

Don’t let this be a problem for you by leaving your system unguarded. The following are 6 common mistakes that could leave your system vulnerable and how to mitigate them.
 

  1. Using default or easily guessable voicemail and ShoreTel Communicator client passwords

Using default or easily guessable voicemail and Communicator client passwords only makes it easier for hijackers to get into the system and start dialing out. Passwords like “changeme” and “1234” are widely known, so we recommend setting more complex passwords.

  2. Enabling the ‘Enable Voice Mail Callback’ feature in Class of Service (COS)

This feature allows a user to listen to a message in their mailbox and choose the option to call the party back. External parties can spoof their inbound caller ID and leave a message for a user. If that user has a default or easily guessed password (1234, 123456, or the same number as their extension), the outside party can then call back into the system and log in to the user’s mailbox. They listen to the message they left from the spoofed number and use the callback feature to dial it. If the inbound caller originally spoofed their phone number to appear to be from Zimbabwe, the system would make an outbound call to Zimbabwe.

  3. Allowing the ‘Voice Mail Notification’ User Group to have international dialing rights

Allowing international dialing rights, either by means of the ‘COS – Call Permissions’ set to ‘No Restrictions’ or ‘International Long Distance’ dialing, adds to the problem outlined in #2 and also opens the door to the same behavior via a Conference Bridge/SA device. If the Conference Bridge is externally reachable, individuals can join via the web bridge and use the ‘Call Me’ feature to have the system dial their phone to join them to the bridge via audio. However, if an international number is provided, the system will (by default) dial it.

  4. Allowing ShoreTel Director access via the web

To put it simply, the HQ server should never be accessible from the web. If Director needs to be accessed from outside the network, we recommend connecting via a VPN tunnel or a remote access tool (LogMeIn, GoToAssist, etc.).

  5. Using default or shared admin accounts in ShoreTel Director

The “admin” account is the default account with Director access when the application is installed and, as such, is widely known on the Internet. All administrators should have an individual login for system access, which allows for more granularity in determining who made changes within Director at any given time.

  6. Allowing unrestricted access to international dialing across all user groups

Again, this is easily mitigated because there are limitation options – access can be limited on a per user group basis. It can also be limited by requiring account codes, which require a user to enter a PIN if they attempt to make an international call.
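An added example (not from the original article or from ShoreTel): a check to run when a voicemail PIN or Communicator password is assigned or reset, rejecting the weak choices named in the first two mistakes above (“changeme”, 1234, 123456, the extension itself). It goes beyond the article by also rejecting repeated-digit and sequential PINs; the function names, the six-character minimum and the sample extensions are assumptions constructed for illustration.

```python
"""Voicemail PIN / client password check (added example, not ShoreTel code)."""

# Defaults named in the article; extend with your own site-specific defaults.
KNOWN_DEFAULTS = {"changeme", "1234", "123456"}
MIN_LENGTH = 6  # assumed policy value, not a ShoreTel default


def _is_run(digits: str) -> bool:
    """True for straight ascending/descending runs such as 234567 or 9876."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {9})


def pin_problems(extension: str, secret: str) -> list[str]:
    """Return the reasons a proposed PIN or password should be rejected."""
    s = secret.strip()
    problems = []
    if s.lower() in KNOWN_DEFAULTS:
        problems.append("known default")
    if len(s) < MIN_LENGTH:
        problems.append("too short")
    # Catches the extension itself and repeats of it (4014 -> 40144014).
    if extension and s.replace(extension, "") == "":
        problems.append("same as or built from extension")
    if s.isdigit():
        if len(set(s)) == 1:
            problems.append("single repeated digit")
        elif _is_run(s):
            problems.append("sequential digits")
    return problems


def audit(assignments):
    """Map extension -> problems for every assignment that fails the check."""
    return {ext: p for ext, pin in assignments if (p := pin_problems(ext, pin))}


# Constructed sample data: (extension, proposed PIN or password).
SAMPLE = [
    ("4012", "1234"), ("4013", "4013"), ("4014", "40144014"),
    ("4015", "777777"), ("4016", "582916"), ("4017", "changeme"),
    ("4018", "987654"),
]

if __name__ == "__main__":
    for ext, reasons in audit(SAMPLE).items():
        print(f"extension {ext}: reject ({', '.join(reasons)})")
```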

 

Ask any company, large or small, how important the toll-free lines that connect to its business are. Many take them for granted, but these numbers are the lifeblood of an organization. You don’t want intruders tampering with your lines and, more importantly, you don’t want them dialing out and running up charges on your bill for no reason! Safeguard your organization from toll fraud with a few simple steps.


About Inflow

Founded in 1997, Inflow Communications is a national leader in unified communications and Contact Centers. With over to 100,000 endpoints under Inflow’s innovative support plans around the world, their dedication to knowledge, innovation, and unrivaled customer support has landed them in ShoreTel’s top 2% in global customer satisfaction, and as a winner of ShoreTel’s coveted Circle of Excellence Partners award. For two years in a row, Inflow is a ShoreTel Platinum Partner, the highest level of partnership, and is their fastest growing partner globally. In addition, Inflow is one of the few Cloud Contact Center providers that offers implementation, ongoing support, and comprehensive consulting and training programs.  Inflow services clients across the globe and has local offices in over 10 major cities in the US.
