Are You at Risk? 6 Tips to Avoid Toll Fraud in Your ShoreTel System
By Jona Sanford
Toll fraud. Unfortunately, we are seeing a resurgence of it across the country. Toll fraud is any unauthorized use of a business's telephone system and carrier services.
The end game in toll fraud is stealing money via phone charges. Using auto dialers, hijackers call a company's DID numbers until they reach a voicemail box or an auto attendant, then guess the voicemail passwords to gain access. Once in, they dial out to expensive international numbers or premium-rate numbers overseas and take a portion of the charges those numbers generate. Because the calls appear to come from an employee inside your organization, you pay the bill and the hijackers pocket a hefty profit. Carriers can spot toll fraud and will notify you if they see questionable activity, but usually only after the fact, when the charges have already accrued.
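The two halves of that pattern, an auto-dialer sweeping DIDs into voicemail and then international calls placed by the voicemail system itself, both show up in call detail records, so you do not have to wait for the carrier. The script below is an added example, not part of the original article or of ShoreTel's software; the CDR column layout and the sample records are constructed and hypothetical, so map the field names to whatever your PBX or carrier actually exports.

```python
"""Toll-fraud indicators over call detail records (CDRs).

Added example, not part of the original article or of ShoreTel's software.
The CDR layout below is a constructed, hypothetical CSV; map the field names
to whatever your PBX or carrier actually exports.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR (not real traffic). Hypothetical fields:
# start, direction, calling, called, terminated_at, duration_s
SAMPLE_CDR = """\
start,direction,calling,called,terminated_at,duration_s
2015-03-07T02:01:10,in,2125550100,5551001,voicemail,12
2015-03-07T02:01:35,in,2125550100,5551002,voicemail,11
2015-03-07T02:02:02,in,2125550100,5551003,voicemail,14
2015-03-07T02:02:30,in,2125550100,5551004,voicemail,9
2015-03-07T02:02:58,in,2125550100,5551005,voicemail,13
2015-03-07T02:03:25,in,2125550100,5551006,auto_attendant,40
2015-03-07T02:09:44,out,voicemail,011263771234567,trunk,1810
2015-03-07T02:41:12,out,voicemail,011263771234567,trunk,1795
2015-03-07T09:15:00,in,3125550199,5551007,user,300
2015-03-07T10:02:00,out,5551007,3125550199,trunk,420
2015-03-07T11:30:00,out,5551010,01144207946000,trunk,600
"""

INTL_PREFIXES = ("011", "+")    # NANP international access code, or E.164 form
SWEEP_MIN_DIDS = 5               # distinct DIDs from one caller before we flag
SWEEP_WINDOW = timedelta(minutes=5)
UNATTENDED_ORIGINS = {"voicemail", "auto_attendant"}

def parse_cdr(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.fromisoformat(r["start"])
        r["duration_s"] = int(r["duration_s"])
        rows.append(r)
    return rows

def find_did_sweeps(rows, min_dids=SWEEP_MIN_DIDS, window=SWEEP_WINDOW):
    """Callers that hit >= min_dids distinct DIDs, all landing in voicemail or
    the auto attendant, inside `window`: the auto-dialer pattern. Returns
    {caller: max distinct DIDs seen in one window}."""
    by_caller = defaultdict(list)
    for r in rows:
        if r["direction"] == "in" and r["terminated_at"] in UNATTENDED_ORIGINS:
            by_caller[r["calling"]].append(r)
    sweeps = {}
    for caller, calls in by_caller.items():
        calls.sort(key=lambda r: r["start"])
        lo = 0  # sliding window over this caller's calls
        for hi in range(len(calls)):
            while calls[hi]["start"] - calls[lo]["start"] > window:
                lo += 1
            dids = {c["called"] for c in calls[lo:hi + 1]}
            if len(dids) >= min_dids:
                sweeps[caller] = max(len(dids), sweeps.get(caller, 0))
    return sweeps

def find_unattended_international(rows):
    """Outbound international calls whose originating party is the voicemail
    system or auto attendant rather than a user's extension (the callback and
    out-dial abuse described above). A user's own international call is not
    flagged here; that is a call-permission question, not an indicator."""
    return [r for r in rows
            if r["direction"] == "out"
            and r["calling"] in UNATTENDED_ORIGINS
            and r["called"].startswith(INTL_PREFIXES)]

def report(text=SAMPLE_CDR):
    rows = parse_cdr(text)
    return {
        "sweeps": find_did_sweeps(rows),
        "unattended_international": [
            (r["calling"], r["called"], r["duration_s"])
            for r in find_unattended_international(rows)
        ],
    }

if __name__ == "__main__":
    for name, hits in report().items():
        print(name, hits)
```

On the sample data the sweep detector flags caller 2125550100 (six DIDs in about two minutes, every one ending in voicemail or the auto attendant) and the international detector flags the two half-hour calls to a 011 263 number that were placed by the voicemail port, while the user-dialed call to the UK passes. Run it against a nightly CDR export and page someone on any hit; the thresholds are starting points, not tuned values.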
Don’t let this become a problem for you by leaving your system unguarded. The following are six common mistakes that could leave your system vulnerable, and how to mitigate each.
- Using default or easily guessable voicemail and ShoreTel Communicator client passwords
Default or easily guessable voicemail and Communicator client passwords make it trivial for hijackers to get into the system and start dialing out. Passwords like “changeme” and “1234” are widely known, and they are the first things an auto dialer tries, so we recommend setting more complex passwords and replacing any default that is still in place.
- Enabling the ‘Enable Voice Mail Callback’ feature in Class of Service (COS)
This feature lets a user listen to a message in their mailbox and choose an option to call the sender back at the number the message came from. External parties can spoof their inbound caller ID and leave a message for a user. If that user has a default or easily guessed password (1234, 123456, or the same digits as their extension), the attacker can then call back into the system, log in to that user’s mailbox, play the message they left from the spoofed number, and use the callback feature to have the system dial it. If the inbound caller originally spoofed their number to be one in Zimbabwe, the system places an outbound call to Zimbabwe, billed to you.
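Tips 1 and 2 both turn on the same weakness: a voicemail PIN or client password that a dialer can guess. Before the attacker does, audit the export yourself. This is an added example, not part of the original article or of ShoreTel's software; the export format (a list of extension and password pairs), the list of well-known defaults and the six-character minimum are assumptions, so adjust them to your own policy.

```python
"""Weak voicemail PIN / client password audit.

Added example, not part of the original article or of ShoreTel's software.
Applies the weak-credential rules from tips 1 and 2 to a list of
(extension, password) pairs. The export format, the default list and the
6-character minimum are assumptions; adjust them to your system's policy.
"""

COMMON_DEFAULTS = {"1234", "12345", "123456", "0000", "1111",
                   "changeme", "password"}   # assumed list of well-known defaults
MIN_LENGTH = 6                                # assumed policy minimum

def _is_sequential(pw):
    """True for digit strings whose neighbours all step by +1 or all by -1
    (1234, 456789, 9876)."""
    if len(pw) < 3 or not pw.isdigit():
        return False
    diffs = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return diffs in ({1}, {-1})

def weak_reasons(extension, password):
    """Return the list of reasons the password is weak; empty means it passed."""
    reasons = []
    pw = password.strip()
    if pw.lower() in COMMON_DEFAULTS:
        reasons.append("well-known default")
    if pw == extension:
        reasons.append("same as extension")
    if pw == extension[::-1]:
        reasons.append("extension reversed")
    if pw and len(set(pw)) == 1:
        reasons.append("repeated single digit")
    if _is_sequential(pw):
        reasons.append("sequential digits")
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d" % MIN_LENGTH)
    return reasons

def audit(pairs):
    """Map extension -> reasons for every entry in `pairs` that fails."""
    findings = {}
    for ext, pw in pairs:
        reasons = weak_reasons(ext, pw)
        if reasons:
            findings[ext] = reasons
    return findings

# Constructed sample export; not real data.
SAMPLE_EXPORT = [
    ("1001", "1234"),       # default, sequential and short
    ("1002", "1002"),       # same as extension
    ("1003", "3001"),       # extension reversed
    ("1004", "777777"),     # one repeated digit
    ("1005", "456789"),     # sequential run
    ("1006", "29Fk7qp!t"),  # Communicator client password, passes
    ("1007", "830417"),     # passes
]

if __name__ == "__main__":
    for ext, reasons in sorted(audit(SAMPLE_EXPORT).items()):
        print(ext, ", ".join(reasons))
```

The extension-reversed and same-as-extension rules are what make the callback attack in tip 2 work against otherwise "non-default" mailboxes, so do not drop them when you tune the list. Anything the audit flags should be reset and the user forced to pick a new PIN the next time they log in.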
- Allowing the ‘Voice Mail Notification’ User Group to have international dialing rights
Granting this group international dialing rights, for example by setting ‘COS – Call Permissions’ to ‘No Restrictions’ so that ‘International Long Distance’ is allowed, compounds the issue described in tip #2, and also opens the door to the same behavior via a Conference Bridge/SA device. If the Conference Bridge is externally reachable, individuals can join via the web bridge and use the ‘Call Me’ feature to have the system dial their phone and join them to the bridge via audio. If an international number is provided, the system will (by default) dial it. Restrict this group's call permissions to what notification actually needs.
- Allowing ShoreTel Director access via the web
To put it simply, the HQ server, and the Director interface it hosts, should never be reachable from the Internet. If Director needs to be accessed from outside the network, connect via a VPN tunnel or a remote access tool (LogMeIn, GoToAssist, etc.) rather than exposing the web interface.
- Using default or shared admin accounts in ShoreTel Director
The “admin” account is the default account with Director access when the application is installed, and as such it is widely known on the Internet. All administrators should have individual logins for system access, which gives you an audit trail: you can determine who made which changes within Director at any given time.
- Allowing unrestricted access to international dialing across all user groups
Again, this is easily mitigated, because dialing access can be limited on a per-user-group basis, so only the groups that genuinely need international dialing get it. It can also be gated by account codes, which require a user to enter a PIN when they attempt an international call.
Ask any company, large or small, how important the toll-free lines that connect callers to their business are. Many take them for granted, but these numbers are the lifeblood of the organization. You don’t want intruders tampering with your lines and, more importantly, you don’t want them dialing out and running up charges on your account. Safeguard your organization from toll fraud with these few simple steps.