When Hackers Attack Your Voicemail System
BlogCyberCrime PreventionSecurity

When Hackers Attack Your Voicemail System

By March 14, 2018 December 14th, 2023 No Comments
How to Avoid a $73K Long Distance Phone Bill

Think it can’t happen to you? Think again.

A short time ago, one of my technicians was speaking with a client who, one Monday morning, came in to the office to find they weren’t able to place long distance calls. After speaking with their long distance provider, they were told their long distance service was suspended because of suspicious long distance activities that occurred over the weekend.

After further discussions with their provider they learned that $73,000+ of long distance calls were made overseas over the weekend from their offices. Naturally, they didn’t make the calls, as their staff was not in.

Based on the calling activities, it was determined that their voicemail system was hacked from an external location. To add insult to injury, after learning this, they also found out that they were responsible to pay for these charges, even though they didn’t incur them.

The client then contacted the local company that supports their phone system. After explaining the situation, the client was told that this type of a hack attempt was well known to them. In fact, they knew exactly what to do to close the loopholes to prevent this from ever happening.

When our client asked why they weren’t alerted about this situation since it was known to them, the provider responded by saying “Do you know how many clients we have? We wouldn’t have had the time to let everyone know about this.”

When I heard this story, I was disgusted and shocked that, ethically, this company wouldn’t have at the very least sent an e-mail or a letter to all of their clients. I can’t imagine how the client felt. Needless to say the client was frustrated and disappointed and questioned whether to continue the relationship.

How Voicemail Fraud Works

Many businesses and phone companies around the world have fallen victim to this fraud. Fraudsters most often call a business after hours, then employ a variety of manual and automated techniques to try to guess the passwords used to protect access to voicemail equipment.

If these passwords have not been changed from their default settings, or if passwords are used that are easy to guess (i.e. 1111 or 1234), it is fairly easy for these criminals to gain access to voicemail equipment. Once inside, long distance calls are initiated, resulting in unexpected charges, often in the tens of thousands of dollars.

How to Protect Yourself from Voicemail Hacks

Today’s sophisticated voicemail systems come with safeguards to prevent this kind of exploitation. However, like locks on your car or on your house, they have to be used properly in order to be effective.

Here is what you can do to increase protection for your business:

  1. Ensure that your employees change the manufacture’s default password immediately upon being assigned a voicemail box. Be sure they are reminded to change the password frequently thereafter.
  2. Program your voicemail system to require passwords with a minimum of 6 characters (8 is preferred – the more complex the password, the more difficult it is to guess).
  3. Train your employees not to use easily guessed passwords such as their phone numbers, the number of their phone extension, or very simple number combinations.
  4. When assigning a phone to a new employee, never make the temporary password the employee’s telephone number.
  5. Program your voicemail system to force users to change their password at least every 90 days.
  6. Turn off “through-dialing” if possible.
    This feature allows you to make long distance calls from within your mailbox when you are at an off-site location. Evaluate if the through-dialing feature is truly needed. If it isn’t, ask your equipment support provider to disable it.
  7. If you decide to keep through-dialing enabled, it is very important to generate and monitor through-dialing reports to ensure your mailboxes are not being abused.
  8. Remove all unassigned mailboxes from the system.

While these precautions are very general and might not protect every aspect of an individual telephone system, they will go a long way to reducing your vulnerability to this type of fraud. We encourage you to contact your telephone equipment support provider to discuss your particular configuration in greater detail.

According to Bell, you are responsible for paying for all calls originating from, and charged calls accepted at, your telephone regardless of who made or accepted them.

In Ontario, there is a pending class-action suit against Bell regarding all of these charges. It is the Plaintiffs’ position that if Bell is capable of identifying fraudulent activity, they should be able to shut down the activity more quickly, before thousands of dollars are incurred.

If you don’t currently have a telephone equipment support provider to help you, feel free to contact the team at Technical Action Group. We’d be happy to provide you with referrals. Don’t worry, we know the name of the provider who scammed our client, so we won’t send you there!