Telecom Fraud on the Rise: What Enterprises Need to Know
A week and a half ago, my 92-year-old father received a call from his eldest granddaughter. “Hi Grandpa, how are you feeling?” she asked. He responded that he was doing well, and that his most recent doctor appointments had gone as expected. “Was there any new news after your last hospitalization?” she went on to inquire. “No, it is the same situation, but look, I am 92 years old, so these things are to be expected. How are you doing?” Then the conversation shifted.
She shared that she had been arrested for speeding, and that while the police were willing to release her, she needed money to pay the ticket before they would do so. “I’m really in trouble, Grandpa. Can you help me out? I need $750 sent right away.” Having been well prepped in telephone security and scams by his daughter (me!), he then asked “Kelly, what authorities pulled you over?” She shared that she was in Iowa and that a local constabulary had her in their offices. He immediately hung up. He has no granddaughter named Kelly.
It comes as no surprise that scam phone calls are on the rise and scammers are becoming even more savvy in their attempts. From spoofed calls broadcasting inaccurate caller ID information and vague but believable discussions with your eldest granddaughter, or the “IRS,” there is big money to be made and the scammers are all vying to be first in line. Yet, while scammers can certainly be a threat to your family, their impact on your personal life pales in comparison to the impact they can have on your enterprise telecom.
According to the Communications Fraud Control Association (CFCA) in their 2017 survey of telecom fraud loss, organizations and carriers were hit with losses of $29.2 billion in 2017. Interestingly enough, this represents an almost 25% decrease from 2015, but it doesn’t mean the situation is improving. It simply means that, just like on the consumer side, enterprises and service providers are becoming more savvy at detecting and stopping some incidences.
One of the leading causes of telecom fraud at the enterprise level is PBX hacking and toll fraud. Representing greater than 13% of the reported 2017 losses, it isn’t a new scam by any means, but it does point to a very significant issue: Security of the enterprise phone system is still not a big enough priority inside the enterprise. In fact, the simplest of fixes are still often overlooked.
Yes, the bulk of PBX hacking still occurs the old-fashioned way. Hackers deploy scripts that look for open ports on your telecom system. Once found, they deploy standard passwords (you know, those “default passwords” or generic ones that are easy to crack?), and then control the traffic passing through the system. And it’s not just legacy PBX systems that are being compromised; IP systems are just as easily targeted. The takeover script then routes calls to premium services or uses the system to provide extensive toll calling to continue the fraud. The fix? Close the ports and change the passwords. Simple enough, yet many organizations fail to do so.
An area where organizations are focusing but feel like they are swimming upstream, is the marked increase in robocalls. According to the Washington Post, the number of robocalls in America reached the 26.3 billion mark in 2018, and these robocalls are estimated to account for 50% of all calls received in 2019. The result on the receiving end? An unanswered phone. On the surface, this seems like a “so what” moment, correct? Not necessarily, because many large enterprises, including medical providers and banks, use outbound auto-dialing protocols, and now their calls go unanswered as well.
Unlike PBX hacking’s simpler fixes, robocalling fixes are much more complex -- so much so that the FCC and carriers have established a technical protocol – SHAKEN/STIR – to attempt to address it. Using a digital certificate-based public key cryptography to provide call authentication, SHAKEN (Secure Handling of Asserted information using tokens) and STIR (Secure Telephony Identify Revisited) protocols are the strongest shot across the bow of robocalling spammers that the FCC and the industry have taken to date; hope is high that the carriers – through SHAKEN/STIR -- will be able to stem the robotide.
A lesser known but extremely costly form of telecom fraud comes in the form of subscription fraud and theft of service – especially when combined. Put simply, this involves the use of stolen identities – both individual and corporate – to take over or acquire pricey devices like smartphones for resale on secondary markets. How prevalent is this? According to ThreatMetrix, “the rate of growth in attempted fraud is outpacing legitimate transactions by 83% compared to Q1, 2016.”
Often launched through a bot attack that tests login credentials (again attempting those common, simple passwords) to look for ways to gain control of accounts to order devices and costly services, these scammers look a lot like the credit card fraudsters of five years ago. Thankfully, the carriers have taken notice of those financial protections put in place to stem the credit card fraud tide, and have begun to deploy behavioral analytics and device intelligence in the form of digital identity-based verification to detect and deter this seemingly easy target (ThreatMetrix, 2018).
These three fraud threats – PBX hacking, robocalling, and subscription fraud – account for $12 billion in fraud losses according to the CFCA. That’s a pretty hefty portion of the $29.2 billion in estimated losses for 2017. But the solution to each of the three has something in common: The fix must come from within.
Just like that simple question asked by my father -- “Kelly, what authorities pulled you over?” -- the key will be to quickly identify the source, then terminate the scammer’s access. First and foremost, ensure that your passwords are changed. That’s a “duh” statement to be sure, but don’t be surprised if you find that it hasn’t been changed. Simply change it.
Additionally, take the time to learn about the SHAKEN/STIR protocols. Demand that your own carriers adopt this authentication protocol and adopt it quickly. Ask your mobile and landline carriers which protocols they have in place to digitally identify fraudulent orders placed on your behalf. Put SLAs around it in your contracts.
Finally, if my “niece” Kelly calls, hang up.