Protecting an enterprise against PBX fraud

India is Number 2 in the world for PBX fraud

$7.4 B — That was the amount of fraud loss through PBX hacking in enterprises, according to the CFCA Communications Fraud Loss Survey 2015. And, India is second on the list of countries originating PBX fraud.

We recently consulted for a top-10 Indian company on hardening the security of their enterprise PBX. They had suffered a significant PBX fraud and the resulting financial loss, and wanted to improve their setup.

What is PBX fraud?

Malicious attackers look to enter into an enterprise’s PBX system and make international calls to premium rate numbers from within the enterprise. Typically, these destination numbers are located in high toll regions like the Pacific Islands.

This is also called International Revenue Share Fraud (IRSF).

How do the fraudsters make money?

The fraudsters have arrangements with the premium rate number providers to share a percentage of the revenue that is collected.

So, for example, if there is a call rate of $2 per minute, then as the call transits through multiple service providers across the world, charges are paid to these service providers. When the call reaches a premium rate number and revenue is shared, the fraudster might eventually get about $0.30.

Just $2? What is the size of loss?

It is $2 per call, but the fraudsters make thousands of calls per hour, and since they typically attack late at night or over the weekend, when monitoring is low, losses in the hundreds of thousands of dollars are typical.

A typical attack can cause a loss of $100,000 to $500,000, depending on how quickly it is detected.

Shouldn’t the telecom service provider take liability?

The telecom service providers can't take liability, since the calls are made from inside the enterprise. Quite frequently, the service provider does alert the owner of an unmonitored enterprise PBX about unusual activity, but by then it is usually too late and significant losses have already been racked up.

Why aren’t these incidents reported in the news?

Since enterprises are the target, there is a serious risk of reputational damage to the enterprise. So, even though many enterprises have faced this, the incidents are not made public, in order to protect their reputation.

Is India on the radar of fraudsters?

India is second on the list of countries where PBX fraud originates, behind only the US. There are many Indian firms that have faced this fraud.

What can you do to protect yourself?

Many configuration settings within the PBX and its connected adjuncts can be applied to protect your voice infrastructure from PBX fraud. Some of these include:

  • Disabling remote access
  • Restricting calls to specific countries
  • Setting outgoing call restrictions in off hours
  • Disabling call re-directions on voicemail
  • Removing unused extensions in the PBX and voicemail
  • Access Controls
  • LAN separation
  • Encryption, and many more

Will hardening configurations suffice?

While these configurations will protect the voice infrastructure from PBX fraud, it is important to monitor the configuration regularly, at least hourly. If a fraudster gains access to the enterprise network through other means, they will look to disable one or more of the security restrictions in the PBX configuration.

So, monitoring the security configurations every 30–60 minutes will ensure that any tampering is detected immediately.
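The hardening checklist above and the periodic configuration check described in this section can be combined into one scheduled audit. The following is an added example, not code from the original post or from Assertion; the setting names, the allow-list of destination countries and the extension directory are a constructed, vendor-neutral stand-in for whatever a real PBX export looks like.

```python
"""Audit a PBX security configuration snapshot against a hardening baseline (constructed example)."""

# Hardening baseline derived from the post's recommendations.
BASELINE = {
    "remote_access": False,                  # remote access disabled
    "allowed_countries": {"IN", "US", "GB"},  # constructed allow-list of call destinations
    "off_hours_outgoing_restriction": True,   # outgoing calls restricted outside business hours
    "voicemail_call_redirection": False,      # no call redirection from voicemail
}
# Constructed directory of extensions that are actually assigned to staff.
ACTIVE_EXTENSIONS = {"1001", "1002", "1003"}

def audit(config, baseline=BASELINE, active_extensions=ACTIVE_EXTENSIONS):
    """Return a list of findings; an empty list means the snapshot matches the baseline.
    A setting missing from the snapshot is reported too, so a deleted restriction cannot pass as compliant."""
    findings = []
    for key, expected in baseline.items():
        actual = config.get(key)
        if key == "allowed_countries":
            # Widening the destination allow-list is the tampering we care about here.
            extra = set(actual or ()) - expected
            if extra:
                findings.append(f"allowed_countries widened by {sorted(extra)}")
        elif actual != expected:
            findings.append(f"{key} is {actual!r}, expected {expected!r}")
    # Extensions nobody uses should have been removed from the PBX and voicemail.
    unused = set(config.get("extensions", ())) - active_extensions
    if unused:
        findings.append(f"unused extensions still provisioned: {sorted(unused)}")
    return findings

# Constructed snapshots: one matching the baseline, one taken after tampering.
CLEAN_SNAPSHOT = {
    "remote_access": False,
    "allowed_countries": {"IN", "US", "GB"},
    "off_hours_outgoing_restriction": True,
    "voicemail_call_redirection": False,
    "extensions": ["1001", "1002", "1003"],
}
TAMPERED_SNAPSHOT = {
    "remote_access": True,                           # re-enabled
    "allowed_countries": {"IN", "US", "GB", "ZZ"},   # "ZZ" is a constructed placeholder code
    "off_hours_outgoing_restriction": False,         # restriction lifted
    "extensions": ["1001", "1002", "1003", "1999"],  # 1999 is an orphaned extension
}                                                    # voicemail setting deleted entirely

if __name__ == "__main__":
    for finding in audit(TAMPERED_SNAPSHOT):
        print("ALERT:", finding)
```

Run from a scheduler every 30–60 minutes against a fresh export, any non-empty result is the tampering signal the section above asks for.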

Isn’t monitoring intensive and costly?

It can be intensive, and the cost can be measured in employee expenses. But now there is an automated solution, Assertion, that can do this for you at a fraction of the cost of doing it manually, and more efficiently.

Protecting an enterprise against PBX fraud was originally published in Assertion on Medium.