Fraud within the telecommunications industry costs UK-based SMEs about £1 billion a year, according to data from Incom.
Telecom fraud takes several forms: using the phone system as a backdoor to your data if the two are linked; using your phone system to make calls, usually to expensive destinations such as international or premium-rate numbers; or making calls that appear to come from your organisation in order to scam other organisations.
A number of suppliers offer fraud detection and indemnity - some for free, others for a fee. However, before you choose one of these services, it is important to be clear about how much of the fraud is covered.
Ofcom insists that providers should not profit from fraud, so if you're a victim, and you have to make a payment to your telecoms provider, it should be only for the cost of the calls incurred by the supplier, not their normal resale price.
All employees should be made aware of the risks and how to mitigate them:
- Always be cautious when speaking over the phone to anyone claiming to be a representative from your provider;
- If you are unsure, always end the call;
- Bar calls from unknown numbers;
- Do not call back to numbers that you have never seen before;
- Security measures, such as passwords or questions on their accounts, should be set up;
- Try to make passwords unique and memorable, but not predictable - fraudsters love obvious passwords.
A new set of potential problems has arisen because of the rise of IP or internet solutions such as SIP and VoIP. Before businesses moved from analogue phones to IP phone networks, it was rare for staff to be able to access anything relating to their phones from the corporate computer network; so why should employees be able to access the phone network now simply because the network's underlying protocol has changed?
Ideally, you should have physically separate data and phone networks, but if this isn't realistic, VLANs can separate traffic. You want to ensure that no data can traverse between the two networks without passing through a network security device. Many providers recommend using a session border controller (SBC) but some companies are reluctant to pay for this extra measure, partly because its significance is not always understood.
Whether you use landlines or IP, it's worth setting up call bars on premium numbers (and even, if appropriate, international numbers) to limit the impact if your systems are compromised. It's also worth taking a more robust approach with the use of passwords.
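As an added illustration (not from the original article or from any provider's product), here is a sketch of the matching logic behind a call bar for a UK site, showing that the bar has to recognise the same destination however it is dialled. It assumes premium-rate numbers are the UK 09 range and that there is no outside-line access digit; the function names are hypothetical and the sample numbers are constructed from reserved ranges.

```python
import re

# Assumed policy for this example: bar the UK premium-rate range (09...)
# and, optionally, all international destinations. Extend the tuple to
# match your own tariff and provider guidance.
UK_PREMIUM_PREFIXES = ("09",)


def normalise(dialled: str) -> str:
    """Reduce a dialled string to one canonical form.

    UK numbers become national format (leading 0); everything else that
    carries an international prefix becomes "+<digits>".
    """
    s = re.sub(r"[\s\-().]", "", dialled)   # drop spaces and punctuation
    if s.startswith("00"):                  # 00 is the UK international prefix
        s = "+" + s[2:]
    if s.startswith("+44"):                 # UK number written internationally
        return "0" + s[3:].lstrip("0")      # also handles "+44 (0)906..."
    return s


def classify(dialled: str) -> str:
    n = normalise(dialled)
    if n.startswith("+"):
        return "international"
    if n.startswith(UK_PREMIUM_PREFIXES):
        return "premium"
    return "standard"


def is_barred(dialled: str, bar_international: bool = True) -> bool:
    kind = classify(dialled)
    return kind == "premium" or (kind == "international" and bar_international)


if __name__ == "__main__":
    # Constructed sample dial strings (reserved/drama ranges, not real lines).
    samples = [
        "020 7946 0000",         # ordinary London number
        "0909 879 0000",         # premium rate, national format
        "+44 909 879 0000",      # same destination, international format
        "0044 (0)909 8790000",   # same destination again
        "00 1 212 555 0100",     # international
    ]
    for number in samples:
        print(f"{number:22} {classify(number):14} barred={is_barred(number)}")
```

A bar that only compares the raw dialled digits against "09" would treat the third and fourth samples as ordinary international calls, so normalise before matching.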
All SMEs need to be aware of the threat and should talk to their provider about what steps they can take to avoid becoming the victim of a telecoms fraud.