Business Insights

Most business owners today have made the smart choice to use VoIP (Voice over Internet Protocol) technology to handle their voice communications. It provides dozens of productive business features and costs significantly less than traditional telephone technologies.

The one downside to VoIP is that, because it uses your business network and the Internet, it is more vulnerable to intrusion by criminals.

Insights has often reported that hackers are after business data that may include financial information on your company or your customers. Hacking into voice calls and voice mail is also a profitable enterprise. Credit card numbers and other personal information are often exchanged verbally during everyday voice conversations.

That makes VoIP hacking a costly threat to your business and to your customers.

A story in the New York Times Technology Section tells about another potential cost:

“Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time. ‘I thought: “This is crazy. It must be a mistake,”’ Mr. Foreman said.

It wasn’t. Hackers had broken into the phone network of the company, Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives.

The firm, in Norcross, Ga., was the victim of an age-old fraud that has found new life now that most corporate phone lines run over the Internet.

The scheme works this way, telecommunications fraud experts say: Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut. In the United States, premium-rate numbers are easily identified by 1-900 prefixes, and callers are informed they will be charged higher rates. But elsewhere, like in Latvia and Estonia, they can be trickier to spot. The payout to the lessees can be as high as 24 cents for every minute spent on the phone.

Hackers then break into a business’s phone system and make calls through it to their premium number, typically over a weekend, when nobody is there to notice. With high-speed computers, they can make hundreds of calls simultaneously, forwarding as many as 220 minutes’ worth of phone calls a minute to the pay line. The hacker gets a cut of the charges, typically delivered through a Western Union, MoneyGram or wire transfer.”

Protecting your VoIP telecom from these two types of threats requires many of the same steps you take to protect your data — whether your VoIP network is housed on-site or hosted. Ask your VoIP provider to help you make sure you’ve taken the following steps to secure your voice communications.

Precautions that help prevent VoIP hacking:

  • Checking the configuration of your network and making sure protections are in place. These can include:
    • Firewalls
    • Intrusion prevention systems
    • Strong two-factor authentication for administrative access to your network
    • Up-to-date network systems
    • Voice and data systems separated
    • Session Initiation Protocol (SIP) to encrypt the signal as it travels through your network gateway
  • Controlling access by requiring secure authentication by everyone using the network
  • Encrypting those voice conversations that may contain financial or personal information
  • Limiting what kinds of calls are allowed on the network (by device, by user, and by other restrictions — such as time of day)
  • Making sure all your employees and other users are aware of the importance of creating secure authentication and strong passwords for accessing the network and their voicemail boxes
  • Instructing users to immediately delete voicemail messages containing financial or other personal customer data — stored voicemails can be hacked
  • Telling your employees to immediately report any oddities they experience with your VoIP system, such as a saved voicemail message that has been deleted or forwarded to an unusual number
  • Creating a response plan so that, if your VoIP network is hacked, you can stop the threat in its tracks
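
As an added illustration (not part of the original article or any vendor's product), the short Python script below shows how limits on destination, time of day and simultaneous calls could be checked against a phone system's call records. The record layout, the blocked prefixes (the country codes for Gambia, Somalia and the Maldives plus the U.S. 1-900 range), the business hours and the limit of two simultaneous calls per extension are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample call records: (start, extension, dialed number, seconds).
SAMPLE_CDRS = [
    ("2024-03-08 10:15:00", "101", "+14045550123", 300),  # Friday, office hours
    ("2024-03-09 02:00:00", "104", "+2205550001", 3600),  # Saturday night
    ("2024-03-09 02:00:05", "104", "+2525550002", 3600),
    ("2024-03-09 02:00:09", "104", "+9605550003", 3600),
    ("2024-03-11 09:30:00", "102", "+19005550004", 120),  # Monday, premium-rate
]

# Assumed policy values: adjust to your own calling needs.
BLOCKED_PREFIXES = ("+220", "+252", "+960", "+1900")
OPEN_DAYS = range(0, 5)     # Monday to Friday
OPEN_HOURS = range(8, 18)   # 08:00 to 17:59
MAX_CONCURRENT = 2          # simultaneous outbound calls per extension


def load(cdrs):
    """Turn raw records into dicts with start and end timestamps."""
    calls = []
    for start, ext, number, secs in cdrs:
        begin = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        calls.append({"ext": ext, "number": number, "begin": begin,
                      "end": begin + timedelta(seconds=secs)})
    return calls


def review(cdrs):
    """Return (extension, number, reasons) for every call that breaks policy."""
    calls = load(cdrs)
    findings = []
    for call in calls:
        reasons = []
        if call["number"].startswith(BLOCKED_PREFIXES):
            reasons.append("blocked destination")
        if (call["begin"].weekday() not in OPEN_DAYS
                or call["begin"].hour not in OPEN_HOURS):
            reasons.append("outside business hours")
        # Calls from the same extension in progress when this one starts.
        active = sum(1 for other in calls
                     if other["ext"] == call["ext"]
                     and other["begin"] <= call["begin"] < other["end"])
        if active > MAX_CONCURRENT:
            reasons.append("too many simultaneous calls")
        if reasons:
            findings.append((call["ext"], call["number"], reasons))
    return findings


if __name__ == "__main__":
    for ext, number, reasons in review(SAMPLE_CDRS):
        print(f"ext {ext} -> {number}: {', '.join(reasons)}")
```

The same three checks are most useful when the phone system or provider enforces them before a call connects; running them over call records, as here, catches what slipped through.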

What to do in case of a hack:

Take action immediately. Within the first 24 to 48 hours you need to determine what part of the network was compromised and what information might have been stolen.

  1. Turn to your VoIP provider to help you determine where the threat resides and how to block that part of the network so it is safe until you can implement a fix that will prevent further breaches.
  2. Use the response plan you prepared to know which steps to take next. It should include what to tell employees, your board of directors, partners, or investors. If private customer data is breached, you also need to tell your customers, law enforcement, and regulators. If your business is in the financial or healthcare sector, other compliance steps may be required.
  3. Rely on professional help to restore your business operations, whether by restoring data from backups, adjusting firewalls, blocking IP addresses, or reimaging corrupted machines.
  4. Instruct all users to change every password.
  5. Understand what went wrong and how to prevent that action or situation from happening in the future.

A breach of business and/or customer information from your VoIP system can be very costly in terms of money and of your business’s reputation. Prevention is the best defense. It’s important to be sure your VoIP system is set up to keep your voice conversations and your voice mail secure.