Insist your teams follow basic security procedures

Your telecom system has all sorts of passwords, for extension registration with the SIP server, voicemail, Web user and administration interfaces.  But let’s be honest; many people, even the IT guys, often create short and overly simple passwords that are vulnerable to brute force hacking. Or worse, the factory defaults never get changed! That’s why a strict password policy is critical. Create long complex passwords that combine special characters, numbers, and upper and lowercase letters (e.g., w#$*&b@!DoT) and enforce regular password changes.  When employees leave, immediately disable all telephony-related accounts.

Beware the social engineering capabilities of the fraudster. All those hard-to-remember passwords are stored in central password stores protected by accounts whose password can often be recovered by knowing the answer to a couple of security questions, and you are not always looking too far away for the culprit. An unscrupulous disgruntled employee may know both where you got married and your dog’s name.

Fraudsters want your trash, too. There is a treasure trove of information "stored" in your paper waste and even your physical e-waste.  Keep "dumpster divers" away with a solid document shredding program in place, using lockable shredding receptacles that are emptied often. Send a trusted employee on a midnight raid of the office to look for all those passwords written on post-it notes and inside notebooks left lying on desks. And don’t forget that old router, the one with the VoIP ports, that still has the default admin password that is just waiting for an unsuspecting network to plug into. Always factory-reset any e-waste before you dispose of it.

Use an application-level call monitor

VoIP telephony is controlled with the SIP protocol, an easy-to-read message-based protocol for managing the establishment, progress and termination of each call. Application-level call monitors look at these packets in real-time to look for unusual traffic that might signal fraudulent activity on the network, both from within (people with late-night access to the office placing expensive international and premium rate calls) and external (the hacker intent on using your network to pump traffic to their dubious International Revenue Share numbers). Look for a fraud protection solution that can process the expected calls-per-second of your network and can apply a number of strategies for alerting you to possible fraud and let you quickly identify that hacked SIP extension or IP PBX in your network.

Look for a solution that works independently of your PBX. There is little point relying on a compromised network component protecting itself given that the first thing an accomplished hacker will do is disable any protection mechanism. 

Make good use of firewalls and session border controllers

Many PBXs have built-in SBC functionality, a VoIP firewall if you will, that will focus on enforcing communications policies, managing external traffic, hiding the topology of your internal network and providing denial-of-service protection.

Use offline call record and billing analysis to look for longer-term trends

Locking down the network and getting instant alerts at the first sign of trouble is good; but, for the complete solution, track your call and billing records over time to look for unexpected calls from non-existent extensions to irrelevant destinations.

We will never eliminate telecom fraud entirely. Make one approach unprofitable for the fraudster and they will surely find another one; the only good trick is to try and stay one step ahead of the fraudster. Make sure you have people who know how VoIP fraud works, and the methods fraudsters use. In this environment, no one can afford to be thinking, “this can never happen to me”.  It is imperative you implement a reliable anti-fraud solution combined with solid security policy controls including a robust staff training program in order to monitor and protect your business against fraud and significantly reduce the risk of revenue loss.