Small business owners are pretty aware these days that their computer networks are wide open to attacks from hackers. Unfortunately, they are far less aware that their phone systems are just as vulnerable too.

As a New York Times article pointed out today, attacks for something called premium rate service fraud can cost small business owners hundreds of thousands of dollars. And unlike hack attacks where credit card or bank account information is targeted, an outdated regulatory landscape at the Federal Communications Commission puts small business owners on the hook for the fraudulent activity on their phone bills.

"There are a number of ancient FCC decisions dating back to the early 1990s that says that if a customer has fraudulent calls, the customer is 100 percent liable," says Mark Palchick, a partner at law firm Womble Carlyle Sandridge & Rice, which has lodged a complaint with the FCC for a particularly egregious case involving an architectural firm that's on the hook for $166,000 in fraudulent charges from a carrier called TW Telecom.

Hack attacks against small business phone networks--often called a private branch exchange, or PBX---aren't new, experts say, in fact they've been going on for at least 20 years. But they are increasing dramatically in number, and exponentially in dollar costs. In fact, fraudsters walked with about $5 billion in premium rate fraud in 2013, according to the Communications Fraud Control Association. 

Part of the reason the occurrence of telephone hacking has escalated so much in recent years is the explosion of voice over IP services. Small businesses tend to use these over the national carriers, because they are dramatically cheaper, says Jim Dalton, founder of TransNexus, a fraud software provider for VOIP, often costing up to 50 percent less. (TransNexus' software looks for irregularities in calling patterns and sends out alerts or shuts down calling when fraud occurs.)

But just like any network attached to the Web, they are wide open to attack.

In a nutshell, here's how a premium rate fraud scheme works. Hackers ping your phone network, looking for a weak spot, such as phone with an easily cracked password, which allows them to access the entire network. Once in, they basically take over, using auto dialers to call premium lines overseas, but sometimes within the U.S, which charge up to several dollars a minute. Hackers have leased the lines ahead of time, and collect a percentage of fees that are charged to the small business owners for use of these lines.

Fortunately, there are ways to head off phone hackers. Here are some tips from experts on how to protect your network:

  • Read your contract and know what you've signed up for. Palchick says his architectural firm client didn’t realize it had been signed up for international calling in the first place.
  • Find out from your provider what kind of fraud protection it offers. If it doesn't offer any, it's probably best to move on. The best operators should be able to put your PBX behind a firewall, just like your computer network.
  • Make sure every user on the phone network uses a complex password, preferably a combination of letters and numbers, up to 16 characters long, Dalton says. Also set tight administrative controls for the network, limiting the number of people who have access to master passwords and controls.
  • Tell your provider to switch off international phone calls, and just use your personal phone for any you need to make.
  • Consider placing limits with your carrier on the dollar amount you're willing to spend each day on long distance calling. Long distance phone calls using VOIP cost pennies. Most small businesses could get away with $40 cap a day, says  Shane Mitchell president and founder of Rock Solid Internet & Telephone, an Internet and VOIP provider.
  • Some providers will let you create a white list of IP addresses that are allowed to make phone calls. (That helps in the event some of your employees work remotely or from other locations besides your headquarters.) In the event an unknown IP address tries to take over and make phone calls, the system would shut it down, Shane says.

"Fraud protection is something you want to ask about and sign up for," Dalton says. "You want to know you won't be put out of business if it happens."

Published on: Oct 20, 2014