How does VoIP Fraud Work?

Posted on: 2018-05-04 | Categories:SIP

VoIP routes voice calls over high-speed Internet connections instead of dedicated copper lines. VoIP brings voice to the same data network used by other types of information like text, pictures, video etc. It is the convergence of several resources into a single system.

VoIP lowers the cost of phone calls and enables users to provision sophisticated features. It offers flexibility, mobility, and scale. However, VoIP phone systems are also vulnerable to different threats. They can be subject to data-driven attacks, system vulnerabilities, hacking attempts, and fraudulent schemes.

As VoIP becomes more popular across the world, the incidence of fraud and security issues continue to rise. It does not help that not many organizations are aware of the security landscape in which VoIP operates. Many people assume that VoIP is like PSTN in that not much security is needed. Unfortunately, they are mistaken.

VoIP Security Threats – Fraud

VoIP systems are vulnerable to many of the same threats that plague other forms of computing technology. Malware, network breaches, DDoS attacks, and even phishing attempts can compromise VoIP systems.

VoIP fraud constitutes a big part of the threat landscape. In general terms, a person or entity commits fraud when they use VoIP services with no intention of making payments. VoIP fraud is usually accompanied by other illegal schemes like identity theft, subscription theft, hacks and exploiting system vulnerabilities. Hackers usually try to avoid paying the bills from service providers, pay only a small portion or try to get someone else to pay what is owed.

Some types of VoIP fraud may technically be legal in some countries but still cause harm to VoIP service providers, organizations that use their services or even end-users. In most cases, fraudsters target organizations. It may be a business that sells VoIP services or uses them. Quite often, the targeted organizations have no idea that a breach has occurred. But they will find themselves on the hook for thousands of dollars worth of unauthorized phone calls.

Types of VoIP Fraud

Some types of VoIP fraud use techniques developed for PSTN networks. Others are inspired by computer hacking software. Businesses may not bother to update the software on their VoIP equipment which allows hackers to target them. The most common types of fraud begin with security breaches, phishing attacks, and even social engineering techniques.

Call Transfer Fraud

Call transfer fraud happens when someone hacks into a VoIP PBX to make free international calls. The hacker usually has their own VoIP service in some other country. When a subscriber to the fraudulent service makes a call to an international destination, the call travels through the compromised PBX. The actual owner of the PBX server cannot bill the subscriber of the fraudulent service. The fraudster is able to collect payment from their customers for services provided through stolen resources.

In many cases, hackers are able to generate significant revenue before they’re identified. When the breach comes to light, the business can do little more than patch the vulnerability and close the entry point. Authorities are unable to pursue the matter across international borders.

Revenue-Sharing Schemes

This type of fraud usually involves premium rate telephone numbers. Calls made to this type of number carry a higher price tag for certain services. Hackers will create shell companies that purchase these premium rate numbers. They can artificially inflate traffic to these numbers were they get a portion of the call charge.

In most cases, the fraudster will hack into an organization’s voice network and generate unauthorized calls to the premium rate number. They will usually do this on a weekend so that the breach is not discovered until several hours worth of phone calls have been made. The unsuspecting victim will end up with a huge bill and the hacker gets revenue from the illegal international calls.

Most VoIP fraud schemes involve hacking into different PBX systems. Many enterprise PBX boxes have weak authentication controls. Employees may be unaware of security best practices and reuse passwords across different sites which are easily compromised. Once a hacker gets control of even a single user account, it becomes easier to gain access to others. Quite a few VoIP services do not employ an adequate encryption scheme which is another risk factor.

It is not easy to detect and block fraudulent VoIP calls. Some service providers block numbers from countries known for high fraud rates. However, such attempts are rarely successful since hackers are able to rotate through several numbers from different countries. Such aggressive blocking can also affect legitimate calls.

A multilayered approach to defense can protect against VoIP fraud. Analyzing call records in real-time will also help in identifying unusual patterns, abrupt traffic spikes, a disproportionate number of unanswered calls etc. VoIP fraud is a huge problem for the industry. Both service providers and their clients should work together to secure voice systems.