IP PBX Fraud - the ghost of fraud's past

Author: Luke Taylor, CCO & Deputy CEO
Date: 3rd January 2017
Categories: Technology, Financial, Banking, Telecoms, Fraud protection, Optimus, Neural Technologies, PBX, PBX Fraud, Internet Protocol

The telecommunications industry has come a long way since its inception, from manually operated switchboards through the explosion of mobile networks to today’s Internet Protocol (IP) networks. But from traditional telephone networks to modern IP networks, some frauds never leave us, and PBX (Private Branch Exchange) fraud appears to still be haunting the industry like a particularly persistent poltergeist.

Fraudulent calls made through newly installed IP PBXs to premium rate (or international) numbers are causing CSPs the same headache they always have. Fraudsters are hacking IP PBXs, whether in-house or cloud based, in order to send calls to bogus premium rate numbers and benefit from high-value payments from operators before vanishing like spectres to target another victim.

The coming few weeks are an ideal time for PBX fraud to increase dramatically, with many businesses shutting down for the festivities and New Year - as offices lie dormant, the PBX could be pinged continuously until the door which has been left ajar is fully opened.

I recently spoke to two CSPs who are trying to protect their customers from this type of fraud and also mitigate their own financial losses by raising awareness and implementing customer training for IP based systems. They have found that some customers are not remembering to employ basic security protocols such as changing passwords and checking that PBXs are correctly installed. This is leaving the door open for fraudsters.

Often, the first time that a customer becomes aware of falling victim to fraud is when they receive a shockingly high bill, by which time the fraudster has made his money and disappeared, leaving the CSP and end customer to argue over the substantial bill amount. There is a fine line between customer service and customer satisfaction when the operator has the unfortunate task of requesting payment of large invoices; this normally results in increased customer care overheads to manage such issues and the underlying financial losses compounded by decreased customer satisfaction.


In many cases the PBX is not owned by the CSP but by the end customer. The CSP is then somewhat hindered by end customers leaving 'their door open' for fraudsters to abuse, pleading innocence and expecting the CSP to pick up the bill. Moreover, these costs are not just a lost opportunity to make money from the customer but hard dollars that the CSP has to pay out to third parties.

Some fraudsters scam customers for smaller amounts over a longer period of time, but more frequently it is about a large short-term gain and moving on. Once fraudsters have gained access to a PBX, they will use it until they are discovered. Therefore, it is in everybody’s interest to make access to the PBX as difficult as possible in the first place and, if fraudsters do find a way in, to make sure that any ongoing fraud does not slip under the radar undetected for any period of time.

Telecoms have evolved exponentially over the last few years, with numerous services including streaming media, mobile financial services, etc. Whilst we are constantly reminded of the modern threats currently pervading the industry - such as cyber crime - we must remain wary of the past ghosts still haunting the industry... because they are not going away. Proactive approaches, including operators training their customers in PBX fraud prevention 'best practice' (e.g. correct installation, complex passwords and access logging), remove many of the basic risks and protect consumers and operators alike from some of the costs of fraud.

Fraud control is not only about systems, even though they are crucial for automated real-time analysis; it also requires people, process, education, management and continuous interaction to be successful. PBX fraud may be a ghost of the past, but it is with us in the present and, without a concerted proactive approach, will be with us in what is yet to come.