PABX systems prove soft target for criminals

Hundreds of businesses are being scammed out of thousands of dollars by overseas "criminal gangs' who are hacking into their telephone switchboards (PABXs) and making free calls, an industry body has warned.

The Telecommunications Industry Group, whose members include Telecom and Vodafone, said PABX fraud had quadrupled this year with 40 to 50 firms being scammed each month. It estimated annual losses at hundreds of thousands of dollars.

Chief executive Rob Spray said criminal gangs in Eastern Europe, Mexico and the United States were tapping into PABXs by ringing up people's work phone numbers and guessing their voice mail passwords. Once inside a company's voice mail system, fraudsters could often use a feature that is designed to let workers forward calls to their home phone or mobile to make calls to any outside line.

The gangs sell lists of hacked voicemail numbers to others who want to make free calls, he said, and in some cases to fraudsters who would repeatedly ring premium phone numbers – such as overseas sex lines – running up huge bills, in return for a kick-back.

Such fraud had taken place for years but was now "going through the roof", Spray said. That was partly because more small businesses were buying sophisticated but vulnerable PABXs and also because criminals had realised it was "easy money". Around the world, such fraud was costing businesses hundreds of millions of dollars, he said. "It is organised crime. The criminals are on to a good thing."

PABXs used to be complex, specialistic pieces of hardware costing hundreds of thousands of dollars, but now come in the form of software that can be downloaded on to a personal computer "Small businesses have got a computer that they put in their office in many cases, and there is an open cheque book sitting inside it."

In one case a child had downloaded PABX software to his family's computer and been scammed out of $5000.

Spray said businesses could reduce the risk of fraud by picking hard-to-guess voice mail passwords or eliminate it by disabling the function in their PABX that allowed incoming calls to be routed to outside lines. "Most PABX allow you to turn that feature off." They should avoid using their PABX's factory default password or an obvious one such as "0000". There was a "balance of responsibility" between businesses and PABX suppliers, he said.

Businesses usually only became aware they have been scammed when contacted by their phone companies. Telecommunications companies were on the lookout for suspicious activity and would often alert customers if they noticed very unusual calling patterns, but could not be held liable for the frauds, he said.

- © Fairfax NZ News