Monitor Remote Access and Administration
Remote Access allows an inbound caller to access your business’s phone system and make outbound calls through it by using an access code. This is one of the most common modes of illegal entry into a phone system. To limit the risk to your business, use passwords and authorization codes to access these features. If your business does not use these features, contact your system administrator or provider to ensure that these features are turned off.
Use Strong Passwords and Authorization Codes
Your phone system’s security is only as strong as the passwords used to access it. Follow these tips to make sure your passwords and authorization codes are not easily guessed:
- NEVER USE DEFAULT PASSWORDS
- Use the pound sign (#) and asterisk (*) in your password if your system allows it.
- Use passwords that are at least 7 characters long. For maximum protection, you should use the maximum number of characters that your system allows.
- Do not use predictable patterns such as repeating characters (55555) or ascending or descending characters (54321).
- Do not use your extension number (or its reverse), your office number, or any other information that identifies a system owner or user (such as an employee number or social insurance number).
- Do not write down your password or store it on your hard drive or network. If a record is kept, it should be stored in a secure location.
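The tips above can be checked automatically when codes are assigned or audited. The following is an added example, not part of the original advisory; the function names, the result labels, and the sample default codes are assumptions made for illustration.

```python
"""Audit phone-system passcodes against the tips listed above (added example)."""

MIN_LENGTH = 7  # minimum length from the tips above
# Assumption: placeholder defaults; use the list documented for your own system.
DEFAULT_CODES = {"0000", "1111", "1234", "0000000", "1234567"}


def _digits(code):
    """Drop # and * so pattern checks look only at the digits."""
    return "".join(c for c in code if c.isdigit())


def _is_sequence(digits):
    """True for runs such as 54321 or 8901 (every step +1 or every step -1, mod 10)."""
    if len(digits) < 2:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {9})


def audit_passcode(code, extension, identifiers=(), symbols_allowed=False):
    """Return the list of tips the passcode violates (empty list = passes)."""
    digits = _digits(code)
    problems = []
    if code in DEFAULT_CODES:
        problems.append("default")
    if len(code) < MIN_LENGTH:
        problems.append("too_short")
    if len(digits) > 1 and len(set(digits)) == 1:
        problems.append("repeating")
    if _is_sequence(digits):
        problems.append("sequence")
    # Stricter than the tip: also flags codes that merely contain the value.
    personal = {extension, extension[::-1], *identifiers}
    if any(p and p in digits for p in personal):
        problems.append("identifying")
    # Only enforced when the system accepts # and * in passcodes.
    if symbols_allowed and not set(code) & {"#", "*"}:
        problems.append("no_symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample: (passcode, owner's extension)
    for code, ext in [("55555", "204"), ("1234567", "204"), ("4027319", "204")]:
        print(code, audit_passcode(code, ext) or "ok")
```

Pass other identifying numbers (office number, employee number) through `identifiers`, and set `symbols_allowed=True` only if your system accepts # and * in codes.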
Frequently Change Passwords and Authorization Codes
It is a good idea to change your passwords and authorization codes at least four times a year. It’s also recommended that you change access/authorization codes whenever an employee (such as a network technician) leaves the company.
Control Long Distance Calling
- Prohibit or restrict calls to countries you do not do business with
- Prohibit or restrict calls to the Caribbean, a favourite call destination for fraudsters
- Restrict the ability to make international calls to only those employees who need to
- Restrict the time of day that calls can be made, such as at night or on weekends
- Restrict toll-free access from areas known as phone fraud centres
Restrict Automated Attendant Access
Automated attendants are another common entry point for unauthorized third parties. When the automated attendant “picks up,” fraudsters can dial 91XX or 9011. On many phone systems (if the dial-out feature is active), this extension connects the caller to an outside long distance line. The best defence is to block 9XXX or 8XXX access codes and/or require an additional authorization code.
Monitor Your System
Closely monitoring your phone system will help you to catch suspicious activity early. Watch for unusual patterns or usage spikes in your PBX, voicemail, automated attendant, and toll-free systems. These may be indicators that someone is attempting to gain access to your phone system.
Please take the precautions listed above. Ultimately, any unauthorized calls made to or from your phone system equipment — whether by someone in your company or by a third party — are your responsibility. It is essential that you take steps to protect your business from phone fraud.