PBX Toll Fraud Protection - The "Extension 900" Scam
Toll fraud is, or should be, a concern for any business with
a telephone system. There are many scams that attackers use to
steal service from your business telephone system, potentially
costing your business thousands of dollars over a single
weekend. This article discusses a social engineering scam
known as the "Extension 900 Scam".
In this scam, the attacker calls your main number or toll-free
number and asks your receptionist to transfer him to extension
900. In most business telephone systems, 9 is the access code
for an outside line and 00 is the number for the international
operator. If the receptionist transfers the call, the caller
is connected to an international operator, who will politely
assist him with a connection to an international number. Your
business pays for that fraudulent call.
How this scam works.
Attackers know that not every system blocks this kind of
transfer. It is a simple matter of calling your main number
and asking to be transferred to extension 900. Most companies
do not have an extension 900; in fact, most have no extensions
beginning with 9 at all, because the digit 9 is almost always
reserved as the outside-line access code. So if the caller
succeeds in having the call transferred to 900, the PBX dials
an outside line and then the international operator. The
digits it actually processes are:
9 (outside line) + 00 (international operator).
A good receptionist will know that there is no extension 900;
receptionists usually know most of their internal extensions
by heart. If the receptionist tells the caller that there is
no extension 900, the caller will say something like "the
president of the company told me to ask for that extension and
is waiting for my call". If the receptionist still insists
that there is no extension 900, the caller may well become
threatening and try to intimidate them into transferring the
call.
How to Protect Your Business
The most important thing is to educate your end users,
especially your receptionist and operators. Bear in mind that
the person who answers does not have to be the receptionist
for this to work. If your building has direct-dial numbers to
individual offices, the caller can ask anyone who answers to
transfer him, whether that person is a warehouse clerk or the
janitor; it doesn't matter. So be sure to educate all your
users at least once a year.
Here are some more things you
can do to stop this kind of attack.
1) Block calls to 9-00. If your company has no need to call an
international operator, it should be blocked. I would also
have your carrier block all international calling (9-011) if
it is not needed. If you need to make such calls on rare
occasions, use a prepaid calling card. These cards are
inexpensive and they cap your loss liability.
2) Block trunk-to-trunk calls. If a call comes into your PBX
or key system and is transferred back out, that is a "trunk to
trunk" call, also called a tandem call. Most systems can block
this. Keep in mind what this may affect: do your executives
call in and have their assistants transfer them to an outside
number? Do you have an after-hours service that requires
callers to be transferred to an outside number? If you do not
need these things, block trunk-to-trunk calls. Check the class
of service of your voice mail system as well: if it can
transfer a caller back out to a trunk, that is a tandem call
too.
3) Restrict which phones can transfer callers to outside
numbers. Some people may need this feature, but certainly not
everyone does. Work with your telephone system vendor to set
up classes of service that remove this ability from the phones
that do not need it.
4) Restrict the areas telephones can call. Does every
telephone in your business need the ability to call
international numbers, or even numbers outside your local
calling area? If a phone has no reason to call outside your
business area, why give it that ability? A phone that cannot
call a long distance number cannot transfer a fraudulent
caller to one either.
5) Monitor your phone bills. Any toll fraud scam is easier to
get away with if nobody checks the phone bills. Watch for
unusual calls: international destinations, calls placed at
night or over a weekend, and unusually long calls.
6) Finally, be sure your phone vendor even knows what toll
fraud is. This may be surprising considering that they are
supposed to be the experts, but I've met many technicians who
really don't think about such things. Most have never had even
the most rudimentary training regarding toll fraud security. I
ran into one technician who was highly thought of by our
mutual customer. I noticed that trunk to trunk transfer was
enabled in the class of service of his voice mail system and
insisted that it be removed. When I explained why, he even
asked, "Why would anyone do that?" Now that you know, be sure
your vendor does.
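The following Python script is an added example; it is not code from the original article and it is not any vendor's PBX configuration language. It models the decoding described under "How this scam works" (9 as the assumed outside-line access code, so "extension 900" becomes 9 + 00) together with items 1 through 5 above: a class-of-service check showing that an unrestricted phone lets a transfer to 900 through while a restricted lobby phone does not, and a review of constructed call records of the kind a phone bill or PBX call log contains, flagging international and international-operator destinations, trunk-to-trunk calls, after-hours calls and long calls. The digit patterns (011 for international direct dial, 1 plus ten digits for long distance), the class-of-service names, the business hours and the record format are all assumptions made for illustration.

```python
"""Toy model of PBX dial-string decoding, class-of-service checks and a
call record review for the 'extension 900' scam.  All values assumed."""
from dataclasses import dataclass
from datetime import datetime

OUTSIDE_ACCESS = "9"   # assumed outside-line access code, as in the article


def classify(dialed: str) -> str:
    """Return what the PBX would actually reach when a user transfers a
    caller to `dialed`: internal, incomplete, international_operator,
    operator, international, long_distance or local.  "900" is 9 + 00:
    an outside line followed by the international operator."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if not digits.startswith(OUTSIDE_ACCESS):
        return "internal"
    trunk = digits[len(OUTSIDE_ACCESS):]   # digits sent out on the trunk
    if not trunk:
        return "incomplete"
    if trunk == "00":
        return "international_operator"
    if trunk == "0":
        return "operator"
    if trunk.startswith("011"):            # assumed international prefix
        return "international"
    if len(trunk) == 11 and trunk.startswith("1"):   # assumed 1 + 10 digits
        return "long_distance"
    return "local"


@dataclass(frozen=True)
class ClassOfService:
    name: str
    allowed: frozenset     # destination classes this phone may reach
    trunk_to_trunk: bool   # may hand an incoming trunk call back out


# Assumed classes of service: the unrestricted state many systems ship in,
# and a restricted one for lobby/warehouse phones that only need local calls.
UNRESTRICTED = ClassOfService("unrestricted", frozenset(
    {"local", "long_distance", "international",
     "international_operator", "operator"}), True)
LOBBY = ClassOfService("lobby", frozenset({"local"}), False)


def transfer_allowed(cos, dialed, caller_on_trunk=True):
    """Decide whether a phone in `cos` may transfer the current caller to
    `dialed`; returns (allowed, reason).  `caller_on_trunk` is True when the
    caller arrived on an outside line, so the transfer would be tandem."""
    kind = classify(dialed)
    if kind == "internal":
        return True, "internal extension"
    if kind == "incomplete":
        return False, "no digits after outside-line access code"
    if caller_on_trunk and not cos.trunk_to_trunk:
        return False, "trunk-to-trunk (tandem) transfer blocked"
    if kind not in cos.allowed:
        return False, f"{kind} not permitted for class of service {cos.name!r}"
    return True, kind


# Constructed call records (not real data): start time, originating
# extension (a 'T' value means the call was handed off from an incoming
# trunk), digits dialed, and duration in seconds.
SAMPLE_CDR = """\
2024-03-15 09:12:40,ext=214,dialed=95551234,duration=95
2024-03-15 10:03:11,ext=101,dialed=900,duration=1710
2024-03-16 02:41:05,ext=T1,dialed=9011447700900123,duration=3602
2024-03-16 03:15:22,ext=T1,dialed=900,duration=2855
2024-03-18 14:20:00,ext=330,dialed=915551234567,duration=240
"""


def flag_suspicious(cdr_text, max_seconds=1800):
    """Return (record, reasons) for each call a bill review should question:
    international or international-operator destinations, tandem calls,
    calls outside 07:00-19:00 or on a weekend, and calls over max_seconds."""
    flagged = []
    for line in cdr_text.strip().splitlines():
        when, *fields = line.split(",")
        rec = dict(f.split("=", 1) for f in fields)
        start = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        reasons = []
        kind = classify(rec["dialed"])
        if kind in ("international", "international_operator"):
            reasons.append(kind)
        if rec["ext"].startswith("T"):
            reasons.append("trunk_to_trunk")
        if start.weekday() >= 5 or not 7 <= start.hour < 19:
            reasons.append("after_hours")
        if int(rec["duration"]) > max_seconds:
            reasons.append("long_duration")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for cos in (UNRESTRICTED, LOBBY):
        print(f"{cos.name}: transfer to 900 -> {transfer_allowed(cos, '900')}")
    for record, why in flag_suspicious(SAMPLE_CDR):
        print(", ".join(why), "<-", record)
```

Run as-is, the script shows the unrestricted phone passing the 900 transfer to the international operator while the lobby phone refuses it as a tandem call, and the record review flags the daytime 900 transfer from extension 101 as well as the two weekend calls that came in on a trunk and went back out. The same ordering of checks is what you want in the real system: block the tandem path first, then the destination class, and keep reviewing the call records because a class-of-service mistake on one phone or on the voice mail system is exactly what those records will reveal.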