
Toll fraud - How to protect your business

Toll fraud scams - where organizations are billed for long-distance calls made fraudulently through their voicemail systems - have cost Canadian businesses more than $1.1 million since 2013.

How does toll fraud work?

Usually, fraudsters call a business after hours and try to identify its automated answering system from its menus and prompts. Once they know which system it is, they enter that system’s default passwords until they get access to a vulnerable mailbox - either through an unchanged password or by trying simple sequences like “1234”. Once they’re in the system, fraudsters can rack up significant charges. The average incident results in $2,200 in fees, with some businesses getting billed up to $45,000.

You can protect your business against fraudulent activity by taking the following steps to safeguard your voicemail equipment and educate your employees about password security.

General steps for protecting against toll fraud

Make your passwords more secure

Password security is the most important part of fraud prevention. In general, your organization should:

  • Ensure employees change the manufacturer’s default password as soon as they are assigned a voice mailbox.
  • Remind employees to change their passwords on a regular basis and program your voicemail system to force them to change their passwords every 90 days.
  • Program your voicemail system to require passwords with a minimum of six digits.
  • Train employees not to use easily guessed passwords like their phone number/extension or simple number combinations.
  • Never use the phone number as the temporary password when assigning a phone to a new employee.
  • Never post or distribute your company’s voicemail passwords.
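The password rules above can be checked automatically when a mailbox password is set. The following Python sketch is an added example, not part of the original page or of any voicemail product; the function name, the placeholder default password "0000" and the sample numbers are assumptions.

```python
def pin_problems(pin, phone_number, extension, default_pin="0000", min_len=6):
    """Return the policy violations for a proposed voicemail password.

    default_pin is a constructed placeholder; use your system's real
    manufacturer default. min_len follows the six-digit minimum above.
    """
    if not pin.isdigit():
        return ["must contain digits only"]
    problems = []
    if len(pin) < min_len:
        problems.append(f"shorter than {min_len} digits")
    if pin == default_pin:
        problems.append("manufacturer default")
    # Reject passwords taken from the user's phone number or extension.
    phone_digits = "".join(ch for ch in phone_number if ch.isdigit())
    if pin in phone_digits or (extension and extension in pin):
        problems.append("based on phone number or extension")
    # Simple combinations: every digit repeats, counts up or counts down
    # (123456, 654321, 111111), or a short block repeats (121212).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    sequential = len(steps) == 1 and steps <= {0, 1, 9}
    periodic = pin in (pin + pin)[1:-1]
    if sequential or periodic:
        problems.append("simple sequence or repeated pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample values (fictional phone number and extension).
    for candidate in ["1234", "5550123", "654321", "201777", "482913"]:
        print(candidate, pin_problems(candidate, "416-555-0123", "201"))
```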

Disable or block unused features

Your voicemail system likely includes a number of features that make it easier for employees - and fraudsters - to make long-distance calls. Confirm whether the following features are actually needed by your organization. If they’re not, ask your equipment support provider to disable them on your behalf:

  • Through-dialling – This allows you to make long-distance calls from within your mailbox when you’re offsite – and is the primary enabler of toll fraud. If you decide to keep this feature, it is important to monitor through-dialling reports to ensure your mailboxes are not being abused.
  • 101xxxx – This feature allows you to make calls with another long-distance carrier.
  • 0-11 – This feature allows you to make overseas calls.
  • 0+ – This feature allows you to make calls with operator assistance.
  • Call forwarding – This feature allows you to forward calls from your business phone to another phone number.

You should also block long-distance calls from being made outside of your organization’s normal operating hours (e.g., nights, weekends, holidays). It is also recommended that you block access to any remote maintenance ports and system administration ports.

Fraud-prevention tips for specific systems features

Direct Inward System Access (DISA)

  • Restrict access outside of your normal operating hours (e.g., nights, weekends, holidays).
  • Avoid publishing phone numbers that could provide direct access to your system.
  • Change your DISA numbers periodically.
  • Issue a different DISA authorization code for each user and warn users to never write down their codes.
  • Program your PBX to generate an alarm and disable the DISA port when an unusual number of invalid authorization codes are entered.

PBX

  • Restrict the use of external call forwarding from users’ phones.
  • Restrict the redirect of incoming numbers to outside numbers.
  • Limit general access phones to local calling only.
  • Assign users the correct access levels for applicable long-distance calling.
  • Restrict or limit access to known high toll fraud areas.
  • Use long-distance authorization codes.
  • Monitor and track long-distance activity by generating call detail reports.

Voicemail

  • Redirect inbound calls via auto attendant to external numbers such as answering services.
  • Restrict or control through-dialling and remote notifications to pagers and cell phones.
  • Use desktop messaging or remote email notifications (if available) to tell users that they have voicemail messages.
  • Force users to change their mailbox access passwords on a regular basis.
  • Ensure user passwords are a minimum length of six digits.
  • Remove any unused or unassigned mailboxes.
  • Use restriction and permission lists to restrict outbound access where required.

All systems

  • Change all authorization codes on a regular basis.
  • Implement restriction and permission controls to limit inbound/outbound transfers.
  • Monitor systems using traffic and call detail reports to check calling patterns such as:
    • Calls to unusual locations
    • High call volume
    • Long call durations
    • International calls and calls to 809 or 900 area codes
    • High traffic after business hours
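The calling patterns listed above can be checked automatically against a call detail report. The following Python sketch is an added example, not part of the original page or of any PBX vendor's tooling; the CSV column names, the thresholds and the sample records are constructed assumptions, and the 011 and 1+ prefixes assume North American dialling.

```python
import csv, io
from collections import Counter
from datetime import datetime

# Constructed sample call detail records (fictional numbers, not real data).
SAMPLE_CDR = """start,extension,dialled,duration_s
2024-03-04 10:15:00,201,14165550123,180
2024-03-09 02:10:00,305,011442079460000,5400
2024-03-09 02:12:00,305,18095550100,600
2024-03-09 02:40:00,305,19005550111,120
2024-03-09 03:05:00,305,011442079460001,300
2024-03-05 14:00:00,202,16045550188,7500
"""

# Assumed policy values; tune them to your own business hours and traffic.
OPEN_HOUR, CLOSE_HOUR = 8, 18      # weekdays only
MAX_DURATION_S = 3600
MAX_AFTER_HOURS_CALLS = 3          # per extension
HIGH_RISK_AREA_CODES = {"809", "900"}

def after_hours(ts):
    return ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)

def flag_calls(cdr_text):
    """Return (findings, noisy_extensions) for a CSV call detail report."""
    findings, late = [], Counter()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        dialled, reasons = row["dialled"], []
        if dialled.startswith("011"):
            reasons.append("international")
        elif dialled.startswith("1") and dialled[1:4] in HIGH_RISK_AREA_CODES:
            reasons.append("area code " + dialled[1:4])
        if int(row["duration_s"]) > MAX_DURATION_S:
            reasons.append("long duration")
        if after_hours(ts):
            late[row["extension"]] += 1
            if dialled.startswith(("011", "1")):
                reasons.append("after-hours long distance")
        if reasons:
            findings.append((row["start"], row["extension"], dialled, reasons))
    # Extensions with heavy traffic outside business hours.
    noisy = sorted(e for e, n in late.items() if n > MAX_AFTER_HOURS_CALLS)
    return findings, noisy
```

Calling `flag_calls(SAMPLE_CDR)` returns the flagged calls with the reasons for each, plus the extensions whose after-hours call count exceeds the threshold.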

What to do if you suspect toll fraud

Businesses are solely responsible and liable for all calls originating from or passing through their telecommunications systems or accounts, regardless of who made or accepted them. This means it is in your utmost interest to do everything you can to avoid toll fraud.

The general security measures listed above may not protect every aspect of your company’s telephone system. We encourage you to contact your equipment support provider to discuss the unique aspects and vulnerabilities of your telephone system in greater detail.