How to Outfox PBX Fraud


Be alert to the overt signs of PBX abuse: repeated calls of short
duration, unexplained increases in incoming or outgoing calls, sudden
increases in 800 usage or changes in after-hours calling patterns.

If practical, eliminate remote access to your PBX and replace it with
telephone credit cards for authorized personnel. If you eliminate remote
access, make sure the system is disabled when not in use.

If eliminating remote access isn't an option, try implementing these
suggestions to minimize your risk of toll fraud:

    If possible, limit the number of employees who use remote access.

    Use an unpublished number for remote access lines instead of 800
    numbers.

A delayed electronic call response can provide added security. Your PBX
should be programmed to wait at least five rings before answering a
call.

A steady tone used as a remote access prompt leaves your system
vulnerable to perpetrators' automatic dialing programs. Use a voice
recording or silent prompt instead of a tone.

Tailor access to your PBX to conform to the needs of your business.
Block access to international and long-distance numbers your company
does not call. If this isn't practical, consider using "time-of-day"
routing features to restrict international calls to daytime hours only.

Whenever possible, limit remote PBX access to local calling during
normal business hours. Be sure to restrict access after hours and on
weekends.

Delete all authorization codes that were programmed into your PBX for
testing or servicing.

Assign codes on a need-to-know basis. Advise employees to treat codes as
they would credit card numbers. Never print codes on billing records.

Assign the longest possible authorization numbers your PBX can handle.
Select codes at random -- don't use telephone extension numbers,
employee ID numbers, social security numbers, addresses or other common
numerical sequences.

Audit and frequently change all active codes in your PBX. Cancel
unassigned access codes, especially those used by former employees.

Consider implementing a barrier code system, an additional numeric
password that adds a second level of security.

Don't allow unlimited attempts to enter your system. Program your PBX to
disallow access after the third invalid access or barrier code attempt.

Carefully review all billing information to identify unauthorized
calling patterns. Frequent reviews can save lots of money.
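
The warning signs listed at the top of this page and the billing review
described above can be checked mechanically. The following Python sketch is
an added example, not part of the original text: the record layout, the
thresholds, the business hours and the "011" international prefix (North
American dialing) are all assumptions to adjust for your own PBX or carrier
export.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample call records; this column layout is an assumption,
# real PBX and carrier billing exports differ.
SAMPLE_CDR = """\
start,direction,caller,dialed,seconds
2024-03-04 10:15:00,out,x2101,12125550100,340
2024-03-04 14:02:00,in,unknown,remote-access,8
2024-03-09 02:11:05,in,unknown,remote-access,6
2024-03-09 02:11:40,in,unknown,remote-access,5
2024-03-09 02:12:10,in,unknown,remote-access,7
2024-03-09 02:14:00,out,remote-access,011442079460000,1820
2024-03-05 19:30:00,out,x2105,12125550142,95
"""

SHORT_SECS = 15                # what counts as a "short" call (assumed)
BURST_COUNT = 3                # short inbound calls per hour to flag (assumed)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday (assumed)
INTL_PREFIX = "011"            # North American international prefix (assumed)

def review_cdr(text):
    """Return a sorted list of (reason, detail) findings for manual review."""
    findings = set()
    short_per_hour = Counter()
    for row in csv.DictReader(StringIO(text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        secs = int(row["seconds"])
        after_hours = start.weekday() >= 5 or start.hour not in BUSINESS_HOURS
        # Sign 1: repeated inbound calls of short duration, bucketed per hour.
        if row["direction"] == "in" and secs <= SHORT_SECS:
            short_per_hour[start.strftime("%Y-%m-%d %H:00")] += 1
        # Sign 2: outbound calls after hours or on weekends.
        if row["direction"] == "out" and after_hours:
            intl = row["dialed"].startswith(INTL_PREFIX)
            kind = "after-hours international" if intl else "after-hours outbound"
            findings.add((kind, f'{row["start"]} {row["caller"]} -> {row["dialed"]}'))
    for hour, count in short_per_hour.items():
        if count >= BURST_COUNT:
            findings.add(("repeated short calls", f"{hour} count={count}"))
    return sorted(findings)

if __name__ == "__main__":
    for reason, detail in review_cdr(SAMPLE_CDR):
        print(f"{reason}: {detail}")
```

Each finding is a prompt for a person to look at the record, not proof of
fraud; a single short call during business hours is deliberately not flagged.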

Investigate toll fraud monitoring options that may be available from
your local exchange company or interexchange carrier.

Directories and business cards that list PBX access numbers should be
shredded before being placed in the trash.

Never give out technical information about your system to callers unless
you're certain who's on the other end of the line.

Educate employees about the dangers of phone fraud and what they can do
to help prevent it.
