Editorial

Expensive Fraud Calls

Published on:

October 20, 2014

The recent case of phone call fraud highlights the growing risks of PBX systems being compromised, with hackers using them to dial expensive numbers. This situation often arises when the PBX is used as a "least cost router" to route calls through expensive destinations. However, even without external voice traffic, bots on local networks can exploit PBX systems by accessing the TAPI feature, dialing numbers directly from a computer. To mitigate risks, it's crucial to ensure strong security measures, like checking for viruses, using secure passwords, and verifying the fraud detection features offered by service providers. Also, restrict expensive number calls via the PBX dial plan and ensure TAPI licenses are carefully managed.

It happened again, and it will not be the last time: another victim of phone call fraud (http://finance.yahoo.com/news/phone-hackers-dial-redial-steal-012343295.html), caused by a hacked PBX that was somehow accessible to the bad guys.

We have talked about it before, but after reading the article I think it is important to highlight a few points that were not so clear before. The first is that some carriers really seem to go after the money, even if they have to go to court. In contrast to the credit card industry, fraud is the responsibility of the customer, not the provider.

The next point is that the PBX obviously does not need to have received voice traffic from the public internet. Typically, fraud uses the victim's PBX as a kind of “least cost router” for terminating traffic into expensive countries. But when calling expensive 900 numbers, as mentioned in the article, there is no need for any traffic with the outside world. All it takes is that the PBX uses its route into the PSTN.

In theory, a bot on a computer in the LAN can use the click-to-dial feature of the PBX to keep dialing expensive numbers. The voice would end up either on the local PC or smartphone, or just on the phone on the office desk. On the weekend, when nobody is in the office, it would take some time to figure out what is going on.

This is new. If a bot can access the local TAPI on the computer and initiate a call, you are in trouble. There is no extra password check between the TAPI client and the TAPI server. All it takes is a program running on the local PC that starts dialing numbers.

So what are we learning from all of this?

Apart from the usual recommendations to check for viruses on your computer and to make sure that users choose good passwords and PIN codes, you should check whether your service provider has a fraud detection feature. This will limit the damage if you get hacked for whatever reason, despite all the precautions you took on the system. If you are using prepaid accounts, the damage will be limited to the money that you have put into the meter.

By default, version 5 does not come with a CSTA license, which is required for TAPI calls. If you have the license and are using TAPI, you can take a few measures to reduce your exposure to the risk. You can double-check in the dial plan which numbers can be called from your PBX. In many cases PBX users have no need to dial expensive hotlines, and if they do, you can set the flag in the dial plan that requires them to enter their PIN code. And you can make sure that PCs are turned off when users are not in the office. This not only makes sure that you don't have any surprises on your phone bill on Monday morning. It also saves power.
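
If your provider offers no fraud detection, a basic check can be run over your own call detail records. The following is an added example, not code from Vodia or from the original article: it flags extensions that place repeated calls to 900 numbers on weekends or outside office hours, the pattern a dialing bot would produce. The CSV layout, the sample records, the office hours and the threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export. The CSV layout is hypothetical, not a Vodia format.
SAMPLE_CDR = """start,extension,dialed,duration
2014-10-17T10:15:00,41,1-617-555-0123,180
2014-10-18T02:00:10,42,1-900-555-0100,600
2014-10-18T02:11:00,42,1-900-555-0100,600
2014-10-18T02:22:30,42,(900) 555-0100,600
2014-10-18T02:40:00,42,19005550100,590
2014-10-20T09:30:00,43,1-900-555-0199,120
2014-10-20T11:00:00,41,+442075550100,300
"""

PREMIUM_PREFIXES = ("1900",)   # assumption: NANP 900 numbers, as in the article
OFFICE_HOURS = range(8, 18)    # assumption: staffed 08:00-17:59 on weekdays
MAX_OFF_HOURS_PREMIUM = 2      # assumption: alert above this many calls per extension


def normalize(number):
    """Reduce a dialed string to digits; add the NANP '1' to 10-digit numbers."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "1" + digits if len(digits) == 10 else digits


def is_off_hours(ts):
    """True on Saturday/Sunday or outside the assumed office hours."""
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS


def find_suspects(cdr_text):
    """Map extension -> (calls, seconds) for off-hours premium calls over the threshold."""
    stats = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if not normalize(row["dialed"]).startswith(PREMIUM_PREFIXES):
            continue
        if not is_off_hours(datetime.fromisoformat(row["start"])):
            continue
        stats[row["extension"]][0] += 1
        stats[row["extension"]][1] += int(row["duration"])
    return {ext: tuple(v) for ext, v in stats.items() if v[0] > MAX_OFF_HOURS_PREMIUM}


if __name__ == "__main__":
    for ext, (calls, secs) in find_suspects(SAMPLE_CDR).items():
        print(f"extension {ext}: {calls} off-hours premium calls, {secs} s")
```

Normalizing the dialed string before matching matters because the same 900 number can appear in several formats in one export.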
