Editorial

Expensive Fraud Calls

Published on:

October 20, 2014

The recent case of phone call fraud highlights the growing risk of PBX systems being compromised, with hackers using them to dial expensive numbers. This situation often arises when the PBX is used as a "least cost router" to route calls through expensive destinations. Even without external voice traffic, however, bots on local networks can exploit PBX systems by accessing the TAPI feature and dialing numbers directly from a computer. To mitigate risks, it's crucial to ensure strong security measures, like checking for viruses, using secure passwords, and verifying the fraud detection features offered by service providers. It's also important to restrict expensive number calls via the PBX dial plan and ensure TAPI licenses are carefully managed.

It happened again, and it won't be the last time: http://finance.yahoo.com/news/phone-hackers-dial-redial-steal-012343295.html. Another victim of phone call fraud, the result of a hacked PBX somehow accessible to the bad guys.

We have talked about it before, but reading the article I think it's important to discuss some points that weren't so clear before. The first one is that some carriers really seem to go after the money, even if they have to go to court. In contrast to the credit card industry, fraud calls are the responsibility of the customer, not the provider.

The next point is that the PBX obviously doesn't need to receive voice traffic from the public internet. Fraud calls typically use the victim's PBX as a kind of "least cost router" for terminating traffic into expensive countries. But when calling expensive 900 numbers, like those mentioned in the article, there's no need for any traffic with the outside world. All it takes is the PBX's own route into the PSTN.

In theory, a bot on a computer in the LAN can use the click-to-dial feature of the PBX to keep on dialing expensive numbers. The voice would end up somewhere either on the local PC or smart phone, or just on the phone on the office table. On the weekend, when nobody is in the office, it would take some time to figure out what's going on.

This is new. If a bot can access the local TAPI on the computer and initiate a call, you're in trouble. There's no extra password check between the TAPI client and the TAPI server. All it takes is a program running on the local PC that starts to dial numbers.

So what are we learning from all of this?

Apart from the usual recommendations to check for viruses on your computer and make sure users are choosing strong passwords and PIN codes, you should check if your service provider has a fraud detection feature. This will limit the damage, in case you get hacked for whatever reason, despite all the precautions you took. If you are using prepaid accounts, the damage will be limited to the money you've put into the meter.

By default, version 5 doesn't come with a CSTA license, which is required for TAPI calls. If you have the license and are using TAPI, you can take a few measures that reduce exposure to the risk. You can double check in the dial plan what numbers can be called from your PBX. In many cases, it's not necessary for PBX users to dial expensive hotlines; if they do, you can set the flag in the dial plan so they have to enter a PIN code. And you can make sure PCs are turned off when users aren't in the office. This makes sure you don't have any surprises on your phone bill on Monday morning. It also saves power.
