PBX Hacking

Many larger businesses use a private branch exchange (PBX) phone and/or a voicemail system. However, since 2005, PBX hacking has been a leading fraud type. Telephone hackers break into insecure PBX systems to listen to voicemail, monitor conversations or reprogram the system – all to wreak havoc on the business.

These hackers also use PBX systems to make international and long-distance phone calls. When they gain access to trunk phone lines, they’ll start making a high volume of calls to international premium rate numbers that the criminals own – so they can collect revenue from those numbers.

Businesses with PBX systems may not be aware of unauthorized access or that hackers may be trying to “sell” the use of the business telephone system to others.

Midco Business cannot stop PBX hackers from making calls through our business customers’ PBX systems because we don’t have access or permission to do so.

If your system is compromised, your first warning could be a large telephone bill. There are other measures you can take to protect your business:

• Never provide technical information about your PBX system to callers unless you’re completely certain who is on the other end of the line.
• Do not allow your PBX system administrator to keep factory or default passwords on your system or for voicemail. Audit your system to ensure none of these passwords exist.
• Verify that there are no unauthorized or additional passwords in your system.
• If your company doesn’t need international calling, set up international call blocking in your system and local/long-distance switch.
• Delete or lock all unused mailboxes.
• Institute password policies and regularly educate your employees to:
  • Not allow predictable PINs, such as the last digits of their direct dial number, sequential numbers such as 1111, or incremental numbers such as 1234.
  • Require all employees to change their voicemail passwords to six- or eight-digit, non-trivial passwords.
  • Be sure these and other preventative measures are also applied to administrative, general delivery and system manager mailboxes.
• Do not publish all of your staff members’ names and contact numbers on your website or the Internet. This information gives would-be fraudsters an 'in" to hack into your PBX.
• Do not allow an unlimited number of unsuccessful attempts to log in to voicemail. Configure your system to lock a voicemail box after three failed attempts.
• Disable administrator, contractor or employee voicemail accounts when they leave your company.
• Schedule regular PBX checks and form an ongoing risk management strategy to limit system vulnerabilities.