As if worrying about online hacking isn’t enough, small businesses face an emerging kind of data breach: phone hacking.
Fraudsters are increasingly hacking into small companies’ phone systems and racking up large telephone bills. How it works: The hacker gets the general number for a company’s automated telephone system and then keeps attempting to guess an employee or business owner’s personal identification number (PIN) code, until finding the right one. (This can be easy, of course, if the employee or owner uses an easy-to-crack PIN such as “1234” or his or her birthdate.)
Unlike guessing online passwords—where a hacker would typically be locked out after several incorrect guesses—business phone systems often don’t provide the same security measure. A hacker can thus keep calling back into the system and guessing more PINs until they score. Moreover, some hackers are using computerized programs and “brute force” tactics to attempt passwords.
Once the hacker has the PIN code, they can use that to listen to voicemails or make calls—often over the weekend when no one is around to notice. They use computers to make hundreds of calls per minute to high-rate phone numbers, often in foreign countries, and then get a cut of the charges, which may be delivered to them through Western Union or wire transfer.
Phone hacking scams cost businesses $4.73 billion globally in 2013, up from just $1 billion in 2011, the Communications Fraud Control Association recently told the New York Times. Small businesses are targeted most often because they often have less-secure phone systems.
"The problem has been getting much worse over the past three years," Adam Simpson, CEO of Easy Office Phone, a company that provides phone service to small and midsized businesses, told SmallBusinessComputing.com.
Foreman Seeley Fountain Architecture, a Norcross, Georgia architecture firm with seven employees, was a target of a phone hacking attack. Last March, the company rang up $166,000 in phone charges over a single weekend with several calls to premium-rate phone numbers in Gambia, Somalia and the Maldives. It filed a complaint with the Federal Communications Commission but is still disputing the charge with its corporate telecom provider, TW Telecom, and has racked up $17,000 in late charges during the dispute period.
Telecom security experts say small companies can take measures to protect themselves from phone hacking, such as turning off call forwarding (since that feature is often used in hacking scams), ensuring all employees and phone system users set hard-to-crack passwords for voicemail access and requiring extra authorization to place international calls from the company phone system.
Read more articles on data security.