Canada’s Commissioner for Complaints for Telecommunications Services (CCTS) yesterday urged small and medium-sized businesses to monitor their private branch exchanges (PBXs) for suspicious activity following a resurgence of complaints about long distance toll fraud.
The CCTS, an organization funded by the telecom industry to resolve complaints against companies in the sector, also reported that complaints about wireless and home phone services more than doubled in 2010-11 compared to what the commission received in 2009-10.
According to the CCTS’s Annual Report – Restoring Connections, Canadians filed 8,007 complaints for the period between August 2010 and July 31, 2011. That was a 114 per cent increase from the previous year’s 3,747 complaints, said Howard Maker, commissioner of the CCTS. The commissioner attributed the growing number of complaints to increased public awareness of the CCTS’s existence.
Maker also said that more than 52 per cent of the complaints filed in 2010-11 concerned wireless services, up from 51 per cent in the preceding year. Nearly 80 per cent of all complaints were either about billing errors (45 per cent) or contract disputes (34 per cent).
The top four providers to receive complaints were:
- Bell Canada – 29.3 per cent
- Telus – 17.3 per cent
- Rogers – 16.9 per cent
- Fideo – 8.2 per cent
When asked how he could account for this trend, which also surfaced last year, Maker said competition in the sector is tough and often results in the rapid deployment of innovative products, varied services and price packages. “This is a good thing, but it can also result in confusion in billing, data usage, services and contracts,” said Maker. “It’s a trend we’ve seen over the last four years and we see no signs of it subsiding.”
Long distance toll fraud
Numerous Canadian businesses continue to fall victim to long distance toll fraud, according to the CCTS. This scheme involves hackers breaching a company’s PBX system and controlling the telephone equipment to dial long distance calls through a long distance service provider.
Another fraudster tactic abuses the PBX “dial through” or “call through” function: the fraudster places a call to a business and then asks to be transferred to “9-0” or some other outside toll number. The call is made to appear as if it originated from the business instead of from the original fraudulent caller. The call is subsequently charged to the company’s next phone bill.
The result is that victims often find themselves billed tens of thousands of dollars for long distance calls. The report did not say exactly how many businesses have complained to the CCTS about long distance toll fraud.
“Although we did not receive many of these types of complaints in 2009-10, we are seeing a resurgence of these complaints in 2010-11. The bills sometimes amount to five or six figures,” said Maker.
The CCTS report said its investigation revealed that in most instances the service providers did not install or sell the PBX equipment to the customer and did not have any contractual obligation to ensure the equipment’s security. Maker said that after the CCTS intervened, most providers agreed to waive significant portions of the charges, leaving the customer to pay only for those charges that the provider itself is required to remit to the international carriers on whose network the calls were made.
In one case study presented in the report, a business’s telephone system was breached by a third party who used it to make long distance calls for which the business was billed. The total charges amounted to more than $20,000 when the normal monthly long distance bill of the business was only $5.
Acting on behalf of the complainant, the CCTS found glaring differences between the provider’s Customer Terms of Service and the Business Terms.
While the provider’s Terms of Service for its business customers clearly show that the provider has no contractual obligation to ensure the security of the customer’s telephone equipment, or to actively monitor long distance calling for the customer’s benefit, the document was unclear as to the customer’s liability for charges incurred as a result of unauthorized use of the service.
“We were able to use this interpretation of the contract to have the provider waive the charges,” said Maker.
How to guard against fraud
SMBs should contact a security expert to determine how they can best protect their communication system, but Maker said businesses can also lessen their chances of falling victim to fraud by doing the following:
- Replace factory default PBX log-ins and passwords with secure passwords that are changed regularly
- Consider if you really need “call through” functionality for your business. This is frequently used by hackers as a window to penetrate a business’s PBX system. If call through is not needed, disable it
- Regularly review your long distance bills so that you can spot any irregularities early on
- Notify both your security provider and system provider of any suspicious activity
- Go through the customer obligations of your service contract. In most cases the provider’s Terms of Service state that the customer is responsible for all calls made through their line, regardless of who made them
“A few minutes thinking about the security configuration of your PBX system will be time well spent,” said Maker.
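The advice above to review long distance charges regularly can be automated against the PBX's call detail records instead of waiting for the monthly bill. The following is an added example, not part of the CCTS report: the CSV layout, the office hours, the thresholds and the function name `review_cdr` are assumptions, and the sample records are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample call detail records (not from the CCTS report): start time,
# PBX extension, dialed number, duration in seconds, billed cost in dollars.
SAMPLE_CDR = """start,extension,dialed,duration_s,cost
2011-03-01 10:15:00,101,14165550123,120,0.10
2011-03-02 14:40:00,102,16045550188,300,0.25
2011-03-03 09:05:00,101,14165550123,60,0.05
2011-03-05 02:10:00,199,0115550100001,3600,180.00
2011-03-05 02:12:00,199,0115550100002,3500,175.00
2011-03-05 03:45:00,199,0115550100003,4000,200.00
"""
BUSINESS_HOURS = range(8, 18)  # assumed office hours, 08:00-17:59
INTL_PREFIX = "011"            # North American international dialing prefix


def review_cdr(text, spend_multiplier=10.0, spend_floor=20.0):
    """Return (days with abnormal toll spend, after-hours international calls)."""
    daily_cost = defaultdict(float)
    after_hours = []
    for row in csv.DictReader(text.splitlines()):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        daily_cost[start.date().isoformat()] += float(row["cost"])
        off_hours = start.hour not in BUSINESS_HOURS or start.weekday() >= 5
        if row["dialed"].startswith(INTL_PREFIX) and off_hours:
            after_hours.append((row["start"], row["extension"], row["dialed"]))
    flagged_days = []
    days = sorted(daily_cost)
    for i, day in enumerate(days):
        history = [daily_cost[d] for d in days[:i]]
        if not history:
            continue  # no baseline yet for the first day on record
        baseline = median(history)
        # Flag only when spend is far above baseline AND above a dollar floor,
        # so a jump from $0.05 to $0.60 does not raise an alert.
        if daily_cost[day] > max(spend_floor, spend_multiplier * baseline):
            flagged_days.append((day, round(daily_cost[day], 2), round(baseline, 2)))
    return flagged_days, after_hours


if __name__ == "__main__":
    days, calls = review_cdr(SAMPLE_CDR)
    for day, cost, baseline in days:
        print(f"ALERT {day}: ${cost:.2f} in toll charges (baseline ${baseline:.2f})")
    for start, ext, dialed in calls:
        print(f"REVIEW {start}: extension {ext} dialed {dialed} outside office hours")
```

Run daily, a check like this surfaces a spike such as the case study's jump from a $5 month to more than $20,000 after the first night rather than at billing time.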