How to minimize the risk of toll fraud

Get tips on minimizing the risk of toll fraud

Knowledge is your best defence


  • Know the vulnerabilities and security features of your phone system
  • Ask your supplier how to make your system as secure as possible
  • Ensure the staff is trained and understands your systems and general security procedures

Know the access paths that open doors to fraud


Thieves can gain access to your telephone equipment via:

  • Direct Inward System Access (DISA)
  • PBX or switchboards
  • Voice-Mail Systems
  • Remote System Administration (maintenance ports)
  • Direct Inward Dialing
  • Tie Trunks and Tandem Network Services
  • Modems/routers

Monitor and analyze your systems information


  • Study call detail records. Exception reports can provide early warning signs
  • Review voice-mail reports and billing records
  • Familiarize yourself with calling patterns and review them along with the system reports regularly
  • Monitor valid and invalid calling attempts as often as possible

Recognize signs of a security breach


  • Sudden changes in normal calling patterns
  • Complaints that customers can't call in because the system is always busy
  • Increases in wrong number calls or silent hang-ups
  • Increases in night, weekend and holiday traffic
  • Increases in your toll-free traffic
  • Increase in international calling
  • Increase in abnormal calls, i.e. crank and obscene calls
  • Toll calls originating in voice-mail
  • Long holding times
  • Unexplained 900 calls
  • High tolls for any unauthorized trunk/extension

Secure your systems


PBX (Private Branch Exchange), DISA (Direct Inward System Access) and Remote Access Ports

  • Never publish a DISA telephone number and Change the DISA access telephone number periodically
  • Use longer DISA authorization codes which are ideally 9 digits long. Never choose one less than 7 digits
  • Issue a different DISA authorization code for all users
  • Warn DISA users not to write down authorization codes
  • Restrict DISA access at night, and on weekends and holidays, as these are the prime times for fraud
  • Block or restrict overseas access or only allow access to certain country or area codes
  • Program your system to answer with silence after five or six rings (most systems are programmed to answer with a steady tone after two rings and this is what hackers look for)
  • If possible, route invalid access attempts to your operator
  • If possible, program your PBX to generate an alarm if an unusual number of invalid attempts are made
  • Program your PBX so that the port will disable itself after a set number of invalid attempts
  • Disconnect all telephone extensions the moment they are no longer needed
  • Block access to remote maintenance/administration ports or use maximum length passwords and change them frequently
  • Do not use sequential access numbers
  • Disconnect modems that are not in use
  • Block access to all 10-10 (dial around) calling, or only allow access to those 10-10 codes which relate to an internally approved business arrangement

Voice-mail systems

  • Assign and change passwords regularly
  • Increase password length, and prohibit the use of trivial, simple passwords such as 222 or 123
  • Prohibit the sharing or posting of passwords, or entering them into programmable keys or speed dial buttons
  • Limit the number of consecutive login attempts to five or less
  • Keep time-out limits short
  • Change all factory-installed passwords
  • Change the maintenance password regularly and limit distribution
  • Block access to long-distance trunking facilities
  • Block collect call options on the auto attendant
  • Delete all inactive mailboxes
  • Restrict access to directories that give directions on how to get into the voice-mail system
  • Restrict out-calling
  • In systems that allow callers to transfer to other extensions, block any digits that hackers could use to get outside lines, especially trunk access codes
  • Use maximum length passwords for system manager box and maintenance ports

Long-distance calling

  • Restrict access to specific times and limit calling ranges
  • Restrict access to business hours only
  • Block all toll calls at night, on weekends and on holidays
  • Block or limit access to overseas calls. If your company has no requirement to call overseas, block overseas calls completely

General security policies


  • Secure telephone equipment rooms and/or wiring frames, and allow access only to authorized personnel
  • Secure all system documentation, including manuals, configuration records and system printouts
  • Require positive ID checks from supplier staff and maintain an entry log
  • Restrict call forwarding to local calls only
  • Delete a code immediately when an employee leaves your company, and do not reassign it to a new employee
  • Ensure cards and passwords are returned when an employee leaves your company
  • Keep telephone numbers private
  • Impress upon your staff that your telephone number plan must never be discussed outside the company
  • Eliminate the paper trail and foil 'dumpster divers.' Shred call detail reports and records. Destroy internal telephone directories
  • Establish policies on the accepting of collect calls and providing access to outside lines
  • If you use cellular phones, never discuss or give out system access codes over the cellular network
  • If you own a cellular phone, ensure that all calls billed to you were in fact made from your telephone. Thieves may 'clone' or copy your phone and have their calls billed to you. To minimize the risk, keep your cell phone off when not required
  • Review security procedures regularly
  • Always check your monthly statement

Educate your staff


  • Brief your staff on security procedures and toll fraud detection regularly, i.e. warning signs and alarms
  • Warn staff about 'shoulder surfing' and ensure they know who to notify if they believe the company access codes have been compromised
  • Warn switchboard operators, receptionists and employees about 'social engineering,' i.e. con-artists impersonating as security investigators, phone company installers or telecom managers trying to obtain calling access or be transferred to an outside telephone line through your phone system
  • Establish procedures for the staff to report suspected security breaches immediately

Search Support