The Better Business Bureau has joined with the Federal Communications Commission (FCC) to warn businesses about a new form of fraud involving voice mail. Hackers are using voice mail systems and default passwords to make collect calls without the knowledge or permission of employees or their employer. Businesses that are victimized usually do not find out about the hacking until their phone company calls to report unusual activity or they receive an exceptionally high phone bill.
Here’s how it works. A hacker calls into a voice mail system and searches for voice mailboxes that still have the default passwords active or have passwords with easily guessed combinations, like 1-2-3-4. Hackers know common default passwords and try each one until they can break into the phone system. The hacker then uses the password to access the phone system and change the voice mailbox's outgoing greeting to something like "Yes, yes, yes, yes, yes, operator, I will accept the charges." Next, the hacker places a collect call to the number they have just hacked. When the automated operator (which is usually programmed to "listen for" key words and phrases like "yes" or "I will accept the charges") hears the outgoing "yes, yes, yes, yes, yes, operator, I will accept the charges" message, the collect call is connected. The hacker is able to use this connection for long periods of time to make other international calls.
In another twist to this scam, the hacker breaks into voice mailboxes that have remote notification systems that forward calls or messages to the mailbox owner. The hacker programs the remote notification service to forward to an international number. The hacker is then able to make international calls that are billed to the business that owns the voice mail system.
The FCC reports that hackers usually break into voice mail systems during holiday periods or weekends, when there aren’t many incoming calls and tampering with the outgoing message goes unnoticed. The agency has also learned that hackers are typically based internationally, with calls frequently originating in and/or routed through the Philippines or Saudi Arabia.
To avoid falling prey to this scam, the BBB and FCC recommend that business voice mail users do the following:
- Promptly change the default password from the one provided by the voice mail vendor;
- Choose a complex voice mail password of at least six digits;
- Change the voice mail password frequently;
- Don't use obvious passwords such as an address, birth date, phone number or repeating or successive numbers;
- Check your recorded announcement regularly to ensure the greeting is indeed yours, especially during vacation or holiday periods.
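The password rules in the list above, written as a check a voice mail administrator could apply when a PIN is set. This is an added example, not part of the original advisory; the function names, the sample list of common PINs and the `known_numbers` parameter are assumptions made for illustration.

```python
import re

# Constructed sample of default / commonly guessed PINs (assumption, not exhaustive).
COMMON_PINS = {"0000", "1111", "1234", "000000", "123456", "654321"}

def _is_successive(pin: str) -> bool:
    """True if every digit steps by +1 or -1 (wrapping 9->0), e.g. 345678, 987654, 890123."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})

def _is_repeating(pin: str) -> bool:
    """True for one repeated digit (777777) or a short repeated block (121212, 123123)."""
    return re.fullmatch(r"(\d{1,3})\1+", pin) is not None

def audit_pin(pin: str, known_numbers=()) -> list[str]:
    """Return the reasons a PIN fails the advisory's rules; an empty list means it passes.

    known_numbers: the mailbox owner's extension, phone number, birth date or
    street number in any format (hypothetical parameter for this example).
    """
    if not re.fullmatch(r"[0-9]+", pin):
        return ["not numeric"]
    problems = []
    if len(pin) < 6:
        problems.append("shorter than six digits")
    if pin in COMMON_PINS:
        problems.append("default or commonly guessed value")
    if _is_repeating(pin):
        problems.append("repeating digits")
    if _is_successive(pin):
        problems.append("successive digits")
    for value in known_numbers:
        digits = re.sub(r"\D", "", value)  # strip dashes, spaces, slashes
        if len(digits) >= 3 and (digits in pin or pin in digits or digits[::-1] == pin):
            problems.append("based on a known number")
            break
    return problems

if __name__ == "__main__":
    # Constructed sample PINs; the phone number and extension are made up.
    for candidate in ("1234", "777777", "890123", "5550142", "827395"):
        print(candidate, audit_pin(candidate, known_numbers=["555-0142", "4017"]))
```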
Employers might also want to consider blocking international calls if they are not required to meet the needs of the business or its customers. Disabling voice mail features that are not used, such as remote notification, auto-attendant, call-forwarding and out-paging capabilities, can also lessen the risk of voice mail fraud.
Businesses that believe their voice mail systems have been hacked should contact their phone company and report the incident to the police.