What is PBX Hacking?

While it is not widely known or understood, it stands to be one of the most common and significant threats to telecommunications safety for businesses.

Written by Anjana Uthayakumaran
Created 2022-11-11

PBX (Private Branch Exchange) hacking is one of five prevalent technological advancements leveraged in scams in the US and Canada. While it is not widely known or understood, it stands to be one of the most common and significant threats to telecommunications safety for businesses. In 2021 alone, US enterprises reported losses of $1.82 billion USD to the CFCA (Communications Fraud Control Association). [1]

A PBX is a private telephone system used within an organization for internal communication between users, while also connecting to the external network through a shared pool of phone lines. Although a PBX reduces operating costs for a business, an unprotected PBX gives attackers ample opportunity for fraud: they initiate international calls through it, and the unauthorized charges land on the PBX owner. Users are often unaware of the threat PBX hacking poses and fail to implement protective measures.

How to protect yourself

  • Change passwords: Avoid using the default passwords provided by your service provider, as they can be found online and in user manuals. Also change voicemail passcodes regularly, to non-generic ones.
  • Do not post a public call directory: Although you want your staff to be reachable by clients, publishing a complete list of DID (direct inward dialing) numbers gives hackers a plethora of numbers to attempt to break into, and lets them target individuals directly by name and phone number.
  • Use secure VoIP methods: Running VoIP over a secure transport (similar to SSL for websites), over a VPN (Virtual Private Network), or on non-standard SIP (Session Initiation Protocol) ports makes attacks considerably harder. SIP over TLS (Transport Layer Security) encrypts SIP traffic between client devices and SIP servers. A VPN allows SIP traffic to flow between client devices and SIP servers over the public internet as if they were on the same network. Using non-standard SIP ports can help hide SIP devices and access points from port scanners and sniffers when TLS or a VPN is not available.
  • Close inactive accounts: When an employee leaves the company, promptly disable their access and close their mailbox.
  • Restrict password attempts: Configure your system so that access to outgoing calls and voicemail is locked after three failed password attempts.
  • Choose SIPSTACK: Enabling and managing security measures on every aspect of your telecommunications can be overwhelming. SIPSTACK provides its clients with the utmost security so that you can focus on making your business a success. Contact us to learn more.
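As an added illustration (not SIPSTACK's code, and not tied to any particular PBX product), the following Python script replays constructed PBX log lines in an assumed, simplified format and applies the "lock after three failed attempts" rule from the list above, also flagging successful international calls, since those are where the unauthorized charges come from. The log format, the account numbers, and the use of +1 as the home country code are all assumptions.

```python
import re
from collections import defaultdict

MAX_FAILURES = 3          # lock an account after three failed attempts
HOME_COUNTRY_CODE = "+1"  # assumption: a US/Canadian PBX; anything else is international

# Constructed sample PBX log lines in an assumed, simplified format (not real logs).
SAMPLE_LOG = """\
2022-11-11T08:01:02Z REGISTER from=1001 src=203.0.113.7 result=auth-failed
2022-11-11T08:01:05Z REGISTER from=1001 src=203.0.113.7 result=auth-failed
2022-11-11T08:01:09Z REGISTER from=1001 src=203.0.113.7 result=auth-failed
2022-11-11T08:01:12Z REGISTER from=1001 src=203.0.113.7 result=ok
2022-11-11T08:02:00Z REGISTER from=1002 src=198.51.100.4 result=auth-failed
2022-11-11T08:02:30Z REGISTER from=1002 src=198.51.100.4 result=ok
2022-11-11T08:03:00Z INVITE from=1003 src=192.0.2.9 dst=+442071234567 result=ok
2022-11-11T08:03:30Z INVITE from=1002 src=198.51.100.4 dst=+14165550100 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>REGISTER|INVITE) from=(?P<acct>\S+) src=(?P<src>\S+)"
    r"(?: dst=(?P<dst>\S+))? result=(?P<result>\S+)$"
)

def evaluate(log_text, max_failures=MAX_FAILURES):
    """Replay the log in order; return (accounts to lock, list of alerts)."""
    failures = defaultdict(int)
    locked = set()
    alerts = []  # (timestamp, account, alert kind)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, acct, result = m["ts"], m["acct"], m["result"]
        if acct in locked:
            # Any activity on an account that should already be locked is itself suspicious
            alerts.append((ts, acct, "activity-after-lockout"))
            continue
        if result == "auth-failed":
            failures[acct] += 1
            if failures[acct] >= max_failures:
                locked.add(acct)
                alerts.append((ts, acct, "locked"))
        elif result == "ok":
            failures[acct] = 0  # a successful login resets the failure counter
            dst = m["dst"]
            if m["method"] == "INVITE" and dst and not dst.startswith(HOME_COUNTRY_CODE):
                alerts.append((ts, acct, "international-call"))
    return locked, alerts

if __name__ == "__main__":
    locked_accounts, found = evaluate(SAMPLE_LOG)
    print("lock:", sorted(locked_accounts))
    for alert in found:
        print(*alert)
```

On the sample data, account 1001 is locked by its third failure and its later successful login is reported as activity after lockout, 1002 is cleared by its successful login, and 1003's call to a +44 number is flagged as international.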

References

[1] https://cfca.org/wp-content/uploads/2021/12/CFCA-Fraud-Loss-Survey-2021-2.pdf