Toll Fraud, yep it’s still around. How to protect yourself

We’ve heard lots about toll fraud over the years…criminals hacking into your company’s voicemail and racking up thousands of dollars of long distance charges. Things have been a little quieter for the past couple of years, but toll fraud seems to have been making headlines of late. It seems that businesses closed over the Christmas holidays were irresistible to that element of society.

Here’s a synopsis on how companies are victimized, and some steps you can take to minimize the risk…

How it happens: The hacker calls into your business (sometimes it’s just random using an autodialler, sometimes you’re targeted). Once they reach the voicemail system they try to gain access to a voicemail box…either the general delivery box or an employee’s personal mailbox. They crack the password using an automated password generator, which tries every series of letters/numbers until the password is discovered. Once they’re in, it’s as simple as dialing 0 or 1 for an outside line.

Protecting yourself: The standard “answer” is to make sure your employees choose non-dictionary words and include capital and lower case letters as well as numerals. However, if the thief is using a password generation algorithm, a complex password just takes longer to crack; it doesn’t make cracking impossible. So, beyond passwords, here are some steps that actually limit what a cracked mailbox can do:

1. If feasible for your business, have your carrier restrict overseas calls. A large percentage of fraud cases involve pipelining (selling access to your line to a calling card company). If your carrier won’t limit access, you may want to find another carrier.

2. Set restrictions on your lines. Restrictions can be enabled on individual extensions or on individual lines. Make sure that any lines that don’t need to make long distance calls are restricted from dialing 011 (the international dialing prefix).

3. Disable DISA (Direct Inward System Access). This is a feature that automatically answers a line and provides a dial tone so the caller can dial an internal extension, but it can also be used to make an external call on the line.

4. Change your voicemail administration password (see a previous blog post).

0000 is just too easy to guess!
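As an added illustration of what the steps above leave you watching for in the call logs, here is a small Python check (example code, not the blog’s own) that reviews a PBX call-detail-record export and flags 011 calls from extensions that shouldn’t dial internationally, outside lines obtained through voicemail or DISA, and toll calls placed while the office is closed. The CDR layout, the extension allow list, the office hours, the holiday dates and the sample records are all constructed assumptions, not any particular phone system’s format.

```python
# Added example (not this blog's code): flag suspicious toll calls in a PBX
# call-detail-record (CDR) export. Layout, allow list, hours and dates are assumed.
from datetime import datetime, time

INTL_ALLOWED = {"101"}                      # assumed: only ext 101 may dial 011
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed local office hours
CLOSED_DAYS = {"2023-12-25", "2023-12-26"}  # assumed holiday closure

def parse_cdr(line):
    """Assumed CDR layout: <timestamp>,<ext>,<origin>,<dialed digits>,<seconds>.
    origin is PHONE (a handset), VM (voicemail out-dial) or DISA."""
    ts, ext, origin, dialed, secs = line.strip().split(",")
    return {"when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ext": ext, "origin": origin, "dialed": dialed, "secs": int(secs)}

def flags_for(call):
    """Reasons this call deserves a look; an empty list means it looks normal."""
    reasons = []
    # Step 2 of the post: extensions with no need for 011 should never dial it.
    if call["dialed"].startswith("011") and call["ext"] not in INTL_ALLOWED:
        reasons.append("011 call from extension not cleared for international")
    # Step 3: an outside line reached through voicemail or DISA is the fraud path.
    if call["origin"] in ("VM", "DISA"):
        reasons.append("outside line obtained through " + call["origin"])
    # Toll calls (011 international or 1+ long distance) while the office is closed.
    when = call["when"]
    closed = (when.strftime("%Y-%m-%d") in CLOSED_DAYS
              or not BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1])
    if closed and call["dialed"].startswith(("011", "1")):
        reasons.append("toll call placed while the office was closed")
    return reasons

def review(lines):
    """Map each CDR line that raised at least one flag to its reasons."""
    flagged = {}
    for line in lines:
        reasons = flags_for(parse_cdr(line))
        if reasons:
            flagged[line] = reasons
    return flagged

SAMPLE_CDR = [  # constructed sample records, not real traffic
    "2023-12-22 10:15:03,101,PHONE,01144201234567,240",  # cleared ext, in hours
    "2023-12-22 14:02:40,205,PHONE,5551234,60",          # ordinary local call
    "2023-12-25 02:14:07,205,VM,0119876543210,1830",     # the classic pattern
    "2023-12-26 03:05:11,0,DISA,18005551212,900",        # DISA, holiday, 1+ call
]
```

Run `review(SAMPLE_CDR)` against your own export (after adapting `parse_cdr` to its layout) and only the third and fourth constructed records come back flagged, the third for all three reasons.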