JULY 2019
PFA-SFIO
Bas A.S. van Leeuwen, LL.M., Esq.
A comprehensive approach to
deterring and preventing
Private Automatic Branch
Exchange (PABX) Fraud
White Paper
CONTENTS
Preface
Chapter 1 – Private Automatic Branch Exchange (PABX) Fraud
1.1. The Nature of Private Automatic Branch Exchange (PABX) Fraud
1.2. Who commits Private Automatic Branch Exchange (PABX) Fraud?
1.3. How do hackers get the numbers?
1.4. What do they do with these codes once fraudsters have obtained them?
1.5. Why are Private Automatic Branch Exchanges a perfect target
1.6. What are hackers looking for in your Private Branch Exchange (PBX)?
Chapter 2 – The role of Praetor Forensic Auditing
2.1. Serious Fraud Investigation Office
2.2. Create a culture of honesty, openness, and assistance
2.3. Eliminate opportunities for Private Automatic Branch Exchange (PABX) Fraud
2.4. Comprehensive approach to preventing and deterring Private Automatic Branch Exchange (PABX) Fraud
2.5. Proactive Fraud Auditing
Chapter 3 – Our Strategic Analysis, Advisory Services and Operational Support
3.1. Fraud Risk Assessment
3.2. Fraud Risk Management
3.3. Fraud Investigation
Chapter 4 – Taking action to reduce fraud risk
Contact
PREFACE
Private Automatic Branch Exchange (PABX) Fraud has serious consequences for organizations operating in an
international business environment. In such an environment, organizations are operating under serious pressure,
competition is stiff and margins are tight. This, in conjunction with trying to adapt to unfamiliar legal systems,
conventions and specific political circumstances, can make doing business in an international environment very
difficult. There is therefore much depending on whether an organization can win a contract, obtain a license or
market a product in good time.
Praetor Forensic Auditing provides the services required to help private and public organizations identify the nature and extent of the problem and deliver appropriate remedies. This publication is part of Praetor Forensic Auditing's series on Business Fraud Investigation - a comprehensive approach to deterring and preventing fraud. A more comprehensive fraud-fighting approach would involve:
- creating the right kind of modeling and tone at the top,
- educating and training employees about fraud,
- assessing risks and putting proper controls in place,
- having reporting and monitoring systems in place,
- proactively auditing for fraud and then, when fraud does occur,
- investigating and following up on the fraud.
The concepts and viewpoint presented here build upon and complement other publications in this series. To access all the white papers in the Business Fraud Investigation series, visit: www.praetor-forensics.com/whitepapers.
We encourage you to share this white paper with your colleagues.
CHAPTER 1
PRIVATE AUTOMATIC BRANCH EXCHANGE (PABX) FRAUD
1.1. The Nature of Private Automatic Branch Exchange (PABX) Fraud
A substantial increase in your telephone bill is an indication that your company could be the victim of Private Automatic Branch Exchange (PABX) fraud. Detailed billing will assist in identifying any potential unauthorised calls, usually international calls, although they can also be national calls. Another indicator is where customers trying to dial in, or employees trying to dial out, find that the lines are always busy.
Private Automatic Branch Exchange (PABX) fraud is defined as the unauthorized use of a company's phone system. It is a theft of long-distance services by (a) an unrelated third party, (b) a staff member of a long-distance carrier, local telecom or vendor, or (c) the user's own staff member.
1.2. Who commits Private Automatic Branch Exchange (PABX) fraud?
As is the case with any other unlawful act, fraudsters in this industry, who are referred to as "hackers," do it
mainly for the money. Other fraudsters do it for fun, professional challenge and/or out of boredom. Still other
fraudsters know how easy it is, know the codes, have the proper equipment and cannot resist the temptation. In
most cases, fraudsters can recognize the manufacturer/brand by the prompts and determine which password
ranges on which to concentrate. With some luck and persistence, fraudsters will "hack" into their first system
within the hour. Most of the activity is through call/sell operators in urban communities, run mainly by immigrants for immigrants who call countries like the Dominican Republic, China, Pakistan and Egypt at a rate of €10 for a 30- to 45-minute call. These telephone calls usually take place after regular business hours or on weekends, when the excessive Private Automatic Branch Exchange (PABX) traffic will go on unnoticed and uninterrupted.
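As an added illustration (not part of the white paper), the indicators from sections 1.1 and 1.2 can be checked mechanically against the detailed billing or call detail records the PABX produces: international calls placed after business hours or on weekends, and calls entering through the DISA port at those times. The CDR lines, home country code, business hours and daily threshold below are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample call detail records (not from the white paper):
# timestamp, source (extension, or "DISA" for calls that entered via the DISA port),
# dialled number in E.164 form, duration in seconds
SAMPLE_CDR = """\
2019-07-03 10:12:41,2101,+31201234567,180
2019-07-03 14:05:09,2114,+442071234567,420
2019-07-06 02:17:55,DISA,+18091234567,2400
2019-07-06 02:59:03,DISA,+18091234567,2700
2019-07-07 03:30:12,DISA,+923001234567,2100
2019-07-07 04:10:44,DISA,+861012345678,1800
"""

HOME_COUNTRY_CODES = ("+31",)     # assumption: the company is based in the Netherlands
BUSINESS_HOURS = range(8, 18)     # assumption: 08:00-17:59 local time, Monday to Friday
AFTER_HOURS_INTL_LIMIT_S = 900    # assumption: more than 15 minutes per day deserves review


@dataclass
class Call:
    when: datetime
    source: str
    dialled: str
    duration_s: int


def parse_cdr(text: str) -> List[Call]:
    calls = []
    for line in text.strip().splitlines():
        ts, src, num, dur = line.split(",")
        calls.append(Call(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, num, int(dur)))
    return calls


def is_international(call: Call) -> bool:
    return not call.dialled.startswith(HOME_COUNTRY_CODES)


def is_after_hours(call: Call) -> bool:
    # Section 1.2: fraudulent traffic typically runs after business hours or on weekends
    return call.when.weekday() >= 5 or call.when.hour not in BUSINESS_HOURS


def flag_suspicious(calls: List[Call]) -> Dict[str, List[str]]:
    """Return {day: [reasons]} for days showing the indicators in sections 1.1 and 1.2."""
    findings: Dict[str, List[str]] = {}
    intl_after_hours_s: Dict[str, int] = {}
    for c in calls:
        day = c.when.date().isoformat()
        reasons = findings.setdefault(day, [])
        if is_international(c) and is_after_hours(c):
            intl_after_hours_s[day] = intl_after_hours_s.get(day, 0) + c.duration_s
        if c.source == "DISA" and is_after_hours(c):
            reasons.append(f"DISA call to {c.dialled} at {c.when:%H:%M} outside business hours")
    for day, secs in intl_after_hours_s.items():
        if secs > AFTER_HOURS_INTL_LIMIT_S:
            findings[day].append(f"{secs // 60} min of after-hours international traffic")
    # Keep only the days that actually need review
    return {day: r for day, r in findings.items() if r}


if __name__ == "__main__":
    for day, reasons in flag_suspicious(parse_cdr(SAMPLE_CDR)).items():
        print(day, *reasons, sep="\n  ")
```

Run against the real CDR export, the same logic gives the reviewer a short daily list instead of a full bill to read. 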
1.3. How do hackers get the numbers?
There are different methods of obtaining telephone codes: (a) "dumpster divers" (fraudsters who go through your trash and look for phone bills, computer printouts or product manuals); (b) "shoulder surfers" (fraudsters who stand particularly close to you at a pay phone, in airports, bus terminals, etc., while you dial your Direct Inwards System Access (DISA) password, voice mail code or calling card number, so that they can capture your dialling sequence); or (c) hackers who publish their findings in magazines, on BBSs and even on the Internet.
1.4. What do they do with these codes once fraudsters have obtained them?
Since the primary motive is money, fraudsters look for buyers. On the streets of New York City, for example, where 60 percent of Private Automatic Branch Exchange (PABX) fraud attempts originate, a good number will go for $3,000 to $5,000 depending on the supply/demand at that time.
1.5. Why are Private Automatic Branch Exchanges a perfect target
Today's Private Automatic Branch Exchanges are feature-rich, and more and more features are developed each day as the various Private Automatic Branch Exchange (PABX) manufacturers attempt to gain a competitive edge. These features are all software, and therefore programmable, which in most cases means they can be accessed remotely. In addition, maintenance and service is provided by interconnects from remote service centres via modem lines. All of this creates a very familiar environment for the hacker to operate in, with very little risk of being identified.
1.6. What are hackers looking for in your Private Branch Exchange (PBX)?
The easiest vehicle for fraudsters is to gain control of your Direct Inwards System Access (DISA), through which a remote user can obtain an outside line from your Private Branch Exchange (PBX) by punching in some "long" authorization codes. Most companies use it for the travelling employee.
Second, fraudsters would love to "take over" your maintenance port. By controlling that port, which is the heart of
your Private Branch Exchange (PBX), fraudsters can do whatever they want, including changing your routings
and passwords and deleting/adding extensions. And, if their intent is vicious, fraudsters can actually shut down
your Private Branch Exchange (PBX) and take you out of business. Voice mail is probably the most popular
vehicle of Private Automatic Branch Exchange (PABX) fraud these days. Like Private Branch Exchanges, voice
mail systems are also very sophisticated and full of features.
A fraud perpetrator can, among other things, sit on the beach in Trinidad and Tobago and program your voice mail box in Frankfurt to place any inbound call on temporary hold, grab another line, call his cellular phone and then conference the two lines, all within seconds. Meanwhile, the caller has no idea that you are actually enjoying the sun and sipping Jamaican rum. Hackers want to use exactly that feature to forward calls to a "phantom" mail box that gives just a dial tone. Then, fraudsters dial the rest from any public phone in Washington D.C., Dubai or Amsterdam.
CHAPTER 2
THE ROLE OF PRAETOR FORENSIC AUDITING
2.1. Serious Fraud Investigation Office
Praetor Forensic Auditing is an international specialist bureau for independent forensic examination of fraud-
related crime involving complex issues of criminal law or procedure. We examine serious and complex cases of
corporate fraud, commercial fraud, insurance fraud, cheque and payment card fraud, counterfeit currency, money
laundering, computer crime and breaches of the Regulation 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and
on the free movement of such data, Official Journal No. L.119 of 4 May 2016, p. 1 et seq. (General Data
Protection Regulation).
2.2. Create a culture of honesty, openness, and assistance
Creating a culture of honesty, openness, and assistance includes three (3) factors: (1) hiring honest people and providing fraud awareness training; (2) creating a positive work environment, which means having a well-defined code of conduct, having an open-door policy, not operating on a crisis basis, and having a low-fraud atmosphere; and (3) providing an employee assistance program that helps employees deal with personal pressures.
2.3. Eliminate opportunities for Private Automatic Branch Exchange (PABX) Fraud
The five (5) ways to eliminate Private Automatic Branch Exchange (PABX) Fraud opportunities are: (1) having
good internal controls; (2) discouraging collusion between employees and customers or vendors and clearly
informing vendors and other outside contacts of your company’s policies against fraud; (3) monitoring employees
and providing a hotline (whistle-blowing system) for anonymous tips; (4) creating an expectation of punishment;
and (5) conducting proactive auditing.
2.4. Comprehensive approach to preventing and deterring Private Automatic Branch Exchange (PABX) Fraud
Most organizations do not have a comprehensive approach to preventing and deterring Private Automatic Branch
Exchange (PABX) Fraud. In fact, most companies don’t think about fraud until they experience one. When fraud
occurs, they go into crisis mode, investigate and try to resolve the fraud, and then wait until another fraud occurs.
A more comprehensive fraud-fighting approach would involve:
- creating the right kind of modeling and tone at the top,
- educating and training employees about fraud,
- assessing risks and putting proper controls in place,
- having reporting and monitoring systems in place,
- proactively auditing for fraud and then, when fraud does occur,
- investigating and following up on the fraud.
The first element of a good fraud-fighting system is having management, the board of directors, and others at the top of an organization set a positive "tone at the top." This involves two (2) steps: (1) caring enough about having a positive organization that effective fraud teaching and training is conducted throughout your organization and a well-defined corporate code of conduct is promoted, and (2) setting a proper example or modelling appropriate management behavior.
The second element of a good fraud-fighting system is educating employees and others about the seriousness of fraud and informing them what to do if fraud is suspected. Awareness training can help your organization prevent fraud and ensure that frauds that do occur are detected at an early stage, limiting financial exposure to the corporation and minimizing the negative impact on the work environment.
The third element of a good fraud-fighting system involves integrity risk assessment and having a good internal control system. Having a good system of controls means that there will be an explicit study of all frauds and why they occurred, together with implementation of the control activities necessary to prevent future occurrences of the same types of fraud. Our analysis involves determinations by people in management, the board of directors and others at the top, audit, security, human resources, control and finance of why and how the fraud occurred. Such analyses focus on the individuals who were involved, the controls that were compromised or absent, the environment that facilitated the fraud, and related factors. The results are important in understanding the kinds of preventive measures that are needed within the environment in which the fraud occurred.
The fourth element of a good fraud-fighting system includes having a system of reporting and monitoring.
The fifth element of a good fraud-fighting system involves having proactive fraud detection methods in place. Proactive fraud detection methods are not only effective in detecting fraud; knowledge of their use is also a good fraud deterrent.
The sixth element of a good fraud-fighting system involves having effective investigation and follow-up when fraud occurs. Effective investigation means your organization must have formal fraud policies stating who will carry out all elements of an investigation. Your investigation procedures must specify: (a) who will conduct the investigation, (b) how the matter will be communicated to management, (c) whether and when law enforcement officials will be contacted, (d) who will determine the scope of the investigation, (e) who will determine the investigation methods, (f) who will follow up on tips of suspected fraud, (g) who will conduct interviews, review documents, and perform other investigation steps, and (h) who will ultimately determine the corporate response to fraud, discipline, controls, etc. A strong prosecution policy must have the support of your board of directors and others at the top, who must be informed whenever someone commits fraud and is not prosecuted. The single greatest factor in deterring dishonest acts is the fear of punishment. In order to obtain cooperation from law enforcement officers and the justice system, it is almost always necessary to conduct a thorough and complete investigation (usually including obtaining a signed confession) before the overworked law enforcement agencies and criminal justice systems can accommodate the prosecution.
2.5. Proactive Fraud Auditing
Very few organizations actively audit for Private Automatic Branch Exchange (PABX) Fraud. Rather, their
auditors are content to conduct financial, operational and compliance audits and to investigate Private Automatic
Branch Exchange (PABX) Fraud only when symptoms are so egregious that fraud is suspected. Organizations
that proactively audit for Private Automatic Branch Exchange (PABX) Fraud create awareness among employees
that their actions are subject to review at any time. By increasing the fear of getting caught, proactive auditing
reduces fraudulent behavior.
CHAPTER 3
OUR STRATEGIC ANALYSIS, ADVISORY SERVICES AND OPERATIONAL SUPPORT
3.1. Fraud Risk Assessment
Our Anti-Fraud service provides an independent and objective assessment of the organization's existing anti-fraud program, identifies gaps in the existing controls and suggests measures to close those gaps.
We assist our clients in setting up a monitoring framework, developing relevant checking procedures and
identifying key risk indicators of Private Automatic Branch Exchange (PABX) fraud. We also develop training
programs for employees, and help to create a continuously evolving control environment reflective of the risk
landscape.
3.2. Fraud Risk Management
To deter the occurrence of Private Automatic Branch Exchange (PABX) fraud, we provide clients with the expertise to set up and implement a visible and transparent fraud risk management program that helps create an anti-fraud environment.
We assist private and public organizations with turning critical and complex issues into opportunities for resilience and long-term advantage. This involves identifying the modus operandi: how the Private Automatic Branch Exchange (PABX) fraud occurred, who was involved, what the extent of the losses was, and how it can be prevented from recurring.
3.2.1. Our Anti-Fraud Strategy
Our anti-fraud strategy has four (4) main components: a) Prevention, b) Detection, c) Response, and d)
Deterrence. The various elements of an effective anti-fraud strategy are closely interlinked and each plays a
significant role in combating fraud. The combination of effective fraud prevention, detection and response
measures will create an effective fraud deterrent.
3.2.2. Fraud Prevention
The attitudes within your organization lay the foundation for a high or low fraud risk environment. Where minor
unethical practices may be overlooked, larger frauds may also be treated in a similar lenient fashion. In such an
environment there may be a risk of total collapse of your organization either through a single catastrophic fraud or
through the combined weight of many smaller frauds.
A sound ethical culture and sound internal control systems are essential key components of a fraud prevention
strategy.
3.2.3. Fraud Detection
There are a range of Private Automatic Branch Exchange (PABX) fraud indicators – both warning signs and fraud
alerts – which can provide early warning that something is not quite right and increase the likelihood that the
fraudster will be discovered.
3.2.4. Fraud Response
Any organization should set out its approach to dealing with Private Automatic Branch Exchange (PABX) fraud in
its fraud policy and fraud response plan. Organizations should ensure that this includes provision for learning
lessons from fraud incidents and appropriate, prompt follow-up action.
3.3. Fraud Investigation
Fraud Investigation helps organizations manage the risks and vulnerabilities that come from global corruption, from high-profile and complex financial matters to employee, cash, cybercrime and Private Automatic Branch Exchange (PABX) Fraud.
We assist our clients with investigation of alleged fraud or corruption perpetrated against corporate and
government entities, including, but not limited to, vendor fraud, payables fraud and embezzlement. We also assist
with factual, often privileged, investigation of alleged corporate wrongdoing, including, but not limited to,
investigation of alleged financial statement misrepresentations and violations of anti-corruption regulations. Our
investigation work includes forensic imaging of computers, data analysis, collection and analysis of data,
interviews of individuals and review of documents.
CHAPTER 4
TAKING ACTION TO REDUCE FRAUD RISK
The following are some basic steps you might want to consider adopting in the fight against Private Automatic
Branch Exchange (PABX) fraud:
Education:
Firstly, get yourself and your immediate staff acquainted with Private Automatic Branch Exchange (PABX) fraud.
Periodically remind all employees who have been issued authorization codes (Direct Inwards System Access
(DISA), voice mail, etc.) of the importance of keeping these codes secret and the need to change them
frequently. Also, warn all employees about "shoulder surfers" and advise them not to write their codes in public or
yell them out in a crowded area.
Secondly, educate yourself with the many features of your Private Automatic Branch Exchange (PABX), voice
mail and/or Automatic Call Distribution (ACD). Shut down all of those not in use or not in service, and change
your PBX passwords as frequently as possible.
Ports:
Install a "dial back" modem on your maintenance port, and always have your service provider call you before
accessing your Private Automatic Branch Exchange (PABX).
Block:
Block access to destinations where your company does not do business. If circumstances do not permit this, at
least block calls to some or all of the 10 most popular fraud destinations.
Voice Mail:
Make sure your voice mail system is a "closed loop" and cannot be manipulated to get an outgoing dial tone.
Check your valid mailbox list and delete any box that is no longer in service. Disconnect callers after three
unsuccessful attempts at dialling their mailbox code. Instruct employees to change their voice mail passwords
and delete "old" messages.
Codes:
Choose random, lengthy passwords (10 digits or more) and change them frequently to make it harder for hackers to discover them. Keep these codes in a safe place and never write them on the wall next to the Private Automatic Branch Exchange (PABX).
Direct Inwards System Access (DISA):
Consider disconnecting Direct Inwards System Access (DISA). If this feature is necessary, ensure that only those
employees who have a real need for international calls will be allowed to use it.
Telecom Filtering:
More and more companies are demanding, and being provided with, extra value services from their telecom providers. Filtering and early-warning services permit the owner of the Private Automatic Branch Exchange (PABX) to limit their cost exposure to this type of crime.
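The Block, Voice Mail, Codes and DISA measures above can be written down as concrete checks a PABX administrator could apply to outbound calls, authorization codes and mailbox logins. This is an added example, not code from the white paper; the allowed destinations, the list of DISA users cleared for international calls, and the sample mailbox codes are assumed values.

```python
import secrets
import string
from typing import Dict, Optional, Tuple

# Assumed values (not from the white paper); numbers are dialled in E.164 form with country code
HOME_PREFIX = "+31"
ALLOWED_DESTINATIONS = {"+31", "+32", "+49", "+44"}   # 'Block': only countries the company does business with
DISA_INTL_USERS = {"code-2101", "code-2114"}          # 'DISA': only employees with a real need for international calls
MAX_MAILBOX_ATTEMPTS = 3                              # 'Voice Mail': disconnect after three failed mailbox codes
MIN_CODE_LENGTH = 10                                  # 'Codes': 10 digits or more


def outbound_allowed(number: str, via_disa: bool, user: Optional[str]) -> Tuple[bool, str]:
    """Decide whether an outbound call may be completed, applying the Block and DISA rules."""
    if not any(number.startswith(p) for p in ALLOWED_DESTINATIONS):
        return False, "destination blocked: company does no business there"
    if via_disa and not number.startswith(HOME_PREFIX) and user not in DISA_INTL_USERS:
        return False, "DISA caller not authorized for international calls"
    return True, "ok"


def code_is_acceptable(code: str) -> bool:
    """Reject short codes and obvious patterns (one repeated digit, ascending or descending runs)."""
    if not code.isdigit() or len(code) < MIN_CODE_LENGTH:
        return False
    if len(set(code)) == 1:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    return steps not in ({1}, {9})   # 0123456789 / 1234567890 and their reverse


def generate_code(length: int = MIN_CODE_LENGTH) -> str:
    """Random, lengthy authorization code from a CSPRNG, redrawn until it passes the checks."""
    while True:
        code = "".join(secrets.choice(string.digits) for _ in range(length))
        if code_is_acceptable(code):
            return code


class MailboxSession:
    """One caller's attempts to open a mailbox; disconnects after MAX_MAILBOX_ATTEMPTS failures."""

    def __init__(self, mailboxes: Dict[str, str]):
        self.mailboxes = mailboxes   # mailbox -> code; boxes no longer in service are simply absent
        self.failures = 0

    def attempt(self, box: str, code: str) -> str:
        stored = self.mailboxes.get(box)
        # compare_digest avoids timing differences; an unknown box is treated like a wrong code
        if stored is not None and secrets.compare_digest(stored, code):
            return "open"
        self.failures += 1
        return "disconnect" if self.failures >= MAX_MAILBOX_ATTEMPTS else "retry"
```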
CONTACT
To learn more, contact:
Bas A.S. van Leeuwen, LL.M., Esq.
Attorney at Law
Forensic Auditor
M. +31 (0) 6 8700 6770
This publication contains general information. Praetor Forensic Auditing (Serious Fraud Investigation Office) is not, by means of this
publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is
not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your
business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional
advisor. Praetor Forensic Auditing (Serious Fraud Investigation Office) shall not be responsible for any loss sustained by any person who
relies on this publication.
Copyright © 2019 Praetor Forensic Auditing, All rights reserved.