CPE-PBX Fraud Management Guide and Checklist


7/27/2019 CPE-PBX Fraud Management Guide and Checklist

AssuringBusiness all rights reserved

CPE/PBX Fraud Management Checklist

An Overview of Key CPE/PBX Fraud Management Controls


Every business user of PBX, IVR, Voicemail and other telecommunications equipment, products and services is exposed to telecoms fraud. There's no need to wait for the bang. Take some immediate steps to control the risk; use this guide and checklist to start and defuse the problem.

    Problem Snapshot

Many businesses utilise telecoms equipment for their offices and customer contact channels, such as PBX/PABX (Private Branch Exchange), Voicemail and Interactive Voice Response (IVR) systems; collectively CPE (Customer Premises Equipment) as it's known in the telecoms industry.

But many do not realise how these systems might expose them to significant losses from telecoms fraud. Fraud attacks can affect all enterprises: corporates, government and SMEs, in fact anyone who utilises CPE/PBX, even home-based consumers. Direct costs typically run from US $10k to $100k, but can run to millions of dollars on a single major attack.

The really scary part is that, in most cases, the user will be liable for the charges incurred; CPE/PBX users are generally held responsible for its security and operation. These charges are huge when including fraud, and you'll be lucky to get any waiver from your telecoms service provider.

In the main, CPE/PBX frauds focus on trafficking illicit international or premium rate calls. But depending on the nature of the attack, the direct losses are not the only issue. Often an attack can cause business operations to grind to a halt, affecting sales and revenues. Or customers may be turned away because of IVR or voicemail hacking.

There are many attack variants, each with different impacts. Go to www.assuringbusiness.com and follow the links to CPE Fraud Business Impact for more detailed information on how your business might be attacked and affected.

    This Guide & Checklist

This document provides a very brief overview of some risk management steps to consider, and a checklist to help steer the way. However, it's important to know that every business environment is different, and so this document is merely a high-level guide to cover some of the common challenges and management opportunities. Every business should examine its own specific risks and control opportunities in detail to arrive at a plan that tackles their specific issues comprehensively.

Businesses need to be informed of their risks, and active in their risk management practices. Failure to review, plan and act on such risks can lead to significant economic loss, and the possibility of critical business disruption. Why take the risk?

AssuringBusiness is here to guide and advise in all of your CPE/PBX fraud management activities, and provide the tools to help. Drop us a line at [email protected] if you'd like a little more information on what we can do to help you defuse the problem.

Dean Smith
CEO, AssuringBusiness
Partnering in Profitability


Failure to act proactively to prevent, detect and manage telecoms fraud can have a devastating economic and operational effect.

    CPE Fraud Management: Six Key Steps

1. Review access security protocols. Request information from the CPE supplier and/or maintainer regarding the exact nature of security protocols deployed on the CPE/PBX, ensuring that common or easily guessed access credentials are NOT used on any channel. The business should determine whether the nature of the access controls is consistent with their own security policies or expectations. Ideally, multi-authentication access controls should be deployed, incorporating some form of one-time password token.

2. Configure the CPE/PBX to reduce risk. Work with the telecoms manager and system maintainer to review and deploy sensible CPE configurations and options to limit risk. Consider what features the business really needs and the nature of user interface controls such as PINs. Continuously review and audit this configuration to identify changes that may present a risk.

3. Monitor usage, or seek protection. Investigate fraud and usage monitoring options on the CPE itself (e.g. utilising the call records and logs generated by the CPE). But also check with the network operator/service provider; they may offer a fraud protection service, or may consider introducing one if demand is sufficient. Businesses may also consider creating their own fraud control software if they have access to the appropriate data.

4. Deploy specialist anti-fraud tools. Consider the deployment of special fraud control platforms as an adjunct to the CPE, ideally to prevent fraud opportunities, or utilising a call-accounting package that provides fraud monitoring reports. These tools take many forms and may be available via the CPE provider or direct from specialist vendors.

5. Understand liability. Check terms and conditions of service and supply in all aspects of the telecoms environment (hardware, connectivity, usage etc.) to determine liability for issues should they occur. Businesses should be aware of the risks, and these may be tracked in their enterprise risk management or Business Assurance plan.

6. Review telecoms service billing. Check all service bills thoroughly to determine whether the business has fallen victim to fraud (or other over-charging) that has not been detected. Pay particular attention to higher-cost services, or unusual service usage patterns. Most network operators/service providers have standard processes for managing enquiries or claims for fraud if the business believes it has been a victim.


The CFCA estimates CPE/PBX Fraud to be costing around US $4.42 billion annually.

In the same survey, the total global losses to telecoms fraud are estimated to be US $46.3 billion, a year-on-year increase of 0.21% from 2011.

    Checklist

    Ownership, Policy and Awareness

Make somebody, perhaps the Telecoms or IT Security Manager, responsible for maintaining the security of your CPE/PBX platforms. Ensure that they develop a good understanding of the risks and management opportunities.

Ensure you have a company telecoms security and user policy and that it is communicated effectively. The policy should align with existing security and employee policies.

Understand your liability in case there is fraud. Plan ahead. Track the risk on the Enterprise Risk Management or Business Assurance plan.

Educate your employees on the fraud potential; show them what to look out for and how they can help, including how to spot social engineering and similar con artists. In particular, watch out for bogus callers asking to be connected to the switchboard operator while posing as a company employee, for collect calls, and for requests for information from pseudo officials.

Treat internal telephone directories, user guides, system administration manuals and system admin reports as confidential information. Dispose of them securely.

Strictly control access to the equipment itself. Not only could it be configured for fraud, but circuit boards and components are high-value commodities susceptible to theft.

Access and Feature Control and Use

Strictly control access to your system's remote maintenance port. Use multi-authentication and one-time password tokens where possible.

Ensure that any system passwords are changed after installation (often default codes are left in place) and that these are changed regularly, preferably monthly, and when personnel change.

Ensure that passwords/access credentials are considered and formatted to enhance security (e.g. no repeats or sequences, adequate length and character mix, no easy-guess or common formats etc.). The structure should align with the security principles of your other sensitive systems.

Always protect any necessary risky features with PIN/access codes - the longer the better - and do not allow easy-guess PINs/codes.
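The two checklist items above describe the credential format rules in words. The following is an added example, not code from the guide or from AssuringBusiness, of how a telecoms or IT security manager might encode those rules as a check run over proposed PINs and administrative passwords before they are issued. The rule names, the minimum lengths, the "matches extension" rule and the COMMON_CODES sample list are all assumptions made for the example.

```python
# Added example (not from the guide): a checker for the credential-format rules in the
# checklist. Rule names, thresholds and the COMMON_CODES sample are assumptions.
import re
from typing import List, Optional

# Constructed sample of frequently chosen codes; a deployment would load a fuller list.
COMMON_CODES = {"0000", "1111", "1234", "4321", "2580", "1212", "000000", "111111", "123456"}


def _is_sequence(s: str) -> bool:
    """True if every adjacent character steps by exactly +1 or -1 (e.g. 2345, 9876, abcd)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def _contains_sequence(s: str, window: int = 4) -> bool:
    """True if the whole code is a sequence, or any 4-character window of it is."""
    if len(s) <= window:
        return _is_sequence(s)
    return any(_is_sequence(s[i:i + window]) for i in range(len(s) - window + 1))


def _is_repeating_block(s: str) -> bool:
    """True if the code is one short block repeated (e.g. 7777, 1212, 123123)."""
    n = len(s)
    return any(n % size == 0 and s[:size] * (n // size) == s for size in range(1, n // 2 + 1))


def check_pin(pin: str, min_length: int = 6, extension: Optional[str] = None) -> List[str]:
    """Return the policy rules a numeric PIN / access code breaks (empty list = acceptable)."""
    issues: List[str] = []
    if not pin.isdigit():
        return ["non_numeric"]
    if len(pin) < min_length:
        issues.append("too_short")
    if _is_repeating_block(pin):
        issues.append("repeating_pattern")
    if _contains_sequence(pin):
        issues.append("sequence")
    if pin in COMMON_CODES:
        issues.append("common_code")
    if len(set(pin)) < 3:
        issues.append("low_variety")
    # Assumption: a PIN built from the user's own extension number is easily guessed.
    if extension and (extension in pin or extension[::-1] in pin):
        issues.append("matches_extension")
    return issues


def check_password(password: str, min_length: int = 12) -> List[str]:
    """Return the rules an administrative password breaks: length, character mix, patterns."""
    issues: List[str] = []
    if len(password) < min_length:
        issues.append("too_short")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("low_character_mix")
    if _is_repeating_block(password.lower()):
        issues.append("repeating_pattern")
    if re.search(r"(.)\1\1", password):
        issues.append("repeated_character")
    if _contains_sequence(password.lower()):
        issues.append("contains_sequence")
    return issues


if __name__ == "__main__":
    for code in ("1234", "7777", "8531947"):
        print(code, check_pin(code, min_length=4) or "ok")
    print(check_password("abcd1234") or "ok")
```

The checker returns rule names rather than a pass/fail boolean so the same function can drive both a rejection message at issue time and a periodic audit report listing which existing codes break which rule.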

Avoid using tones to prompt for PIN entry - many hacking programs listen for this.

Secure the storage and distribution of PINs, passwords etc. within your company.

Prompt Voicemail users to record daily greetings - it will be easier to spot seized mail-boxes. Lock surplus mail-boxes until allocated to users.

When employees leave, disable their services, lock mail-boxes and revoke all system access codes.

    CPE Configuration

De-activate all unnecessary features. Only enable what you really need. Especially consider deactivating DISA (Direct Inward System Access) and voicemail features that allow calls to be routed/diverted through your systems.

Bar calls to international and Premium Rate Service (PRS/Audiotext) and common Revenue Share destinations as standard. Allow access only on specified business need.

Ensure that automated answering equipment does not allow access to dial tone.

Look for telephone extensions diverted to long distance or international destinations (particularly those not in use for long periods). A local call to the extension will onward connect.

Implement controls to ensure that new system features or changes to the existing configuration do not compromise security.

Review system configuration and security regularly. Follow up on any irregularities.

    Monitoring and Control

Always check your CPE usage logging reports or itemised bills for suspicious activity and investigate anomalies. Remember that a total absence of usage is also suspicious where some activity is expected.

Review CPE/PBX audit logs to monitor and identify high-risk configuration or security changes or events.

Some systems allow for alarms to be raised if usage exceeds a defined parameter, e.g. call duration. If available, use these facilities to monitor and/or block suspicious activity.

Consider using call-accounting packages or specialist fraud control bolt-on tools to proactively prevent and/or detect fraud attack.

Have clearly defined and communicated reporting and response mechanisms in place to control risks, including outside office hours.
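Step 3 of the six key steps (monitoring the call records the CPE generates), step 6 (reviewing bills for unusual usage) and the Monitoring and Control checklist above all come down to the same review of call detail records. The following is an added example, not code from the guide or from AssuringBusiness, of a first-pass review that applies the checklist's own rules: calls to international and premium rate destinations that should have been barred, calls exceeding a duration alarm, out-of-hours activity, a run of out-of-hours international calls from a single extension, and the checklist's point that an extension showing no usage at all is also suspicious. The CSV column layout, the policy thresholds and prefixes, and the sample call records are all constructed for the example and do not describe any particular PBX's export format.

```python
# Added example (not from the guide): a first-pass review of a PBX call-detail-record (CDR)
# export against the checklist's monitoring rules. The CSV layout, the policy thresholds and
# the sample calls below are all constructed assumptions, not a real PBX format.
import csv
from collections import Counter
from datetime import datetime, time
from io import StringIO
from typing import Dict, List, NamedTuple, Set

# Constructed sample export. Numbers use UK-style fictional ranges (01632 960xxx,
# 020 7946 0xxx, 0909 879xxxx) and an unassigned country code (999) so nothing is real.
SAMPLE_CDR = """\
start,extension,dialled,duration_s
2019-07-22 09:12:04,2101,02079460123,184
2019-07-22 11:40:51,2104,00441632960999,65
2019-07-22 23:58:10,2107,00999123456781,3605
2019-07-23 00:41:33,2107,00999123456782,3590
2019-07-23 02:03:07,2107,00999123456783,3620
2019-07-23 10:15:22,2101,09098790123,420
"""


class Finding(NamedTuple):
    rule: str
    extension: str
    detail: str


# Review policy: the barring, duration-alarm and out-of-hours rules from the checklist.
POLICY: Dict = {
    "international_prefixes": ("00", "+"),      # how this PBX records international dialling
    "premium_prefixes": ("09",),                # premium rate / revenue-share ranges to flag
    "max_duration_s": 1800,                     # alarm threshold for a single call
    "office_hours": (time(8, 0), time(18, 30)),
    "expected_active": {"2101", "2104", "2107", "2110"},  # extensions that should show traffic
    "burst_threshold": 3,                       # out-of-hours international calls per extension
}


def is_out_of_hours(start: datetime, policy: Dict = POLICY) -> bool:
    """Weekend, or a weekday start time outside the configured office hours."""
    open_t, close_t = policy["office_hours"]
    return start.weekday() >= 5 or not (open_t <= start.time() <= close_t)


def review_cdr(cdr_text: str, policy: Dict = POLICY) -> List[Finding]:
    """Flag calls the barring, duration and out-of-hours rules should have caught,
    plus extensions that show no usage at all where activity is expected."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    ooh_international: Counter = Counter()
    for row in csv.DictReader(StringIO(cdr_text)):
        ext, dialled = row["extension"], row["dialled"]
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        duration = int(row["duration_s"])
        seen.add(ext)
        detail = f"{row['start']} to {dialled} ({duration}s)"
        international = dialled.startswith(policy["international_prefixes"])
        out_of_hours = is_out_of_hours(start, policy)
        if international:
            findings.append(Finding("international", ext, detail))
        if dialled.startswith(policy["premium_prefixes"]):
            findings.append(Finding("premium_rate", ext, detail))
        if duration > policy["max_duration_s"]:
            findings.append(Finding("long_duration", ext, detail))
        if out_of_hours:
            findings.append(Finding("out_of_hours", ext, detail))
        if international and out_of_hours:
            ooh_international[ext] += 1
    # A run of out-of-hours international calls from one extension is the classic pattern.
    for ext, n in sorted(ooh_international.items()):
        if n >= policy["burst_threshold"]:
            findings.append(Finding("burst", ext, f"{n} out-of-hours international calls"))
    # The checklist's point that silence is also suspicious where activity is expected.
    for ext in sorted(policy["expected_active"] - seen):
        findings.append(Finding("no_usage", ext, "no calls recorded"))
    return findings


def rule_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings by rule, for a quick daily report."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in review_cdr(SAMPLE_CDR):
        print(f"{f.rule:14} ext {f.extension}: {f.detail}")
    print(rule_counts(review_cdr(SAMPLE_CDR)))
```

Run daily against the CPE's CDR export (or against the itemised bill once it arrives) and route anything in the burst, long_duration or no_usage categories to the out-of-hours contact named in your reporting mechanism, since the sample shows the pattern the guide warns about: the costly calls start late at night, after the office has emptied.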


    About AssuringBusiness

AssuringBusiness delivers Business Assurance Solutions and Services. Operating globally, we are a Business Assurance thought-leader.

Business Assurance manages risk whilst leveraging organisation, technology and operations to enable sustainable business growth, performance and profitability.

Good Business Assurance does not slow an enterprise down, it helps it move faster; strengthening revenues, reducing costs and enhancing customer experience while maintaining a sensible risk balance.

AssuringBusiness expertise is often combined with established and specialised technologies, or simply applied to improve existing business infrastructure and processes. Our innovative yet pragmatic approach is profiting our clients by millions of dollars every year.

Offerings include advisory, right-sourcing and human capital services alongside a rich portfolio of leading-edge technologies, some in collaboration with other dynamic vendors to further optimise client investment.

AssuringBusiness senior resources have been applying their specialised domain knowledge, including supporting the fight against CPE/PBX Fraud around the world, for over 24 years.

If your business would like to understand its telecoms risks, raise fraud awareness, or put in place a risk management strategy, drop us a line at [email protected]

    Or go to www.assuringbusiness.com to learn more.

    Partnering in Profitability


Partnering in Profitability

Business Assurance Solutions and Services

Revenue Assurance | Fraud Management | Receivables Management | Security

    [email protected]

    Offices or representatives:

    London | Mumbai | Singapore | Kuala Lumpur | Dubai | Sao Paulo | Washington DC