Nadine Speirs, president of Metal Depot, seen here on July 31, 2019, shows the very large company phone bill she received from Bell.JOHN WOODS/The Globe and Mail
Some Canadian small-business owners are calling on the country’s largest telecommunications companies to do more to protect customers from being hacked by scammers who rack up tens of thousands of dollars in fraudulent long-distance calls by infiltrating their voicemail systems.
Nadine Speirs, owner of Winnipeg-based Metal Depot Ltd., said she received a 430-page bill from Bell MTS Inc. in May for more than $61,000 in calls abroad stemming from hacking that occurred in April and early May.
“I shouldn’t have to mortgage my house to pay a phone bill,” Ms. Speirs said.
Ms. Speirs said Bell offered to reduce her bill to $17,000, which she could pay in installments. But she still thinks that’s too high.
“I would rather pick up my phone and have it dead than have [this bill],” she said. “If it weren’t so tragic, it would be comical how poorly they have dealt with this.”
Scammers also targeted Durga Liske, Winnipeg-based owner of Daher Manufacturing Inc., around the same time. His bill after the hack totalled more than $12,000, while his usual bill is less than $200.
The scheme is a type of toll fraud called “personal branch exchange” (PBX) hacking. A PBX system allows a business to have a central number and multiple telephone lines with their own extensions and voicemail lines. But, according to a blog post from Bell, the voicemail system is a vulnerable point because it allows pass-code access to the PBX system so employees can check their messages remotely.
PBX hacking is relatively straightforward to execute, according to Luigi Calabrese, president of Toronto-based Frontier Networks Inc.
First, scammers call a business number, often after hours when they know no one is there. Then, they try password combinations to hack into the PBX system, often using an automated program. Businesses can be vulnerable if their voicemail PINs are easy to guess – either a series of easy numbers or the last four digits of their phone number.
“If I have your business card, I have your PIN,” Mr. Calabrese said.
Once someone has access to a PBX system remotely with its pass code, they can command it, often through a series of star or hash symbols, to do different things, Mr. Calabrese said. For example, hackers can make target phones call far-away places or premium numbers.
Mr. Calabrese suggested too-cheap-to-be-true, long-distance and conference calling rates advertised online could be using hacked lines as part of their business model. He also thought robo-call scams could be using fraudulent methods like these to make calls.
The Communications Fraud Control Association estimated in its 2017 fraud survey that PBX hacking accounted for US$1.94-billion in global losses. The survey also suggested PBX hacking was one of the most common types of telephone fraud. These types of scams have been affecting Canadians for at least a decade, according to the Canadian Anti-Fraud Centre.
Gord Cowan, president of a consulting business in Oakville, Ont., was the victim of a similar hack in 2009. His business phone provider, Bell Canada, decreased Mr. Cowan’s $75,000 bill for fraudulent calls abroad to about $7,000.
A decade after speaking to a local newspaper, Mr. Cowan said he still gets people who were targeted by similar scams reaching out every couple of months asking for help.
“I told them hang on for the ride,” he said. “It’s not going to be pretty.”
Telecommunications companies aren’t obliged to cover fraud as credit-card companies are, which leaves customers on the hook. Bell, Rogers and Shaw have pages on their websites affirming that customers are responsible for long-distance charges incurred from toll fraud.
Marc Choma, a Bell spokesperson, said the company has systems in place to detect and shut down fraudulent activity, but that scammers are always developing new tactics and can run up charges very quickly before Bell notices.
“This type of long-distance fraud can occur when a customer fails to properly protect their third-party PBX system,” he said.
Bell advises customers to change and strengthen the default passwords on their equipment and limit access to their telecom systems as security measures.
“Our terms of service also make clear that it is the customer’s responsibility to protect the systems they own from fraud,” Mr. Choma said.
But Bell will work with victims to reduce charges if possible, he added. That “usually also means additional costs for Bell, as we are still responsible for payments to any international long-distance providers whose services were used in the fraudulent activity.”
To protect themselves, business owners should consider:
- Blocking long-distance calls outside normal operating hours.
- Changing voicemail passwords periodically and avoiding ones that are easily guessed or the same as the phone’s extension.
- Deactivating unassigned voicemail boxes.
- Restricting the number of times someone can try to enter a voicemail password.