Better Business Bureau (BBB) serving Nebraska, South Dakota, The Kansas Plains and Southwest Iowa is warning about a relatively new kind of voice mail fraud that allows hackers to use a voice mail system and the default password to accept calls without the knowledge or permission of the business or the consumer.
An Omaha company told BBB that they received a call from the fraud department of their phone service provider. The business owner was informed that international calls had been made from their phone. This came as a surprise because the company does not make international calls and could not believe that this was a legitimate notification from their phone company. The owner called the phone company back, and it was confirmed that there were international calls charged to their account. To stop this, the business placed an “international call hold” on their phone system.
Approximately three weeks after the fraud notification, the business got its phone bill and found a charge of $300 for international calls that were placed the day before they were notified of fraud on their account. By researching this situation, the company found that the phone line had been accessed through their conferencing phone feature. They also learned that the service provider is not responsible, and the changes had to be paid by the customer.
According to the Federal Communications Commission (FCC), this scam is carried out by hackers who call into a voice mail system and search for voice mailboxes that still have the default passwords active or have passwords with easily guessed combinations like 1-2-3-4, 1-1-1-1 or the last four digits of the local phone number.
“Hackers know these common default passwords and keep trying them until they are able to break into the phone system,” stated BBB President and CEO Jim Hegarty. “They can tell what voice mail system is being used by listening to the prompting pattern. After finding the default password, the hackers look for a mailbox they can access. Once connected, the hacker uses the connection to make multiple international calls.”
Although this fraud usually occurs on business voice mail systems, consumers with residential voice mail could also be targeted. FCC reports that this kind of fraud frequently originates in and/or routed through the Philippines or Saudi Arabia, and they usually occur during holidays or on weekends, when a business is closed so the changing of the outgoing message goes unnoticed.
To avoid becoming a victim of this scam, the FCC recommends voice mail users to:
- Always change the default password from the one provided by the voice mail vendor.
- Choose a complex voice mail password of at least six digits, making it more difficult for hackers to detect.
- Change your voice mail password frequently.
- Don’t use obvious passwords such as an addresses, birth dates, phone numbers or repetitive or successive numbers.
- Check your recorded announcement frequently to make sure that the greeting is yours.
- If possible, consider blocking international calls.
- Consider disabling the remote notification, auto-attendant, call-forwarding and out-paging capabilities of voice mail if these features are not used.