
Back to Basics: Business Phone System Attacks

By Tony Maher, Director Operations and Membership Services, the Telecommunications UK Fraud Forum (TUFF)

“Like it or not, we live in interesting times,” Robert F. Kennedy said in his Day of Affirmation Address at the University of Cape Town, South Africa on 6 June 1966. How appropriate his observation remains nearly half a century later, as our lifestyles and work methods have been profoundly revised to cope with the COVID-19 pandemic.

Plenty has been written on security awareness when working from home, dealing with the demands of working parents, gaming children, and the use of social media within the same household (often concurrently). The threats of email scams, ransomware, smishing, phishing and the like are still with us, often with a COVID-19 slant rather than any novel form of delivery.

Going back to fundamentals, businesses also remain vulnerable to attacks against their phone systems: both Private Branch Exchanges (PBX) — see note 1 — and Internet Protocol Private Branch Exchanges (IPPBX) — see note 2. These types of attack are not new but, with fewer business premises manned, fraudsters have many more opportunities to carry out strikes that would, historically, have been perpetrated over holidays, on weekends, and outside working hours.

No business or organisation (of any size) is immune to this type of fraudulent attention. It works like this (based on real events):


As a result of the COVID-19 crisis, staff at an SME (small or medium-sized enterprise) closed up the office on a Friday to work from home, self-isolate, or go on furlough. The office telephone system (PBX/IPPBX) was switched to automatic.

On the following Friday, the regular quarterly telephone bill arrived showing more than £50k worth of calls. The normal quarterly bill for this company would be around £10k.

Conversation with the telephone service provider established that the bill was correct and accurately reflected traffic over the period. International calls to the value of more than £40k had been made over the first few days of the PBX being switched to automatic.

What Happened

The PBX was hacked by fraudsters/organised crime, who called international high revenue numbers (from which they received a very high percentage of call revenue).

Hacking in this case was remote but could have easily involved social engineering to establish passwords and office routines. The hackers took advantage of reduced manning due to COVID-19.


  • Utilise all available PBX/IPPBX security mechanisms — understand the capabilities of your system — test them regularly
  • Use a secure password — absolutely not the default supplied with the system — change it frequently
  • Ensure a physical PBX is in a secure location — restrict access to reduce insider threat
  • Set the firewall on an IPPBX to only allow traffic from specific, trusted IP addresses or IP address ranges
  • Do not allow firewall ports to be opened either intentionally or by accident
  • Set a spending cap on outgoing calls
  • Monitor your systems — don’t just assume all is well
  • Fraudsters have always been and will always be with us. As opportunists, they can be disrupted by putting robust security measures in place
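
One way to act on the "set a spending cap" and "monitor your systems" advice above, as an added example that is not from the original article: a Python check over a call-detail-record (CDR) export that flags days whose spend exceeds a cap and international calls placed outside office hours. The CSV column names, the cap (twice the average day of the roughly £10k quarter in the case study), the office hours and the sample records are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export (not real data). Column names are assumptions:
# start time, dialled number, duration in seconds, cost in GBP.
SAMPLE_CDR = """start,dialled,duration_s,cost_gbp
2020-03-27 10:15:00,01614960123,300,0.40
2020-03-27 16:40:00,00999000000001,600,3.10
2020-03-28 02:05:00,00999000000002,3400,410.00
2020-03-28 02:07:00,00999000000002,3500,425.50
2020-03-28 03:30:00,00999000000003,3600,440.00
2020-03-30 11:00:00,02079460000,120,0.15
"""

DAILY_CAP_GBP = 10_000 / 91 * 2   # assumed: twice the average day of a ~£10k quarter
OFFICE_HOURS = range(8, 18)       # assumed: 08:00-17:59, Monday to Friday


def is_international(number):
    """UK dialling: an international call starts with 00 or +."""
    return number.startswith("00") or number.startswith("+")


def out_of_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS


def review_cdr(text, daily_cap=DAILY_CAP_GBP):
    """Return (days over the spending cap, out-of-hours international calls)."""
    spend = defaultdict(float)
    suspicious = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        cost = float(row["cost_gbp"])
        spend[ts.date().isoformat()] += cost
        if is_international(row["dialled"]) and out_of_hours(ts):
            suspicious.append((row["start"], row["dialled"], cost))
    over_cap = {day: round(total, 2) for day, total in spend.items() if total > daily_cap}
    return over_cap, suspicious


if __name__ == "__main__":
    over_cap, suspicious = review_cdr(SAMPLE_CDR)
    for day, total in over_cap.items():
        print(f"ALERT {day}: £{total} spent, cap is £{DAILY_CAP_GBP:.2f}")
    for start, number, cost in suspicious:
        print(f"REVIEW {start}: out-of-hours international call to {number} (£{cost})")
```

Run daily against the provider's or PBX's CDR export, a check like this would surface the weekend burst in the sample on the first day rather than when the quarterly bill arrives.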