Common telephone cybersecurity risks for businesses

team working on headset telephones

Posted on April 5, 2022 by Rob May

When answering the phones, being scammed is easier than you may realise. What seems like a harmless business call could lead to an employee giving away confidential company information and buying time for hackers to gain access to your system.

From revealing passwords, bank details or sensitive information regarding the whereabouts of certain files or systems, telephone calls can reveal a lot about a business and cost them millions.

So, what are common telephone cybersecurity risks, and how can companies be aware of them, and train their staff to spot potentially dangerous calls?

Common telephone cybersecurity risks

Telephony can often be overlooked or even ignored by cybersecurity strategies, but it’s an easy way for criminals to gain access to important files and information that can lead to breaches.

Common hacks and risks include:

  1. DoS (Denial of Service) Attacks
  2. Vishing
  3. Toll Fraud
  4. Eavesdropping
  5. Smishing

1. DoS (Denial of Service) attacks

What is it? Denial of Service (DoS) is a simple yet effective hack that involves flooding a network with calls or call signals to bring it down.

Who does it affect? Any business with a phone number. You don’t need to have a lot of extensions to be affected either.

What happens during a DoS attack? A hacker will flood a network, whether this is a phone number, domain, or broadband address, with incomplete call requests, causing the telephone service to become overwhelmed, and bringing the service down or making it increasingly slow.

How do I prevent it? You can help to prevent DoS attacks by limiting the number of people who can access a server, and ensure you have good encryption in place. However, sometimes DoS attacks happen regardless.

2. Vishing attacks

What is Vishing? It’s the voice-based counterpart of phishing and uses scam calls to try and get company details or important information.

Who does it affect? Vishing attacks commonly attack high-value industries, where company information could be worth millions. However, anyone could be vulnerable to a vishing attack.

How does vishing happen? Vishing will happen, commonly, in one of two ways:

  1. A phone call is made to a number, trying to trick staff to share confidential information such as passwords.
  2. An email is sent, saying an account has been compromised, and the recipient is told to ring a number to recover the account. When the number is rung, an automated response is played, asking the person to share account information.

How can I prevent a vishing attack? When it comes to prevention, educating staff is critical. Train your staff to be your human firewall and alert them to popular scam attacks, so they can read the signs of a cyber scam before it happens.

3. Toll fraud

What is it? Toll fraud occurs when hackers use a phone line to make calls to premium rate numbers continually. It’s successful because the hacker gets revenue share of each premium call rate made.

Who does it affect? This will affect anyone who can make a call to the public telephone network.

How does toll fraud happen? Some toll fraud happens through vulnerable phone systems, where a hacker will access a phone number and sell codes for dial-in access to allow people to use a company phone line to ring premium rate numbers.

The other type of toll fraud happens through modern telephone systems, where unsecure access to a phone system allows a hacker to log in and make hidden calls to premium rate numbers. Unless a company regularly checks their phone bill, it can go undetected for weeks.

How to prevent toll fraud: Limit the number of international calls someone can make and limit the spend in each country to prevent excessive spend. A regular budget review of phone spend, as well as tech audits, can help to uncover issues.

4. Eavesdropping

What is eavesdropping in telecoms? On phone lines that aren’t secure, anyone could, theoretically, listen in to your conversation without you knowing.

Who does it affect? Anyone could be at risk of this type of scam. Eavesdropping technology is used by governments, but any hacker could access any phone call at any point in time.

How does it work? All phone calls are transmitted through a phone line, and if that line isn’t secure, or a rogue employee gives someone access, then anyone can listen in to a phone call, and steal important information.

Ways to prevent eavesdropping: Use a secured phone line, and never share sensitive data over the phone.

5. Smishing

What is smishing in telecoms? Smishing is when a malicious text message is sent to a number, often pertaining to collecting information around tax or bank details, or getting you to send over sensitive information, such as healthcare or addresses.

Who does it affect? Smishing is targeted at mobile phone users, and when a mobile phone number is public, such as a work number, this can put a number at greater risk.

How does it work? A malicious text is received which contains a link that either contains a form designed to steal information, or a virus that is installed on a phone.

Ways to prevent smishing: Training is one core way to ensure that people know what to look out for. Similarly, by setting up spam filters and blocklists on your phone, you can remove known spam. Another part of this is being aware of genuine messages, and what isn’t a genuine message. As a general rule of thumb, never click on a link if it seems too good to be true.

How ramsac can help

ramsac provide cybersecurity training for teams and companies looking to create a human firewall and educate their staff on common scams and attacks. As with any ramsac service, everything we do is jargon-free, and helps to make IT simple.

If you’re looking for a jargon-free cybersecurity training company, get in touch today.

Related Posts

  • How to set up a secure password policy in Microsoft 365
    March 6th, 2024

    How to set up a secure password policy in Microsoft 365

    Cybersecurity

    Discover the essentials of a robust password policy for cybersecurity in Microsoft 365. Learn what to include and what to avoid. Read the blog today. [...]

    Read article

  • A guide to sensitivity labels and how to apply them
    March 4th, 2024

    A guide to sensitivity labels and how to apply them

    Cybersecurity

    Sensitivity labels allow you to manage, organise, and protect sensitive emails, files, and documents as part of the Microsoft 365 suite. Read on. [...]

    Read article

  • MFA vs 2FA: What’s the Difference?
    March 1st, 2024

    MFA vs 2FA: What’s the Difference?

    Cybersecurity

    Features like user facial recognition that are difficult to replicate means multi-factor authentication offers more cybersecurity layers than two-factor authentication. Find out more. [...]

    Read article

  • Happy Birthday secure+: How our cybersecurity solution has detected over 8000 cybersecurity alerts in one year
    February 23rd, 2024

    Happy Birthday secure+: How our cybersecurity solution has detected over 8000 cybersecurity alerts in one year

    Cybersecurity

    secure+ has detected and responded to over 8000 security alerts in its first year [...]

    Read article

  • MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.
    February 6th, 2024

    MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.

    Cybersecurity

    MFA Fatigue is a problem organisations need to be aware of, in this blog we break down why and what organisations can do to combat it. [...]

    Read article

  • Data Protection Day – Protecting your information on social media.
    January 28th, 2024

    Data Protection Day – Protecting your information on social media.

    Cybersecurity

    The 28th of January is Data Protection day, to mark this day we have created a blog with tips on how people can keep their personal data safe on [...]

    Read article