Common telephone cybersecurity risks for businesses

team working on headset telephones

When answering the phones, being scammed is easier than you may realise. What seems like a harmless business call could lead to an employee giving away confidential company information and buying time for hackers to gain access to your system.

From revealing passwords, bank details or sensitive information regarding the whereabouts of certain files or systems, telephone calls can reveal a lot about a business and cost them millions.

So, what are common telephone cybersecurity risks, and how can companies be aware of them, and train their staff to spot potentially dangerous calls?

Common telephone cybersecurity risks

Telephony can often be overlooked or even ignored by cybersecurity strategies, but it’s an easy way for criminals to gain access to important files and information that can lead to breaches.

Common hacks and risks include:

  1. DoS (Denial of Service) Attacks
  2. Vishing
  3. Toll Fraud
  4. Eavesdropping
  5. Smishing

1. DoS (Denial of Service) attacks

What is it? Denial of Service (DoS) is a simple yet effective hack that involves flooding a network with calls or call signals to bring it down.

Who does it affect? Any business with a phone number. You don’t need to have a lot of extensions to be affected either.

What happens during a DoS attack? A hacker will flood a network, whether this is a phone number, domain, or broadband address, with incomplete call requests, causing the telephone service to become overwhelmed, and bringing the service down or making it increasingly slow.

How do I prevent it? You can help to prevent DoS attacks by limiting the number of people who can access a server, and ensure you have good encryption in place. However, sometimes DoS attacks happen regardless.

2. Vishing attacks

What is Vishing? It’s the voice-based counterpart of phishing and uses scam calls to try and get company details or important information.

Who does it affect? Vishing attacks commonly attack high-value industries, where company information could be worth millions. However, anyone could be vulnerable to a vishing attack.

How does vishing happen? Vishing will happen, commonly, in one of two ways:

  1. A phone call is made to a number, trying to trick staff to share confidential information such as passwords.
  2. An email is sent, saying an account has been compromised, and the recipient is told to ring a number to recover the account. When the number is rung, an automated response is played, asking the person to share account information.

How can I prevent a vishing attack? When it comes to prevention, educating staff is critical. Train your staff to be your human firewall and alert them to popular scam attacks, so they can read the signs of a cyber scam before it happens.

3. Toll fraud

What is it? Toll fraud occurs when hackers use a phone line to make calls to premium rate numbers continually. It’s successful because the hacker gets revenue share of each premium call rate made.

Who does it affect? This will affect anyone who can make a call to the public telephone network.

How does toll fraud happen? Some toll fraud happens through vulnerable phone systems, where a hacker will access a phone number and sell codes for dial-in access to allow people to use a company phone line to ring premium rate numbers.

The other type of toll fraud happens through modern telephone systems, where unsecure access to a phone system allows a hacker to log in and make hidden calls to premium rate numbers. Unless a company regularly checks their phone bill, it can go undetected for weeks.

How to prevent toll fraud: Limit the number of international calls someone can make and limit the spend in each country to prevent excessive spend. A regular budget review of phone spend, as well as tech audits, can help to uncover issues.

4. Eavesdropping

What is eavesdropping in telecoms? On phone lines that aren’t secure, anyone could, theoretically, listen in to your conversation without you knowing.

Who does it affect? Anyone could be at risk of this type of scam. Eavesdropping technology is used by governments, but any hacker could access any phone call at any point in time.

How does it work? All phone calls are transmitted through a phone line, and if that line isn’t secure, or a rogue employee gives someone access, then anyone can listen in to a phone call, and steal important information.

Ways to prevent eavesdropping: Use a secured phone line, and never share sensitive data over the phone.

5. Smishing

What is smishing in telecoms? Smishing is when a malicious text message is sent to a number, often pertaining to collecting information around tax or bank details, or getting you to send over sensitive information, such as healthcare or addresses.

Who does it affect? Smishing is targeted at mobile phone users, and when a mobile phone number is public, such as a work number, this can put a number at greater risk.

How does it work? A malicious text is received which contains a link that either contains a form designed to steal information, or a virus that is installed on a phone.

Ways to prevent smishing: Training is one core way to ensure that people know what to look out for. Similarly, by setting up spam filters and blocklists on your phone, you can remove known spam. Another part of this is being aware of genuine messages, and what isn’t a genuine message. As a general rule of thumb, never click on a link if it seems too good to be true.

How ramsac can help

ramsac provide cybersecurity training for teams and companies looking to create a human firewall and educate their staff on common scams and attacks. As with any ramsac service, everything we do is jargon-free, and helps to make IT simple.

If you’re looking for a jargon-free cybersecurity training company, get in touch today.

Related Posts

  • Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK

    Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK


    In this blog, we'll explore the concept of the ICO Regulatory Sandbox and its objectives in the data protection landscape in the UK [...]

    Read article

  • What is a break glass account?

    What is a break glass account?


    If you’re creating a business continuity plan, have you considered a break glass account? Learn what one is and how to create one here. [...]

    Read article

  • Cybersecurity vs cyber resilience – what is the difference?

    Cybersecurity vs cyber resilience – what is the difference?


    What’s the difference between cybersecurity and cyber resilience, and how can you implement them? We cover this and more. [...]

    Read article

  • Celebrating 20 Years of Cybersecurity Awareness Month

    Celebrating 20 Years of Cybersecurity Awareness Month


    October is Cybersecurity awareness month, follow us on LinkedIn or Twitter for daily tips on how you can protect your organisation against Cybercrime. [...]

    Read article

  • How much should businesses invest in cyber resilience? 

    How much should businesses invest in cyber resilience? 


    In this blog we explore how much organisations should invest in cyber resilience to protect against cybercrime [...]

    Read article

  • The European Cyber Resilience Act explained – how it impacts your business

    The European Cyber Resilience Act explained – how it impacts your business


    On the 15th of September 2022, the European Commission published its proposal for new regulation regarding cybersecurity requirements for products with digital elements (such as smart fridges, cameras, TVs [...]

    Read article