SAN FRANCISCO — Bob Foreman’s architecture firm ran up a $166,000 phone
bill in a single weekend last March. But neither Mr. Foreman nor anyone
else at his seven-person company was in the office at the time.
“I thought: ‘This is crazy. It must be a mistake,’ ” Mr. Foreman said.
It wasn’t. Hackers had broken into the phone network of the company,
Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls
from the firm to premium-rate telephone numbers in Gambia, Somalia and
the Maldives. It would have taken 34 years for the firm to run up those
charges legitimately, based on its typical phone bill, according to a
complaint it filed with the Federal Communications Commission.
The firm, in Norcross, Ga., was the victim of an age-old fraud that has
found new life now that most corporate phone lines run over the
Internet.
The swindle, which on the web is easier to pull off and more profitable,
affects mostly small businesses and cost victims $4.73 billion globally
last year. That is up nearly $1 billion from 2011, according to the
Communications Fraud Control Association, an industry group financed by
carriers and law-enforcement agencies to tackle communications fraud.
Major carriers have sophisticated fraud systems in place to catch hackers
before they run up false six-figure charges, and they can afford to
credit customers for millions of fraudulent charges every year. But
small businesses often use local carriers, which lack such antifraud
systems. And some of those carriers are leaving customers to foot the
bill.
The law is not much help, because no regulations require carriers to
reimburse customers for fraud the way credit card companies must.
Lawmakers have taken the issue up from time to time, but little progress
has been made.
Last year, Senator Charles E. Schumer,
Democrat of New York, pushed the Federal Communications Commission to
adopt new regulations after dozens of small businesses around Albany
were hit with the swindle. But the agency has not taken any action, and
the cause appears to have petered out. Representatives for the agency
and the senator’s office did not return requests for comment.
The scheme works this way, telecommunications fraud experts say: Hackers
sign up to lease premium-rate phone numbers, often used for sexual-chat
or psychic lines, from one of dozens of web-based services
that charge dialers over $1 a minute and give the lessee a cut. In the
United States, premium-rate numbers are easily identified by 1-900
prefixes, and callers are informed they will be charged higher rates.
But elsewhere, like in Latvia and Estonia, they can be trickier to spot.
The payout to the lessees can be as high as 24 cents for every minute
spent on the phone.
Hackers then break into a business’s phone system and make calls through it to
their premium number, typically over a weekend, when nobody is there to
notice. With high-speed computers, they can make hundreds of calls
simultaneously, forwarding as many as 220 minutes’ worth of phone calls a
minute to the pay line. The hacker gets a cut of the charges, typically
delivered through a Western Union, MoneyGram or wire transfer.
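
As an added illustration (not part of the original article), a defender could look for this pattern in call detail records: the sketch below counts international calls active in each off-hours minute, which approximates the call-minutes-per-minute figure above. The record layout, the `011`/`+` prefix test, the business hours and the threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site policy (hypothetical values; tune to the business).
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time, Monday-Friday
MAX_OFFHOURS_CONCURRENT = 2     # international calls tolerated per off-hours minute

def is_international(dialed):
    # Assumption: North American dialing, where 011 or + marks an international call.
    return dialed.startswith(("011", "+"))

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def find_bursts(cdrs):
    """cdrs: iterable of (start datetime, duration in seconds, dialed digits).
    Returns sorted (minute, active_calls) pairs that exceed the off-hours limit."""
    active = defaultdict(int)
    for start, duration_s, dialed in cdrs:
        if not is_international(dialed):
            continue
        minute = start.replace(second=0, microsecond=0)
        end = start + timedelta(seconds=duration_s)
        while minute < end:          # count the call in every minute it touches
            if off_hours(minute):
                active[minute] += 1
            minute += timedelta(minutes=1)
    return sorted((m, n) for m, n in active.items() if n > MAX_OFFHOURS_CONCURRENT)

def sample_cdrs():
    # Constructed records, not real traffic or real numbers.
    saturday = datetime(2024, 3, 16, 2, 0, 0)
    tuesday = datetime(2024, 3, 12, 10, 0, 0)
    burst = [(saturday + timedelta(seconds=i), 180, "0112200000000") for i in range(5)]
    normal = [(tuesday, 600, "0114400000000"),      # weekday international call
              (saturday, 900, "15555550100")]       # weekend domestic call
    return burst + normal

if __name__ == "__main__":
    for minute, calls in find_bursts(sample_cdrs()):
        print(f"{minute:%a %Y-%m-%d %H:%M}  {calls} international calls active off-hours")
```
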
In part because the plan is so profitable, premium rate number resellers
are multiplying rapidly. There were 17 in 2009; last year there were 85,
according to Yates Fraud Consulting, which is based in Britain.
In 2012, hackers hijacked the phone lines at 26 small businesses around
Albany and ran up phone bills as high as $200,000 per business over the
course of a few days. Those businesses that contracted with major
carriers received credit that covered much of the fraud, though some
ended up paying a few thousand dollars. Those who had signed up with a
local carrier, Tech Valley Communications, were not so lucky. Tech
Valley sued three of its clients to pay huge bills, according to court
filings.
Best Cleaners, a dry cleaning chain that operates in three states, was one
victim. At that business, hackers placed more than 75,000 minutes of
premium calls, totaling $147,000. At American Energy Care, a small
consulting firm in Albany, the bill reached $200,353. A billboard
advertising business in Cohoes, N.Y., was charged $18,000.
All settled their cases with Tech Valley. None would discuss the case
because of the terms of the settlement, but Best Cleaners said the cost
was enough to force it to cancel a planned expansion.
Industry groups are trying to tackle the problem but say it is hard to keep up
with. Roberta Aronoff, the executive director of the Communications
Fraud Control Association, said she routinely loads fake “hot numbers”
into a fraud management system, sharing them with carriers so they can
be blocked.
Catching the criminals is difficult because the crime can cross as many as three
jurisdictions. In 2011, the Federal Bureau of Investigation and police
in the Philippines arrested four men who used the scheme to make $2
million in fraudulent calls; revenue was directed to a Saudi Arabian
militant group that United States officials believe financed the 2008
Mumbai terrorist bombings.
Foreman Seeley Fountain, the architecture firm, is disputing its $166,000 bill
with its carrier, TW Telecom. The bill now includes $17,000 in late
charges and termination fees.
In addition to asking the F.C.C., the firm has asked the local police,
officials at the Georgia Public Service Commission, the F.B.I. and the
Department of Justice for help. The F.C.C. and Justice Department
declined to comment for this article, and the Georgia agency did not
return requests for comment. The local police said there had been no
progress in finding the hackers.
Joshua Campbell, a spokesman for the F.B.I., said the bureau was working with
the industry to solve the problems but declined to discuss the specific
case.
Bob Meldrum, vice president for corporate communications at TW Telecom,
said Foreman Seeley Fountain should have better protected its equipment
from hackers. “We had to pay for those calls,” he said. “Someone had to
pay for those calls.”
Mr. Foreman said his firm didn’t even realize this was a potential risk. Not many do.
“It’s relentless,” said Jim Dalton, founder of TransNexus, which sells
Internet calling management software. “If you put a computer on the
Internet, it immediately starts getting probed for a weak point.”
To avoid the same fate, Mr. Dalton and other telecom experts advise people
to turn off call forwarding and set up strong passwords for their voice
mail systems and for placing international calls. He also said
businesses needed to treat their phones as Internet-connected machines,
since criminals already were doing that.
“People don’t realize their phone is a six-figure liability waiting to happen,” Mr. Dalton added.