Skip navigation


TELUS First Level Navigation

TELUS Second Level Navigation

Marquee Widget


Minimize risk
of toll fraud

  • Print
  • Share

How to Minimize the risk of Toll Fraud

Knowledge is your best defence


Know your systems, your risks, and how to recognize security breaches

  • Know the vulnerabilities and security features of your phone system - ask your supplier how to make your system as secure as possible.
  • Ensure staff is trained in system and general security procedures.

Know the access paths that open doors to fraud.

Thieves can gain access to your telephone equipment via:

  • Direct Inward System Access (DISA)
  • Voice-Mail Systems
  • Remote System Administration (Maintenance Ports)
  • Direct Inward Dialing
  • Tie Trunks and Tandem Network Services
  • Modems

Monitor and analyze your systems information

  • Study call detail records - exception reports can provide early warning signs.
  • Review voice-mail reports and billing records.
  • Familiarize yourself with calling patterns and review them & system reports regularly.
  • Monitor valid and invalid calling attempts as often as possible.

Recognize these signs of a security breach

  • Sudden changes in normal calling patterns.
  • Complaints that customers can't call in because the system is always busy.
  • Increases in wrong number calls or silent hang-ups.
  • Increases in night, weekend and holiday traffic.
  • Increases in your Toll Free traffic.
  • Increase in international calling.
  • Increase in abnormal calls i.e. crank and obscene calls.
  • Toll calls originating in voice-mail.
  • Long holding times.
  • Unexplained 900 calls.
  • High tolls for any unauthorized trunk/extension.

Secure your systems

Security measures for your phone systems, voice mail and long-distance service

PBX (Private Branch Exchange), DISA (Direct Inward System Access) and Remote Access Ports:

  • Never publish a DISA telephone number and change the DISA access telephone number periodically.
  • Use longer DISA authorization codes - 9 digits ideally, never less than 7.
  • Issue a different DISA authorization code for all users.
  • Warn DISA users not to write down authorization codes.
  • Restrict DISA access at night, and on weekends and holidays, as these are prime times for fraud.
  • Block or restrict overseas access, or only allow access to certain country or area codes.
  • Program your system to answer with silence after five or six rings. (Most systems are programmed to answer with a steady tone after two rings and this is what hackers look for.)
  • If possible, route invalid access attempts to your operator.
  • If possible, program your PBX to generate an alarm if an unusual number of invalid attempts are made.
  • Program your PBX so that the port will disable itself after a set number of invalid attempts.
  • Disconnect all telephone extensions the moment they are no longer needed.
  • Block access to remote maintenance/administration ports, or use maximum length passwords and change them frequently. Do not use sequential access numbers.
  • Block access to all 10-10 (Dial Around) calling, or only allow access to those 10-10 codes which relate to an internally approved business arrangement.
  • Disconnect modems that are not in use.


Voice-mail systems

  • Assign and change passwords regularly.
  • Increase password length, and prohibit the use of trivial, simple passwords such as 222 or 123.
  • Prohibit the sharing or posting of passwords, or entering them into programmable keys or speed dial buttons.
  • Limit the number of consecutive login attempts to five or less.
  • Keep time-out limits short.
  • Change all factory-installed passwords.
  • Change the maintenance password regularly, and limit distribution.
  • Block access to long-distance trunking facilities.
  • Block collect call options on the auto attendant.
  • Delete all inactive mailboxes.
  • Restrict access to directories that give directions on how to get into the voice-mail system.
  • Restrict out-calling.
  • In systems that allow callers to transfer to other extensions, block any digits that hackers could use to get outside lines, especially trunk access codes.
  • Use maximum length passwords for system manager box & maintenance ports.


Long-distance calling

  • Restrict access to specific times & limit calling ranges.
  • Restrict access to business hours only.
  • Block all toll calls at night, on weekends and on holidays.
  • Block or limit access to overseas calls. If your company has no requirement to call overseas, block overseas calls completely.


General security policies


Tips for Calling Card™ security, long-distance blocking, staff education, ID codes & passwords, and more

  • Secure telephone equipment rooms and/or wiring frames, and allow access only to authorized personnel.
  • Secure all system documentation, including manuals, configuration records and system printouts.
  • Require positive ID checks from supplier staff and maintain an entry log.
  • Restrict call forwarding to local calls only.
  • Delete a code immediately when an employee leaves your company, and do not reassign it to a new employee.
  • Ensure cards and passwords are returned when an employee leaves your company.
  • Keep telephone numbers private.
  • Impress upon your staff that your telephone number plan must never be discussed outside the company.
  • Eliminate the paper trail and foil 'dumpster divers'. Shred call detail reports and records. Destroy internal telephone directories.
  • Establish policies on the accepting of collect calls and providing access to outside lines.
  • If you use cellular phones, never discuss or give out system access codes or Calling Card numbers over the cellular network.
  • If you own a cellular phone, ensure that all calls billed to you were in fact made from your telephone. Thieves may 'clone' or copy your phone and have their calls billed to you. To minimize the risk, keep your cellular phone off when not required.
  • Protect your Calling Card number and PIN at all times. Retain in a secure place, or destroy the backing sheet to which your Calling Card is attached when it is mailed.
  • When employees leave the company, cancel their Calling Card or change the PIN.
  • When using your Calling Card in public, be aware that people near you may be 'shoulder surfing' to observe the card information for their use.
  • Never leave your Calling Cards unattended; protect them and keep them confidential; treat them like your personal credit cards.
  • Review security procedures regularly.
  • Always check your monthly statement.


Educate your staff

  • Brief your staff on security procedures and toll fraud detection regularly (i.e. warning signs, alarms).
  • Warn staff about 'shoulder surfing' and ensure they know who to notify if they believe their company Calling Card or access codes have been compromised.
  • Warn switchboard operators, receptionists and employees about 'social engineering' i.e. con-artists impersonating security investigators, phone company installers, or telecom managers trying to obtain calling access or be transferred to an outside telephone line through your phone system.
  • Establish procedures for staff to report suspected security breaches immediately.
  • Establish procedures for Calling Cards or access codes that are misplaced, lost, stolen or compromised.

TELUS Low Level Navigation