VoIP is the modern alternative to the traditional landline telephone. It offers a myriad of business benefits, ranging from scalability and flexibility to cost savings and cutting-edge features.
The vulnerability of VoIP technology to security threats, however, is one of its few shortcomings. And because VoIP can be new territory for many small to medium-sized businesses (SMBs) in South Africa, its cybersecurity risks and mitigation methods can be overlooked by non-tech-savvy business owners and managers alike.
In this article, we examine VoIP security risks to watch out for. We also cover some best practices that can be implemented against such risks.
The VoIP Security Risks Your Small Business Needs to Know About
Telephony Denial of Service (T-DoS)
A T-DoS attack is designed to overload VoIP systems with a flood of incoming data, for example, thousands of fake calls every second. The VoIP line and server infrastructure become so busy and overwhelmed with fake traffic that service is practically denied for legitimate users.
The total inability to make or receive calls company-wide is the primary consequence. Cybercriminals may use T-DoS attacks to extort money, inflict downtime and reputational damage, or act as a diversion for another cybercrime.
Related:
DDoS Attacks Surge 35% in Q3 2021 as VoIP is Targeted
Toll Fraud
Toll fraud involves third parties making calls from your VoIP network, at your expense.
Typically, bulk calls are made to premium-rate international numbers, which racks up exorbitant fees in a short space of time. Some companies only realize they’ve fallen victim after receiving a massive bill at the end of the month. Hackers make a commission off the bill.
Toll fraud works by cybercriminals hacking into your company’s VoIP network, perhaps through a compromised server or a compromised employee account.
Call Tampering
The goal of call tampering is to disrupt active calls. Hackers attack your system with data packets that disrupt communication channels.
Symptoms include poor audio quality, system delays, and long periods of silence. Prolonged call tampering attacks can be damaging to customer satisfaction and business reputation.
VoIP Eavesdropping
There are several flavours of VoIP eavesdropping attacks. These vary in the intent and expertise of the cybercriminal.
In call hijacking, call tapping, and VoIP man-in-the-middle attacks, hackers can listen in on active calls. They may record all your company VoIP communication and/or access your own archive of recordings.
And because VoIP is a complex software-based system (as opposed to traditional landlines), other valuable business data is also at risk. This includes company VoIP usernames, passwords, phone numbers, location data, voicemail, customer lists, call forwarding, DNS records, billing details, marketing sequences, and more.
It must be noted that VoIP eavesdropping is not limited to voice communication. If your business uses a VoIP system for virtual conferencing, online marketing, CRM, SMS, and the like, then even video and conference calls between your company and others can be exposed. Eavesdropping thus poses a wide-reaching VoIP security risk for business privacy.
Related:
PwnPhone: Default VoIP Phone Passwords Allow Covert Surveillance
Spamming over Internet Telephony (SPIT)
SPIT is a type of phishing technique specific to VoIP. In a SPIT attack, your company VoIP system receives bulk and unsolicited robot calls, voicemails, and/or text messages.
At one level, the bulk spam serves as an annoyance by clogging up VoIP systems and storage spaces, such as the voicemail box.
Some SPIT attacks, however, might be a vector for infiltrating the company with computer viruses, malware, or worms. Once in, hackers may exploit that access to support further attacks across the company network, like ransomware.
Alternatively, hackers might be after confidential data, with information like passwords, credit card details, or OTPs phished from unsuspecting employees. This is similar to vishing.
Six (Actionable) Ways to Protect Your Business from VoIP Security Risks
- Update Regularly. Along with VoIP software and IP phone firmware, ensure that all company networks, computers, operating systems, web browsers, and cybersecurity software remain up to date.
- Use Strong Passwords. Password best practices must apply to every device, account, and system in your company. VoIP is no exception. A common error is that IP phones and VoIP accounts are left with default credentials, e.g., the username is ‘admin’ and the password is ‘password.’ Investigate password use in your company and hold employees accountable. Weak passwords are one of the easiest ways for VoIP hackers to break through.
- Specify Geographic/International Permissions. If your business neither makes nor receives international calls, then simply block international features and disable access to your VoIP network from non-South African countries. This can nip many VoIP security risks in the bud, such as toll fraud. (You can always whitelist or blacklist certain regions if the need arises.)
- Audit for VoIP Security Threats / Run Vulnerability Scans. Call tampering, eavesdropping, and malware tend to leave digital footprints which can be detected with technical monitoring. Monitoring should include assessing and auditing VoIP gateways, SIP proxy servers, firewall configurations, patch management, and intrusion detection systems at the least.
- Implement Stringent Access Control. Only senior IT admins require complete access to your VoIP management console. Other employees have no real need to view settings and configuration values – let alone make changes. Therefore, limit access and permissions by user and/or IP address. This will limit the reach of hackers if an employee’s account is compromised.
- Be Alert! Employees and management must be on the lookout for any abnormal VoIP activity. This applies more to public-facing company numbers, such as reception and customer service. As described above, many VoIP security risks have obvious symptoms. Ensure employees are educated about cybersecurity threats and are encouraged to immediately report anything suspicious.
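The geographic-permission and monitoring practices above can be checked against your own call records. The following is an added example, not code from this article or from any VoIP vendor: it audits call detail records (CDRs) for destinations outside South Africa and for bursts of such calls from one extension, the pattern toll fraud leaves behind. The CSV column names, the sample records, and the threshold values are assumptions made for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call detail records (CDRs). Column names are assumptions; real
# PBX exports differ by vendor. +999 is an unassigned country code.
SAMPLE_CDR = """start,extension,destination,duration_s
2024-03-01T09:15:00,104,0315550100,180
2024-03-01T14:02:00,108,+99955500099,45
2024-03-02T02:00:05,117,0099955500101,610
2024-03-02T02:01:10,117,0099955500102,598
2024-03-02T02:02:20,117,0099955500103,605
2024-03-02T02:03:30,117,0099955500104,612
2024-03-02T02:04:40,117,0099955500105,600
2024-03-02T08:30:00,104,+27315550123,95
"""

ALLOWED_PREFIXES = ("+27",)           # policy: South African destinations only
BURST_WINDOW = timedelta(minutes=10)  # assumed threshold values; tune to
BURST_LIMIT = 5                       # your own normal call volume

def normalise(number):
    """Rewrite 00-international and 0-local dialling to +countrycode form."""
    number = number.strip().replace(" ", "")
    if number.startswith("00"):
        return "+" + number[2:]
    if number.startswith("0"):
        return "+27" + number[1:]
    return number

def audit(cdr_text):
    """Return (off_policy_calls, extensions_with_bursts)."""
    off_policy, by_ext = [], defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        dest = normalise(row["destination"])
        if dest.startswith(ALLOWED_PREFIXES):
            continue  # destination is inside the allowed region
        ts = datetime.fromisoformat(row["start"])
        off_policy.append((row["extension"], dest, ts))
        by_ext[row["extension"]].append(ts)
    bursts = []
    for ext, times in sorted(by_ext.items()):
        times.sort()
        # Sliding window: BURST_LIMIT off-policy calls inside BURST_WINDOW
        for i in range(len(times) - BURST_LIMIT + 1):
            if times[i + BURST_LIMIT - 1] - times[i] <= BURST_WINDOW:
                bursts.append(ext)
                break
    return off_policy, bursts
```

On the constructed sample, `audit(SAMPLE_CDR)` reports six off-policy calls and flags extension 117 for the after-hours burst, while the single off-policy call from extension 108 is listed for review without being treated as a burst.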
Get A Free VoIP Cybersecurity Consult for Your South African Business
Established in 2008, iSite Computers is a Managed IT Services provider and an official partner of global VoIP provider 3CX. We specialise in helping South African SMBs with state-of-the-art ICT solutions for VoIP, cybersecurity, business continuity, and beyond.
Get in touch today for a free, no-obligation consult on your VoIP network security posture. Request a free assessment, or call us directly on 031 812 9650.