A comprehensive approach to deterring and preventing Private Automatic Branch Exchange (PABX) Fraud (White Paper)

December 4, 2020

§1     Private Automatic Branch Exchange (PABX) Fraud

§1.1. The Nature of Private Automatic Branch Exchange (PABX) Fraud

A substantial increase in your telephone bill is an indication that your company could be the victim of Private Automatic Branch Exchange (PABX) fraud. Detailed billing will assist in identifying any potential unauthorised calls, usually international calls, although they can also be national telephone calls. Another indicator is when customers trying to dial in, or employees trying to dial out, find that the lines are always busy.

Private Automatic Branch Exchange (PABX) fraud is defined as the unauthorized use of a company’s phone system. It is a theft of long-distance services by a) an unrelated third party, b) a staff member of a long-distance carrier, local telecom or vendor, or c) the user’s staff member.

§1.2. Who commits Private Automatic Branch Exchange (PABX) fraud?

As is the case with any other unlawful act, fraudsters in this industry, who are referred to as “hackers,” do it mainly for the money. Other fraudsters do it for fun, professional challenge and/or out of boredom. Still other fraudsters know how easy it is, know the codes, have the proper equipment and cannot resist the temptation. In most cases, fraudsters can recognize the manufacturer/brand by the prompts and determine which password ranges on which to concentrate. With some luck and persistence, fraudsters will “hack” into their first system within the hour. Most of the activity is through call/sell operators who operate in urban communities, mainly by immigrants for immigrants who call to countries like the Dominican Republic, China, Pakistan and Egypt at a rate of €10 for a 30- to 45-minute call. These telephone calls usually take place after regular business hours or on weekends where the excessive Private Automatic Branch Exchange (PABX) traffic will go on unnoticed and uninterrupted.

§1.3. How do hackers get the numbers?

There are different methods of obtaining telephone codes: (a) “Dumpster divers” (fraudsters who go through your trash and look for phone bills, computer printouts or product manuals); (b) “Shoulder surfers” (fraudsters who stand particularly close to you at a pay phone, in airports, bus terminals, etc., while you dial your Direct Inwards System Access (DISA) password, voice mail code or calling card number so that they can capture your dialling sequence); or (c) findings that hackers publish in magazines, on BBS and even on the Internet.

§1.4. What do they do with these codes once fraudsters have obtained them?

Since the primary motive is money, fraudsters look for buyers. On the streets of New York City, for example, where 60 percent of Private Automatic Branch Exchange (PABX) fraud attempts originate, a good number will go for $3,000 to $5,000 depending on the supply/demand at that time.

§1.5. Why are Private Automatic Branch Exchanges a perfect target?

Today’s Private Automatic Branch Exchanges are feature-rich, and more and more features are developed each day as the various Private Automatic Branch Exchange (PABX) manufacturers attempt to gain a competitive edge. These features are all software, and therefore programmable, which in most cases means they can be accessed remotely. In addition, maintenance and service are provided by interconnects from remote service centers via modem lines. All of this creates a very familiar environment for the hacker to operate in with very little risk of being identified.

§1.6. What are hackers looking for in your Private Branch Exchange (PBX)?

The easiest vehicle for fraudsters is to gain control of your Direct Inwards System Access (DISA), where a remote user can gain access to an outside line from your Private Branch Exchange (PBX) by punching in some “long” authorization codes. Most companies use it for the travelling employee.

Second, fraudsters would love to “take over” your maintenance port. By controlling that port, which is the heart of your Private Branch Exchange (PBX), fraudsters can do whatever they want, including changing your routings and passwords and deleting/adding extensions. And, if their intent is vicious, fraudsters can actually shut down your Private Branch Exchange (PBX) and take you out of business. Voice mail is probably the most popular vehicle of Private Automatic Branch Exchange (PABX) fraud these days. Like Private Branch Exchanges, voice mail systems are also very sophisticated and full of features.

A fraud perpetrator can, among other things, sit on the beach in Trinidad and Tobago and program your voice mail box in Frankfurt to place any inbound call on temporary hold, grab another line, call his cellular phone, then conference the two lines, all within seconds. Meanwhile, the caller has no idea that you are actually enjoying the sun and sipping Jamaican rum. Hackers want to use exactly that feature to forward calls to a “phantom” mail box that will give just a dial tone. Then, fraudsters dial the rest from any public phone in Washington D.C., Dubai or Amsterdam.

§2.    The role of The Serious Fraud Investigation Office

§2.1. Serious Fraud Investigation Office

The Serious Fraud Investigation Office is an international specialist bureau for independent forensic examination of fraud-related crime involving complex issues of criminal law or procedure. We examine serious and complex cases of corporate fraud, commercial fraud, insurance fraud, cheque and payment card fraud, counterfeit currency, money laundering, computer crime and breaches of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Official Journal No. L.119 of 4 May 2016, p. 1 et seq. (General Data Protection Regulation).

§2.2. Create a culture of honesty, openness, and assistance

Creating a culture of honesty, openness, and assistance includes three (3) factors: (1) hiring honest people and providing fraud awareness training; (2) creating a positive work environment, which means having a well-defined code of conduct, having an open-door policy, not operating on a crisis basis, and having a low-fraud atmosphere; and (3) providing an employee assistance program that helps employees deal with personal pressures.

§2.3. Eliminate opportunities for Private Automatic Branch Exchange (PABX) Fraud

The five (5) ways to eliminate Private Automatic Branch Exchange (PABX) Fraud opportunities are: (1) having good internal controls; (2) discouraging collusion between employees and customers or vendors and clearly informing vendors and other outside contacts of your company’s policies against fraud; (3) monitoring employees and providing a hotline (whistle-blowing system) for anonymous tips; (4) creating an expectation of punishment; and (5) conducting proactive auditing.

§2.4. Comprehensive approach to preventing and deterring Private Automatic Branch Exchange (PABX) Fraud

Most organizations do not have a comprehensive approach to preventing and deterring Private Automatic Branch Exchange (PABX) Fraud. In fact, most companies don’t think about fraud until they experience one. When fraud occurs, they go into crisis mode, investigate and try to resolve the fraud, and then wait until another fraud occurs. A more comprehensive fraud-fighting approach would involve:

  • creating the right kind of modeling and tone at the top,
  • educating and training employees about fraud,
  • assessing risks and putting proper controls in place,
  • having reporting and monitoring systems in place,
  • proactively auditing for fraud and then, when fraud does occur,
  • investigating and following up on the fraud.

The first element of a good fraud-fighting system is having management, the board of directors, and others at the top of an organization set a positive “tone at the top.” This involves two (2) steps: (1) caring enough about having a positive organization that effective fraud teaching and training is conducted throughout your organization and a well-defined corporate code of conduct is promoted and (2) setting a proper example or modelling appropriate management behavior.

The second element of a good fraud-fighting system is educating employees and others about the seriousness of fraud and informing them what to do if fraud is suspected. Awareness training might help your organization to prevent fraud and ensure that frauds that do occur are detected at early stages, limiting financial exposure to the corporation and minimizing the negative impact on the work environment.

The third element of a good fraud-fighting system involves integrity risk assessment and having a good internal control system. Having a good system of controls means that there will be an explicit study of all frauds and why they occurred, together with implementation of control activities necessary to prevent future occurrences of the same types of frauds. Our analysis involves determinations by people in management, the board of directors, and others at the top, audit, security, human resources, control and finance of why and how the fraud occurred. Such analyses are focused on the individuals who were involved, the controls that were compromised or absent, the environment that facilitated the fraud, and related factors. The results are important in understanding the kinds of preventive measures that are needed within the environment in which the fraud occurred.

The fourth element of a good fraud-fighting system includes having a system of reporting and monitoring.

The fifth element of a good fraud-fighting system involves having proactive fraud detection methods in place. Proactive fraud detection methods are not only effective in detecting fraud, but knowledge of their use is a good fraud deterrent.

The sixth element of a good fraud-fighting system involves having effective investigation and follow-up when fraud occurs. Effective investigation means your organization must have formal fraud policies stating who will carry out all elements of an investigation. Your investigation procedures must include: (a) who will conduct the investigation, (b) how the matter will be communicated to management, (c) whether and when law enforcement officials will be contacted, (d) who will determine the scope of investigation, (e) who will determine the investigation methods, (f) who will follow up on tips of suspected fraud, (g) who will conduct interviews, review documents, and perform other investigation steps, (h) who will ultimately determine the corporate response to fraud, disciplines, control, etc. A strong prosecution policy must have the support of your board of directors, and others at the top, who must be informed if someone commits fraud and is not prosecuted. The single greatest factor in deterring dishonest acts is the fear of punishment. In order to obtain cooperation from law enforcement officers and the justice system, it is almost always necessary to conduct a thorough and complete investigation (usually including obtaining a signed confession) before the overworked law enforcement agencies and criminal justice systems can accommodate the prosecution.

§2.5. Proactive Fraud Auditing

Very few organizations actively audit for Private Automatic Branch Exchange (PABX) Fraud. Rather, their auditors are content to conduct financial, operational and compliance audits and to investigate Private Automatic Branch Exchange (PABX) Fraud only when symptoms are so egregious that fraud is suspected. Organizations that proactively audit for Private Automatic Branch Exchange (PABX) Fraud create awareness among employees that their actions are subject to review at any time. By increasing the fear of getting caught, proactive auditing reduces fraudulent behavior.

§3.    Our Strategic Analysis, Advisory Services and Operational Support

§3.1. Fraud Risk Assessment

Anti-Fraud provides an independent and objective assessment of the organization’s existing anti-fraud program, identifies gaps in the existing controls and suggests measures to mitigate the gaps.

We assist our clients in setting up a monitoring framework, developing relevant checking procedures and identifying key risk indicators of Private Automatic Branch Exchange (PABX) fraud. We also develop training programs for employees, and help to create a continuously evolving control environment reflective of the risk landscape.

§3.2. Fraud Risk Management

To deter the occurrence of Private Automatic Branch Exchange (PABX) fraud, we provide clients with expertise to set up and implement a visible and transparent fraud risk management program that helps create an anti-fraud environment.

We assist private and public organizations with turning critical and complex issues into opportunities for resilience and long-term advantage. This involves identification of the modus operandi: how the Private Automatic Branch Exchange (PABX) fraud occurred, who was involved, what the extent of the losses was, and how it can be prevented from recurring.

§3.2.1.       Our Anti-Fraud Strategy

Our anti-fraud strategy has four (4) main components: a) Prevention, b) Detection, c) Response, and d) Deterrence. The various elements of an effective anti-fraud strategy are closely interlinked and each plays a significant role in combating fraud. The combination of effective fraud prevention, detection and response measures will create an effective fraud deterrent.

§3.2.2.       Fraud Prevention

The attitudes within your organization lay the foundation for a high or low fraud risk environment. Where minor unethical practices may be overlooked, larger frauds may also be treated in a similar lenient fashion. In such an environment there may be a risk of total collapse of your organization either through a single catastrophic fraud or through the combined weight of many smaller frauds.

A sound ethical culture and sound internal control systems are essential key components of a fraud prevention strategy.

§3.2.3.       Fraud Detection

There is a range of Private Automatic Branch Exchange (PABX) fraud indicators – both warning signs and fraud alerts – which can provide early warning that something is not quite right and increase the likelihood that the fraudster will be discovered.

§3.2.4.       Fraud Response

Any organization should set out its approach to dealing with Private Automatic Branch Exchange (PABX) fraud in its fraud policy and fraud response plan. Organizations should ensure that this includes provision for learning lessons from fraud incidents and appropriate, prompt follow-up action.

§3.3. Fraud Investigation

Fraud Investigation helps organizations manage the risk and vulnerabilities that come from global corruption, from high profile and complex financial matters to employee, cash, cybercrime and Private Automatic Branch Exchange (PABX) Fraud.

We assist our clients with investigation of alleged fraud or corruption perpetrated against corporate and government entities, including, but not limited to, vendor fraud, payables fraud and embezzlement. We also assist with factual, often privileged, investigation of alleged corporate wrongdoing, including, but not limited to, investigation of alleged financial statement misrepresentations and violations of anti-corruption regulations. Our investigation work includes forensic imaging of computers, data analysis, collection and analysis of data, interviews of individuals and review of documents.

§4.    Taking action to reduce fraud risk

The following are some basic steps you might want to consider adopting in the fight against Private Automatic Branch Exchange (PABX) fraud:


Firstly, get yourself and your immediate staff acquainted with Private Automatic Branch Exchange (PABX) fraud. Periodically remind all employees who have been issued authorization codes (Direct Inwards System Access (DISA), voice mail, etc.) of the importance of keeping these codes secret and the need to change them frequently. Also, warn all employees about “shoulder surfers” and advise them not to write their codes in public or yell them out in a crowded area.

Secondly, familiarize yourself with the many features of your Private Automatic Branch Exchange (PABX), voice mail and/or Automatic Call Distribution (ACD). Shut down all of those not in use or not in service, and change your PBX passwords as frequently as possible.


Install a “dial back” modem on your maintenance port, and always have your service provider call you before accessing your Private Automatic Branch Exchange (PABX).


Block access to destinations where your company does not do business. If circumstances do not permit this, at least block calls to some or all of the 10 most popular fraud destinations.

Voice Mail:

Make sure your voice mail system is a “closed loop” and cannot be manipulated to get an outgoing dial tone. Check your valid mailbox list and delete any box that is no longer in service. Disconnect callers after three unsuccessful attempts at dialling their mailbox code. Instruct employees to change their voice mail passwords and delete “old” messages.


Choose random, lengthy passwords (10 digits or more) and change them frequently to make it harder for hackers to discover them. Keep these codes in a safe place and never write them on the wall next to the Private Automatic Branch Exchange (PABX).

Direct Inwards System Access (DISA):

Consider disconnecting Direct Inwards System Access (DISA). If this feature is necessary, ensure that only those employees who have a real need for international calls will be allowed to use it.

Telecom Filtering:

More and more companies are demanding, and being provided with, extra value services from their Telecom providers. Filtering and Early warning permit the owner of the Private Automatic Branch Exchange (PABX) to limit their cost exposure for this type of crime.
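
The indicators described in this paper (international calls in the detailed billing, traffic after business hours or on weekends, calls to destinations where the company does not do business) can be checked against the call detail records your PABX or carrier exports. The following is an added example, not part of the original white paper: the record layout, the international prefix "00", the business hours, the blocked prefix and the daily threshold are all assumptions to adapt to your own system, and it reviews international calls only.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records; column names are assumptions,
# not any vendor's export format.
SAMPLE_CDR = """start,extension,dialed,duration_s
2020-11-30 10:15:00,201,0201234567,180
2020-11-30 14:02:00,214,0099955501,600
2020-12-02 23:40:00,230,0088855512,2400
2020-12-05 03:10:00,230,0088855512,2700
2020-12-05 03:58:00,230,0088855513,2500
2020-12-03 11:00:00,201,0044555010,300
"""

INTL_PREFIX = "00"              # assumed international access code
BLOCKED_PREFIXES = ("00999",)   # placeholder: destinations with no business need
BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59, Monday to Friday
DAILY_INTL_LIMIT_S = 3600       # assumed early-warning threshold per extension/day


def review_cdr(text):
    """Return (per-call findings, extension/day pairs over the daily limit)."""
    findings = []
    daily = defaultdict(int)
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        dialed = row["dialed"].strip()
        if not dialed.startswith(INTL_PREFIX):
            continue  # national call: outside the scope of this check
        reasons = []
        if dialed.startswith(BLOCKED_PREFIXES):
            reasons.append("blocked-destination")
        # Weekend (Saturday=5, Sunday=6) or outside the assumed office hours.
        if start.weekday() >= 5 or start.hour not in BUSINESS_HOURS:
            reasons.append("after-hours")
        key = (row["extension"], start.date().isoformat())
        daily[key] += int(row["duration_s"])
        if reasons:
            findings.append((row["start"], row["extension"], dialed, reasons))
    over_limit = sorted(k for k, total in daily.items() if total > DAILY_INTL_LIMIT_S)
    return findings, over_limit


if __name__ == "__main__":
    calls, heavy = review_cdr(SAMPLE_CDR)
    for start, ext, dialed, reasons in calls:
        print(f"{start} ext {ext} -> {dialed}: {', '.join(reasons)}")
    for ext, day in heavy:
        print(f"ext {ext} exceeded the daily international limit on {day}")
```

Running a review like this on a schedule, rather than waiting for the monthly bill, is what turns detailed billing into an early warning.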

This publication contains general information. The Serious Fraud Investigation Office (Van Leeuwen Law Firm | Praetor Forensic Auditing) is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. The Serious Fraud Investigation Office (Van Leeuwen Law Firm | Praetor Forensic Auditing) shall not be responsible for any loss sustained by any person who relies on this publication.
Copyright © 2020 The Serious Fraud Investigation Office (Van Leeuwen Law Firm | Praetor Forensic Auditing), All rights reserved.