Extn 900 Scam

	Long Distance Facts

Last update:

09/17/2004

The "Extension 900" Scam

In this scam, the hacker calls your main number or toll free number and ask your receptionist to transfer him to extension 900. In most business systems, 9 is the access code for an outside line and 00 is the international operator. If the receptionist transfers the call, he is connected to an operator who then politely assist the caller in his connection to an international number. On the businesses dime.

Here is how this scam works.

Most hackers/thieves understand that not all systems are blocked from this kind of attack. It's a simple matter of calling your main number and asking to be transferred to an extension. This is extension 900. Most companies do not have and extension 900. Most companies do not have ANY numbers beginning with a 9. The digit 9 is almost always used to access outside lines. So if the caller is successful in having his call transferred to 900, he is connected to an international operator. So the actual code is: 9(outside line) + 00(international operator).

A good receptionist will understand that there is no extension 900. They will usually know most of their extensions by heart and who they belong to. That's why when you call a business and ask for Mr. Smith, you are sometimes transferred before you can even finish saying the name. This is where the intimidation comes in. If the receptionist tells the caller that they don't have an extension 900, the caller will say something on the order of the president of the company told him to ask for that extension and was waiting for his call. If the receptionist insist that there is no extension 900 the caller will become threatening.

I happened to be in a building servicing a phone system that had about 200 extensions on it. I was just wrapping up my service when the receptionist ran up to me in a panic and explained that someone was trying to get in touch with the president of the company and she couldn't transfer him. I followed her back to the console and asked her to show me what was going on so she took the calling off of hold and dialed 900. Fortunately I always block this kind of transfer unless specifically requested so the call always failed. I took the call from her and just hung up on the caller. He didn't call back. I then explained to her what this was: a toll fraud attempt.

She then gave me further details of what transpired. The caller called in and asked for extension 900. She told him that they didn't have an extension 900. The caller insisted they did and that the president was waiting for his call. She then tried to transfer the caller. It failed and she was reconnected to the caller. The receptionist then tried again and again it failed. The caller then began to get hostile and threatened to have her fired if she did not transfer him to extension 900. She tried again and again it failed so she put the call on hold and came running for me.

How to Protect Your Business

The most important thing to remember is to educate your user. Especially your receptionist or operators. Bear in mind that it doesn't have to be the receptionist who answers the call in order to make this work. For example, if you can dial and direct number, you can ask that person to transfer you. That person could be the warehouse clerk or janitor, it doesn't matter. So be sure to educate your users at least once a year.

Here are some more things you can do to stop this kind of attack.

Block calls to 9-00. If your company has no need to call an international operator, then it should be blocked. I would also include any international numbers if they are not needed.

Ask your carrier to block international calling. If your company has no need to dial international calls or rarely makes such calls, then ask your carrier to block them. If you need to make the calls on the rare occasion, then use a prepaid calling card. You can get some incredible deals with these cards and you will limit your loss liability.

Block any Trunk to Trunk calls. If a call comes into your PBX or Key System, and you transfer it back out, that is a trunk to trunk call also a tandem call. This can be blocked on most systems. Bear in mind what this may effect: do your executives call in and have their secretaries transfer them to an outside number? Do you have an after hours service that requires caller to be transferred to an outside service? If you don't need to do these things then you should block trunk to trunk calls.

Restrict phones from being able to transfer callers to outside numbers. You may need this feature for some people but certainly not everyone needs it. Work with your telephone system vendor to set up the Classes of Service that will block this ability.

Monitor your phone bills. It's easier to get away with this scam the if you never check your phone bills. You need to watch for unusual calls.

If phones need the ability to transfer to outside lines then restrict the calling area they need to transfer to. Even if a phone needs to transfer callers to an outside line, does it need to transfer to an international number? Or even a number outside your business area? If a phone has no reason to call outside your business area then why give access to that ability? If you can't call a long distance number then you can't transfer to a long distance number.

Finally, be sure your phone vendor even knows what toll fraud is. This may be surprising considering that they are supposed to be the experts, but I've met many technicians that really don't think about such things. Most have never had even the most rudimentary training regarding toll fraud. I ran into one technician that was highly though of by our mutual customer. I noticed that a trunk to trunk transfer was enabled on the class of service of his voice mail system and insisted that it be removed. When I explained why, he even asked "Why would any one do that?" Well now you know. Be sure your vendor does.