If you don’t change the default password on all your voicemail accounts, you or your company could be in for a big – and expensive – surprise. Hackers know how to compromise voicemail systems to accept and make international collect calls without your knowledge or permission.
How the scam works
A hacker calls into a voicemail system searching for mailboxes that still have the default passwords active or have passwords with easily-guessed combinations, such as “1-2-3-4.” After finding such a number, the perpetrator changes the outgoing greeting to something like, “Yes, yes, yes, yes, yes, operator, I will accept the charges.” Automated collect call operating systems are programmed to listen for such key words and phrases. The hacker then places a collect call to the number. When the operator hears the outgoing message, the collect call is connected. The hacker can then use the connection for long periods of time to make other international calls.
In another version of this scam, a hacker breaks into a voicemail system with call forwarding, programs the system to forward calls to an international number, then uses it to make calls.
Hackers typically target business voicemail systems, but consumers with residential voicemail should also beware.
You should know
- Hackers usually break into business voicemail systems during holiday periods or weekends, when changes to outgoing messages are less likely to be noticed.
- Hackers are typically based internationally, with calls originating in, and routing through, many countries around the world.
- Business victims usually find out they’ve been hacked when their phone company reports unusual activity, but residential victims may not find out until they receive unusually high phone bills.
Tips to minimize your risk
To avoid falling prey to this scam, follow these helpful tips:
- Always change default passwords for all voicemail boxes.
- Choose a complex voicemail password of at least six digits.
- Change your voicemail password frequently.
- Don’t use obvious passwords such as an address, birth date, phone number, repeating numbers, such as 000000, or successive numbers, such as 123456.
- Check your recorded announcement regularly to ensure the greeting is indeed yours.
- Consider blocking international calls.
- Disable remote notification, auto-attendant, call-forwarding and out-paging features if you don’t use them.
- Consult your voicemail service provider about additional security precautions.
If you think you’ve been hacked, report the incident to both your service provider and the police.
Voicemail System Hacking (pdf)