Enterprise Voice Network Security Myths

Executive Summary

While there may be clear distinctions between the various unwanted call intrusion tactics, the key to mitigation is not evident, leaving organizations wide-open to cyber attacks via the voice channel. This article takes a closer look at some of the common “myths” that are likely inhibiting meaningful action.

Introduction

FACT: Nearly 10% of calls entering business networks today are uninvited, unwanted and, increasingly, outright criminal.*

And yet, when it comes to addressing the proportion and severity of deceptive infiltrators exploiting the enterprise voice channel for their criminal gains, IT departments and enterprise security professionals are dangerously out of touch.

Perhaps that is because legacy telephone systems traditionally operated within their own silos, disconnected from other internal IT systems, and so were not recognized as a viable gateway for cybercrime.

Even as Internet connectivity has brought telephony into the unified communications fold, network security monitoring systems, infrastructure upgrades and training protocols are still primarily focused on attacks perpetrated through email, text and web.

And that is why cybercriminals have made their move to Voice.

The convergence of voice and data has clearly benefited enterprise workers with a more complete unified communications experience. However, legions of adept cybercriminals have seized upon this development as an unchallenged opportunity. Not only has Voice over IP (VoIP) made mass campaigns of robocalls technically possible and economically attractive, but it also provides a new, digital pathway into internal systems for an increasingly aggressive breed of profit-driven bad actors intent on theft, fraud and extortion.

Do You Believe in Myths?

Today, a growing percentage¹ of enterprise cybercrime is perpetrated through the Voice Channel. Belated efforts to stem the tide seem to be no match for the dexterity and adaptability of what has now become an entrenched criminal enterprise.

So why are business organizations so slow to act on this growing threat? Consider the following “myths” that may be feeding a false sense of complacency:

• Government Regulation will Solve the Problem
• Voice/UC Infrastructure has Integrated Protection
• Blocklists Will Take Care of it
• Unwanted Calls are a Nuisance but not a Real Problem for Businesses
• Employee Training is All that’s Required

*Index of Unwanted Voice Traffic – Mutare

Unwanted Voice Traffic Defined

The fact is, while attention is diverted elsewhere, criminal intrusions through the voice network are spreading, both in intensity and diversity. Here are just some of the current attack tactics, with more variations sure to emerge:

Robocalls
Auto-generated calls delivering a pre-recorded message. While legal in some instances (for instance, appointment reminders or emergency notifications), bad actors are also utilizing robocall technology to deliver an enormous number of calls to both targeted and random populations in hopes of luring even one vulnerable recipient into a scam.

Spam Calls
Unsolicited voice calls, often with a telemarketing message, that may be legal but, with increasingly frequency, used as cover for a scam.

Scam Calls
Phone calls from criminal agents intent on stealing information or money from their victims. Scam callers often claim to represent a financial, governmental or law enforcement agency with messaging designed to pressure vulnerable recipients into divulging personal information or making a payment.

Spoof Calls
Calls displaying a caller ID that has been manipulated to disguise the actual ID for that caller. While considered a legitimate practice when caller privacy is warranted, spoofing the Caller ID has become a common tactic used by illegal robo and scam callers. A spoofed number may be random or manipulated to display the same first few digits of the target’s own phone number (neighbor spoofing) or the ID of a trusted business (enterprise spoofing) to give it more credibility. Caller ID spoofing is often used in tandem with social engineering techniques to further entice the recipient to comply with the caller’s requests.

Vishing (Voice Phishing)
Criminal tactic where the caller uses impersonation and psychological manipulation to gain trust and then trick victims into divulging personal information or credentials that are then used to commit further fraud/theft. A vishing attack can take the form of a mass robocall campaign compelling call recipients to connect with a live agent who is part of a scam network, or a person-to-person call targeting a specific individual. In the enterprise, the intent is usually to uncover credentials for access to internal systems and data that can then be held hostage as part of a ransomware or extortion scheme.    

Smishing (SMS Phishing)
Text messages from what appears to be a reputable source used to entice recipients to click a malicious link or make a call to a criminal agent trained to extract personal information such as passwords or credit card numbers.

Hybrid Phishing/Vishing
Two-pronged tactic combining a scam email (phishing) with an embedded phone number connecting the recipient to a criminal agent trained to extract personal information. Because these scam emails do not contain malicious links that might be detected by email security filters, they not only evade email spam filter detection but are more likely to be trusted by the recipient.

Social Engineering
The act of mining personal information from social sites/Dark Web sources to provide greater credibility for vishing/smishing calls and text messages.

Spam Storm
A sudden influx of auto-generated scam robocalls targeting a specific population or, in the enterprise, a range of internal numbers (DIDs) with the intent to commit fraud, disrupt normal communications, or as part of a call center toll-fraud scheme.

Toll Fraud
A type of kick-back scheme perpetrated by a bad actor or criminal organization in partnership with a rogue carrier. The cybercriminal pumps auto-generated calls (robocalls), often with no message, to a contact center toll-free number in order to generate per-call income that is then shared between the criminal robocall perpetrator and complicit carrier. If the call reaches an IVR menu, the more sophisticated criminal systems will be programmed to apply random numbers or continuous pound signs that keep the call alive in the IVR loop as long as possible in order to generate as much revenue as possible. These events not only cost organizations in terms of wasted telecom fees, but also tie up agents who may eventually pick up the bogus call while response to legitimate customer calls is delayed.

Direct Nefarious Calls
Threatening calls used primarily for intimidation purposes.

Serious attempts by lawmakers to regulate telephone abuse extends back to 1991 when Congress passed the Telephone Consumer Protection Act (TCPA) designed to restrict telemarketing activity such as automatic dialing (robocalling) and Do Not Call list non-compliance. As defined in the Act, violators could be fined $500 per incident. However, of the $208.4 million in fines levied between 2015 and 2019, only $679,000 was actually collected. As cited in this Wall Street Journal² report, many of the violators are small operations that simply do not have the resources to pay the fines, or unethical operators who quietly “close up shop” and restart elsewhere. Others are operating in overseas countries beyond the reach of U.S. authority.

The FCC, additionally, is not an enforcement agency. It can only pass notice of violators to its Enforcement Bureau to investigate, report findings, follow up on appeals and, after having exhausted all efforts to gain compliance, pass those cases on to another agency with enforcement teeth – in this case the Department of Justice  – which likely has higher priorities. Notes Margot Saunders, senior counsel at consumer advocacy group National Consumer Law Center. “It’s great that we have these laws; it’s great that we have public enforcement, but because there are so many calls and so many callers, the public enforcement is a joke. It doesn’t even make a dent.”

Fast forward to 2022. It’s been nearly three years since the continual rising tide of unlawful robocalls prompted demands for additional legislative intervention. Recognizing the connect between spoofed numbers (numbers that have been digitally manipulated on the caller ID to mask the identity of the actual caller) and illegal robocallers, the Senate passed the TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act. This law requires phone companies to adopt a framework of protocols and procedures known as STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs).

To meet STIR/SHAKEN compliance, carriers must digitally “sign” the call record with an attestation confidence score affirming that the number used in the caller ID is actually authorized for use by the calling party. Poor or missing scores imply the likelihood that the caller ID has been spoofed. Terminating carriers must be able to verify the attestation data and may have the ability to block or, at the very least, label these calls as suspected scams.

So how’s it working out?

So far, it appears that the promise of STIR/SHAKEN implementation has fallen short of its primary goal to significantly reduce robocalls, for many of the same reasons former regulatory efforts have failed.

According to the YouMail Robocall Index³, 4.3 billion unwanted robocalls were placed in the U.S. during this past June alone, an 8.5% increase over the prior month. The reasons are many, but include:

1) Not all Unwanted Voice Traffic is Spoofed

Current STIR/SHAKEN regulations target only spoofed calls since call spoofing has traditionally been the trademark of criminal perpetrators intent on hiding their tracks. However, as these regulations begin to have an impact, bad actors are simply changing their tactics and purchasing blocks of real, authenticable phone numbers that pass the STIR/SHAKEN verification test.

2) Regulations Only Apply to U.S. Carriers

Calls originating from carriers outside of the U.S. are not subject to FCC regulations and therefore do not have to comply with STIR/SHAKEN call attestation obligations. Because of this, a large percentage of illegal robocall activity – 65% by FCC estimates ⁴  – is now generated by overseas sources or the gateway providers who pass those foreign-based calls through to U.S. networks. While there is little they can do to stop illegal calls generated from sources outside of the U.S., regulators are currently working to place more accountability on those U.S. gateway providers. ⁵

This past May, the FCC imposed a series of new obligations on phone companies involved in bringing foreign-originating calls into the U.S., including a requirement to submit certifications and mitigation plans to the FCC’s Robocall Mitigation Database (RMD); mandatory compliance with 24-hour traceback verification for all calls being passed through; and mandatory call blocking for traffic deemed “highly likely” to be illegal.

If FCC regulators determine a provider is not doing enough to mitigate the problem, they can direct other carriers to reject any calls coming from non-compliant organizations.

Because illicit activities are likely confined to just a small subset of otherwise reputable gateway providers, these regulatory efforts have met with vigorous resistance⁶ from some telecom leaders who cite “a substantial burden for some providers for an insubstantial benefit.”

3) High Hurdles for Small Carriers

For STIR/SHAKEN attestation scores to be accessible to the terminating carrier, they must be passed intact throughout the carrier path as part of the call data, and that requires an end-to-end IP (Internet Protocol) connection that can carry the attestation data in the call record SIP header. One break in the chain due to a non-compliant carrier will result in a ”No Telephone Number Validation” status when the call arrives at its destination.

While all major U.S. telephone service providers have, for some time, utilized Internet-based Voice over Internet (VoIP) technology, there are still hundreds of small carriers who, due to financial and technical burdens, have asked for more time to make the necessary upgrades to the needed infrastructure and call tracing procedures. According the FCC itself, the cost to implement the STIR/SHAKEN framework can be upwards to $300,000⁷, which is no small change for a small business servicing a limited, regional customer base.

The FCC had originally granted a two-year grace period for these organizations but has since moved that up a year. Why? Because they have discovered a surge of unwanted robocall traffic now generated through a subset of small carriers passing unverified traffic. True to form, polished cybercriminals have been quick to find the weaknesses in the system and are diverting their business through these as-yet non-compliant providers to avoid STIR/SHAKEN detection. As those holes get plugged, it stands to reason (and historical pattern) that the bad actors will simply find another loophole.

4) Rewards Outweigh the Risks

Penalties do not seem to deter cybercriminals when the profit incentives far outweigh the risks. Fraudulent activity carried out through voice calls is exceptionally profitable for the perpetrator who, thanks to Internet-based calling technology, can place hundreds of auto-generated, pre-recorded calls in seconds from anywhere in the world for mere micro-pennies per call. These calls are not just annoyances. Embedded in a significant proportion are attempts to gain access to the recipient’s personal information, finances, or employer networks and data.

In 2021, nearly 60 million ⁸  Americans – or 1 in 3 –   fell victim to phone fraud, with total losses of $29.8 billion⁹. These figures are not only testament to the prevalence of illegal activity taking place over phone networks, but also speak to the unique power of the voice to successfully perpetrate fraud. Federal regulations designed to criminalize rogue robocall activity have, thus far, proven inadequate in the face of a determined criminal network that has become increasingly adept at circumventing attempts to curb their activity.

5) Call Blocking Not Included

STIR/SHAKEN simply adds a piece of data to the call record. Carriers are only required to attest to the validity of the data and then pass it to the endpoint without any obligation to take mitigating actions.

In other words, despite the attested level of confidence in the call source, STIR/SHAKEN vetting will not stop those with poor results (including spoofed robocalls, spam calls, scam calls and vishers) from ringing through. It will, at best, give the terminating carriers the data they need to add a “SCAM LIKELY” or similar label to the Caller Name ID, and only if they choose to or are requested to do so. Rather than assume responsibility for blocking suspicious calls, carriers are leaving that to the end customer. In the case where that customer is an enterprise, STIR/SHAKEN does little to protect employees from incessant unwanted calls that are disrupting workflow, filling voicemail inboxes, and carrying potential threats.

When telecom managers and security administrators think of voice network integrity, their focus inevitably turns to closing vulnerabilities in data transfer systems such as VPNs, routers, or servers. While this approach may have been satisfactory 15 years ago, hardening infrastructure alone is inadequate when the phone has become the new attack gateway for a virtual army of amorphous cyber criminals.

The integrity of the hardware and software supporting enterprise telephony is critical for business continuity, but it provides minimal protection from the complex web of intruders traversing the voice traffic itself.

To better understand, it is useful to take a look at the basic elements of an enterprise-grade telephony system:

The PBX (Private Branch Exchange)

This is the internal enterprise switching system that connects to the external Public Switched Telephone Network (PSTN) through central lines, or “trunks.” These lines are shared by multiple internal users for incoming and outgoing calls. The PBX system also supports intercommunication between all internal users (extensions) without the need to cycle those calls through the external network. Before the development of Voice over IP (VoIP) protocol, the PBX was a hardware-intensive system built on internal servers and cables connected to the traditional, hard-wired external public telephone system for transmission of analog voice data. With the digitalization of voice and adoption of worldwide standards for Internet VoIP connectivity, organizations were able to interface their internal systems to the Internet infrastructure for swift, cost-effective, and endlessly scalable worldwide call connectivity. It also paved the way not only for Voice over Internet but also the transmission of video, graphics, text, and other multi-media communications services.

Sessions Initiation Protocol (SIP) and Real-Time Transport Protocol (RTP)

To accommodate this influx of multi-media traffic from divergent technologies, the Sessions Initiation Protocol (SIP) was developed as a standard signaling technology used to initiate, maintain, and terminate communication sessions over the Internet. SIP is primarily used to set up and take down VoIP calls, and it can also be used to send multimedia messages over the Internet using computers and mobile devices. Specific data defining the call origination, type, and pathway accompanies every SIP transaction and assures that the call is routed correctly to the intended recipient. Real-time Transport Protocol is the accompanying technology that supports and optimizes real-time streaming of audio or video data in Internet telephony, VoIP and IP video telecommunications.  

Within the enterprise IT infrastructure, Internet-based, virtual SIP lines (trunks) have now predominantly replaced traditional physical analog lines connecting an organization’s PBX to the external telephone network.

Sessions Border Controller (SBC)

The Sessions Border Controller is an element of most modern enterprise telephony systems. It helps regulate end-to-end delivery of communication traffic via SIP-based VoIP networks. The SBC defines and monitors the quality of service (QoS) status for all sessions and normalizes conflicts in signalizing that might interfere with smooth transactions. The SBC does not replace the PBX but, rather, sits between the PBX and the external service provider.

The SBC also adds some level of protection for the enterprise voice network. It can, for instance, add encryption to render traffic content invisible to hackers while in transit. Network operators can program the SBC to recognize and redirect certain types of suspicious activity such as a sudden influx of voice traffic carrying the markings of a TDoS (Telephone Denial of Service) attack that might threaten network operations. The SBC can also be configured to limit the number of active sessions traversing the network as a way to assure consistent call quality.

The continuing growth of the VoIP networks is placing increasing demands on SBC capabilities, mandating a higher level of adaptability, capacity, and complexity. In response, some organizations without the internal resources needed to manage SBC programming have opted for cloud-based providers, but in the process are giving up control over any custom configurations.

Those organizations that prefer maintaining control over an on-premise SBC (and that is the case with most larger enterprises) are finding that custom configurations is a manual, cumbersome process that requires a high level of programming skills. What’s more, its effectiveness to actually stem the flow of unwanted traffic in all its evolving forms is limited at best. By the time new configurations are made, cybercriminals have already moved on to other attack strategies. 

Why This Matters

A well-designed and stable infrastructure is essential for IT operational efficiency and business continuity. However, even the strongest house built with the best materials will take on damage in the path of a tornado. Focusing on infrastructure without addressing the integrity of the voice traffic itself is an oversight that leaves the organization defenseless against determined adversaries.

IT helpdesk staff are usually the first to know about an influx of unwanted spam calls because they receive the trouble tickets from annoyed employees. They have the burden of blocking those numbers individually through SBC or PBX configurations. It is a cumbersome task and largely futile as spammers constantly change their numbers and techniques.

The majority of robocalls are currently generated from ever-changing spoofed numbers (those with manipulated Caller IDs that mask the source of the call) but bad actors are also simply buying up large blocks of available numbers and deploying them in small batches to evade detection.

In other words, blocking numbers one-by-one will do little to stop the influx of unwanted and nefarious calls as cybercriminals literally have nine billion numbers they can tap. It’s like trying to clear a sidewalk with a spoon in a blizzard.

A Mutare Voice Traffic Filter¹⁰ analysis of more than 100 million enterprise call records from a cross-section of industries reveals that, at minimum, between 6 to 15 percent of all incoming calls are unwanted. While annoying and disruptive, is this really a problem?

The answer is an unqualified “Yes,” as nearly 45% of those calls were found to be nefarious in nature, generated by malicious hackers, scammers, saboteurs, extortionists and cyber thieves intent on defrauding employees, infiltrating networks, and stealing money or credentials.

While financial gain is the ultimate goal, a large percentage of these intrusions starts with the intent to steal data, as data has become the new currency for criminal enterprises operating on the Dark Web. A single piece of Personal Identifying Information (PII), such as a credit card or social security number, currently sells for around $6 to $8  ¹¹ on the dark market. The appeal of accessing thousands of such records through a single hack, then, is strong, and the cost of operation when perpetrated by phone is small.  

So what happens when that criminal campaign actually leads to a data breach? As revealed in the IBM Cost of a Data Breach 2022 Report ¹², the average cost to the hacked organization is now $4.5 million per breach.  For organizations with large stores of personal customer data – such as in the healthcare¹³ and financial sectors, ¹⁴ that amount can be significantly higher.

Case in point: When online stock trading platform provider Robinhood ¹⁵  fell victim to a massive data breach in late 2021, the successful hack compromised the personal identifying information of approximately 40,000 customers¹⁶, including names, email addresses, date of birth, and zip codes – information that can easily be sold on the Dark Web to those intent on identity theft and future fraud. And it all happened because a skilled con artist was able to dupe an unsuspecting customer support employee into divulging credentials for database access over the phone. As a result, the multi-billion dollar corporation was hit with a class-action lawsuit¹⁷ claiming “failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect PII.” The case, recently settled, will cost the company upwards to $20 million, including monetary compensation and two years of credit monitoring and identity theft protection for hacked customers.

And that doesn’t even cover the untold damages from loss of public trust and future investors.

Similarly, social media giant Twitter¹⁸ suffered both financial and reputational damages at the hands of a 17-year-old who gained access to internal systems through a simple call to an unwitting staffer. Once in, the hacker and two collaborators hijacked numerous high-profile accounts, including that of Barack Obama, Elon Musk, Bill Gates, and Kim Kardashian, to advance a bitcoin scam.

Even AT&T¹⁹, a company that surely understands the power of a phone call, fell victim to a massive identity theft attack when phone scammers impersonating employees called customer service and managed to gain access to accounts which they then raided to the tune of half a million dollars.

Clearly, even the most advanced technology companies are not immune to cyber-intrusion when the weapon of choice is the human voice.

While consumers are increasingly adopting the practice of ignoring calls from unknown sources, it is not a viable option for organizations that depend on voice communications as their core value proposition and service offering. Cybercriminals recognize this unique vulnerability and have been quick to exploit it using vishing and social engineering tactics directed at employees, particularly in customer support²⁰, in order to gain access to protected information and data.

Indeed, as businesses move to tighten security around their data networks, vishing attacks through the voice network are accelerating, having increased nearly 550%²¹ over the 12 months since May 2021 with no signs of abating soon.

The problem is real and getting worse.

A recent Stanford University study ²²  revealed that approximately 88% of data breaches are caused by human error. What’s more, 50% of employees surveyed admitted that they are “very” or “pretty” certain they have made mistakes at work that could have led to a security issue for their company. The fact that nearly half of US organizations reported data breaches in the past year points to one clear conclusion: Humans are the critical weak link in enterprise cybersecurity defense.

Despite the fact that the security awareness training market is now a $1 billion industry²³ and growing by nearly 13% year over year, scammers remain remarkably adept at uncovering and exploiting vulnerable human targets. These employees may be trained to look out for suspicious links, create complex passwords, and avoid putting sensitive information in an email, but they are open prey for phone fraud.

Ignoring calls from unknown sources may be common practice on a personal phone, but businesses cannot afford to dismiss calls that could be from a potential customer, prospect, patient or partner, let alone those related to a possible emergency. The fact is, unlike an email, there is no opportunity to examine the content of a call before taking it.

What’s more, once that contact is made, the voice is a uniquely powerful tool of persuasion. Employees, especially customer support, are conditioned to be helpful, to represent their organization positively, and to be receptive and helpful to those who choose to contact them. Their reluctance to harm a potential customer or prospect relationship by presenting with a skeptical attitude makes them particularly vulnerable to the psychological manipulations of a sophisticated con artist.

What’s more, as quickly as organizations become aware of new threat tactics and integrate that knowledge into employee training, threat actors are already devising new ways to reach their targets. They know that companies are becoming better protected against malware and have been honing their threat intel capabilities, but the weak link – human contact – is constant.

This is not to say organizations derive no benefit from cybercrime employee training. However, when the attack surface is the ubiquitous phone, the better investment may be technologies that limit the opportunities for intruders to reach their human targets in the first place.

Conclusion

The enterprise voice network is an overlooked, unprotected, and increasingly targeted entryway for unwanted intrusions and criminal attacks. Regulatory efforts, hardware upgrades, blocklists and training all can be helpful but may also be fueling a false sense of security as evidenced by the unabated level of criminal activity now perpetrated by phone. Organizations need to stop relying on obsolete and misguided perceptions and take action now to illuminate, understand, and eradicate the enemy within their own voice traffic.

No doubt cybercriminals continue to find a multitude of ways to uncover and exploit vulnerabilities in enterprise network access points to perpetrate fraud, data theft, extortion and sabotage.  As quickly as security experts put in place measures and patches to thwart known intrusions, bad actors morph their tactics and continue their assaults.

Until recently, enterprise cybersecurity experts have focused primarily on securing digital communication networks and the infrastructures that supports them. In response, enterprising threat actors have simply found other ways to gain access to internal systems and data stores. As evidenced by the dramatic increase in malicious voice traffic, that new pathway of choice is now the commonplace phone call.

But, we have a solution. 

Robocalls, spoofed calls, spam storms, vishing attacks – they are not only taking a huge bite out of operational efficiency, but they are also serving as cover for sophisticated reconnaissance as cybercriminals search for the weak link – the human contact that they need to complete their missions.

Unlike an email, the content of a voice call is unknown until it is answered, and business cannot afford to ignore incoming calls. The only solution is to make sure those calls never reach their human targets in the first place.

However, cleansing enterprise voice traffic of these unwanted and dangerous interlopers is not an easy task.  Regulatory measures, call-handling policies, manual blocklists, robocall filtering services and databases – all can do some good but none, on its own, can provide the full spectrum of spam and nefarious call detection capabilities needed to fully protect the voice network from threat actors and their ever-evolving tactics.

But there is a solution. The Mutare Voice Traffic Filter creates a firewall for the enterprise voice network using five distinct layers of filtering protection. The Mutare Voice Traffic Filter is powerful enough yet, at the same time, sensitive enough, to detect and deflect nuisance and nefarious voice calls in all of their various and evolving forms at the network edge while assuring that only the important calls ring through.

Want to learn more? Don’t get fooled by the myths. It’s time to do something real to protect your voice network, your organization and your people. Contact Mutare and learn about the multi-layered firewall of protection provided through the Mutare Voice Traffic Filter. ²⁴