The Biggest Cybersecurity Risks for Businesses Using VoIP

Stronger connectivity, significant cost reductions, and a centralized system are noticeable advantages of switching your telephone network to Voice over Internet Protocol (VoIP). And since you did it, your business is probably making the most of them.

But what they probably didn’t tell you about VoIP is the cybersecurity risks.

Sure, VoIP saves on network costs. But at what cost to security? How many new threats have you exposed your business to? How much staff training is now required to combat malicious hackers and software?

VoIP networks are much more connected to the internet than your previous traditional telephone service. That means they’re also more open to attack.

In this article, we’ll take a look at 6 of the most common cybersecurity risks that you and your business need to be aware of.

1. Denial of Service (DoS) Attacks

Many of the cybersecurity risks we’ll discuss in this article are only possible due to advanced technology and software. DoS attacks, on the other hand, don’t require that much sophistication. One of the biggest concerns is that they are also very low-cost to operate.

Anybody who wants to perform a DoS attack can do so with modest funding and little technological capability.

Implementation of a VoIP system can leave your Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports at risk. Ignore that risk, and they could be used as part of a distributed DoS attack.

Hackers will overwhelm your VoIP server with Session Initiation Protocol (SIP) call-signaling messages. And they don’t even need to penetrate your whole network.


Instead, these messages flood your VoIP server with incomplete requests and consume all of the available bandwidth. Your system will slow down and, in some cases, might stop entirely due to the traffic.
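One way to spot this pattern from the defender's side, as an added example that is not part of the original article: the sketch below flags sources that send many SIP INVITEs in a short window and almost never complete them with an ACK. The log format, IP addresses, function names and thresholds are all assumptions made up for the illustration.

```python
from collections import defaultdict, deque

def make_sample():
    """Constructed log lines: '<epoch-seconds> <source-ip> <method> <call-id>'."""
    lines = []
    for i in range(5):  # normal phone: completed calls, 20 s apart
        lines.append(f"{1000 + i * 20} 192.0.2.10 INVITE c{i}")
        lines.append(f"{1001 + i * 20} 192.0.2.10 ACK c{i}")
    for i in range(60):  # flooding source: 60 INVITEs in 6 s, never ACKed
        lines.append(f"{1000 + i * 0.1:.1f} 198.51.100.7 INVITE f{i}")
    return sorted(lines, key=lambda l: float(l.split()[0]))

def find_sip_floods(lines, window=10.0, max_invites=30, min_ack_ratio=0.5):
    """Flag sources with a high INVITE rate whose calls are rarely completed."""
    recent = defaultdict(deque)   # source -> INVITE timestamps inside the window
    peak = defaultdict(int)       # source -> highest INVITE count seen in a window
    invited = defaultdict(set)    # source -> call-ids it tried to set up
    acked = defaultdict(set)      # source -> call-ids it actually completed
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, method, call_id = float(parts[0]), parts[1], parts[2], parts[3]
        if method == "INVITE":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # drop timestamps older than the window
                q.popleft()
            peak[src] = max(peak[src], len(q))
            invited[src].add(call_id)
        elif method == "ACK":
            acked[src].add(call_id)
    alerts = {}
    for src, ids in invited.items():
        ack_ratio = len(ids & acked[src]) / len(ids)
        if peak[src] > max_invites and ack_ratio < min_ack_ratio:
            alerts[src] = {"peak_invites": peak[src], "ack_ratio": round(ack_ratio, 2)}
    return alerts

if __name__ == "__main__":
    for src, info in find_sip_floods(make_sample()).items():
        print(src, info)
```

Combining rate with completion ratio keeps a busy but legitimate call queue, which completes its calls, from being flagged alongside a flood.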

DoS attacks have become so frequent and so disruptive that the FBI and Department of Homeland Security have issued warnings about the possible risks. Even so, you might be surprised to learn that it isn’t just the huge networks hackers are after.

It turns out that no company is too small for a DoS attack. These attacks have already cost established companies millions of dollars in disruption and lost business. Now SMEs are paying this price too, as 70% of small businesses experienced cyberattacks in 2018.

2. Viruses and Malware

Viruses and malware can affect almost every item of technology you own. VoIP networks are no different.

Just like most internet applications, your VoIP network is exposed to worms, malware, and other viruses. That’s because your VoIP configuration is using softphones – software which mimics the action of a telephone.

Just about every VoIP implementation uses softphones and, along with computer software, they’re a common target. These viruses might perform any number of unwanted system interruptions. They’ll sabotage valuable information, steal access to protected data, and take over an entire computer system.

So it’s important to install and regularly update effective anti-virus software. Staff training is also important, as many viruses will trick users into installing them.

Mobile malware is a significant issue with VoIP networks too. Away from the desk, many users make VoIP calls with their smartphones. Once malware and other malicious software infiltrate your smartphone, it can access and steal all sorts of valuable information.

3. Vishing

No, it’s no typo. Vishing is the voice-based counterpart of malicious email phishing. Clever word-play, right? But it’s not nearly as clever as some of the carefully-constructed vishing schemes used every single day.

Fraud tactics are used to trick employees. But they could trick suppliers, and even clients, into sharing sensitive information too. Usually, this fraud strategy will target financial details and personal information which can be easily manipulated.

But what would a vishing attack mean for your business? Well, if these schemes can trick staff into sharing information used to access protected networks, such as passwords, they could effectively control much more than accounting.

This is one of the few cybersecurity risks that targets the user instead of the software and hardware. This unique trait makes it one of the more difficult risks to prevent.

But hackers will use vishing in another way too.


Typically, these attacks target people with an electronic message or email. They’ll be warned of a threat to their account security and asked to call a number to discuss it.

Unbeknown to the user, that number will connect them to the hacker’s private VoIP branch. A prepared interactive voice response (IVR) will play, which mimics a conventional business system. Users will then be vulnerable to sharing account details, PIN codes, and more sensitive data.

4. Phreaking

Phreaking is the first of two VoIP call fraud techniques we’ll discuss. The end goal of call fraud is similar to vishing: gaining access to protected networks and abusing them.

Phreaking is when a hacker accesses your business VoIP network and uses it to their advantage. This type of fraud focuses on stealing from the service provider and racking up expensive network calls.

To do that, hackers will access the VoIP service provider information. They’ll be able to capture and manipulate access codes, account numbers, and more.


First of all, they’ll be able to use that information to steal even more data from the business. But more worryingly, they’ll be able to abuse the VoIP service. Hackers using phreaking often add phone extensions so that they can use the network unnoticed. They’ll make expensive calls and run up eye-watering service provider bills.

Even worse, they could change the network plan completely. Hackers will add credit, remove credit, and change the service plan to allow for the expensive calls they’re making. Much of this activity will go unnoticed until the first super-expensive bill is processed.
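Because this activity tends to surface only on the bill, reviewing call detail records (CDRs) daily catches it earlier. The following is an added example, not part of the original article: it flags calls from extensions missing from the known inventory and any extension whose daily spend passes a budget. The CSV columns, extension numbers, destinations, rates and budget are constructed for the illustration.

```python
import csv
import io
from collections import defaultdict

KNOWN_EXTENSIONS = {"101", "102", "103"}  # constructed extension inventory

# Constructed CDR export; the column names are an assumption for this example.
CDR_CSV = """\
start,extension,destination,seconds,rate_per_min
2024-03-02T10:15:00,101,+15550100001,300,0.02
2024-03-02T11:40:00,102,+15550100002,600,0.02
2024-03-03T02:05:00,199,+99900000001,1800,2.50
2024-03-03T02:40:00,199,+99900000001,1800,2.50
2024-03-03T03:15:00,199,+99900000002,1800,2.50
"""

def review_cdrs(csv_text, known_extensions, daily_budget=20.0):
    """Return (unknown extensions seen, {(day, extension): spend} over budget)."""
    unknown = set()
    spend = defaultdict(float)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ext = row["extension"]
        cost = int(row["seconds"]) / 60 * float(row["rate_per_min"])
        day = row["start"][:10]            # YYYY-MM-DD prefix of the timestamp
        spend[(day, ext)] += cost
        if ext not in known_extensions:
            unknown.add(ext)               # extension nobody provisioned
    over_budget = {k: round(v, 2) for k, v in spend.items() if v > daily_budget}
    return sorted(unknown), over_budget

if __name__ == "__main__":
    unknown, over = review_cdrs(CDR_CSV, KNOWN_EXTENSIONS)
    print("extensions not in inventory:", unknown)
    for (day, ext), total in over.items():
        print(f"{day} extension {ext} spent {total:.2f}")
```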

5. Eavesdropping

Eavesdropping is another one of the more common cybersecurity threats and the second of our call fraud techniques. It can also be incredibly challenging to defend against.

Hackers gain access to VoIP calls and, as the name suggests, listen in on them. To begin with, they’ll capture unencrypted VoIP traffic without permission. Tapping into audio stream data packets (read: VoIP traffic) that travel across the internet is straightforward. They’ll then use easily obtained software to convert those packets into phone conversations.

From that point on, they have unlimited access to all sorts of sensitive business information. And to make things worse, cybercriminals can do this from any location they want.

Usually, they’ll be listening out for staff details and passwords. Perhaps they’ll hear account numbers, phone numbers, and other staff details. With that data, the hacker can access service plans, voicemail, and internal admin portals.

Identity theft and VoIP service theft are easily done once hackers have this personal information. To protect yourself and your business against it, consider encrypting your VoIP signals.
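To check whether calls are actually encrypted, a defender can inspect the call setup itself. The following is an added example, not part of the original article: it audits one SIP message for cleartext signaling (a Via transport other than TLS or WSS) and for media offered as plain RTP instead of SRTP. Both sample messages, the host names and the function name are constructed for the illustration.

```python
PLAINTEXT_INVITE = (  # constructed sample: UDP signaling, plain RTP audio
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example.com:5060;branch=z9hG4bK776\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
HARDENED_INVITE = (   # constructed sample: TLS signaling, SRTP audio
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pbx.example.com:5061;branch=z9hG4bK777\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<constructed-key-placeholder>\r\n"
)

def audit_sip_message(raw):
    """Return a list of encryption findings for one SIP message with an SDP body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings, signaling_encrypted = [], True
    for line in head.split("\n")[1:]:              # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and value.strip():
            # Via value looks like: SIP/2.0/<transport> host:port;params
            transport = value.split()[0].split("/")[-1].upper()
            if transport not in ("TLS", "WSS"):
                signaling_encrypted = False
                findings.append(f"signaling over {transport}: SIP headers and SDP are readable in transit")
    for line in body.split("\n"):
        if line.startswith("m=") and len(line.split()) >= 3:
            media, _port, proto = line[2:].split()[:3]
            if "SAVP" not in proto.upper():        # RTP/AVP means no SRTP
                findings.append(f"{media} uses {proto}: call audio is unencrypted RTP")
        elif line.startswith("a=crypto:") and not signaling_encrypted:
            # SDES carries the SRTP key inside the SDP, so it needs TLS around it
            findings.append("SRTP key (a=crypto) sent over unencrypted signaling")
    return findings

if __name__ == "__main__":
    for label, msg in (("plaintext", PLAINTEXT_INVITE), ("hardened", HARDENED_INVITE)):
        print(label, audit_sip_message(msg) or "no findings")
```

The third check matters because SRTP keyed through `a=crypto` lines only protects the audio if the signaling that carries the key is itself encrypted.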

6. Spam over Internet Telephony (SPIT)

As VoIP continues to develop and become more commonly-used, so too does spam. The internet and spam will always go hand-in-hand.

Anybody that has ever used email will be aware of spam. Essentially, spam is unwanted, unsolicited communication. Spam is designed to advertise on a huge scale. But dangerous phishing schemes are often hidden within spam content as well. VoIP spam is no different.

Each VoIP system has a unique IP address. That means that yours does too. This allows spammers to capture thousands of IP addresses and bombard each of them with as many messages and voicemails as they like.

When VoIP spam arrives, it’s usually in the form of a voicemail. And that spam arrives on your VoIP system with two intentions.

First, it could be a simple marketing ploy. We say simple, but it won’t look like a simple fix when hundreds – perhaps thousands – of messages appear on your VoIP system voicemail overnight. You’ll waste much of your time with that mass-advertising campaign. Frustratingly, your voicemail is clogged up and useless.

Second, the spam on your voicemail could also be linked to a phishing scheme. So you’ll need to be sure that you’re not accidentally exposing valuable business information too.

Your Risk-Based Approach with Tetra Defense

Many of these cybersecurity risks are bad news for your business. At best, you’ll have a time-consuming and frustrating voicemail-clog. But it could be so much worse:

  • Staff details could be exposed and used to manipulate your VoIP service
  • Your entire computer network could be shut down
  • You might lose all access to the valuable information that you need
  • Sensitive customer information could be stolen and abused

These are risks that your business quite simply can’t afford to take.

At Tetra, we work alongside your team to minimize these risks. Our new approach to Cyber Security Management will provide your business with the solution it needs. Once we’ve conducted a full analysis of your IT network, we’ll know the best way to protect your data.

The threat of these risks is very real. Cybersecurity risk management with the Tetra team means you can leave the hard work to them. That way, your team can get back to making the most of your new VoIP network.

Author bio:

Sam O’Brien is the Senior Website Optimisation & User Experience Manager for EMEA at RingCentral, a global UCaaS systems provider. Sam has a passion for innovation and loves exploring ways to collaborate more with dispersed teams. He has written for websites such as BambooHR and Vault.
