By Ralph Willett
Toll fraud is, or should be, a concern for any business with a telephone system. There are many scams that
hackers use to steal service from a business telephone system, potentially costing the business thousands of
dollars over a single weekend. The purpose of this article is to describe one social engineering scam, the
"Extension 900 Scam".
In this scam, the hacker calls your main number or toll-free number and asks the receptionist to transfer him
to extension 900. In most business telephone systems, 9 is the access code for an outside line and 00 is the
number for the international operator, so "900" is not an extension at all: the switch reads it as 9 (seize an
outside line) followed by 00 (international operator). If the receptionist transfers the call, the caller is
connected to an international operator, who will politely complete his call to an international number. Your
business pays for that call, and for every call placed the same way.
How This Scam Works
Hackers know that not every system blocks this kind of transfer, so it costs them nothing to try: call the main
number and ask to be transferred to extension 900. Most companies do not have an extension 900; most do not have
any extension beginning with 9, because the digit 9 is almost always reserved for outside-line access. So if the
caller gets his call transferred to "900", the switch dials 9 (outside line) + 00 (international operator), and
he is connected to the international operator.
A good receptionist will know that there is no extension 900; receptionists usually know most of their internal
extensions by heart. If the receptionist tells the caller that there is no such extension, the caller will say
something along the lines of "the president of the company told me to ask for that extension and is waiting for
my call." If the receptionist still insists that there is no extension 900, the caller may well become
threatening and try to intimidate her into transferring the call.
How to Protect Your Business
The most important defense is to educate your end users, especially your receptionist and operators. Bear in mind
that the call does not have to reach the receptionist for this to work: if outside callers can dial any office in
your building directly, the hacker can ask whoever answers to transfer him, and a warehouse clerk or janitor can
complete the transfer as easily as the receptionist can. So be sure to educate all of your users at least once a
year.
Here are some more things you can do to stop this kind of attack.
1) Block calls to 9-00. If your company has no need to call the international operator, block it. I would also
have your carrier block all international calling (9-011) if you do not need it. If you must make an international
call on rare occasions, use a prepaid calling card; you can get very good rates with these cards, and a card caps
your loss at its face value.
2) Block trunk-to-trunk calls. If a call comes into your PBX or key system and is transferred back out to an
outside number, that is a "trunk-to-trunk" call, also called a tandem call. Most systems can block this. Keep in
mind what the block may affect: do your executives call in and have their assistants transfer them to an outside
number? Do you have an after-hours service that requires callers to be transferred to an outside answering
service? If you do not need these things, block trunk-to-trunk calls.
3) Restrict which phones can transfer callers to outside numbers. Some people may need this feature, but
certainly not everyone does. Work with your telephone system vendor to set up Classes of Service that remove the
ability from the phones that do not need it.
4) Restrict the calling areas telephones can reach. Does every telephone in your business need to call
international numbers, or even numbers outside your local calling area? If a phone has no reason to call outside
your area, why give it the ability? A phone that cannot dial a long-distance number cannot transfer a fraudulent
caller to one either.
5) Monitor your phone bills and call records. Any toll fraud scam is easier to get away with if nobody checks the
bills. Watch for unusual calls: international destinations, calls placed at night or on weekends, long call
durations, and calls from phones or voice-mail ports that have no business making them.
6) Finally, be sure your phone vendor even knows what toll fraud is. This may be surprising considering that
they are supposed to be the experts, but I've met many technicians that really don't think about such things. Most
have never had even the most rudimentary training regarding toll fraud security. I ran into one technician that
was highly thought of by our mutual customer. I noticed that a trunk-to-trunk transfer was enabled on the class of
service of his voice mail system and insisted that it be removed. When I explained why, he even asked "Why would
anyone do that?" Now that you know, be sure your vendor does.
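As an added example (not from the article, and not any vendor's configuration), the following Python models the two checks the list above keeps coming back to: a class-of-service decision on a transfer target, showing how "900" resolves to 9 (outside line) + 00 (international operator) and how items 1 through 4 stop it, and a scan of a call-detail-record (CDR) export for item 5. The digit conventions (9 for trunk access, 00 for the international operator, 011 for international dialling), the extension list, the two classes of service and the CDR lines are all assumptions constructed for the example.

```python
"""Toy model of a PBX dial plan, class-of-service (COS) restrictions and a
call-detail-record (CDR) scan for the 'extension 900' tandem-call scam.
Added example with constructed data; the digit conventions below are the
North American ones the article assumes, not any vendor's configuration."""
from __future__ import annotations
from dataclasses import dataclass

TRUNK_ACCESS = "9"      # assumed: a leading 9 seizes an outside line
INTL_OPERATOR = "00"    # digits after trunk access for the international operator
INTL_PREFIX = "011"     # North American prefix for direct international dialling

EXTENSIONS = {"100", "105", "231"}   # constructed extension list; none begin with 9


@dataclass(frozen=True)
class ClassOfService:
    """What a station (or a voice-mail port) may do with an outside line."""
    name: str
    trunk_to_trunk: bool    # may transfer an incoming trunk call back out (items 2, 3)
    long_distance: bool     # 9-1-NPA-NXX-XXXX (item 4)
    international: bool     # 9-011-... (item 1)
    intl_operator: bool     # 9-00 (item 1)


# Reception and voice mail: internal transfers only.
RECEPTION_COS = ClassOfService("reception", False, False, False, False)
# Executive assistant who legitimately transfers callers to domestic outside numbers.
ASSISTANT_COS = ClassOfService("assistant", True, True, False, False)


def classify_digits(digits: str, extensions: set[str] = EXTENSIONS) -> str:
    """How the switch interprets a dialled or transfer-target digit string."""
    if digits in extensions:
        return "extension"
    if not digits.startswith(TRUNK_ACCESS):
        return "invalid"                     # no such extension, no trunk access
    outside = digits[len(TRUNK_ACCESS):]     # '900' -> '00': 9 (line) + 00 (operator)
    if outside == INTL_OPERATOR:
        return "intl_operator"
    if outside.startswith(INTL_PREFIX):
        return "international"
    if outside.startswith("1") and len(outside) == 11:
        return "long_distance"
    if len(outside) in (7, 10):
        return "local"
    return "invalid"


def transfer_allowed(digits: str, cos: ClassOfService,
                     inbound_on_trunk: bool = True) -> tuple[bool, str]:
    """Decide whether a station with `cos` may transfer a caller to `digits`."""
    kind = classify_digits(digits)
    if kind == "extension":
        return True, kind
    if kind == "invalid":
        return False, kind
    # Everything below would send the caller back out on a second trunk.
    if inbound_on_trunk and not cos.trunk_to_trunk:
        return False, f"trunk-to-trunk blocked ({kind})"
    permitted = {"local": True, "long_distance": cos.long_distance,
                 "international": cos.international, "intl_operator": cos.intl_operator}
    return permitted[kind], kind


# Constructed CDR export: timestamp, originating station, call type, digits, seconds.
CDR_SAMPLE = """\
2009-03-13 10:02:11,105,OUT,912125551234,95
2009-03-13 15:20:40,100,TANDEM,912125551234,120
2009-03-14 23:41:07,100,TANDEM,900,1832
2009-03-15 02:13:55,231,TANDEM,9011442079460000,2410
2009-03-16 09:15:02,105,OUT,95551234,60
"""


def flag_cdrs(cdr_text: str, business_hours: tuple[int, int] = (7, 19),
              intl_expected: bool = False) -> list[tuple[str, str, str, list[str]]]:
    """Return (timestamp, station, digits, reasons) for records worth a look."""
    flagged = []
    for line in cdr_text.splitlines():
        ts, station, call_type, digits, _secs = line.split(",")
        kind = classify_digits(digits, extensions=set())
        reasons = []
        if call_type == "TANDEM":            # caller was transferred back out
            reasons.append("tandem")
        if kind in ("intl_operator", "international") and not intl_expected:
            reasons.append(kind)
        hour = int(ts[11:13])
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("after_hours")
        if reasons:
            flagged.append((ts, station, digits, reasons))
    return flagged


if __name__ == "__main__":
    print(transfer_allowed("900", RECEPTION_COS))
    print(transfer_allowed("900", ASSISTANT_COS))
    for rec in flag_cdrs(CDR_SAMPLE):
        print(rec)
```

Run it to see the reception class refuse "900" as a trunk-to-trunk transfer, the assistant class refuse it on the international-operator restriction while still passing a domestic long-distance number, and the CDR scan flag the tandem, international and after-hours records. On a real system the equivalent settings live in the PBX's class-of-service and toll-restriction tables and the CDRs come from the switch or the carrier bill; the decision logic is what carries over.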
Ralph Willett is a Voice Communications Specialist. His website can be found at