A law firm phone hacking incident has resulted in an Alexandria, VA attorney being sent a staggering $65,000 phone bill. The attorney’s phone system was hacked and used to make a slew of international phone calls in the middle of the night to numbers in Algeria and Serbia.

In total, 195 phone calls were made through the law firm’s phone system in just 45 minutes. Since the incident occurred in the middle of the night, no one noticed. The small law firm only employs three people, none of whom were in the office at the time.

Attorney David Chamowitz was informed by his service provider via email about the calls and the charges.  This law firm phone hacking incident was not a one off. Even though the attorney changed the password on his system, he was attacked again suggesting the hacker had a backdoor into the system. To ensure that future calls were not made, the attorney has had to switch off long distance call capabilities.

The hacker responsible was unlikely to be looking to speak to friends and relatives abroad. This type of scam involves making calls to premium rate international numbers, with the hackers making money from those calls. The charges for the calls can be extortionate, as Chamowitz discovered. Many other small to medium sized businesses have been targeted by hackers and have had to foot the bill for the calls. Phone charges totaling tens of thousands of dollars can easily be racked up.

As was the case with Chamowitz, the attack occurred at a time when it was unlikely to be noticed. Calls are usually made outside of business hours, often in the middle of the night.

Flaws in security systems are exploited to gain access to voicemail systems, although more commonly, hackers take advantage of poor security controls such as default login credentials left active on voicemail systems. Small businesses may implement firewalls and a host of security measures to protect their computers from attack, yet do not realize that voicemail system hacks are also possible.

The default credentials can easily be found online via the search engines or they can be easily guessed. Usernames of ‘admin’ are common and passwords are often set to 1234.

As this law firm phone hacking incident shows, any system that can be accessed externally can be hacked. Whether that is a computer, server, router, IoT device or phone/voicemail system.

To protect against voicemail system hacks it is important to ensure that default credentials are changed and strong passwords are set. A PBX firewall should be employed and calls logs should be monitored. If there is no need for your business to make international or premium rate calls, speak to your service provider and try to block those calls. Also, consider setting the system to not permit outbound calls at certain times (outside of office hours) and disable external access to the phone system/voicemail when the office is closed.