Are There Security Risks with a Voicemail System

written by Chris Griesemer

Most people don’t think about voicemail at work being a high risk piece of technology. What risks could possibly be involved with voicemail? Maybe you have a client that leaves his/her name and phone number? At the very worst you might have a client who leaves name, phone number and social security number. Let’s really go out on a limb. Your customer is late on a payment, calls after work, goes to voicemail, leaves name, phone number, social security number and credit card number including expiration date. And although we all discourage this kind of information being left as a message to someone, it is really only a vulnerability if someone has hacked into the voicemail system, snooping voicemail boxes and listening to messages.

Weak Link

Believe it or not, voicemail is one of the weakest links into a company. It might not connect with the entire network but it can allow someone through the virtual front door. So what can a hacker do with a voicemail system if they get in? Below I will illustrate, from a hacker's standpoint, how easy it is to commit voicemail system fraud.

How it's Done

The first thing I do is find a company who closes at 5 and then turns their automatic attendant on. For those who don’t know, the automatic attendant is the system that answers calls after hours. It allows callers to have the ability to leave messages for someone at that business at anytime. It also allows employees of that business to call into the system and check their messages on voicemail.

Usually by pressing a button, the voicemail system will bring up an menu that allow employees to gain access to the voicemail system. By the way, that button is usually star ( * ) or pound ( # ). The first time I called, I would not press the bypass button, instead I would go to the directory in an attempt to find the extensions of the people that work there. I would get about 5 extensions. Then I would hang up.

Next I would call back and this time I would press the bypass button (either star or pound) and gain access to the voice mail system. I would attempt to access one of the mail box numbers and when it asked what the password is, I would enter that number again. If that didn’t work I would enter 1234 or 9999.

If I got in, I would do one of two things: If available, I would utilize Pass-Through dialing, which would allow me to make calls from this company's phone system. If that feature was not available, I would forward multiple extensions to different numbers of my choosing.

What kind of number would I have these companies dial? You guessed it, a 900 number that I setup in a different country non-traceable to me. A number that, when called, would charge the caller a price per minute and would be deposited into an account I would access later.

If I was really crafty I would go through as many voicemail boxes as possible and look for the ones that had an excessive amount of voicemail messages. More than likely these employees are no longer working there and more difficult for the company to find who is making the calls.

Pretty sneaky huh? Of course customer information is important but there are other risks involved.

Best Practices

So what can be done to make sure this doesn’t happen to your business? Here are some best practices:

1. Make sure all voicemail boxes have unique passwords.
2. Change passwords throughout the year.
3. Disable the pass-through feature so calls cannot be made from your voicemail account.
4. Remove users mailboxes who no longer work at your business.
5. Block the ability to dial 900 numbers and any other number in which the company can be charged.
6. Block international calling to only locations the business has customers.
7. If you have to have the call forwarding feature, periodically run reports verifying valid call forwarding numbers.

If you are still uncertain or have questions, please feel free to contact Chris Griesemer at 417.881.0145.