Could Phones Be The Next Frontier For Hackers?
Could your internet-connected/VOIP phone system be the next target for hackers? Cyber-related breaches and social engineering (otherwise known as CEO fraud) made a lot of waves in 2015 and are expected to continue in frequency and severity into 2016. Cyber breaches generally take the form of malicious code, and social engineering the form of fraudulent emails. However, with many companies using internet-connected/VOIP phones today, consider the potential damage of a hacker gaining access to your phone systems. Scenarios could include:
- Shadowing a call or listening to saved conversations to gain PII, employee or account information, or, in the event of corporate espionage, inside, confidential corporate information.
- Forwarding/redirecting an incoming call to a hacker posing as an employee in your accounting department.
- Making a call appear (on caller ID) as though it is coming from an internal office line, to build trust when attempting to gain financial/account information.
- Gaining access to your phone lines in order to spam others (which could result in a violation of CAN-SPAM and other anti-spam laws).
This is just a short list of potential scenarios, but they pose some interesting coverage questions. Would such a breach trigger coverage in a cyber or crime policy? How are "unauthorized access" and "insured system" defined? Would the scope of those definitions extend to internet-connected phone systems? In terms of any social engineering coverage, are "oral requests" for information covered? Would an oral request over a VOIP system be considered an "electronic request"? And most importantly, how secure are your phone systems and internal controls?