If you don’t change the default password on your voice mailbox, you, or your company, could be in for a big – and expensive – surprise. The Federal Communications Commission (FCC) has become aware of a form of fraud that allows hackers to use a consumer’s or business’s voice mail system and the default password to accept collect calls without the knowledge or permission of the consumer.

The Scam Works Like This:

A hacker calls into a voice mail system and searches for voice mailboxes that still have the default passwords active or have passwords with easily-guessed combinations, like 1-2-3-4. (Hackers know common default passwords and are able to try out the common ones until they can break into the phone system.) The hacker then uses the password to access the phone system and to make international calls.

The hacker does this by first changing the voice mailbox’s outgoing greeting to something like “Yes, yes, yes, yes, yes, operator, I will accept the charges.” Then, the hacker places a collect call to the number they’ve just hacked. When the (automated) operator (which is usually programmed to “listen for” key words and phrases like “yes” or “I will accept the charges”) hears the outgoing “yes, yes, yes, yes, yes, operator, I will accept the charges” message, the collect call is connected. The hacker then uses this connection for long periods of time to make other international calls.

There is also another twist to this scam. A hacker breaks into voice mailboxes that have remote notification systems that forward calls or messages to the mailbox owner. The hacker programs the remote notification service to forward to an international number. The hacker is then able to make international calls.

What to Beware of:

• Hackers usually break into voice mail systems during holiday periods or weekends, when callers will not be calling; thus, the changing of the outgoing message goes unnoticed.

• Hackers are typically based internationally, with calls frequently originating in and/or routed through the Philippines or Saudi Arabia.

• Businesses that are victimized usually find out about the hacking when their phone company calls to report unusual activity or exceptionally high phone bills. (The fraud usually occurs on business voice mailbox systems, but consumers with residential voice mail could also become targets.)

• Consumers who are victimized may find out about the hacking when they receive unusually high phone bills.

What You Should Do to Prevent This Risk:

To avoid falling prey to this scam, the FCC recommends voice mail users do the following:

• Always change the default password from the one provided by the voice mail vendor;

• Choose a complex voice mail password of at least six digits, making it more difficult for a hacker to detect;

• Change your voice mail password frequently;

• Don’t use obvious passwords such as an address, birth date, phone number, or repeating or successive numbers, i.e. 000000, 123456;

• Check your recorded announcement regularly to ensure the greeting is indeed yours. Hackers tend to attack voice mailboxes at the start of weekends or holidays;

• Consider blocking international calls, if possible; and

• Consider disabling the remote notification, auto-attendant, call-forwarding, and out-paging capabilities of voice mail if these features are not used.

The FCC advises consumers to consult with their voice mail service provider for additional precautions they can take to assure the security of their voice mail systems.

If you believe your system has been hacked, call the phone company and report the incident to the police.

Filing a Complaint with the FCC:

Consumers who become victims of this scam are encouraged to file a written informal complaint with the FCC. There is no charge for this.

Your complaint letter should include your name, address, telephone number or numbers involved with your complaint, a telephone number where you can be reached during the business day, and the name of your long distance carrier. Your complaint letter should provide as much specific information as possible, such as:

• an explanation of the circumstances that led to your complaint;

• the names of all telephone or other companies involved with your complaint;

• the names and telephone numbers of the telephone company employees that you talked with in an effort to resolve your complaint;

• the dates that you talked with these employees; and

• any other information that would help the FCC to process your complaint.

You should mail your complaint to:

Federal Communications Commission
Consumer & Governmental Affairs Bureau
Consumer Inquiries and Complaints Division
445 12th Street, SW
Washington, DC 20554

To file a complaint electronically, go to www.fcc.gov/cgb/complaints.html and click on our complaint form. You can file by e-mail at fccinfo@fcc.gov or fax your complaint to (866) 418-0232.

For this or any other consumer publication in an accessible format
(electronic ASCII text, Braille, large print, or audio) please write or call us
at the address or phone number below, or send an e-mail to FCC504@fcc.gov.

To receive information on this and other FCC consumer topics through the Commission's
electronic subscriber service, click on http://www.fcc.gov/cgb/contacts/.

This document is for consumer education purposes only and is not intended to
affect any proceeding or cases involving this subject matter or related issues.

11/28/05

	Federal Communications Commission · Consumer & Governmental Affairs Bureau · 445 12th St. S.W. · Washington, DC 20554
	1-888-CALL-FCC (1-888-225-5322)  ·  TTY: 1-888-TELL-FCC (1-888-835-5322)  · Fax: 1-866-418-0232  · www.fcc.gov/cgb/