Long Distance Fraud Tips and Tricks

April 22, 2022


Theft of long-distance voice services (“Toll-Fraud”) can occur for small and large businesses alike. Whether your business uses line services attached to phones or a PBX (Private Branch Exchange), it is still vulnerable to Toll-Fraud. Tens of thousands of dollars of Toll-Fraud can occur in just days and sometimes hours depending on the size of your company’s telephone system. Businesses that take precautions against it most often deter bad actors, thereby avoiding the cost and inconvenience of addressing unauthorized phone system access.

While GCI makes considerable effort to detect and inhibit fraud, bad actors continually adapt and create new approaches to committing fraud. The information provided below is intended to aid our customers in strengthening their defense on the parts of the system that are out GCI’s ability to control. We hope this information is helpful, but it is not necessarily comprehensive, and should not be taken to be a replacement for other security assessments or practices your business may wish to implement. 

Common types of toll fraud

Unauthorized Voicemail Access       

This occurs when perpetrators access your voicemail illegally by determining your access password and placing outbound calls from the system. Some voicemail systems allow this while others do not.

Unauthorized Call Forward/ Transfer

Similarly, if your PBX voicemail system is breached, often Call Forward or Call Transfer can be invoked by bad actors to send inbound calls to an unauthorized destination. In some cases, transferred calls can take place for several hours or days before detection.

Direct Inward System Access (DISA)       

This telephone system feature allows an outside caller to dial directly into the telephone system and access all of the system’s features and functions. DISA is typically used by company employees to make long-distance and international calls over their company’s phone lines, which may be published. It is also the most common way Toll-Fraud is committed by unauthorized individuals. Often DISA port access is provided by way of a Toll Free number. If this Toll Free number gets into the wrong hands, Toll-Fraud can occur.

Social Engineering

A fraudster persuades a company employee to provide dial tone access — e.g. the fraudster pretends to be calling from a telephone company and asks an employee for help in getting an outside line (e.g. dialing a 1-900 number or transferring to 9011, which is often set up to get to an international number). The fraudster may also seek sensitive information such as PINs, passwords, social security numbers, credit card numbers, etc. Fraudsters may even attempt to convince company employees to accept chargeable (3rd party billed, collect) calls.

Fraud prevention techniques

The list below contains methods that can and should be employed to reduce fraud exposure, particularly if the international dialing feature is enabled for your business.


Change all phone system factory default passwords, including voicemail and system access. This should be done often. Every 60-120 days is recommended.

Disable International Calling

Ask GCI or your PBX maintenance provider to turn off international calling functionality if your company does not need it. Keep in mind that GCI provides two types of international calling capability: access to 011 (outside of North America) and 01 (Caribbean) calling areas. It is important to disable both international access codes on all appropriate telephone numbers.

For customers who have a lot of telephone numbers, but only a few need international calling capability, ask GCI to disable the telephone numbers which do not require international calling. This reduces exposure to fraud.

If you have a PBX and require some form of international calling, your system often will allow you to block certain country and city code combinations. Ask your PBX maintenance manager for further details about this functionality.

Inappropriate Information Requests

Educate your employees. If they receive suspicious calls requesting transfers or passwords, they should redirect the call to the phone system administrator or other knowledgeable individual.

Voicemail Call Forward

Be sure your phone system's voicemail Call Forward functionality has not been involuntarily activated. If it has, turn it off and change your passwords.

Review Monthly Invoice

Review voice service bills each month. Does the call detail show normal calling patterns? If not, be sure to contact your phone system administrator and GCI.

Review Phone System Records

Review the Call Detail Records from your phone system daily or weekly and look for unauthorized calls.

Phone System Security Audit

Consider having a phone system security audit done by an independent third party to identify potential vulnerabilities.

Disable Former Employee Access

Remove former employee access to the phone system - either block their service access or change the password settings on the phone system.

Review International Calling Needs

If your company needs international calling capabilities and your PBX supports access codes, require them for international calling purposes. If your company doesn’t require international calling capabilities, ask GCI to remove that functionality from your service.


If the voicemail on your phone system allows out-dialing functionality and your company doesn’t need it, turn it off.

PBX Audit

Do a PBX audit with your PBX vendor if you haven’t done so recently.

Unauthorized activity

If you suspect unauthorized activity, restrict access to your PBX to authorized administrators and call GCI immediately.

PBX Lock-down

Consider PBX lock-down activities such as:

Place the PBX in a secure room for both business and after hours

Install intrusion-detection alarms for the PBX room

Store critical information and passwords securely; don’t display them publicly

Provide remote access only to those who need it

Keep anti-virus protection activated with voice packets encryption activated

Disable or restrict unnecessary services or ports

Password Protection

Creating and maintaining strong passwords for your devices and systems will help protect your account, and valuable information within your business. When creating a password, consider the following:

  • Avoid using the word “password”, as well as personal identifiers such as your name, birthday, account name or company address.
  • Create passwords longer than 8 characters.
  • Use combinations of numbers and letters and include special characters.
  • Avoid use of words. Interleave lower and upper case characters, numbers and/or special characters in words.
  • Avoid sequential patterns such as ABCD and 1234.

Customer responsibility

GCI Business recognizes the potential for Toll-Fraud and strives to minimize the impact to customers should it occur. Nonetheless, as detailed in GCI Business Terms and Conditions, GCI Business does not bear responsibility for Toll-Fraud. Your company is responsible for securing its phone system and paying for any usage charges that may occur through fraudulent activity.

Links to informative sources

Links where you can better educate yourself or report an incident are provided below.

For additional GCI Business Help & Support, please visit gci.com/business/resources.