That's what happened to Innovative Technologies, based in Wheeling, West Virginia. It was hacked in early October, apparently by Romanian cyber criminals who used its VoIP system to make telephone-based phishing calls to customers of Liberty Bank, a small regional bank with offices in California.
"They had scanned a whole bunch of IP addresses on the Internet in order to find [VoIP] servers," said Terry Lewis, CEO of Innovative Technologies.
On Oct. 3, Lewis started getting voicemail from Liberty customers who had received the scam calls. He checked his VoIP system logs the next day and found that the hackers had made about 300 calls over the weekend -- not so many calls that it would normally have even been noticed.
Once the VoIP system is hacked, the criminals use it to perform phone-based phishing attacks, sometimes called vishing. Vishing attacks have been around for a few years now, but they've largely flown under the radar, because they often target smaller regional banks rather than high-profile national institutions. The scammers move from bank to bank each week after completing their campaigns.
According to Liberty Bank, other regional institutions have also been hit with vishing attacks from hacked VoIP systems in recent weeks.
Lewis was lucky that he didn't get hit with major phone charges. Depending on how their systems are configured, businesses can be held responsible for any phone charges -- international call charges, for example -- that arise from the incident.
"If someone starts abusing your telephone system, you are potentially on the hook for a lot of money," Digium's Todd said.
Liberty Bank First Vice President Jill Hitchman believes that the scammers who targeted her bank probably hit between 30 and 35 businesses and were making between 20,000 and 30,000 phone calls per day. "I don't think these companies realize they're probably going to be getting charges," Hitchman said. "The bigger issue is, how are these phone systems being accessed and why can't we stop it?"
Only a few Liberty customers fell for the scam, Hitchman said, but the attackers knew what they were doing. First they would sign up for AOL accounts, to test that the card numbers worked. Because AOL offers free trial memberships, these charges do not show up for months. By that time, the scammers have put the information on fake ATM cards and emptied the bank accounts.
Businesses could prevent a lot of these attacks by changing the port they use for Session Initiation Protocol (SIP) connections on their VoIP systems, by blocking connections after a certain number of failures, and by simply using better passwords on their voice systems, security experts say.
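One way to implement the "block connections after a certain number of failures" control above, as an added example that is not from the article or from any PBX vendor: a Python script that reads SIP registration-failure log lines (constructed here in an Asterisk chan_sip style; the exact format is an assumption, so adapt the regex to your PBX) and flags source addresses that cross a failure threshold inside a sliding time window, the same logic a fail2ban-style jail applies before inserting a firewall rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on Asterisk chan_sip registration failures.
# The format is an assumption; the first source fails five times in five seconds
# (a scan), the second fails twice, 75 minutes apart (a mistyped password).
SAMPLE_LOG = """\
[2009-10-03 02:14:01] NOTICE[2210] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2009-10-03 02:14:02] NOTICE[2210] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-10-03 02:14:03] NOTICE[2210] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-10-03 02:14:04] NOTICE[2210] chan_sip.c: Registration from '"1004" <sip:1004@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-10-03 02:14:05] NOTICE[2210] chan_sip.c: Registration from '"1005" <sip:1005@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-10-03 08:30:00] NOTICE[2210] chan_sip.c: Registration from '"2001" <sip:2001@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2009-10-03 09:45:00] NOTICE[2210] chan_sip.c: Registration from '"2001" <sip:2001@192.0.2.10>' failed for '203.0.113.7' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<user>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)

def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every registration failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]

def find_sources_to_block(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: timestamp at which it crossed max_failures within window}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    blocked = {}
    for ts, ip, _reason in parse_failures(log_text):
        if ip in blocked:
            continue              # already flagged; a real jail would have dropped it
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in find_sources_to_block(SAMPLE_LOG).items():
        print(f"block {ip} (threshold crossed at {when})")
```

The two slow failures from the second address stay below the threshold, which is the point of the window: lock out scanners without locking out a user who fat-fingers a password.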
The problem is that for most small and medium-sized businesses, security is just not a priority. "People care way more about whether their conference calls are going to have decent phone quality," said Rodney Thayer, chief technology officer with VoIP security company Secorix.
They don't think of their VoIP systems as vulnerable to Internet attacks in the same way Web or e-mail servers are, and that's a mistake, Thayer said. "They think about it as a different system, and it's not," he said. "It's all the same stuff; it's all data going over a network."