CloudTalk is proud to provide a variety of security measures that you can use to improve personal data protection and security. The following steps will help you make your CloudTalk even more secure.
Tip: If you have any questions or doubts related to security, feel free to contact our customer support at [email protected]. We will be happy to answer any questions or help you configure the right settings.
What is toll fraud?
Toll fraud is a scheme which fraudsters use to artificially generate a high volume of international calls on expensive numbers (routes). Fraudsters make calls to numbers that are known as premium rate numbers. Although many other fraudulent schemes are used in the telecom sector, toll fraud is the most common one, and it has grown six-fold since 2013. In the telecom industry, the total losses from toll fraud are estimated to be 10 billion USD annually. This number has further increased in the last couple of years.
What can I do to protect myself?
As you might imagine, there are no magical solutions for toll fraud and hacking. The best prevention strategy is a combination of measures that limit the fraudster’s access to the caller and that set limits and other barriers. Make sure that you have considered each of the following security recommendations. However, even the most bulletproof security policies will be useless if they are not followed. We recommend that you provide your employees with security training to make sure that they follow best practices and rules.
Increase the security of your agents’ passwords
Using safe passwords can prevent attackers from guessing your password and controlling your account. You should also require your admins, agents and other users to use unique passwords for their CloudTalk account. In other words, they should not use the same password that they use for other external systems, such as Salesforce, Zendesk, Gmail, etc. That way, if one account is attacked and a password is exposed, the hacker will be able to access just that one account. This will reduce risks and threats.
Minimize the number of agents with admin access
Administrators have access to parts of your CloudTalk account that are not accessible to your agents or CloudTalk users. For example, all security features described in this article, including agent management, are only available to admins. By restricting the number of agents with admin access, you reduce security risks.
Never disclose user names, email addresses and passwords
There’s a very thin line between meeting your users’ needs and maintaining high security. The number one recommendation is that admins or other users should never give out user names, email addresses or passwords.
If you are using standard login via CloudTalk, the only secure way to reset your password is to click on the "Forgot my password" link on CloudTalk’s login page. CloudTalk will ask the user to enter a valid email address (already verified in your account as an authorized user) and they will receive an email with a link to reset their password. Then the user creates a new password and logs in.
Bear in mind that hackers sometimes use social engineering techniques to force people to give them passwords. In some cases, they contact your customer center staff during weekends or evenings when there are fewer agents working. They might claim that there’s been a security breach and that they need the password to solve the issue.
Some hackers use tools that allow them to send emails from addresses that look just like your business address. Agents might think that they were contacted by your staff, although it’s not true. If you are contacted by a person who claims to be an administrator or user of your account, you should verify this information. If in doubt, never provide any sensitive information and do not make changes in someone else’s name.
We recommend that you educate your employees about these security risks and create a security policy so that everybody knows what to do when any of these incidents occur. This will help you in other cases as well, not just within CloudTalk.
Block international calls to unsafe countries
Many telecom attacks consist of the attacker getting control over your account and calling expensive international phone numbers. This setting lets you block international calls to countries which are not relevant for you. We recommend that you restrict calling to only the countries that you actually need. Some of the problematic destinations are African countries and Taiwan, but also EU countries such as Latvia or Lithuania. You can find these settings under Account > Settings > International calls.
TOP 10 destinations for telecom fraud:
This is just a selection of the current TOP 10 most dangerous countries. Obviously, fraud is committed in other countries as well, although to a smaller extent.
Restrict login to the countries that you actually need
Your agents will log in to their phones or apps only from certain countries that you know of in advance. You definitely don’t need to allow login from all over the world. Select these countries in CloudTalk to allow users to access their account only from the countries that you actually use. Attackers often try to gain access to an agent’s user account and then abuse it. This simple setup will make their attempt much harder. You can find these settings under Account > Settings > Agent login abroad.
Restrict maximum daily limit
You can also increase the security of your call center by specifying a maximum daily limit. Calculate your average call center spending per day. This will help you set up a realistic maximum daily rate limit. You can find these settings under Account > Settings > Security. The maximum value that you can choose is EUR 200. If you need to set up a higher maximum rate, please contact us.
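The country restriction and the daily limit described above can also be checked after the fact against your own call records. The following is an added example, not CloudTalk code or a CloudTalk export format: the CSV columns, the sample rows and the small calling-code table are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample export; column names are assumptions, not CloudTalk's format.
SAMPLE_CDR = """\
started_at,agent,destination,cost_eur
2024-03-02T09:14:00,anna,+421233221100,0.40
2024-03-02T09:40:00,anna,+4930123456,1.10
2024-03-03T02:05:00,peter,+37160000001,95.00
2024-03-03T02:31:00,peter,+37160000002,88.50
2024-03-03T02:58:00,peter,+421233221100,30.00
"""

# Small illustrative subset of ITU calling codes (digits only, no "+").
CALLING_CODES = {"1": "US/CA", "44": "GB", "49": "DE", "421": "SK",
                 "370": "LT", "371": "LV", "886": "TW"}


def country_of(number):
    """Longest-prefix match of an E.164 number against CALLING_CODES."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):          # calling codes are 1 to 3 digits long
        code = digits[:length]
        if code in CALLING_CODES:
            return CALLING_CODES[code]
    return "UNKNOWN"


def audit(cdr_text, allowed_countries, daily_limit_eur):
    """Return (calls outside the allowlist, days whose spend exceeds the limit)."""
    off_list, spend = [], defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        country = country_of(row["destination"])
        day = row["started_at"][:10]
        spend[day] += Decimal(row["cost_eur"])
        if country not in allowed_countries:
            off_list.append((row["started_at"], row["agent"], country))
    over = {d: total for d, total in spend.items() if total > daily_limit_eur}
    return off_list, over


if __name__ == "__main__":
    calls, days = audit(SAMPLE_CDR, {"SK", "DE"}, Decimal("200"))
    for call in calls:
        print("outside allowlist:", *call)
    for day, total in days.items():
        print(f"{day}: EUR {total} exceeds the daily limit")
```

Numbers whose prefix is not in the table come back as UNKNOWN and are therefore reported as outside the allowlist, which is the safer default when the table is incomplete.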
Compile a blacklist of unsolicited phone numbers. This will block inbound calls which are not relevant for your business, e.g. those made by robots or spammers. Some numbers are scams, and we recommend that you add the ones you know of to your blacklist, so that you don’t have to deal with them ever again. Please check this article for more information on blacklist.
All data sent via the CloudTalk REST API are encrypted (TLS/SSL). Access to the API is restricted only to authorized users with login and security API tokens. Never share your API key with unauthorized persons and make sure to store your API key only where necessary. If you are using Git (or any other repository), make sure that your API key is not stored there.
Monitor your staff’s activities via Audit Log
CloudTalk provides an Audit Log interface which allows you to track who accessed your data. You will immediately see what data was accessed, when and by whom, and resolve any suspicious activities. Audit Log is accessible to admins under Settings > History of actions.