Cloud communications fraud - a hidden threat?

A person at a laptop with a secure lock symbol in a cloud floating above it.
(Image credit: Shutterstock / laymanzoom)

Despite the rapid growth of cloud communication services, there’s not enough being said about the emerging risk of cloud fraud for enterprises. While the financial implications can be huge, low awareness and poor visibility mean businesses are often unaware of the problem until it's too late.

Dark clouds - how big of a problem is cloud fraud?

The birth of cloud communications has, on the whole, been highly beneficial for enterprises. It means they no longer have to deal with installing and managing fixed telecoms infrastructure, reducing costs, time-to-market and general complexity. Forecasts predict that cloud communications will grow 20% year-on-year into a $51B industry by 2030. Despite this, awareness of cloud fraud and its potential impact on businesses is low. Plenty of attention is given to the seriousness of cyber risks and network outages, yet fraudsters go comparatively unnoticed in the grand scheme of things.

This is a big part of the issue. Despite a steady increase in fraud impacting new communications platforms, attacks (which can range from identity theft or account takeover to hacks generating calls to expensive destinations or numbers) can remain undetected for weeks at a time, resulting in as much as six-figure revenue losses. The reasons for this are poor awareness of fraud at the enterprise level, the race for new customer acquisitions from cloud comms providers resulting in weaker vetting processes, and the increasingly complex multi-layered ecosystem these communications exist within.

But how do these fraudsters get access to a private communications network? A company’s Private Branch Exchange (PBX), a private cloud-based telephone network, can be hacked or simply the account itself broken into. Cloud-based numbers can also be a key target for fraud, with their misuse having potentially huge financial implications for the cloud communications provider. For example, conferencing services utilising cloud-based numbers can be exploited over long periods to allow fraudulent traffic to be passed through at scale - one case of this saw a conferencing service provider fall victim to this for over two months, resulting in a financial impact of almost half a million dollars.

Katia Gonzales

Katia Gonzales is the Head of Fraud and Security at BICS.

A clouded issue - why are the fraudsters thriving?

That’s not to suggest these cloud services are less secure than traditional infrastructure - this issue isn’t unique to cloud comms. The telecoms industry has been struggling against fraud since the 1800s (no, really). While this is still ongoing, the telco industry has made significant ground in the fight against telco fraud. Still, since enterprises are new to this, many of them aren’t aware of the risk and some assume that it's not their problem to solve or that fraudsters will not look their way.

This low awareness is the root of the issue. It means most enterprises don’t partake in proactive monitoring of fraud across their communications services. This poor visibility makes it far easier for fraudsters to target cloud numbers or take advantage of any loopholes. Ultimately, this means scams are up and running far longer than they should be before they are finally detected and shut down - and every minute can mean thousands in revenue lost.

Another factor making this tricky is international borders. Part of this is the different compliance challenges that come with operating in certain countries. Regulations like GDPR, for example, can be barriers for organizations wanting to adopt more proactive security measures. Similarly, international borders can mean conflicting definitions and approaches to fraud, as well as jurisdiction challenges which can make solving the issue incredibly complex. The challenges are certainly not insurmountable, but they add to the complexity. Moving forward as in industry, we would certainly benefit from more uniform approaches to tackling fraud.

Silver linings - what can be done?

Thankfully, preventing cloud comms fraud is possible, but it requires cloud communication providers and the enterprises using these services to be slightly more proactive. A dedicated and collaborative approach is needed - the best way they can do this is to enlist the help of an experienced telecom provider who has experience preventing traditional telecom fraud. The lessons learned and knowledge of preventing fraud in the traditional communication sphere are invaluable and can be applied almost wholesale in the cloud communications space.

Building visibility to enable proactive monitoring of fraud is essential. While monitoring the traffic of cloud comms to identify suspicious activity goes a long way, widening this visibility by collaborating with a telco partner can take this even further. Fraudsters don’t exist in a vacuum, in a single network, or across a single cloud comms platform. By working together the industry has more visibility and more data to monitor trends and activity on a larger scale. This makes it possible to identify patterns and use more advanced analytics including ML to spot and stop fraud earlier and earlier.

A common question I hear asked when we talk about fraud, whether it's for traditional telco or in the cloud, is: “who is responsible for stopping these attacks?” The answer is that the onus isn’t just on whoever ends up out of pocket from fraud - is everyone’s responsibility, and the communications industry has to work together. In the last ten years, we’ve made great strides in building “global connectivity” where people and businesses are more digitally-connected than ever. But we need to rationalize this and apply some ethics here, building connectivity can’t be at the expense of fraud victims.

To really solve the problem the industry needs to come together and work on the bigger picture, if the scale is too small, fraudsters will go somewhere else. We need to work together and put these rules in place at scale - only then will the problem start to shrink.

We've featured the best online cybersecurity courses. 

Katia Gonzales is the Head of Fraud and Security at BICS. She is also Chair of the i3forum’s Fight Fraud Group, a position she has occupied since 2011.