Why Direct Dial-In past IVRs and Triage Desks may be a security issue.

Submitted by rparker on Wed, 02/03/2010 - 10:05

The following information was gleaned from a "Black Hat" security briefing on the web, and I composed these notes to put the vulnerability into the context of our typical call center client. - Ron.

Most companies have dozens, hundreds, or more phone numbers provisioned by the phone company for use with their telephone services. Unfortunately, most companies do not manage these numbers as a corporate asset. There is an important reason to actively manage a short, "defined purpose" (e.g. 'support', 'advertising tracking', etc.) set of numbers, and to publish only the necessary few numbers for use by the calling customer.

Scam artists can rent and use the same, inexpensive SIP trunk, Voice over IP, and "Asterisk software-as-PBX" technology that we use to lower phone costs and improve call center metrics. If they can get your customers to think -their- 800 or local telephone 'scam' number is really -yours-, then this is what happens.

1. The scammer leaves a "please call me back" voicemail or email. ("This is YourBank. Please call our fraud department at 800-xxx-yyyy.") "RoboCall" technology is a potential delivery method to spread the scam quickly to as many people as possible.

2. The caller calls the number and is connected to YourBank Fraud =ROUTED THROUGH= the SCAMMER systems. Every word of a conversation can be recorded, or a scammer IVR can be inserted in front of the bank IVR to ask for credit card and other information.

3. The caller is unaware they are being monitored, because the number they dialed connected them with an authentic bank call center, which has customer records and can verify their authenticity. Both caller and call center are (by now) familiar with the need and methods to verify identity over the phone.

4. Thanks to "cloud" computing, where all of the components needed to execute this scam are available as a utility service anywhere in the world, the skimming of information can take place anywhere in the world. A scammer anywhere in the world can remotely set up the necessary systems at any service provider and skim calls without ever leaving their desktop computer!

Like webpage fraud, this kind of scam can run until it is discovered and shut down, but a company's "telephone identity" is often not managed as carefully as its web domain name. Since direct dial to individual desks is so common, and since most companies have large inventories of phone numbers that they do not manage, most customer service people cannot answer this question:

"I dialed 800-xxx-yyyy. Is that a valid YourBank number I should have called to reach -your- desk?"

Since most call centers have over-enthusiastically embraced tools to create impossibly complex "skill" and "load balancing" routing, and almost NO tools to predict where individual calls actually go, it is rare to find -anyone- who can assure management and customers that a short published list of phone numbers AND ONLY THOSE NUMBERS terminate in authorized customer-facing call centers.

Finally, companies that actively drive customers to self service by -failing- to prominently publish voice service phone numbers may be -more- vulnerable, because the means of entering the voice services process are not prominently displayed and customers have no well-known number to compare against.

Summary: Make sure that you inventory EVERY phone number that your company owns. The purpose and termination point of every number should be clearly stated, and this information should be kept current and accurate. The list of numbers which may be dialed by customers should be accessible and well known to customer-facing employees, and the list of numbers published for dial-in use should be as few as possible.
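The inventory check described in the summary can be automated. The following Python script is an added example written for these notes, not code from the original post or from any call center product; the inventory, published list, and authorized termination points are constructed sample data (555-01xx numbers are reserved for fictional use). It reconciles the numbers the company owns against the numbers it publishes, flags the gaps the notes warn about, and answers the question a customer-facing employee should be able to answer: "is the number you dialed one of ours, and does it terminate in an authorized call center?"

```python
"""Reconcile a telephone number inventory against the numbers a company publishes.

Findings reported:
  published_not_in_inventory   - published somewhere, but the company does not own it
                                 (a customer dialing it reaches someone else)
  published_outside_authorized - owned and published, but terminates outside an
                                 authorized customer-facing call center or IVR
  unmanaged                    - owned, but no recorded purpose or owner
  customer_dialable            - the short list employees should recognize
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class NumberRecord:
    number: str       # any written form; normalize() reduces it to digits
    purpose: str      # 'support', 'advertising tracking', ...; '' if unknown
    termination: str  # where the call lands: 'ivr-main', 'desk:jdoe', 'unassigned', ...
    owner: str        # accountable owner; '' if none


def normalize(number: str) -> str:
    """Reduce '1-800-555-0100', '(800) 555-0100', '8005550100' to the same 10 digits."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):  # drop US country code
        digits = digits[1:]
    return digits


def _index(inventory: Iterable[NumberRecord]) -> Dict[str, NumberRecord]:
    return {normalize(r.number): r for r in inventory}


def audit(inventory: Iterable[NumberRecord], published: Iterable[str],
          authorized: Set[str]) -> Dict[str, List[str]]:
    """Return the four findings as sorted lists of normalized numbers."""
    inv = _index(inventory)
    pub = {normalize(n) for n in published}
    owned_pub = [n for n in sorted(pub) if n in inv]
    return {
        "published_not_in_inventory": sorted(pub - set(inv)),
        "published_outside_authorized": [n for n in owned_pub
                                         if inv[n].termination not in authorized],
        "unmanaged": sorted(n for n, r in inv.items() if not r.purpose or not r.owner),
        "customer_dialable": [n for n in owned_pub if inv[n].termination in authorized],
    }


def is_valid_customer_number(dialed: str, inventory: Iterable[NumberRecord],
                             published: Iterable[str], authorized: Set[str]) -> Tuple[bool, str]:
    """Answer 'I dialed this number; is it a valid number to reach you?' with a reason."""
    n = normalize(dialed)
    inv = _index(inventory)
    pub = {normalize(p) for p in published}
    if n not in inv:
        return False, "not a number this company owns"
    rec = inv[n]
    if n not in pub:
        return False, (f"company-owned but not published for customer use "
                       f"(purpose={rec.purpose or 'unknown'}, terminates at {rec.termination})")
    if rec.termination not in authorized:
        return False, f"published but terminates outside an authorized call center ({rec.termination})"
    return True, f"published '{rec.purpose}' line terminating at {rec.termination}"


# --- constructed sample data (hypothetical company) ---------------------------
AUTHORIZED_CALL_CENTERS = {"call-center-east", "call-center-west", "ivr-main"}

INVENTORY = [
    NumberRecord("800-555-0100", "support", "ivr-main", "customer care"),
    NumberRecord("800-555-0101", "advertising tracking", "call-center-east", "marketing"),
    NumberRecord("555-555-0102", "", "desk:jdoe", ""),          # direct-dial desk, nobody owns it
    NumberRecord("555-555-0103", "fax", "unassigned", "facilities"),
]

# Numbers found on the website, brochures and letters; 0199 was returned to the
# carrier years ago but is still printed on an old brochure.
PUBLISHED = ["1-800-555-0100", "800-555-0101", "555-555-0103", "800-555-0199"]


if __name__ == "__main__":
    for finding, numbers in audit(INVENTORY, PUBLISHED, AUTHORIZED_CALL_CENTERS).items():
        print(f"{finding:30s} {numbers}")
    for dialed in ["(800) 555-0100", "800-555-0199", "555-555-0102"]:
        ok, why = is_valid_customer_number(dialed, INVENTORY, PUBLISHED, AUTHORIZED_CALL_CENTERS)
        print(f"{dialed:16s} valid={ok}  {why}")
```

The script deliberately treats "we own it" and "we published it for customers" as separate facts: a number can pass the first test and still be the wrong thing for a customer to dial, which is exactly the gap the direct-dial and stale-brochure cases exploit. Running it against a real inventory export (carrier bill, PBX DID table) and the marketing department's published list is the fastest way to find the numbers nobody can vouch for.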

Although everyone likes to be greeted on the phone by a live voice, one published number that becomes identified with a company's brand coupled with a simple and well-planned IVR may be in your customer's best interest.

PS: Don't be surprised if your customers have increasingly negative reactions to your outbound wholesale "robo" calling. A customer-initiated call to your branded phone number will increasingly be seen as the primary way a consumer can protect themselves against telephone fraud, and your unsolicited calls will be increasingly seen as a threat to their privacy and security.