
onestopshop123

Big problem.... £3500 of fraudulent calls and BT want me to pay!


Hi,

 

First time post here. I have a problem which I am hoping forum members can offer their opinions and advice on please.

 

I run a small business which has an office based phone system.

 

Hackers somehow accessed our office phone system one night in January. They managed to remotely make hundreds of calls, one after the other, to a premium rate number in the Solomon Islands. Each time the call connected, it cost £50. The total cost of the fraudulent calls is £3,500.

 

BT contacted us the following morning to say it looked like our system had been hacked,

due to the unusual overnight call activity to premium rate numbers.

We immediately found and patched the loophole which had allowed the remote access.

 

I then contacted our BT business account manager and asked them to place the disputed bill on hold whilst it was investigated.

Subsequently, BT have written to me to advise that, according to their terms and conditions, we are liable for the fraudulent calls.

They have offered a payment plan, but won't reduce the bill.

 

BT have also advised me that because the premium rate numbers are outside of the UK, they are not controlled via a UK regulatory body.

They also tell me that they are under no obligation to monitor or identify fraudulent use of the network.

Because the calls were made to the Solomon Islands they also advised there is no way they can recover the cost back.

 

So, BT's view is that I have to pay the bill.

They also suggested to recover the cost from the IT company which manages our network

or from the Phone company which manages our phone system.

Both of those companies are small businesses, and they say it wasn't their fault, and in any event they can't afford to pay.

 

I should probably also add that BT agree that they accept that the phone calls have been made fraudulently by criminals.

I have also reported the details to Action Fraud to get my crime reference number.

 

I've written back to BT and asked the following questions:

 

i) As the fraud was identified straight away and BT agree it was fraud,

BT wouldn't pay the company in the Solomon Islands immediately

- it must go through some form of invoice process which would take some days to process.

 

 

As I asked BT to not make the payment to the company in the Solomon Islands when I first found out about the fraud,

my logic is that, if BT don't pay the invoice to the Solomon Islands,

then there is no need to pursue me for the costs.

 

ii) Can BT then confirm they have notified the company in the Solomon Islands of the fraud?

When did they notify the company?

 

I have also asserted, if BT do go ahead and make the payment to the Solomon Islands,

for a payment which they know to be fraudulent, and then recover the cost from me,

they will be benefiting from the proceeds of crime, which is definitely immoral and probably illegal.

 

Whilst their terms and conditions state that I am responsible for the fraudulent use of their network,

they also have some responsibility to prevent fraudulent use of their network.

 

 

They know for example from our call history, we never phone premium rate numbers,

we never phone the Solomon Islands,

we never phone in the middle of the night,

and we don't make repeated calls to the same premium rate number one after the other.

Our normal call bill with BT is £200 / month by the way.

 

BT have replied saying they are seeking a legal view. Of course their solicitor will say BT are in the right.

I've replied to say, they need to be sure of their facts as if they insist on taking the payment from my account,

I will raise a moneyclaim on-line, and we can let a County Court judge decide if they agree with BT's view.

 

 

In my mind, the crux is whether BT make the payment to the Solomon Islands straight away,

or whether they actually have an opportunity to prevent the invoice from being made straight away whilst it is being investigated.

If they don't make any attempt to prevent the fraud from being completed,

I believe this would be unreasonable and it would help my case.

 

Can anyone offer any suggestions or advice on how I should progress this?

Edited by citizenB


Was there any weak / insecure password set on the extensions? If so, who set these?


Once you've paid BT, sue or sack whoever was responsible for the loophole in your systems that you patched the next day.

Was there any weak / insecure password set on the extensions? If so, who set these?

 

Yes, the passwords between the extension and server were weak, as they were never supposed to be accessible to the outside world.

 

The answer as to who set them up: I set them up myself originally when I was considering using the 3CX phone system. That was 4 years ago. Once I decided it was a good system, I engaged a professional phone system company to manage it for me.

 

From the point they took over, the phone company had complete control of the system. They were responsible for all software updates, all changes to the phone server, new extensions etc. They were told the passwords; of course they needed to know these, as the existing phones have needed reconfiguring over time.

 

They could have changed what I originally did over the course of 4 years if they thought it wasn't right.

 

Moving forward, does anyone know the process BT use to make payments to overseas providers of premium rate international numbers? I really think I have a potential case if BT have, say, 30 days to make the payment to the Solomon Islands through some form of clearing house. Because I notified them immediately of the fraud and asked them to withhold payment to their provider, I am hoping this might give some leverage.

 

Forgive me if it sounds like I am clutching at straws....

 

All ideas and comments welcome :)


Background Information

1. onestopshop123 uses a VoIP PBX which is hosted at his business address and connected to a BT VDSL Internet connection using a basic BT Router.

 

 

2. The VoIP PBX requires that the BT Router be set up to do port forwarding of Port 5060 (SIP Port). However, the BT Router does not offer any level of protection. You either allow all traffic in on port 5060 or nothing at all. The PBX Provider does not manage the router.

 

 

3. The PBX is connected to both ISDN and VoIP Providers and this is why port forwarding is enabled.

 

 

4. The PBX Provider was not party to the original installation. For a small monthly retainer fee of less than £40.00 per month, the PBX Provider offers an unlimited remote support service (NOT a Consultancy Service). This covers onestopshop123 for any support needed on the PBX. onestopshop123 would call the Provider to request this support on a per-issue basis. This is not a fully managed service. onestopshop123, the I.T Support Company and the PBX Provider have unrestricted access to the PBX.

 

 

5. The remote hacker had guessed the passwords for the phone system (which was someone’s first name). This password was not set by either the I.T Provider or the PBX Provider but by onestopshop123.

 

 

6. Upon being notified by onestopshop123 of the hacking of this PBX, it was also discovered that the mail server which is used by the PBX to send out notifications was changed but not updated on the PBX, so the PBX was unable to send out any warnings. Not only this, the notification address was changed to an email address, that of the I.T Guy.

 

 

7. BT offer no network protection or fraud monitoring, and there does not appear to be any credit limit set on the account, which allowed the phone bill to reach in excess of £3k.

 

 

8. If the calls had routed over the VoIP Network and not BT ISDN, the PBX provider would have been notified within a short period of time and the VoIP account features a credit limit which is set just above the usual monthly call spend. Therefore if the VoIP Network can offer levels of protection why can’t BT?

 

 

9. Ok it’s not BT’s fault that the PBX was hacked but I’m surprised they allowed the unusual call spend to continue and run up a large phone bill.

Edited by davebe
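
As an added example (not part of any post in this thread, and not code from BT, 3CX or either provider), the spend cap and unusual-activity alerting described in points 7 to 9 can be sketched as a check over call detail records. The record layout, thresholds, dates and phone numbers below are constructed assumptions; only the roughly £200 usual monthly spend and the £50 per call come from the thread.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values; the cap sits just above the ~£200 usual monthly spend.
MONTHLY_CAP_GBP = 250.0
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time
MAX_REPEAT_CALLS = 3            # repeats tolerated to one never-before-dialled number

def scan_cdrs(cdrs, known_destinations, spend_so_far=0.0):
    """Walk call records in time order; return (alerts, index of first call to bar).

    cdrs: list of (iso_timestamp, dialled_number, cost_gbp) tuples.
    known_destinations: numbers that appear in the site's normal call history.
    """
    alerts, repeats, spend, block_at = [], defaultdict(int), spend_so_far, None
    for i, (ts, number, cost) in enumerate(cdrs):
        when = datetime.fromisoformat(ts)
        reasons = []
        # "00" is the UK international dialling prefix.
        if number.startswith("00") and number not in known_destinations:
            repeats[number] += 1
            if when.hour not in BUSINESS_HOURS:
                reasons.append("out-of-hours international call to new destination")
            if repeats[number] > MAX_REPEAT_CALLS:
                reasons.append(f"{repeats[number]} calls to same new number")
        spend += cost
        if spend > MONTHLY_CAP_GBP:
            reasons.append(f"spend £{spend:.2f} exceeds cap £{MONTHLY_CAP_GBP:.2f}")
            if block_at is None:
                block_at = i    # a credit limit would bar outbound calls from here
        if reasons:
            alerts.append((ts, number, reasons))
    return alerts, block_at

# Constructed sample data: one normal daytime call, then an overnight burst of
# £50 calls to a single placeholder international number.
KNOWN = {"02079460000"}
PLACEHOLDER_PREMIUM = "0099900000001"
SAMPLE_CDRS = [("2015-01-12T10:15:00", "02079460000", 0.40)] + [
    (f"2015-01-13T01:{m:02d}:00", PLACEHOLDER_PREMIUM, 50.0) for m in range(0, 18, 3)
]

if __name__ == "__main__":
    found, bar_index = scan_cdrs(SAMPLE_CDRS, KNOWN, spend_so_far=120.0)
    for ts, number, reasons in found:
        print(ts, number, "; ".join(reasons))
    print("bar outbound calls from record index", bar_index)
```

With these constructed records the first overnight call already raises an alert, and the cap is crossed on the third £50 call, which is the point at which a credit-limited account would stop further calls.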


Good question, in cases such as these, you would have thought that BT would be able to complain to the network provider / range holder of the premium rate number and stop any payouts to the end user / company and cancel their service.

 

I also agree that BT should not be allowed to profit from fraud and if they do insist on you paying then it MUST be at the cost price to them so that their cost is covered and not for profit.

 

I struggle to find any premium rate number costing £50 per call. Can you share the number with us so we can advise what the cost price is or very close / near to it at least?

 

 

 

I've written back to BT and asked the following questions:

 

i) As the fraud was identified straight away and BT agree it was fraud,

BT wouldn't pay the company in the Solomon Islands immediately

- it must go through some form of invoice process which would take some days to process.

 

 

As I asked BT to not make the payment to the company in the Solomon Islands when I first found out about the fraud,

my logic is that, if BT don't pay the invoice to the Solomon Islands,

then there is no need to pursue me for the costs.

 

ii) Can BT then confirm they have notified the company in the Solomon Islands of the fraud?

When did they notify the company?

 

I have also asserted, if BT do go ahead and make the payment to the Solomon Islands,

for a payment which they know to be fraudulent, and then recover the cost from me,

they will be benefiting from the proceeds of crime, which is definitely immoral and probably illegal.


I struggle to find any premium rate number costing £50 per call. Can you share the number with us so we can advise what the cost price is or very close / near to it at least?

 

The number was 006xxx35898. Please don't call it... it will cost £50 / call.

 

Each call actually lasted a few minutes. The total cost was capped at £50, so each call cost the same.

 

I've mentioned it was a connection cost, but I guess in practice it was a certain cost per minute. All I can see on the bill is that each call was exactly £50.


This kind of thing is a huge problem for many innocent people.

As far as I know, it is a more common occurrence with mobile phones which are lost or stolen and then the SIM cards are plugged into a computer which makes hundreds of calls to a premium rate number very quickly and the result is that the owner of the phone ends up being charged large bills and threatened by the phone company if they will not pay.

 

I can see the logic of examining weaknesses in the security around the phone system. However, I have always thought that this is not the correct approach.

 

I think that it is more relevant to ask oneself who is really the victim here.

For me, the answer is that it is BT which has fallen victim to a fraudster. BT has been deceived into facilitating a series of calls which have incurred losses for them - and now they want to pass the losses onto the weakest person in the chain - their innocent customer.

 

In fact BT realised that there was fraudulent activity at the outset and they could easily stop the payments to the international companies.

Of course they will not want to do this because it is more in their interests to honour what they see as their commitments under international industry agreements rather than to honour their basic contractual obligations to their customer.

 

Here are a couple of posts where I have commented on this before

 

http://www.consumeractiongroup.co.uk/forum/showthread.php?352355-Stolen-phone-charges-is-goodwill-the-only-way-to-reduce-my-bill-**RESOLVED**&highlight=victim

 

http://www.consumeractiongroup.co.uk/forum/showthread.php?352355-Stolen-phone-charges-is-goodwill-the-only-way-to-reduce-my-bill-**RESOLVED**&p=3854641&viewfull=1#post3854641

 

If BT take this to court then I would say that the principal argument should be that BT are the victims of fraud and that the courts should decline to enforce the contract in this respect as this aspect of the contract is tainted with immorality and its enforcement would effectively assist fraudulent activity.

 

It is the phone companies which are the better loss bearer but also it is the phone companies which would be incentivised to adopt appropriate systems if they were forced to face up to their proper responsibilities as victims of fraud.



A further argument is that any term of a contract which effectively indemnifies them when they fall victim to fraud, is unfair under UTCCR and therefore unenforceable.

You should note that once a term is unenforceable under UTCCR then it is void. This means that it is not even partially enforceable. The courts have no power to amend the term or to order an apportionment or to find any other solution which might be considered more "fair" to the party attempting to rely upon the unenforceable term.

