The first thing to remember about security is that it is only as strong as the weakest link in the chain. For example, calling random employees posing as someone in the company’s Telecom/IT department and asking people for their security code is the oldest trick in the book and yet still very effective.

Some of the ways CallXpress helps to protect from toll fraud are:

• Security code expiration – Forces users to change their security code on a periodic basis
• Security code history – Forces users to create a certain number of unique security codes before allowing them to repeat one
• Advanced security policy – Forces users to create security codes that do NOT contain simple combinations of digits like 0000, 1234, 2468, etc. that are easy to guess
• Login attempts – Restricts a user to just 2 attempts per call to enter their correct security code. After the 2nd attempt, the call is automatically disconnected.
• Mailbox lockout – Locks the mailbox after so many login attempts such that an administrator has to unlock the mailbox before it can be used again
• Dial plan – Restricts what numbers a user’s mailbox is allowed to call for things like callout services (aka through-calling), message notification, live reply, etc.
• Trunk to Trunk reply – Allows/restricts live reply to external numbers

In addition to configuring the CallXpress security features, it’s also recommended that you program the PBX to restrict services on the CallXpress ports to only those being offered to your user population. For example, many PBXs can restrict trunk to trunk connections involving voicemail ports.

Lastly, there’s not much protection against somebody giving a hacker their security code, so you should periodically remind users to never give their security code to anyone (including Telecom/IT staff) and that they should report any instance where someone asks for their password in person, over the phone, via email, etc.