March 2015

IRSF Protection: Software that Blocks Telecom Fraud at the Enterprise PBX

In archery we have something like the way of the
Higher Man.  When the archer misses the center
of the target, he turns round and seeks the cause
of failure in himself.
   Confucius, Will Durant, The Story of Civilization

International Revenue Share Fraud (IRSF) is one of those fraud prevention problems where the arrow of blame always seems to point to someone else in the call delivery and revenue protection chain.

But everybody: the PBX maker, retail operator, wholesaler, police — and customer — all share some responsibility for a problem that’s persisted for 15 years and has cost the telecom industry and its customers countless billions of dollars a year.

However, one company that’s delivering an effective and affordable fraud defense at the enterprise PBX point is The Callista Group, a tight band of PBX experts based in Auckland, New Zealand.

And joining us to talk about that innovation and provide a detailed explanation of PBX protection issues is Roger Ansin, Callista’s chairman.

Dan Baker: Roger, I’m curious how you first got involved building a product to block IRSF?

Roger Ansin: Well, Dan, we had been producing call account systems for 20 years or more.  Then around ten years ago someone in our UK office said a customer needed help creating alerts to detect large fraudulent call volumes coming through PBXs.

So that was our first knowledge of IRSF.  And we soon discovered this was a huge problem that was totally unmanaged.  That caused us to develop some software to protect enterprises from the threat.  So that’s the genesis of our Control Phreak product.

What’s the worst case you’ve seen of IRSF at the enterprise level?

Well, there was one customer doing thousands of calls a day, but they were losing 27,000 English pounds per weekend.  They just couldn’t stop the attacks.  And they ended up taking down their voice mail system, the situation was so drastic.  But at a big company, you can’t do that.

When they installed our Control Phreak, it all ended.  We saw in the logs about 20 or 30 attempts to break in: they were all blocked, but we noted the fraudsters tried to break in again a few months later.

As is common in these cases, the damage was done over the weekend.  The carrier sends alerts after a pre-determined threshold, but if nobody at the enterprise picks up their email, nothing is done.  So when the manager came in Monday morning he found a stack of email alerts starting on Friday night.

And, of course, the PBX owner has to pay the bill because a fraudster is making a chunk of money on the other end.

Does the type of PBX you have make a difference?  Analog, digital, or SIP line?

To the phreaker, it really doesn’t matter what kind of PBX you have.  The advantage they get with SIP lines is they can be used to pump out more premium rate calls per hour.

The phreakers are basically concerned with only two things: what type of phone system it is and how they can get the system to redirect calls.  By the sound and response they get from the PBX, they can figure out what sort of PBX it is.  And once they know the brand name of the PBX, they know the default password, maybe even the hidden factory-installed passwords in the system.

And, of course, VoIP has made it easier to hack into phone systems: the hacker targeting a U.S. business could just as easily be operating out of the Philippines, for instance.

Don’t the PBXs know when dozens of attempts are made to call into the phone system?

Surprisingly, most PBXs don’t have that sort of control in them.  However, there’s one European PBX brand I know that allows three attempts to log in with a successful password, then it locks out the caller for some time.

But hackers have found ways around that.  For instance, they would automate two phone calls to test passwords, then disconnect, then reconnect and try another two till they found the numbers.

Of course, it doesn’t matter how many days or nights it takes to break in because it’s an automated process running on someone’s PC.  And a single PC can be running dozens of these processes at one time.

Can’t the business take some simple security steps like changing passwords?

Dan, changing the passwords is one of the most common pieces of advice you hear, but it’s actually not effective.  Here’s why: the fraudster is not making the calls himself, he’s using a software program to break into your PBX.  So all the fraudster does is run an automated brute force attack.  If your password is 4 digits long, they just run through every possible combination till they break through.

In fact, a hacked PBX can be groomed to allow the passwords to be changed.  So for all you know, your PBX may already be compromised: you just don’t know it.  Then, one day it will be turned on and away it goes.

Now PBX engineers will tell customers, “We can fix that.” And what do they do?  They get paid by the customer to come in and “secure” the phone system with some customizations.  But a few weeks — or a few months later — it gets compromised again.

One customer of ours was hacked three times on the same PBX before they actually put in our product.  In fact, 70% of our customers who run Control Phreak have been hacked before they buy it.

How do the hackers get paid for breaking into PBXs?

There’s quite an organization supporting this crime.  Groups of phreakers sell the PBX numbers they’ve hacked into on the open market.  Then the fraudsters lease a group of IRSF numbers and start pumping calls through those PBX lines.

Some of the hacker web sites even offer the free download of a call generator, so they are very efficient and clever.

Of course, premium rate numbers look like any other phone number.  Consultant Colin Yates has a list of 72,000 phone numbers he’s identified as fraud numbers, but that’s a horrendous list to keep up to date.

How much of IRSF fraud is coming through the PBX do you figure?  What about the smartphone as an IRSF launch pad?

So far at least, the IRSF threat via smartphones is much lower because there are active limits and controls on making calls.  We figure the PBX is still the primary gateway to IRSF.

And the PBX is useful to the criminals because it helps cover their tracks.  A few years ago, AT&T broke up a big crime syndicate based in Spain and Italy.  The fraud cost AT&T and its customers quite a few million dollars.  The criminals were eventually found by tracking back calls through hacked PBXs.

Likewise, I’ve seen a number of investigations where a chain of five PBXs was used to make calls.  When you do that, it becomes hard to determine where the originating calls are coming from.

There was a case in New Zealand where calls were coming in from a PBX in Italy through Auckland and then finally out through Algeria.  As you can imagine, the police authorities are hampered because so much of the problem is out of their jurisdiction.

So how does your PBX fraud blocker work?

Our Control Phreak sits on a PC and monitors everything that goes on inside the PBX.  So if you pick up the handset of your office phone, it knows that.  When you start to dial, it detects that.  When a call comes in, it knows that, too.  So it’s tracking in real-time everything that’s happening on the PBX.

Basically our system operates using three sets of rules:

  1. Incoming Call Rules allow you to block callers.  For instance, if an ex-boyfriend is harassing one of your staff, you can block the numbers.  Same goes for nuisance phone calls;
  2. Outgoing Call Rules control who calls who and at what time.  PBXs do have this ability, but in a limited way.  In our product, it’s more flexible: you can set exactly the rules you want; and,
  3. Divergent Call Rules is where we block the calls used for fraud.  Our system can distinguish calls that you legitimately want to pass through to an internal extension versus those coming in from a fraudster.

Now the trick is to control the PBX without taking away the great convenience features that people expect from a modern phone system.  Certain security solutions that the PBX manufacturers supply actually lock down phones, and that’s frustrating to customers because they can’t make phone calls out and use the features they paid for.

But we’ve solved this issue so the PBX is both fully protected and its full complement of features is available.  A video on our website explains how it works.

Dashboard for PBX Fraud Blocking

And what does it cost for an enterprise to be protected?

Dan, generally a company has one PBX per office.  So the protection we sell is software for one PBX at a time and the cost is less than $500 U.S.  The solution is installed on a local PC that our specialists remotely load for the customer from here in New Zealand.

The PC at the company communicates with the PBX, but it doesn’t need to be a dedicated PC, just one that’s running all the time and is reliable.

Wow, $500 for a lifetime of protection sounds very reasonable.  So what’s the catch?  Why isn’t Callista a famous software brand already?

Well, unfortunately, our solution doesn’t work for all PBXs.  We need the cooperation of the PBX companies to actually build the interface.  Now manufacturers such as Panasonic and Alcatel-Lucent do work with us and we are fully certified with Panasonic.

But other PBX makers aren’t as willing to publicly admit there’s an issue: they’re not eager to advertise that their PBXs can be hacked.  And that’s unfortunate because when you buy a PC, it’s well known that you better have virus and malware protection.

Now most of our sales are to PBX manufacturers and individual enterprises.  But sometimes we get orders from carriers who buy a solution for their customer.  To make a customer problem go away, Control Phreak is useful.

Thanks, Roger, for this fine education on protecting the PBX.  Nice to know there’s a class act in New Zealand to complement Hayley Westenra.

Copyright 2015 Black Swan Telecom Journal
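
The lockout workaround described in the interview (two password guesses per call, then disconnect and reconnect) defeats any failure counter that resets when the call ends. The sketch below is an added example, not part of the interview and not a description of how Control Phreak works: it counts failed PIN attempts per mailbox across calls in a sliding window. The event fields, thresholds and sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PinAttempt:
    ts: int        # seconds since start of capture (constructed data)
    call_id: str   # one inbound call / session
    mailbox: str   # mailbox or extension the caller tried to log in to
    ok: bool       # True if the PIN was accepted


PER_CALL_LIMIT = 3     # per-call lockout, as on the PBX brand mentioned in the interview
WINDOW_SECONDS = 3600  # assumption: look back one hour
CROSS_CALL_LIMIT = 6   # assumption: failures per mailbox per window before alerting


def per_call_lockouts(attempts, limit=PER_CALL_LIMIT):
    """Call IDs that would trip a lockout which only counts failures within one call."""
    fails = defaultdict(int)
    locked = set()
    for a in attempts:
        if not a.ok:
            fails[a.call_id] += 1
            if fails[a.call_id] >= limit:
                locked.add(a.call_id)
    return locked


def cross_call_alerts(attempts, window=WINDOW_SECONDS, limit=CROSS_CALL_LIMIT):
    """Map mailbox -> timestamp of the first alert.

    Failures are counted per target mailbox, not per call or caller number,
    so hanging up and redialling does not reset the count.
    """
    recent = defaultdict(deque)  # mailbox -> timestamps of failures inside the window
    alerts = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        if a.ok:
            continue
        q = recent[a.mailbox]
        q.append(a.ts)
        while q and q[0] <= a.ts - window:
            q.popleft()  # drop failures older than the window
        if len(q) >= limit and a.mailbox not in alerts:
            alerts[a.mailbox] = a.ts
    return alerts


def build_sample():
    """Constructed log: slow guessing against mailbox 200 plus two ordinary users."""
    log = []
    for i in range(5):  # five calls, two wrong PINs each, then hang up
        log.append(PinAttempt(i * 120, f"c{i}", "200", False))
        log.append(PinAttempt(i * 120 + 10, f"c{i}", "200", False))
    # A user who mistypes once, then logs in.
    log.append(PinAttempt(50, "u1", "105", False))
    log.append(PinAttempt(60, "u1", "105", True))
    # A user with two isolated failures many hours apart.
    log.append(PinAttempt(100, "u2", "310", False))
    log.append(PinAttempt(40000, "u3", "310", False))
    return log


SAMPLE = build_sample()

if __name__ == "__main__":
    print("per-call lockouts:", per_call_lockouts(SAMPLE))
    print("cross-call alerts:", cross_call_alerts(SAMPLE))
```

On the constructed log the per-call counter never fires, while the per-mailbox window flags mailbox 200 on its sixth failure and leaves the two ordinary users alone.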

 

About the Expert

Roger Ansin

Roger Ansin is chairman of the Callista Group, the privately held call accounting software firm he co-founded in 1988.  Callista is the developer of the Control Phreak active voice security system designed to protect the enterprise PBX.  The firm also develops call management and hospitality management systems out of offices in three countries, including a global 24-hour installation and support service.   Contact Roger via
