Cramming is the addition of charges to a subscriber's telephone bill for services which were neither ordered nor desired by the client, or for fees for calls or services that were not properly disclosed to the consumer. These charges are often assessed by dishonest third-party suppliers of data and communication service that phone companies are required, by law, to allow the third-party to place on the bill.
Slamming is any fraudulent, unauthorized change to the default long-distance/local carrier or DSL internet service selection for a subscriber's line, most often made by dishonest vendors seeking to steal business from competing service providers.
False answer supervision is a misconfiguration of telco equipment, by negligence or design, which causes billing to start as soon as the distant telephone begins ringing, even if the called line is busy or the call goes unanswered. The cost is typically subtle but recurring as subscribers repeatedly pay some small amount for calls which were never completed.
Fraud against customers by third parties
PBX dial-through can be used fraudulently by placing a call to a business then requesting to be transferred to "9-0" or some other outside toll number. (9 is normally an outside line and 0 then connects to the utility's operator.) The call appears to originate from the business (instead of the original fraudulent caller) and appears on the company's phone bill. Trickery (such as impersonation of installer and telco personnel "testing the system") or bribery and collusion with dishonest employees inside the firm may be used to gain access.
A variant is a call forwarding scam, where a fraudster tricks a subscriber into call forwarding their number to either a long-distance number or a number at which the fraudster or an accomplice is accepting collect calls. The unsuspecting subscriber then gets a huge long-distance bill for all of these calls.
A similar scheme involves forwarding an individual PBX extension to a long-distance or overseas number; the PBX owner must pay tolls for all of these calls. Voice over IP servers are often flooded with brute-force attempts to register bogus off-premise extensions (which may then be forwarded or used to make calls) or to directly call SIP addresses which request outside numbers on a gateway; as they are computers, they are targets for Internet system crackers.
In the US, owners of customer-owned coin-operated telephones (COCOTs) are paid sixty cents for every call their users make to a toll-free telephone number, with the charges billed to the called number. A fraudulent COCOT provider potentially could auto-dial 1-800 wrong numbers and get paid for these as "calls received from a payphone" with charges reversed.
Autodiallers are also used to make many short-duration calls, mainly to mobile devices, leaving a missed call number which is either premium rate or contains advertising messages. This is known as Wangiri, from Japan, where it originated.
809 scams take their name from the former +1-809 area code which used to cover most of the Caribbean nations (it has since been split into multiple new area codes, adding to the confusion). The numbers *look* like Canadian or US telephone numbers but turn out to be costly, overpriced international calls which bypass consumer-protection laws which govern premium numbers based in the victim's home country. Some advertise phone sex or other typically premium content. Other variants on this scheme involve leaving unsolicited messages on pagers or making bogus claims of being a relative in a family emergency to trick users into calling the foreign numbers, then attempting to keep the victim on the line as long as possible in order to incur the cost of an expensive foreign call.
A more recent version of the 809 scam involves calling cellular telephones then hanging up, in hopes of the curious (or annoyed) victim calling them back. Effectively, this is Wangiri but using former +1-809 countries such as 1-473 Grenada which look like North American domestic calls but are Caribbean island nations.
Dialer programs containing malware or malicious code have been used to cause personal computers to disconnect from an existing legitimate local provider and instead dial into a premium (usually overseas) number. The first of these used a Moldovan phone number.
Pre-pay telephone cards or "calling cards" are also very vulnerable to fraudulent use; these cards contain a number or passcode which can be dialed in order to bill worldwide toll calls to the card. Anyone who obtains the passcode can dishonestly misuse it to make or to resell toll calls.
Carrier access codes were widely misused by phone-sex scammers in the early days of competitive long distance; the phone-sex operations would misrepresent themselves as alternate long-distance carriers to evade consumer protection measures which prevent US phone subscribers from losing local or long-distance service due to calls to +1-900 or 976 premium numbers. This loophole is now closed.
In the US, area code 500 and its overlays permit a "follow-me routing" in which, if the number has been forwarded to some expensive and arbitrary destination, the caller is billed for the call to that location. Similar issues existed with area code 700 as the numbers (except 1-700-555-4141, which identifies the carrier) are long-distance carrier specific. Because of the unpredictable and potentially costly rate for such a call, these services never gained widespread use.
Caller ID spoofing can be used to fraudulently impersonate a trusted vendor (such as a bank or credit union), a law enforcement agency or another subscriber. These calls may be used for vishing, where a scammer impersonates a trusted counterparty in order to fraudulently obtain financial or personal information.
Call clearing delays in some United Kingdom exchanges may be abused to defraud. For obscure historical reasons, the system was designed so that a called party could hang up a call and immediately pick it up from another extension without it being disconnected. A fraudster would call a household and impersonate a bank or police; when the householder hung up and then attempted to call police or contact the impersonated party, the fraudster would still be on the line because the original call never properly ended.
Cordless phones are often even less secure than cell phones; with some models a scanner radio may intercept analogue conversations in progress or a handset of the same/similar model as the target system may be usable to make toll calls through a cordless base station which lacks authentication capability. Obsolete analogue mobile telephones have stopped working in areas where the AMPS service has been shut down, but obsolete cordless phone systems may remain in service indefinitely.
Fraud by phone companies against one another
Interconnect fraud involves the falsification of records by telephone carriers in order to deliberately miscalculate the money owed by one telephone network to another. This affects calls originating on one network but carried by another at some point between source and destination.
Refiling is a form of interconnect fraud in which one carrier tampers with CID (caller-ID) or ANI data to falsify the number from which a call originated before handing the call off to a competitor. Refiling and interconnect fraud briefly made headlines in the aftermath of the Worldcom financial troubles; the refiling scheme is based on a quirk in the system by which telcos bill each other - two calls to the same place may incur different costs because of differing displayed origin. A common calculation of payments between telcos calculates the percentage of the total distance over which each telco has carried one call to determine division of toll revenues for that call; refiling distorts data required to make these calculations.
Grey routes are voice over IP gateways which deliver international calls to countries by mis-labelling them as inbound local mobile telephone calls at destination. These "SIM box" operations are common in third world nations with exorbitant official international rates, usually due to some combination of tight control by one state-supported monopoly and/or excessive taxation of inbound overseas calls. Governments who believe themselves entitled to charge any arbitrary inflated price for inbound international calls, even far above the cost of domestic calls to the same destinations, will legislate against any privately owned, independent, competitive VoIP gateway, labelling the operations as "bypass fraud" and driving them underground or out of business. As a VoIP gateway in such a regulatory environment typically does not have access to T-carrier primary rate interface or PBX-style trunks, its operator is forced to rely on a hardware configuration with Internet telephony on one side and a large number of mobile SIM cards and handsets on the other to place the calls as if they were from individual local mobile subscribers.
Fraud against the phone company by users
Subscription fraud: for example, signing up with a bogus name, or no intention to pay.
Person-to-person calls to non-existent people (or calling yourself person-to-person and your home refusing the call, as a means of telegraphing safe passage). A variant was to refuse a collect call at the higher operator-assisted rate, then call the person back station-to-station at a lower price from another telephone.
Intentional non-return of rental equipment (such as extension telephones) when relocating to a new address. The equipment would then be used at the new location without paying a monthly equipment rental fee. This has become rare as most telephones are now owned outright, not rented.
Frauds against the phone company by third parties
Phreaking involves obtaining knowledge of how the telephone network operates, which can be used (but isn't always) to place unauthorised calls. The history of phone phreaking shows that many 'phreaks' used their vast knowledge of the network to help telephone companies. There are, however, many phreaks that use their knowledge to exploit the network for personal gain, even today. In some cases social engineering has been used to trick telco employees into releasing technical information. Early examples of phreaking involved generation of various control tones, such as a 2600 hertz blue box tone to release a long-distance trunk for immediate re-use or the red box tones which simulate coins being inserted into a payphone. These exploits no longer work in many areas of the telephone network due to widespread use of digital switching systems and out-of-band signaling. There are, however, many areas of the world where these control tones are still used and this kind of fraud is still continuing to happen.
A more high-tech version of the above is switch reprogramming, where unauthorized "back door" access to the phone company's network or billing system is used to allow free telephony. This is then sometimes resold by the 'crackers' to other customers.
Caller name display (CNAM) is vulnerable to data mining, where a dishonest user obtains a line (fixed or mobile) with caller name display and then calls that number repeatedly from an autodialer which uses caller ID spoofing to send a different presentation number on each call. None of the calls are actually answered, but the telephone company has to look up every number (a CNAM database "dip") to display the corresponding subscriber name from its records. The list of displayed names and numbers (which may be landline or wireless) is then sold to telemarketers.
Payphones have also been misused to receive fraudulent collect calls; most carriers have turned off the feature of accepting incoming calls or have muted the payphone's internal ringing mechanism for this very reason.
Cloning (telephony) has been used as a means of copying both the electronic serial number and the telephone number of another subscriber's phone to a second (cloned) phone. Airtime charges for outbound calls are then mis-billed to the victim's cellular phone account instead of the perpetrator's.
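
The Wangiri autodialler pattern and the caller name display (CNAM) data-mining pattern described above both leave a recognisable shape in call detail records: the first is one caller fanning out short unanswered calls to many numbers, the second is one line receiving unanswered calls that each present a different caller ID. The following detection sketch is an added example, not taken from the article or from any carrier's system; the record fields, thresholds and all telephone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict

# The two +1 area codes the article names; a real check needs the full list.
OFFSHORE_NANP = {"809", "473"}

def _profile(cdrs, key, peer, max_ring_s):
    """Per `key` number: call count, distinct peers, unanswered (short-ring) calls."""
    stats = defaultdict(lambda: {"calls": 0, "peers": set(), "missed": 0})
    for cdr in cdrs:
        s = stats[cdr[key]]
        s["calls"] += 1
        s["peers"].add(cdr[peer])
        short = max_ring_s is None or cdr["ring_s"] <= max_ring_s
        if not cdr["answered"] and short:
            s["missed"] += 1
    return stats

def _flag(stats, min_calls, min_ratio):
    """Numbers with enough calls, nearly all unanswered, nearly all with new peers."""
    return sorted(n for n, s in stats.items()
                  if s["calls"] >= min_calls
                  and s["missed"] / s["calls"] >= min_ratio
                  and len(s["peers"]) / s["calls"] >= min_ratio)

def wangiri_sources(cdrs, min_calls=20, min_ratio=0.9, max_ring_s=5):
    """Fan-out: one caller drops short unanswered calls on many different numbers."""
    return _flag(_profile(cdrs, "caller", "callee", max_ring_s), min_calls, min_ratio)

def cnam_mining_targets(cdrs, min_calls=20, min_ratio=0.9):
    """Fan-in: one line gets unanswered calls, each showing a different caller ID."""
    return _flag(_profile(cdrs, "callee", "caller", None), min_calls, min_ratio)

def offshore_lookalike(number):
    """True for an 11-digit +1 number whose area code is in OFFSHORE_NANP."""
    digits = number.lstrip("+")
    return len(digits) == 11 and digits[0] == "1" and digits[1:4] in OFFSHORE_NANP

def _cdr(caller, callee, ring_s, answered):
    return {"caller": caller, "callee": callee, "ring_s": ring_s, "answered": answered}

# Constructed records; every number below is made up for the example.
SAMPLE = (
    [_cdr("+14735550100", f"+1202555{n}", 2, False) for n in range(1000, 1030)]    # autodialler
    + [_cdr(f"+1303555{n}", "+12025550150", 8, False) for n in range(2000, 2040)]  # CNAM dips
    + [_cdr("+12025550111", f"+1202555{n}", 12, True) for n in range(3000, 3025)]  # call centre
    + [_cdr(f"+1202555{n}", "+12025550122", 10, True) for n in range(4000, 4025)]  # busy office
)
if __name__ == "__main__":
    print(wangiri_sources(SAMPLE), cnam_mining_targets(SAMPLE))
```

The answered call-centre and office traffic in the sample has the same fan-out and fan-in volume as the abusive traffic, which is why the unanswered ratio, not call volume alone, drives the flag.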