If your office’s phone bill shows an unusual number of calls to 900 or international numbers, don’t blame your employees. Instead, call your IT department. Possibly your accounting department, too.

According to several recent reports, it’s a form of hacking, and it’s becoming increasingly common, especially for small businesses that use local carriers for their phone services. With the rise of voice over IP (VoIP), phone connections have become increasingly vulnerable to external attacks. Here’s how they work:

1. A hacker rents a premium rate number, akin to the type used for charge-per-minute 1-900 psychic hotlines. While the American versions of such numbers are easy to spot, the international versions aren’t, so the line will often be set up in another country.

2. The hacker breaks into an office phone system during a quiet period—usually overnight or during the weekend—and starts driving hundreds, if not thousands, of phone calls to the premium number, racking up massive bills.

3. Both the provider and the hacker get a cut from the premium-rate number, which is paid to them via a wire transfer or similar means.

The situation is particularly troubling because the regulations on phone providers are outdated, at least compared to the regulations on financial companies. And this kind of fraud can be costly: According to Communications Fraud Control Association statistics provided by The New York Times, premium rate fraud cost victims $4.73 billion in 2013.

One victim’s story

It’s a situation Foreman Seeley Fountain Architecture principal Bob Foreman has been learning about the hard way.

The Georgia firm was charged $166,000 for calls to Somalia, Gambia, and the Maldives that were made in a single weekend.

“We disputed the bill and reported it to our state Public Service Commission, the FBI, and the local police,” Foreman wrote in a Multibriefs blog post last month. “Everyone agreed we were victims of a crime, but no one seemed to know what to do about it. Our insurance company refused to cover it.”

The firm is in a legal battle with its phone system provider, TW Telecom, which has washed its hands of responsibility for the bill—even though its anti-fraud system went down during the period when the architecture firm was targeted.

The firm is challenging TW Telecom’s $5.7 billion purchase by Level 3 Communications on the grounds that the company has engaged in questionable practices.

Protect Yourself

Foreman, who suddenly finds himself an expert on phone security, says there are ways to prevent such attacks.

“One protection would be to ‘block’ all international calling, as well as domestic 900 numbers,” he wrote in his Multibriefs blog. “If you need to make overseas calls, use a cellphone or Skype.”

And this week, Inc. magazine offered suggestions for how to head off risks of phone fraud, including looking closely at contracts, analyzing a phone provider’s fraud protections, and boosting security regulations.

“Fraud protection is something you want to ask about and sign up for,” Jim Dalton, founder of the anti-fraud software provider TransNexus, told the magazine. “You want to know you won’t be put out of business if it happens.”

(iStock/Thinkstock)