SAN FRANCISCO — Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time.
“I thought: ‘This is crazy. It must be a mistake,’ ” Mr. Foreman said.
It wasn’t. Hackers had broken into the phone network of the company, Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives. It would have taken 34 years for the firm to run up those charges legitimately, based on its typical phone bill, according to a complaint it filed with the Federal Communications Commission.
The firm, in Norcross, Ga., was the victim of an age-old fraud that has found new life now that most corporate phone lines run over the Internet.
The swindle, which on the web is easier to pull off and more profitable, affects mostly small businesses and cost victims $4.73 billion globally last year. That is up nearly $1 billion from 2011, according to the Communications Fraud Control Association, an industry group financed by carriers and law-enforcement agencies to tackle communications fraud.
Major carriers have sophisticated fraud systems in place to catch hackers before they run up false six-figure charges, and they can afford to credit customers for millions of fraudulent charges every year. But small businesses often use local carriers, which lack such antifraud systems. And some of those carriers are leaving customers to foot the bill.
The law is not much help, because no regulations require carriers to reimburse customers for fraud the way credit card companies must. Lawmakers have taken the issue up from time to time, but little progress has been made.
Last year, Senator Charles E. Schumer, Democrat of New York, pushed the Federal Communications Commission to adopt new regulations after dozens of small businesses around Albany were hit with the swindle. But the agency has not taken any action, and the cause appears to have petered out. Representatives for the agency and the senator’s office did not return requests for comment.
The scheme works this way, telecommunications fraud experts say: Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut. In the United States, premium-rate numbers are easily identified by 1-900 prefixes, and callers are informed they will be charged higher rates. But elsewhere, like in Latvia and Estonia, they can be trickier to spot. The payout to the lessees can be as high as 24 cents for every minute spent on the phone.
Hackers then break into a business’s phone system and make calls through it to their premium number, typically over a weekend, when nobody is there to notice. With high-speed computers, they can make hundreds of calls simultaneously, forwarding as many as 220 minutes’ worth of phone calls a minute to the pay line. The hacker gets a cut of the charges, typically delivered through a Western Union, MoneyGram or wire transfer.
In part because the plan is so profitable, premium rate number resellers are multiplying rapidly. There were 17 in 2009; last year there were 85, according to Yates Fraud Consulting, which is based in Britain.
In 2012, hackers hijacked the phone lines at 26 small businesses around Albany and ran up phone bills as high as $200,000 per business over the course of a few days. Those businesses that contracted with major carriers received credit that covered much of the fraud, though some ended up paying a few thousand dollars. Those who had signed up with a local carrier, Tech Valley Communications, were not so lucky. Tech Valley sued three of its clients to pay huge bills, according to court filings.
Best Cleaners, a dry cleaning chain that operates in three states, was one victim. At that business, hackers placed more than 75,000 minutes of premium calls, totaling $147,000. At American Energy Care, a small consulting firm in Albany, the bill reached $200,353. A billboard advertising business in Cohoes, N.Y., was charged $18,000.
All settled their cases with Tech Valley. None would discuss the case because of the terms of the settlement, but Best Cleaners said the cost was enough to force it to cancel a planned expansion.
Industry groups are trying to tackle the problem but say it is hard to keep up with. Roberta Aronoff, the executive director of the Communications Fraud Control Association, said she routinely loads fake “hot numbers” into a fraud management system, sharing them with carriers so they can be blocked.
Catching the criminals is difficult because the crime can cross as many as three jurisdictions. In 2011, the Federal Bureau of Investigation and police in the Philippines arrested four men who used the scheme to make $2 million in fraudulent calls; revenue was directed to a Saudi Arabian militant group that United States officials believe financed the 2008 Mumbai terrorist bombings.
Foreman Seeley Fountain, the architecture firm, is disputing its $166,000 bill with its carrier, TW Telecom. The bill now includes $17,000 in late charges and termination fees.
In addition to asking the F.C.C., the firm has asked the local police, officials at the Georgia Public Service Commission, the F.B.I. and the Department of Justice for help. The F.C.C. and Justice Department declined to comment for this article, and the Georgia agency did not return requests for comment. The local police said there had been no progress in finding the hackers.
Mr. Foreman said his firm didn’t even realize this was a potential risk. Not many do.
“It’s relentless,” said Jim Dalton, founder of TransNexus, which sells Internet calling management software. “If you put a computer on the Internet, it immediately starts getting probed for a weak point.”
To avoid the same fate, Mr. Dalton and other telecom experts advise people to turn off call forwarding and set up strong passwords for their voice mail systems and for placing international calls. He also said businesses needed to treat their phones as Internet-connected machines, since criminals already were doing that.
“People don’t realize their phone is a six-figure liability waiting to happen,” Mr. Dalton added.