Released: May 29, 2003

Phone Scam Results in Astronomical Charges

Fraud victims forced to pay up to $16,000 for international scam phone calls

UPDATE, May 29, 2003 - A class action has been filed against AT&T on behalf of victims of voice mail hacking fraud. To learn more about the case, click here.

Note to editors: Consumer Action has many victims who are willing to talk to the media. If you would like to interview one or all of the victims, e-mail or call Linda Sherry at (415) 777-9648.

April 15, 2003 - Consumer Action is warning users of voice mail about a phone scam that could result in enormous fraudulent charges on their phone bills. And even more outrageous, consumers are being forced to pay thousands of dollars for these calls they didn’t make or authorize.

Three victims of the scam who have approached Consumer Action have SBC voice mail and long distance service from AT&T. Consumer Action believes that SBC and AT&T have a joint responsibility and calls upon the companies to reimburse these fraud victims.

The fraud occurs when hackers get into voice mail systems or access answering machines and change the outgoing messages in order to make unauthorized collect or third-party billed calls. Consumer Action learned that the scam has surfaced at Texas A&M University and at the municipal headquarters of East Palo Alto, California.

The hackers change the customer’s outgoing phone message to create an affirmative response to calls from the mechanized operators used by many long distance companies. The hackers record the word "Yes" at the appropriate intervals, so that when the long distance company system asks if the customer will accept the charges for a third party call, it appears as if permission has been granted. Once they have been permitted to place the call, the crooks keep the line open for many hours or even days at a time.

Three victims have sought assistance from Consumer Action because AT&T is forcing them to pay all or part of outrageously high international phone charges stemming from the fraud. These San Francisco Bay Area residents who have small business phone accounts all have SBC voice mail, through which the hackers gained access and changed their outgoing phone messages to accept the charges.

SBC gives out default passwords to residential customers to access their voice mail accounts which include a series of digits from the customers’ own phone numbers. Until about four years ago, SBC used the same defaults for new business voice mail accounts as well but now uses randomly assigned numbers as passwords.

One of the San Francisco victims – subject to $12,000 in fraudulent charges for two lengthy calls from Saudi Arabia that were billed to her phone – is being blamed by AT&T for permitting the calls because she did not change the SBC default access number.

An AT&T spokeswoman told Consumer Action that the company does not believe it is responsible for allowing the fraudulent calls and that the consumer is liable because she did not replace the default password, thereby allowing the crooks to change her outgoing message to give permission for third party billing. AT&T offered to pick up 35% of the cost of the fraudulent calls for this victim, but insists that she pay over $8,000 in charges for calls she did not make. Other victims were given such offers but when they refused, AT&T sent the accounts to collection agencies. One agency is demanding that a victim pay $16,000 in calls she didn’t make.

Consumer Action asks that AT&T stop allowing third party billing unless a human being answers the phone and gives explicit permission. "That AT&T would permit third party phone charges based only on the authority of a recorded message is beyond belief," said Linda Sherry of Consumer Action. "Third party billing should be allowed only when a real person answers the phone and is able to verify that they approve the charges."

Consumer Action called on SBC to change the default password system it uses for residential voice mail accounts and older business accounts immediately. "It is just too easy to gain access using the last four digits of a customer’s phone number," said Sherry.

SBC told Consumer Action that it gives all new voice mail customers a written warning to change the default password, but that some do not read the warning.

"SBC should know enough about consumer psychology after all these years to realize that many consumers don’t read fine print disclosures of this kind." said Sherry. "It is irresponsible to use a password that is so easily discovered."

"These consumers were robbed," said Sherry. "It is outrageous to force these victims to pay for fraudulent calls they did not make or authorize. It is shameful to witness these industry leaders pointing at each other in an effort to avoid absorbing costs that they should legitimately shoulder."

Consumer Action, founded in 1971, is a national, non-profit education and advocacy organization.