To say that Dr. Jeremy Orgel experienced “sticker shock” when he opened his February long-distance phone bill grossly understates the matter.

Orgel, a San Francisco psychoanalyst and physiotherapist, normally spends approximately US$100 per month on long-distance calls. But here was a bill for more than US$20,000.

“The hours of collect calls that had been charged to me were astounding.”

Orgel’s service provider, AT&T Corp., said he was a victim of the “Yes-Yes” voice mail fraud. In early January, somebody cracked the doctor’s voice mail password and changed his greeting to say “yes” repeatedly. The amendment let fraudsters charge long-distance calls to his account. The February bill included 6,500 minutes of conversation out of Saudi Arabia.

Orgel isn’t alone. Other San Francisco professionals were hit by Yes-Yes. Most victims run small shops. Some saw their long-distance bills climb into the tens of thousands of dollars.

If the fraudsters were able to scam so many long-distance calls from small operations, imagine what damage these thieves might have caused an enterprise. “If a company runs its own PBX, it is a target,” said Joseph Seanor, Washington, D.C.-based security consulting manager with Avaya Inc.’s enterprise security practice.

So how can companies help protect themselves? Here are some suggestions: