The first sign is usually the invoice. A business that spends a few hundred dollars a month on calling opens a bill for eleven thousand — hundreds of short calls to premium-rate numbers in countries nobody in the company has ever dialed, all placed between Friday night and Monday morning. That's toll fraud, and it has been quietly following phone systems from analog PBXes onto the internet for decades. VoIP security is mostly unglamorous work, but the economics are brutal: attackers rent premium-rate numbers, pump traffic to them through someone else's phone system, and collect a share of every minute. Your business is the someone else. Here's how it actually happens, and the short list of controls that stops it.
How Toll Fraud Actually Works
Toll fraud is a revenue scheme, not vandalism. The attacker's goal is to place as many billable minutes as possible through your system before anyone notices. The playbook is consistent:
- Find an entry point. An internet-exposed SIP extension with a weak password, a voicemail box still set to its default PIN, an old analog adapter nobody remembers, or an unpatched phone system with a known vulnerability.
- Verify quietly. One or two short test calls to an international number, often weeks before the real run. These almost never get noticed.
- Pump traffic off-hours. The real calling starts Friday evening or before a holiday weekend — the windows when nobody is watching a dashboard. Automated dialers can push hundreds of simultaneous calls.
- Disappear before the bill. By the time the invoice arrives, the traffic is weeks old and the premium-rate numbers have been cashed out.
The uncomfortable part: in most cases the carrier considers those calls legitimately placed from your system, which makes recovering the money somewhere between painful and impossible. Prevention is the whole game.
Where Business Phone Systems Get Cracked
Weak or reused SIP credentials
Every VoIP extension registers to the phone system with a username and password. When those credentials are short, guessable, or reused, internet scanners find them — automated tools probe SIP endpoints around the clock, the same way they probe RDP and SSH. A cracked extension is a dial tone the attacker owns.
Voicemail call-through
Older systems let a caller dial into voicemail and then place an outbound call — a feature designed for road warriors in the calling-card era. Combine it with a four-digit default PIN and an attacker never needs to touch SIP at all. If your system supports through-dialing from voicemail, turn it off unless a documented business need says otherwise.
Exposed administration interfaces
A phone system's admin portal on the open internet is an invitation. Admin access means the attacker doesn't hijack one extension — they create their own, raise trunk limits, and clean up logs. Management interfaces belong behind a VPN or an IP allow-list, full stop.
Forgotten equipment
The analog telephone adapter in a warehouse, the conference-room device from a system two migrations ago, the fax bridge nobody decommissioned — anything that can still register and dial is attack surface. Toll-fraud crews specialize in the gear you forgot you had.
The Controls That Actually Stop It
None of this requires exotic tooling. A handful of configuration decisions removes most of the risk:
- International call blocking by default. Most SMBs call a handful of countries or none. Block international dialing globally and allow specific destinations per user who needs them. This single control defeats the majority of toll-fraud schemes outright.
- Rate limits and spend caps. Cap simultaneous calls per extension and per trunk, and set daily spend or minute thresholds with automatic cutoff. A legitimate office never needs one extension placing forty concurrent international calls at 2 a.m.
- Strong registration security. Long random SIP passwords, TLS for signaling so credentials never cross the wire in the clear, and fail2ban-style lockouts after repeated failed registrations.
- Kill risky legacy features. Voicemail through-dialing off, default PINs forced to change, call forwarding to international numbers restricted.
- Time-of-day policy. If nobody legitimately dials out at 3 a.m. on Sunday, the system shouldn't allow it. Off-hours restrictions turn the attacker's favorite window into a dead end.
- Alerting on anomalies. A spike in call volume, a first-ever destination country, or a burst of failed registrations should page someone — not appear on next month's invoice.
Cloud PBX Doesn't Mean Someone Else's Problem
Moving to a hosted platform helps — reputable providers run their own fraud detection and absorb some categories of risk — but the controls that involve your tenant remain yours: extension passwords, dial plans, international permissions, admin access, and the devices registering in. Providers' fraud teams routinely catch runs mid-flight, but the terms of service usually leave tenant-level compromises on the customer. Read the fraud-liability language in your agreement before you need it; five minutes there is worth more than any amount of arguing after an incident.
Fold Phone Security Into the Rest of Your Security
The deeper fix is treating the phone system like any other production system instead of an appliance. It should be in patch management, its admin credentials should be in the password vault with MFA on the portal, its logs should flow wherever your other logs go, and its configuration should get reviewed when staff leave. If you're evaluating or migrating platforms, our guides to SIP trunking and QoS for VoIP cover the architecture side; emergency-calling compliance has its own rules, covered in our E911 guide. Toll fraud is simply the attack that shows up when phones are left out of the security program.
The Bottom Line
Toll fraud persists because it works against systems nobody is watching, using features nobody remembers enabling. Block international dialing you don't need, cap what any extension can do, lock down registration and admin access, and alert on the anomalies — and the attack economics collapse. If you'd rather have that reviewed properly, our unified communications team hardens business phone systems as part of managing them. Get in touch and we'll take a look at yours before the invoice does.
