VoIP Toll Fraud: What It Is and How to Prevent It

What Is VoIP Toll Fraud?

VoIP toll fraud is a type of cyber attack where hackers compromise your business phone system to make expensive international or premium-rate calls at your expense. It is one of the most common and costly forms of VoIP fraud, costing businesses worldwide billions of pounds each year. A compromised system can rack up thousands of pounds in fraudulent call charges in just a few hours, often over a weekend when the attack goes unnoticed.

How Toll Fraud Happens

Attackers use several methods to gain access to your phone system:

Weak SIP Passwords

This is the most common attack vector. If your SIP extension passwords are simple, short or left at default values, attackers can guess them through brute-force attacks. Once they hold valid SIP credentials, they can register to your system from anywhere in the world and make calls as if they were a legitimate user.

Exposed SIP Ports

If your SIP ports (typically UDP 5060) are open to the entire internet rather than restricted to your VoIP provider's IP addresses, attackers can scan for and target your system. Automated bots constantly scan the internet for open SIP ports.

Brute-Force Attacks

Attackers use automated tools to rapidly try thousands of username and password combinations against your SIP server until they find valid credentials. Without rate limiting or account lockout, these attacks can succeed within minutes.

Voicemail System Exploitation

Some older systems allow outbound calls to be initiated through the voicemail system using DISA (Direct Inward System Access). If the DISA PIN is weak or default, attackers can dial in and make outbound calls through your system.

Warning Signs of Toll Fraud

Watch for these indicators that your system may be compromised:

  • Unexpected international calls — Calls to countries your business has no connection to, particularly high-cost destinations in Africa, Eastern Europe, the Caribbean or the Pacific Islands.
  • Calls at unusual hours — A spike in outbound calls during nights, weekends or bank holidays when your office is closed.
  • Unusually high phone bills — A sudden and unexplained increase in your monthly VoIP charges.
  • Premium-rate calls — Calls to premium-rate or revenue-sharing numbers that generate income for the fraudster.
  • Multiple simultaneous calls — An unusually high number of concurrent outbound calls from a single extension.
  • Failed registration attempts — A large number of failed SIP registration attempts in your system logs, indicating a brute-force attack in progress.
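
As an added example (not code from the article), the Python script below applies the call-pattern warning signs above to a set of call detail records: unexpected international destinations, premium-rate numbers, calls outside business hours and an unusual number of overlapping calls from one extension. It assumes a constructed, simplified CSV CDR layout, a UK PBX that only expects calls to France and Germany, and office hours of 08:00 to 18:59 Monday to Friday; real CDR exports and business rules differ, so parse_cdr() and the thresholds are the parts to adapt.

```python
"""Scan call detail records (CDRs) for the toll-fraud warning signs above.

Added example, not code from the article. The CDR layout is a constructed,
simplified CSV (timestamp,extension,destination,duration_seconds); real PBX
CDR columns differ, so adapt parse_cdr() to your own export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: two ordinary working-day calls, then a burst of
# overlapping international and premium-rate calls from extension 204 at
# 02:00 on a Saturday, the classic toll-fraud pattern.
SAMPLE_CDRS = """\
timestamp,extension,destination,duration_seconds
2024-03-15 10:12:04,201,02079460123,185
2024-03-15 10:40:51,203,01614960456,62
2024-03-16 02:03:10,204,00252612345678,540
2024-03-16 02:03:12,204,00252612345679,512
2024-03-16 02:03:15,204,00252612345680,498
2024-03-16 02:04:01,204,00252612345681,530
2024-03-16 02:10:40,204,0905123456,300
"""

# Assumptions: a UK PBX that only expects calls to France and Germany,
# office hours 08:00-18:59 Monday to Friday, and three or more overlapping
# calls from a single extension counting as suspicious.
EXPECTED_INTL_PREFIXES = ("0033", "0049")
BUSINESS_HOURS = range(8, 19)
CONCURRENT_THRESHOLD = 3


def parse_cdr(text):
    """Parse the CSV text into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "ext": r["extension"],
            "dest": r["destination"],
            "dur": int(r["duration_seconds"]),
        })
    return rows


def trunk_form(dest):
    """Turn E.164 '+33...' into the UK-dialled '0033...' form; others unchanged."""
    return "00" + dest[1:] if dest.startswith("+") else dest


def is_international(dest):
    d = trunk_form(dest)
    return d.startswith("00") and not d.startswith("0044")  # +44 is domestic


def is_premium_rate(dest):
    return dest.startswith("09")  # UK premium-rate (09xx) range


def is_out_of_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def concurrent_peaks(rows):
    """Highest number of overlapping calls per extension (sweep over start/end events)."""
    events = defaultdict(list)
    for r in rows:
        start = r["ts"].timestamp()
        events[r["ext"]].append((start, +1))
        events[r["ext"]].append((start + r["dur"], -1))
    peaks = {}
    for ext, evs in events.items():
        active = peak = 0
        for _, delta in sorted(evs):  # at equal times -1 sorts first, so ends close before starts
            active += delta
            peak = max(peak, active)
        peaks[ext] = peak
    return peaks


def find_warning_signs(cdr_text):
    """Return a list of (timestamp, extension, destination, reasons) findings."""
    rows = parse_cdr(cdr_text)
    findings = []
    for r in rows:
        reasons = []
        if is_international(r["dest"]) and not trunk_form(r["dest"]).startswith(EXPECTED_INTL_PREFIXES):
            reasons.append("international call to an unexpected country")
        if is_premium_rate(r["dest"]):
            reasons.append("premium-rate number")
        if is_out_of_hours(r["ts"]):
            reasons.append("outside business hours")
        if reasons:
            findings.append((r["ts"].isoformat(sep=" "), r["ext"], r["dest"], reasons))
    for ext, peak in concurrent_peaks(rows).items():
        if peak >= CONCURRENT_THRESHOLD:
            findings.append(("", ext, "", [f"{peak} concurrent outbound calls"]))
    return findings


if __name__ == "__main__":
    for ts, ext, dest, reasons in find_warning_signs(SAMPLE_CDRS):
        print(f"{ts or '-':19} ext {ext} -> {dest or '-':15} {'; '.join(reasons)}")
```

Run against the sample, the two weekday calls produce nothing while every call from extension 204 is flagged on at least two counts, and the sweep reports five calls in progress at once from that extension; a nightly run of the same logic over the previous day's CDRs, with an alert on any finding, is the kind of check the monitoring section later recommends.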

How to Prevent VoIP Toll Fraud

Protecting your business from VoIP fraud requires a multi-layered approach to VoIP security:

Strong SIP Passwords

This is the single most important security measure. Ensure all SIP extension passwords are:

  • At least 12 characters long
  • Randomly generated (not based on dictionary words or extension numbers)
  • A mix of uppercase, lowercase, numbers and special characters
  • Unique for each extension — never reuse passwords
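
The four rules above are easy to state and easy to drift from, so here is an added example (not code from the article) that turns them into a checker, a generator and a reuse audit, using only the Python standard library. The list of weak substrings is a constructed, illustrative sample of what attackers try first, not a complete dictionary, and the punctuation set is an assumption chosen to avoid characters that PBX config files often treat specially.

```python
"""Generate and vet SIP extension secrets against the four rules above.

Added example, not code from the article; standard library only. The list of
weak substrings is a constructed, illustrative sample, not a full dictionary.
"""
import re
import secrets
import string

MIN_LENGTH = 12
# Punctuation chosen to avoid characters that often need escaping in PBX
# config files (quotes, ';' and '#').
ALPHABET = string.ascii_letters + string.digits + "!%*+-=?@^_~"
WEAK_SUBSTRINGS = ("password", "secret", "admin", "voip", "1234", "qwerty")


def check_sip_secret(secret, extension=""):
    """Return (ok, problems) for a proposed secret on the given extension."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in ((r"[a-z]", "lowercase letter"), (r"[A-Z]", "uppercase letter"),
                           (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, secret):
            problems.append(f"no {label}")
    if extension and extension in secret:
        problems.append("contains the extension number")
    lowered = secret.lower()
    if any(word in lowered for word in WEAK_SUBSTRINGS):
        problems.append("contains a dictionary or default word")
    return (not problems, problems)


def generate_sip_secret(length=20):
    """Draw a secret from the OS CSPRNG and retry until it passes the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_sip_secret(candidate)[0]:
            return candidate


def find_reused_secrets(secrets_by_extension):
    """Map each secret shared by two or more extensions to those extensions."""
    owners = {}
    for ext, secret in secrets_by_extension.items():
        owners.setdefault(secret, []).append(ext)
    return {s: exts for s, exts in owners.items() if len(exts) > 1}


if __name__ == "__main__":
    samples = {"201": "Password1234", "204": "2041234", "205": generate_sip_secret()}
    for ext, secret in samples.items():
        ok, problems = check_sip_secret(secret, ext)
        print(ext, "OK" if ok else "REJECT: " + ", ".join(problems))
```

The generator deliberately loops rather than forcing one character of each class into fixed positions, so the output keeps the full randomness of the CSPRNG; the reuse audit is the check to run across an exported extension list, since a shared secret turns one guessed extension into many.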

IP Whitelisting

Configure your firewall to only allow SIP traffic from trusted IP addresses:

  • Your VoIP provider's SIP server IP addresses
  • Your office IP address(es)
  • Any remote worker IP addresses (or use a VPN)

Block all other SIP traffic. This single measure eliminates the vast majority of toll fraud attacks.

Geo-Blocking and Call Barring

  • Block international calls — If your business doesn't make international calls, disable them entirely. If you do, restrict to only the specific countries you need.
  • Block premium-rate numbers — Bar calls to premium-rate (09xx) and revenue-sharing numbers.
  • Set call spend limits — Configure daily or monthly spend limits per extension. If the limit is reached, outbound calls are blocked until an administrator reviews and resets it.
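
The three controls above can be expressed as one policy gate that runs before a call is placed. The following is an added example, not code from the article or any particular PBX: it enforces a country allow-list, bars 09xx premium-rate numbers, and applies a per-extension daily spend limit that holds the extension until an administrator resets it. The allow-list, tariff and limit are constructed placeholders; real values come from your provider's tariff, and the normalisation assumes a UK PBX where international numbers are dialled with a 00 prefix or in +country form.

```python
"""Outbound-call policy gate: country allow-list, premium-rate bar, spend limit.

Added example, not code from the article. ALLOWED_INTL_PREFIXES,
TARIFF_GBP_PER_MIN and DAILY_SPEND_LIMIT_GBP are constructed placeholders.
"""
from collections import defaultdict

ALLOWED_INTL_PREFIXES = ("0033", "0049")  # France and Germany only (constructed)
DAILY_SPEND_LIMIT_GBP = 10.00              # per extension per day (constructed)
# Pounds per minute by dialled prefix; the longest matching prefix wins (constructed).
TARIFF_GBP_PER_MIN = {"0": 0.02, "0033": 0.50, "0049": 0.50, "09": 1.50}


def trunk_form(dest):
    """Turn E.164 '+33...' into the UK-dialled '0033...' form; others unchanged."""
    return "00" + dest[1:] if dest.startswith("+") else dest


def classify(dest):
    """'premium', 'international' or 'domestic' for a dialled number."""
    d = trunk_form(dest)
    if d.startswith("09"):
        return "premium"
    if d.startswith("00") and not d.startswith("0044"):
        return "international"
    return "domestic"


def rate_per_minute(dest):
    d = trunk_form(dest)
    matches = [p for p in TARIFF_GBP_PER_MIN if d.startswith(p)]
    if not matches:
        raise ValueError(f"no tariff for {dest}")
    return TARIFF_GBP_PER_MIN[max(matches, key=len)]


class OutboundPolicy:
    def __init__(self, international_allowed=True):
        self.international_allowed = international_allowed
        self.spend = defaultdict(float)  # extension -> pounds spent today
        self.held = set()                # extensions over limit, awaiting admin reset

    def check(self, extension, dest):
        """Decide whether a call attempt may proceed; returns (allowed, reason)."""
        if extension in self.held:
            return False, "spend limit reached; awaiting administrator reset"
        kind = classify(dest)
        if kind == "premium":
            return False, "premium-rate numbers are barred"
        if kind == "international":
            if not self.international_allowed:
                return False, "international calling disabled"
            if not trunk_form(dest).startswith(ALLOWED_INTL_PREFIXES):
                return False, "destination country not on allow-list"
        return True, "ok"

    def record(self, extension, dest, minutes):
        """Charge a completed call and hold the extension once the limit is hit."""
        self.spend[extension] += rate_per_minute(dest) * minutes
        if self.spend[extension] >= DAILY_SPEND_LIMIT_GBP:
            self.held.add(extension)
        return round(self.spend[extension], 2)

    def admin_reset(self, extension):
        """Administrator review done: clear the hold and today's spend."""
        self.held.discard(extension)
        self.spend[extension] = 0.0


if __name__ == "__main__":
    policy = OutboundPolicy()
    for ext, dest in (("201", "02079460123"), ("201", "0905123456"),
                      ("201", "00252612345678"), ("201", "+33123456789")):
        print(ext, dest, policy.check(ext, dest))
```

The hold is deliberately not self-clearing: once an extension trips its limit it stays blocked until admin_reset() is called, which is what turns a spend limit from a report into a stop on the kind of overnight loss the article describes.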

Rate Limiting and Fail2Ban

  • Rate limiting — Limit the number of SIP registration attempts per IP address per minute. This slows down brute-force attacks dramatically.
  • Fail2Ban — Implement fail2ban or similar intrusion prevention software that automatically blocks IP addresses after a set number of failed registration attempts (e.g., 5 failures within 5 minutes triggers a 24-hour ban).
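
To make the two mechanisms above concrete, here is an added example (not code from the article, and not fail2ban itself) that implements the stated policy end to end: a sliding five-minute window of failed registrations per source IP, a 24-hour ban after the fifth failure, and a lookup the registration handler can call to refuse banned sources. The same window logic is what a per-IP rate limit counts. Log lines are constructed in a generic "<date> <time> REGISTER failed from <ip> user=<ext>" form; real PBX log formats differ, so FAILED_RE is the part to adapt.

```python
"""Sliding-window ban of source IPs with repeated failed SIP registrations.

Added example, not code from the article and not fail2ban itself. Log lines
are constructed in a generic form; real PBX logs differ, so adapt FAILED_RE.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5
WINDOW = timedelta(minutes=5)
BAN_TIME = timedelta(hours=24)
FAILED_RE = re.compile(r"^(\S+ \S+) REGISTER failed from (\d+\.\d+\.\d+\.\d+) user=(\S+)")

# Constructed sample: one host cycling through extension numbers at 02:00
# (brute force), and one remote worker mistyping a password twice, 15 min apart.
SAMPLE_LOG = """\
2024-03-16 02:00:01 REGISTER failed from 203.0.113.7 user=100
2024-03-16 02:00:02 REGISTER failed from 203.0.113.7 user=101
2024-03-16 02:00:02 REGISTER failed from 203.0.113.7 user=102
2024-03-16 02:00:03 REGISTER failed from 203.0.113.7 user=103
2024-03-16 02:00:03 REGISTER failed from 203.0.113.7 user=104
2024-03-16 02:00:04 REGISTER failed from 203.0.113.7 user=105
2024-03-16 09:15:00 REGISTER failed from 198.51.100.20 user=204
2024-03-16 09:30:00 REGISTER failed from 198.51.100.20 user=204
"""


class RegistrationGuard:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, ban_time=BAN_TIME):
        self.max_failures = max_failures
        self.window = window
        self.ban_time = ban_time
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> datetime when the ban lapses

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are dropped on lookup."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.banned_until[ip]
        return False

    def record_failure(self, ip, ts):
        """Register one failed attempt; return True if it triggers a new ban."""
        if self.is_banned(ip, ts):
            return False  # already blocked; a real deployment drops the packet earlier
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # slide the window forward
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_time
            recent.clear()
            return True
        return False

    def process_log(self, text):
        """Feed log lines through the guard; return [(ip, ban_expiry)] for new bans."""
        bans = []
        for line in text.splitlines():
            m = FAILED_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if self.record_failure(m.group(2), ts):
                bans.append((m.group(2), ts + self.ban_time))
        return bans


if __name__ == "__main__":
    guard = RegistrationGuard()
    for ip, until in guard.process_log(SAMPLE_LOG):
        print(f"ban {ip} until {until}")
```

On the sample the brute-forcing host is banned at its fifth failure, two seconds into the run, while the remote worker's two mistakes fall outside the window and never accumulate. In production the ban would be pushed to the firewall rather than kept in memory, and the guard's state should be keyed on source IP rather than on the extension being tried, since a brute-force run walks through many extensions from one address.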

Monitoring and Alerts

  • Set up real-time alerts for unusual call patterns — international calls, calls outside business hours, high concurrent call counts.
  • Review call detail records (CDRs) regularly for anomalies.
  • Enable email or SMS alerts when spend thresholds are approached.

Disable Unused Features

  • Disable DISA (Direct Inward System Access) if not needed.
  • Disable any unused extensions or SIP accounts.
  • Remove default or test accounts from the system.

What to Do If You're Compromised

If you suspect your system has been compromised by toll fraud:

  • Act immediately — Every minute counts. Fraudulent calls can accumulate charges rapidly.
  • Change all SIP passwords — Reset every extension password to a strong, random value.
  • Block outbound international calls — Temporarily disable all international and premium-rate calling.
  • Contact your VoIP provider — Report the fraud immediately. They may be able to block the fraudulent traffic and help investigate.
  • Review firewall rules — Ensure SIP traffic is restricted to trusted IPs only.
  • Check system logs — Identify which extension(s) were compromised and how access was gained.
  • Report to Action Fraud — Report the incident to Action Fraud (the UK's national fraud reporting centre) at actionfraud.police.uk.

Want to ensure your VoIP system is secure? Get a quote for hosted VoIP — our managed service includes comprehensive phone system security measures as standard.