Toll fraud is one of the most costly and underreported forms of cybercrime targeting businesses. The Communications Fraud Control Association (CFCA) estimated global telecommunications fraud losses at US$38 billion in its 2015 survey, and losses have stayed in the tens of billions every year since. Poorly secured VoIP systems are a prime target, and the attacks can happen fast: a compromised PBX is typically hit overnight or over a weekend, when nobody is watching the call logs.

What is toll fraud?

Toll fraud occurs when someone gains unauthorised access to your phone system and makes calls at your expense, typically to high-cost international or premium-rate destinations. By the time you notice the unusual charges, thousands of dollars can already be gone.

There are three common ways fraudsters profit:

  • Premium rate numbers: Attackers pump calls to premium-rate or revenue-share numbers they control (international revenue share fraud), collecting a cut of the termination charges while your account pays for the calls.
  • Phone cards: Fraudsters resell cheap international calling to others, routing those calls through your compromised system and pocketing the margin.
  • Scams: Criminals use your numbers and trunks for impersonation scams (ATO, bank, tech support), gaining a credible caller ID and anonymity while shifting the call costs onto you.

10 ways to protect your VoIP system

1. Lock down your firewall

Your PBX should not be freely accessible from the internet. Block all inbound traffic except what your SIP trunks and remote handsets actually need, and restrict management access (web portal, SSH) to specific IP addresses or a VPN. Moving SIP off the standard ports (5060/5061) cuts the volume of automated scanning, but it hides the system rather than hardening it, so treat it as a supplement to the controls above. Geo-IP blocking (limiting access to Australian IP addresses) is a practical additional layer.

2. Enable account lockout

Configure your system to detect repeated failed SIP registration and admin login attempts and to block the source address for a period (on Asterisk-based systems this is usually done with fail2ban reading the security log). This is a basic but effective defence against brute-force attacks, which typically show up as one address trying hundreds of extension and password combinations within a few minutes.
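As an added illustration of what the lockout logic has to do (example code written for this article, not a Caznet platform feature or code from the original page): the script below parses a handful of constructed log lines written in the style of the Asterisk security log, keeps a sliding window of failed SIP authentications per source address, and bans any address that reaches the threshold inside the window. The log lines, the thresholds, and the nftables set name sip_blocklist are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the Asterisk security log format (not real traffic).
# 203.0.113.7 walks the extension range; 198.51.100.20 is a user who mistyped once;
# 203.0.113.9 tries slowly, a few minutes apart.
SAMPLE_LOG = """\
[2024-03-02 02:14:05] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-03-02 02:14:06] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="101",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-03-02 02:14:06] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="102",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-03-02 02:14:07] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="205",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-03-02 02:14:07] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="103",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-03-02 02:14:08] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="104",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-03-02 02:14:09] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="105",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-03-02 02:14:12] SECURITY[2211] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="205",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-03-02 02:20:30] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-03-02 02:23:40] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="101",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-03-02 02:24:50] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="102",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\].*SecurityEvent="(?P<event>[^"]+)"'
    r'.*AccountID="(?P<account>[^"]*)"'
    r'.*RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>[^/]+)/\d+"'
)
# Asterisk security event names that mean an authentication attempt failed
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed"}


def parse_line(line):
    """Pull timestamp, event type, account and source IP out of one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event": m["event"],
        "account": m["account"],
        "ip": m["ip"],
    }


def find_lockouts(lines, max_failures=5, window_seconds=60):
    """Return {ip: (ban_time, accounts_tried)} for every source that produced
    max_failures failed authentications inside any window_seconds span.
    Once an IP is banned its later lines are ignored, as the firewall would drop them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> distinct AccountIDs it has tried
    banned = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] not in FAILURE_EVENTS or ev["ip"] in banned:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        accounts[ev["ip"]].add(ev["account"])
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned[ev["ip"]] = (ev["ts"], sorted(accounts[ev["ip"]]))
    return banned


def firewall_rules(banned):
    """Render bans as nftables commands. Assumes (hypothetically) that a set named
    sip_blocklist of type ipv4_addr exists in table 'inet filter' and a drop rule uses it."""
    return [f"nft add element inet filter sip_blocklist {{ {ip} }}" for ip in sorted(banned)]


if __name__ == "__main__":
    bans = find_lockouts(SAMPLE_LOG.splitlines())
    for ip, (when, tried) in bans.items():
        print(f"{when} ban {ip}: {len(tried)} distinct accounts tried {tried}")
    print("\n".join(firewall_rules(bans)))
```

With the defaults (5 failures in 60 seconds) only the fast scanner is banned; the slow scanner at 203.0.113.9 only trips a looser setting such as 3 failures in 10 minutes. Tune both numbers against your own logs: too tight and a patient attacker walks straight through, too loose and a user with a mistyped password locks out a whole office behind one NAT address.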

3. Use strong credentials

Every extension and admin account should have a strong, unique password: at least 16 characters with uppercase, lowercase, numbers and symbols, generated randomly rather than chosen. Never use the extension number (or a simple variation of it) as the SIP secret; that is the first guess every scanning tool makes. Avoid sequential extension ranges like 100–199 or 200–299, which attackers try first because they're so common.

4. Talk to your provider

Ask Caznet (or your VoIP provider) what security controls are in place at the platform level. A good provider will have international calling disabled by default, per-account call spend limits, monitoring for unusual calling behaviour, and the ability to restrict calling by source IP address.

5. Restrict international calling

If your business doesn't need to call internationally, turn it off entirely. If you do, limit international access to the specific extensions that actually need it, and block the countries you never call rather than allowing everything. Consider requiring a route password (a PIN the caller must enter before the call is placed) for international calls, and configure alerts when high-cost calls are made.

6. Configure outbound routes carefully

Use precisely formatted outbound dial patterns (a ten-digit Australian number, 0011 followed by a specific country code, and so on) rather than catch-all wildcards that pass whatever was dialled straight to the trunk. Restrict which extensions can use which routes, and consider disabling all outbound calling outside business hours, except to emergency services (000).
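The route logic from items 5 and 6 as a worked example (added here; this is not code from the original page or from any particular PBX): a deny-by-default outbound policy with anchored dial patterns for Australian numbers, a per-route list of permitted extensions, a route password for international calls, an after-hours rule with an emergency exception, and a block on the country codes of the destinations listed below under "High-risk destinations to watch". The business hours, extension numbers, route password and other policy values are assumptions chosen for illustration.

```python
import re
from datetime import datetime, time

# Policy values are illustrative assumptions, not any provider's settings.
BUSINESS_HOURS = (time(7, 0), time(19, 0))      # Mon-Fri
INTL_EXTENSIONS = {"201", "202"}                # the only extensions allowed to dial 0011
INTL_ROUTE_PASSWORD = "7381"                    # per-route PIN the PBX would prompt for
# Country codes of the destinations listed under "High-risk destinations to watch":
# Cuba, Latvia, Somalia, Lithuania, Guinea, Gambia, Maldives, Estonia, Zimbabwe, Tunisia.
HIGH_RISK_COUNTRY_CODES = ("53", "371", "252", "370", "224", "220", "960", "372", "263", "216")

# Route table: name, pattern for the complete dialled number (anchored when compiled),
# extensions allowed (None = all), route password required, usable outside business hours.
ROUTES = [
    ("emergency",     r"000|112",               None,            False, True),
    ("local-mobile",  r"0[23478]\d{8}",         None,            False, False),
    ("national",      r"1[38]00\d{6}|13\d{4}",  None,            False, False),
    ("international", r"0011[1-9]\d{6,14}",     INTL_EXTENSIONS, True,  False),
]
COMPILED = [(n, re.compile(rf"^(?:{p})$"), ex, pw, ah) for n, p, ex, pw, ah in ROUTES]

SAMPLE_WEEKDAY = datetime(2024, 3, 5, 10, 0)        # Tuesday morning (constructed)
SAMPLE_WEEKEND_NIGHT = datetime(2024, 3, 2, 2, 0)   # Saturday 02:00, the classic fraud window


def normalise(dialled):
    """Strip formatting; map E.164 input onto what an Australian PBX sees dialled."""
    digits = re.sub(r"[\s\-()]", "", dialled)
    if digits.startswith("+61"):
        digits = "0" + digits[3:]         # +61 2 ... is a domestic number
    elif digits.startswith("+"):
        digits = "0011" + digits[1:]      # everything else goes out via the 0011 prefix
    return digits if digits.isdigit() else None


def in_business_hours(when):
    return when.weekday() < 5 and BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]


def authorise_call(extension, dialled, when, route_password=None):
    """Return (allowed, route_name_or_reason) for one outbound call attempt.
    Deny-by-default: a number that matches no route is rejected, which is exactly
    what a catch-all wildcard route fails to do."""
    number = normalise(dialled)
    if number is None:
        return False, "malformed number"
    if number.startswith("190"):
        return False, "premium-rate 190x service blocked"
    if number.startswith("0011") and number[4:].startswith(HIGH_RISK_COUNTRY_CODES):
        return False, "high-risk destination blocked"
    for name, pattern, allowed_exts, needs_pw, after_hours_ok in COMPILED:
        if not pattern.match(number):
            continue
        if allowed_exts is not None and extension not in allowed_exts:
            return False, f"extension {extension} not permitted on route {name}"
        if needs_pw and route_password != INTL_ROUTE_PASSWORD:
            return False, f"route password required for {name}"
        if not after_hours_ok and not in_business_hours(when):
            return False, f"route {name} closed outside business hours"
        return True, name
    return False, "no route matches"


if __name__ == "__main__":
    for ext, num, when, pw in [
        ("105", "02 9123 4567", SAMPLE_WEEKDAY, None),
        ("201", "0011 1 212 555 0100", SAMPLE_WEEKDAY, "7381"),
        ("201", "+53 7 123 4567", SAMPLE_WEEKDAY, "7381"),
        ("105", "0412 345 678", SAMPLE_WEEKEND_NIGHT, None),
        ("105", "000", SAMPLE_WEEKEND_NIGHT, None),
    ]:
        print(ext, num, authorise_call(ext, num, when, pw))
```

The order of the checks matters: the blocklist and premium-rate tests run before any route is consulted, so a high-risk number is refused even for an extension that holds the route password, and the emergency route is the only one that ignores the time of day. Call forwarding targets (item 9) should be pushed through the same function before the forward is saved, so an attacker cannot use a forward to reach a destination the extension could not dial directly.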

7. Secure your voicemail

Require a PIN for voicemail access (not the default and not the extension number), and restrict mailbox access to the corresponding extension only. Disable any dial-through or call-out features that allow callers to break out of voicemail and dial externally; these are a classic toll-fraud path.

8. Keep software updated

PBX software and handset firmware updates regularly include security patches. Keep them current, and follow your vendor's security advisories so you know when a fix has been released. An unpatched vulnerability in your phone system is a known attack vector, and scanners routinely fingerprint PBX versions from the SIP User-Agent banner.

9. Disable call forwarding where not needed

Call forwarding to external numbers, whether set from the handset, a feature code, the voicemail menu or a web portal, can be exploited to redirect calls to expensive destinations: an attacker who has an extension's credentials forwards it to a premium number and then calls the extension repeatedly, and every one of those calls is billed to you. Remove this capability from any extension that doesn't genuinely need it, and restrict the rest to domestic numbers.

10. Monitor your system

Set up automated alerts for unusual call volumes, international calls, after-hours activity, and configuration changes (new extensions, changed forwarding, new trunks). Review your phone bill regularly: the most common way businesses discover fraud is seeing unexplained charges on their statement, by which time the money has already been spent.

High-risk destinations to watch

Some international destinations are disproportionately targeted in toll fraud attacks. Common examples include: Cuba, Latvia, Somalia, Lithuania, Guinea, Gambia, Maldives, Estonia, Zimbabwe, and Tunisia. If your business has no legitimate reason to call these countries, they should be blocked at the route level.
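A monitoring pass over a call detail record (CDR) export, as an added example (not code from the original page or from Caznet's platform): it applies the item 10 rules to a constructed CSV export, flagging after-hours calls, calls to countries the business never calls (an allowlist of expected country codes, which complements the route-level blocklist above), bursts of more than ten calls an hour from one extension, and daily spend over a limit. The CDR rows, the thresholds and the expected-country list are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Policy values are assumptions for illustration, not any provider's defaults.
EXPECTED_COUNTRY_CODES = ("1", "44", "64")   # the business only ever calls the US, UK and NZ
BUSINESS_HOURS = (7, 19)                      # Mon-Fri 07:00-19:00
MAX_CALLS_PER_HOUR = 10                       # per extension
MAX_DAILY_SPEND = 50.00                       # AUD, per extension
EMERGENCY = {"000", "112"}

# Constructed CDR export (not real data): a normal Friday, then extension 104 is
# compromised early on Saturday morning and pumps calls to a +224 (Guinea) number.
SAMPLE_CDR = "start,extension,dialled,seconds,cost\n" + "\n".join(
    [
        "2024-03-01 09:12:00,105,0291234567,180,0.10",
        "2024-03-01 11:40:00,201,0011649123456,600,1.20",
        "2024-03-01 14:05:00,201,0011442071234567,300,0.90",
        "2024-03-01 18:30:00,105,0412345678,60,0.25",
        "2024-03-02 08:15:00,201,0011649123456,120,1.20",
    ]
    + [f"2024-03-02 02:{10 + 2 * i:02d}:00,104,00112246{i:07d},900,6.50" for i in range(11)]
)


def parse_cdr(text):
    """Read a CSV CDR export into a list of typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"),
            "ext": r["extension"],
            "dialled": r["dialled"].replace(" ", ""),
            "seconds": int(r["seconds"]),
            "cost": float(r["cost"]),
        })
    return rows


def in_business_hours(when):
    return when.weekday() < 5 and BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]


def monitor(rows):
    """Apply four alert rules to a batch of CDRs and return one alert dict per finding."""
    after_hours = defaultdict(lambda: [0, 0.0])   # ext -> [calls, cost]
    unexpected = defaultdict(Counter)              # ext -> Counter of dialled country prefixes
    per_hour = Counter()                           # (ext, hour) -> calls
    spend = defaultdict(float)                     # (ext, day) -> cost
    for r in rows:
        if r["dialled"] in EMERGENCY:
            continue
        if not in_business_hours(r["start"]):
            after_hours[r["ext"]][0] += 1
            after_hours[r["ext"]][1] += r["cost"]
        if r["dialled"].startswith("0011"):
            rest = r["dialled"][4:]
            if not rest.startswith(EXPECTED_COUNTRY_CODES):
                unexpected[r["ext"]][rest[:3]] += 1   # first three digits are enough to alert on
        per_hour[(r["ext"], r["start"].strftime("%Y-%m-%d %H:00"))] += 1
        spend[(r["ext"], r["start"].date().isoformat())] += r["cost"]

    alerts = []
    for ext, (calls, cost) in sorted(after_hours.items()):
        alerts.append({"rule": "after_hours", "extension": ext, "calls": calls, "cost": round(cost, 2)})
    for ext, prefixes in sorted(unexpected.items()):
        for prefix, calls in prefixes.most_common():
            alerts.append({"rule": "unexpected_destination", "extension": ext, "prefix": prefix, "calls": calls})
    for (ext, hour), calls in sorted(per_hour.items()):
        if calls > MAX_CALLS_PER_HOUR:
            alerts.append({"rule": "burst", "extension": ext, "hour": hour, "calls": calls})
    for (ext, day), cost in sorted(spend.items()):
        if cost > MAX_DAILY_SPEND:
            alerts.append({"rule": "daily_spend", "extension": ext, "day": day, "cost": round(cost, 2)})
    return alerts


if __name__ == "__main__":
    for alert in monitor(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

On the sample data the compromised extension trips all four rules within its first half hour, while the legitimate Saturday call from extension 201 raises only a low-value after-hours notice. That is the point of running several independent rules: any one of them can be noisy, but an extension that fires burst, unexpected destination and spend together in the small hours is almost certainly fraud and is worth an automatic outbound block rather than just an email.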

A note from Caznet: Caznet's Cloud PBX platform includes a number of built-in protections: international calling is disabled by default, call limits can be set per account, and unusual call patterns trigger alerts. We work with customers to configure outbound routes and access controls appropriate to their business. If you have any concerns about your current VoIP system's security — call us on 1300 229 638.