VoIP Security Guide
VoIP Toll Fraud Prevention
9 min read · Updated April 2026
VoIP toll fraud is one of the most financially damaging attacks on SIP infrastructure — attackers exploit exposed SIP services to make thousands of dollars in calls at your expense. Here's how to detect it and stop it.
1. How VoIP toll fraud works
Toll fraud occurs when attackers gain unauthorized access to your SIP infrastructure and use it to make calls — typically to premium rate numbers they control, international destinations, or numbers they sell access to. The calls are billed to you.
The typical attack flow: attacker scans the internet for SIP servers on port 5060, attempts to register with brute-forced credentials, gains access to an extension or trunk, then immediately begins making calls to high-cost destinations. Attacks often happen overnight or on weekends when monitoring is minimal. A single compromised account can generate tens of thousands of dollars in calls within hours.
2. Common toll fraud attack types
Attack 01
SIP brute force registration
Automated tools scan for SIP servers and attempt thousands of username/password combinations. Default credentials (1001/1001, admin/admin) are tried first. Once an extension is compromised, calls begin immediately. Mitigation: strong passwords, fail2ban, rate limiting on REGISTER attempts, IP allowlisting.
Attack 02
SIP scanning and enumeration
Attackers send OPTIONS requests to discover valid extensions before attempting registration. A response that differs between valid and invalid extensions (even a 403) confirms which extensions exist. Mitigation: configure your PBX to respond identically to valid and invalid extensions, or block OPTIONS from unauthorized IPs.
Attack 03
Compromised PBX admin interface
Attackers access the PBX web interface using default or weak credentials, add trunks or extensions, and configure outbound call routing. Always change default admin passwords, enable MFA on web interfaces, and restrict admin access by IP.
Attack 04
Dialplan manipulation
After gaining access, attackers modify the dialplan to route calls through expensive trunks. Monitor dialplan changes with change management and alerting on configuration modifications.
3. Detecting toll fraud in SIP traces
In a SIP trace, fraud looks like:
- High volume of REGISTER attempts from foreign IPs in rapid succession
- Multiple 401/403 responses followed by eventual 200 OK — successful brute force
- INVITE requests to international or premium rate numbers shortly after registration
- Calls at unusual hours (overnight, weekends) from registered extensions
- High concurrent call counts from a single extension
# Count failed registrations per source IP (brute force indicator)
# ($NF assumes the IP is the last field on the line; adjust for your log format)
grep "401\|403" /var/log/asterisk/full | awk '{print $NF}' | sort | uniq -c | sort -rn
# Watch for successful registrations and the IPs they came from
grep "200 OK" sip-trace.log | grep "REGISTER" | awk '{print $1}' | sort | uniq -c
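The indicators above can be checked mechanically. The following detector is an added example (not from the original page): it walks a constructed one-transaction-per-line trace summary, counts 401/403 REGISTER failures per client IP, flags the 200 OK that follows a run of failures, and flags international INVITEs placed within minutes of registering or at unusual hours. The summary format, thresholds and sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample trace (not from the original page). One SIP transaction per
# line: "<ISO time> <client IP> <method> <user or dialed number> <final status>".
SAMPLE_TRACE = """\
2026-04-13T02:10:01 203.0.113.7 REGISTER 1001 401
2026-04-13T02:10:01 203.0.113.7 REGISTER 1001 403
2026-04-13T02:10:02 203.0.113.7 REGISTER 1001 403
2026-04-13T02:10:02 203.0.113.7 REGISTER 1001 403
2026-04-13T02:10:03 203.0.113.7 REGISTER 1001 403
2026-04-13T02:10:05 203.0.113.7 REGISTER 1001 200
2026-04-13T02:10:09 203.0.113.7 INVITE 011441632960123 200
2026-04-13T09:15:00 192.0.2.20 REGISTER 1002 200
2026-04-13T09:20:00 192.0.2.20 INVITE 2125550123 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (REGISTER|INVITE) (\S+) (\d{3})$")
INTL_RE = re.compile(r"^(011|00|\+)\d+$")  # NANP and ITU international prefixes
FAIL_THRESHOLD = 5     # failed REGISTERs from one IP before calling it brute force
POST_REG_WINDOW = 300  # seconds: an INVITE this soon after REGISTER is suspicious
OFF_HOURS = (22, 6)    # 22:00-06:00 (and weekends) count as unusual hours

def analyze(trace):
    """Return (indicator, client_ip, target) tuples in the order they are seen."""
    failures = defaultdict(int)  # client IP -> failed REGISTER count
    last_reg = {}                # client IP -> time of last successful REGISTER
    alerts = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the summary format
        ts, ip, method, target, status = m.groups()
        t = datetime.fromisoformat(ts)
        if method == "REGISTER" and status in ("401", "403"):
            failures[ip] += 1  # first 401 is a normal challenge; the threshold absorbs it
            if failures[ip] == FAIL_THRESHOLD:
                alerts.append(("BRUTE_FORCE", ip, target))
        elif method == "REGISTER" and status == "200":
            last_reg[ip] = t
            if failures[ip] >= FAIL_THRESHOLD:
                alerts.append(("BRUTE_FORCE_SUCCESS", ip, target))
        elif method == "INVITE" and status == "200":
            reg_t = last_reg.get(ip)
            if INTL_RE.match(target) and reg_t and (t - reg_t).total_seconds() <= POST_REG_WINDOW:
                alerts.append(("INTL_AFTER_REGISTER", ip, target))
            if t.hour >= OFF_HOURS[0] or t.hour < OFF_HOURS[1] or t.weekday() >= 5:
                alerts.append(("OFF_HOURS_CALL", ip, target))
    return alerts
```

Run analyze() over a summary produced from your own trace; the extension 1002 traffic in the sample is a daytime domestic call and produces no alert.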
4. Prevention controls
Authentication hardening
- Use strong passwords — minimum 16 characters, random alphanumeric
- Never use extension number as username or password
- Enable IP allowlisting — only allow REGISTER from known IP ranges
- Disable unused extensions and trunks
Rate limiting with fail2ban
; /etc/fail2ban/jail.local — Asterisk SIP brute force protection
[asterisk]
enabled = true
port = 5060,5061
protocol = udp
filter = asterisk
logpath = /var/log/asterisk/full
maxretry = 5
findtime = 21600
bantime = 86400
Call routing controls
- Block international calling by default — enable per extension on request
- Block premium rate number ranges (900, 976, international premium)
- Set per-extension and per-trunk concurrent call limits
- Set daily spend limits with carrier — most SIP trunk providers offer this
- Block calls to high-fraud destinations (specific country codes)
Network controls
- Put SIP on a non-standard port (not 5060) — reduces scan exposure
- Restrict SIP access by IP at the firewall level
- Use VPN for remote phone access instead of exposing SIP directly
- Disable direct internet access to PBX admin interface
5. Real-time monitoring for toll fraud
Detect fraud before the bill arrives:
- CDR monitoring — alert on calls to unusual destinations or at unusual hours
- Concurrent call limits — alert when an extension exceeds its normal concurrent call count
- Daily spend limits — set hard limits with your SIP trunk provider
- Geographic anomaly detection — alert when calls originate from unexpected countries
- Registration alerts — notify when an extension registers from a new IP
; Dialplan fragment that runs a fraud-check AGI script before bridging
; international calls; the script must set FRAUD_SCORE (0-100) on every call
exten => _011.,1,AGI(fraud-check.agi,${CALLERID(num)},${EXTEN})
same => n,GotoIf($[${FRAUD_SCORE} > 80]?blocked)
same => n,Dial(SIP/trunk/${EXTEN})
same => n,Hangup()
same => n(blocked),Playback(call-rejected)
same => n,Hangup()
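The fraud-check.agi script that the dialplan above calls is not shown on the page. The following is an added example of one in Python (not the page's or any project's code): it reads the AGI header block Asterisk sends, scores the dialed number against the page's indicators (premium rate, international, high-risk destination, unusual hours), and sets FRAUD_SCORE for the GotoIf. The weights, prefix lists and the high-risk placeholder are assumptions.

```python
#!/usr/bin/env python3
import sys
from datetime import datetime

# Weights and prefix lists are constructed for this example; tune them to your own
# traffic. HIGH_RISK_INTL is a placeholder (999 is an unassigned country code).
INTL_PREFIXES = ("011", "00", "+")
PREMIUM_PREFIXES = ("900", "1900", "976", "1976")
HIGH_RISK_INTL = ("011999",)

def score_call(dialed, when):
    """Return a 0-100 fraud score for one outbound call attempt."""
    score = 0
    if dialed.startswith(PREMIUM_PREFIXES):
        score += 60  # premium rate ranges that should be blocked by default
    if dialed.startswith(INTL_PREFIXES):
        score += 40
        if dialed.startswith(HIGH_RISK_INTL):
            score += 30
    if when.hour >= 22 or when.hour < 6 or when.weekday() >= 5:
        score += 30  # overnight or weekend, when fraud typically runs
    return min(score, 100)

def read_agi_env(lines):
    """Parse the 'agi_name: value' block Asterisk sends before the script runs."""
    env = {}
    for line in lines:
        line = line.strip()
        if not line:
            break  # a blank line ends the header block
        key, _, value = line.partition(": ")
        env[key] = value
    return env

def agi_command(cmd):
    """Send one AGI command and return Asterisk's '200 result=...' reply."""
    sys.stdout.write(cmd + "\n")
    sys.stdout.flush()
    return sys.stdin.readline().strip()

if __name__ == "__main__":
    env = read_agi_env(sys.stdin)
    caller = env.get("agi_arg_1", "")   # ${CALLERID(num)} from the dialplan
    dialed = env.get("agi_arg_2", "")   # ${EXTEN} from the dialplan
    score = score_call(dialed, datetime.now())
    agi_command(f"SET VARIABLE FRAUD_SCORE {score}")
    agi_command(f'VERBOSE "fraud-check {caller} -> {dialed} score={score}" 1')
```

Install it executable in the Asterisk AGI directory under the name the dialplan uses; a score above the dialplan's threshold of 80 sends the call to the blocked label.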
6. Incident response
If you suspect active toll fraud:
- Immediately disable outbound calling — block outbound routes at the firewall or PBX level
- Identify the compromised extension — check CDRs for the source of fraudulent calls
- Rotate all credentials — change passwords on all extensions, not just the compromised one
- Contact your SIP trunk provider — they can see real-time CDRs and may be able to cap the damage
- Review and block — add the attacker IPs to your firewall blacklist
- Audit dialplan and configuration — check for any changes made by the attacker
Frequently asked questions
What is VoIP toll fraud?
VoIP toll fraud is when attackers gain unauthorized access to your SIP infrastructure and use it to make calls at your expense — typically to premium rate numbers they control. Attacks usually start with SIP brute force scanning on port 5060, credential guessing, and then immediate high-volume calling to expensive destinations.
How do I prevent toll fraud on my SIP server?
Prevent VoIP toll fraud by: using strong passwords on all extensions (16+ character random strings), enabling fail2ban to block IPs after failed registration attempts, restricting SIP access by IP at the firewall level, blocking international and premium rate destinations by default, setting per-extension concurrent call limits, and using a non-standard SIP port.
How do I detect VoIP toll fraud in progress?
Signs of active toll fraud: high volume of failed REGISTER attempts from foreign IPs, calls to international or premium rate numbers at unusual hours, unusually high concurrent calls from a single extension, and sudden spikes in CDR call volume. Set up real-time CDR monitoring and daily spend limits with your SIP trunk provider to catch fraud before costs escalate.
Investigating suspicious call activity?
Paste your SIP trace into SIPSymposium. The analyzer identifies brute force registration patterns, unusual call destinations, and authentication failures that indicate toll fraud activity.