
VoIP fraud is affecting more and more businesses. Attackers exploit poorly secured SIP connections to make international calls at your expense, sometimes for thousands of euros overnight. How does it work, how do you recognise it, and how do you prevent it?
VoIP fraud is a fast-growing problem that affects SMBs as well as large enterprises. The most common form is toll fraud via SIP trunks: attackers gain unauthorised access to your telephony environment and make large volumes of calls to expensive international destinations, premium numbers or fraudulent numbers. You pay the bill, and you only find out when the invoice arrives from your VoIP provider.
SIP, the Session Initiation Protocol, is the communication protocol used by most modern VoIP systems to establish calls. A SIP trunk is the connection between your phone system and the public telephone network. That connection listens on a network port and is therefore in principle reachable by anyone on the internet.
Attackers systematically scan the internet for open SIP ports. When they find one, they try to log in using common default passwords or via brute force. If they succeed, they register one or more fake extensions and start making calls.
The most common attack methods are SIP brute force, where attackers systematically try usernames and passwords until they gain access; registration fraud, where a fake device registers as a legitimate extension within your PBX; and SPIT (Spam over Internet Telephony), where your system is used to initiate large volumes of automated calls to other numbers.
IP whitelisting is the most effective measure: only allow SIP traffic from your VoIP provider's IP addresses and block all other traffic on the SIP ports at the firewall. Use strong, unique passwords for all SIP accounts and extensions. Enable TLS for SIP signalling and SRTP for media, so that both the signalling and the call audio are encrypted. Set call limits: a maximum number of simultaneous calls, a daily call budget and an alert for unusual patterns such as international calls outside business hours.
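The three call-limit controls above (a concurrency cap, a daily budget and an off-hours international alert) can be checked against call detail records (CDRs) exported from the PBX or provider. The script below is an added example, not code from the original article or from Zarioh; the CDR format, the home-country prefix, the office hours and the limits are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, time
# Constructed sample CDR lines: start,duration_s,destination,cost_eur (not real traffic)
SAMPLE_CDR = """\
2024-03-04T10:15:00,120,+31201234567,0.04
2024-03-05T02:10:00,1800,+88213001234,42.00
2024-03-05T02:11:00,1800,+88213001235,42.00
2024-03-05T02:12:00,1800,+88213001236,42.00
2024-03-05T02:13:00,1800,+88213001237,42.00
"""
HOME_PREFIX = "+31"                   # assumed home country prefix
BUSINESS_HOURS = (time(8), time(18))  # assumed office hours, Monday to Friday
MAX_CONCURRENT = 3                    # assumed limits for this example
DAILY_BUDGET_EUR = 100.0

def parse_cdr(text):
    calls = []
    for line in text.splitlines():
        start, dur, dest, cost = line.split(",")
        t0 = datetime.fromisoformat(start)
        calls.append({"start": t0, "end": t0 + timedelta(seconds=int(dur)),
                      "dest": dest, "cost": float(cost)})
    return calls

def off_hours_international(calls, home_prefix=HOME_PREFIX):
    """International calls that started at night or at the weekend."""
    def off_hours(t):
        return t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.time() < BUSINESS_HOURS[1])
    return [c for c in calls if not c["dest"].startswith(home_prefix) and off_hours(c["start"])]

def peak_concurrency(calls):
    """Highest number of simultaneous calls: sweep over start(+1)/end(-1) events."""
    events = sorted([(c["start"], 1) for c in calls] + [(c["end"], -1) for c in calls])
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def daily_costs(calls):
    """Total call cost per calendar day, keyed by ISO date."""
    totals = defaultdict(float)
    for c in calls:
        totals[c["start"].date().isoformat()] += c["cost"]
    return dict(totals)

def review(calls):
    """Alerts a nightly check would raise for this CDR batch."""
    alerts = [f"off-hours international call to {c['dest']} at {c['start']}"
              for c in off_hours_international(calls)]
    if (peak := peak_concurrency(calls)) > MAX_CONCURRENT:
        alerts.append(f"{peak} simultaneous calls exceed limit of {MAX_CONCURRENT}")
    alerts += [f"{day}: {t:.2f} EUR exceeds daily budget of {DAILY_BUDGET_EUR:.2f}"
               for day, t in daily_costs(calls).items() if t > DAILY_BUDGET_EUR]
    return alerts
```

Running `review(parse_cdr(SAMPLE_CDR))` on the constructed records flags the four night-time calls individually, the burst of four simultaneous calls and the blown daily budget, which is the pattern a toll-fraud incident typically produces before the invoice arrives.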
If you suspect your VoIP environment has been abused, contact your VoIP provider immediately to block suspicious calls and temporarily freeze your account. Then change all SIP passwords and review call logs for unauthorised activity. Also file a police report, as VoIP fraud falls under computer intrusion laws.
A thorough security configuration of your VoIP environment takes a few hours of work. A successful SIP fraud attack can cost you thousands of euros. Contact Zarioh for a no-obligation security check of your telephony environment.