
VoIP Security: Toll Fraud and How to Protect Your Business

Toll fraud lets criminals run up huge call charges on a compromised VoIP system, often overnight. This guide explains how it happens, the typical losses, and the configuration steps that keep a UK business protected.

Chandraketu Tripathi
Finance Editor, Kaeltripton
Published 5 Jun 2026
Last reviewed 5 Jun 2026
KEY FACTS
  • Toll fraud is the unauthorised use of a business VoIP system to place expensive calls, usually to premium-rate or international destinations, at the victim's cost.
  • Attacks frequently happen out of hours, when no one is watching, so a compromised system can generate thousands of pounds of calls overnight.
  • The most common entry points are weak SIP passwords, exposed administration interfaces and default credentials left unchanged on phones and gateways.
  • As the UK moves to all-IP voice ahead of the PSTN switch-off Openreach expects to complete in 2027, more business phone systems are exposed to internet-based attack.
  • Liability for fraudulent calls often rests with the account holder, so prevention through configuration and call limits is the practical defence.
TL;DR

Toll fraud is the theft of VoIP call capacity to run up expensive charges. It is prevented with strong passwords, restricted call destinations, spending caps, closed administration ports and active monitoring of unusual call patterns.


What toll fraud is

Toll fraud is one of the oldest and most costly forms of telecoms crime, and the move to internet-based voice has made it easier to commit at scale. The principle is simple: a criminal gains access to a business phone system and uses it to place calls that someone else pays for. Those calls are usually routed to premium-rate numbers or expensive international destinations that the fraudster controls or earns a share from, turning stolen call minutes directly into revenue. Because the calls are placed through a legitimate account, they appear on the victim's bill as normal usage until the total becomes alarming.

The mechanism that turns a stolen minute into money is worth understanding, because it explains why certain destinations are targeted. Some premium-rate and high-cost international ranges pay a share of the call charge back to whoever terminates the traffic, so a fraudster who controls or rents such a range earns revenue for every minute pushed to it; the industry term for this is international revenue share fraud (IRSF). The compromised business system becomes, in effect, a machine for generating those minutes at the victim's expense. That revenue motive is why an attacker will keep a flood of calls running for as long as possible rather than place a single test call and stop.

The scale of the problem comes from automation. Once a system is compromised, an attacker can launch a flood of simultaneous calls and keep them running for hours, often choosing nights, weekends or bank holidays when staff are absent. By the time anyone notices, a system that normally generates modest bills can have run up an enormous one. Understanding how this happens is the first step to closing the gaps that allow it.

How toll fraud happens

Most toll fraud begins with the attacker finding a way into the phone system. The commonest route is a weak or default SIP credential. Automated tools scan the internet continuously for VoIP systems with administration or SIP registration ports exposed, then attempt to guess passwords. Extensions protected by short numeric PINs or by the manufacturer's default password are guessed quickly. Once an attacker registers as a valid extension, they can place calls as though they were a member of staff.

It helps to picture the attack as a continuous, indiscriminate sweep rather than a targeted strike. The scanning tools do not single out a particular business; they probe enormous ranges of internet addresses looking for any system that answers on a known VoIP port (SIP normally listens on 5060, or 5061 for TLS), and a newly connected system can be found within minutes of going live. This is why a phone system that has only just been installed and never advertised can still be attacked, and why leaving an interface temporarily exposed during setup is risky even if it is only meant to be open for a few hours.

Other routes exist alongside credential guessing. A misconfigured system may accept unauthenticated inbound calls from the internet and route them straight out through the business's trunk, letting a stranger dial out on the business's account; this is the telephony equivalent of an open relay, and it is usually the result of an overly permissive dial plan that gives anonymous or guest callers the same outbound rules as staff extensions. Voicemail systems that allow outbound calling, unrestricted call forwarding and exposed management consoles all provide footholds. The internet exposure that makes VoIP flexible is the same exposure that lets these attacks reach the system from anywhere in the world, which is why a phone system needs the same security discipline as any other internet-facing service.
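The password sweep described above leaves a clear trace in the PBX's own logs: a burst of authentication failures from one address, walking through extension numbers. The following is an added example, not code from the article or from any PBX vendor, that detects that pattern with a sliding window and turns the result into firewall rules. The log-line format is modelled loosely on Asterisk's security log, the lines themselves are constructed for illustration, and the threshold, window, addresses and the iptables rule are assumptions for a hypothetical deployment.

```python
"""Added example (not from the original article): spotting an automated SIP
registration sweep in PBX security logs and producing a block list.

Log format is modelled loosely on Asterisk's security log; the lines, the
threshold, the window and the addresses below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY.*SecurityEvent="(?P<event>[^"]+)"'
    r'.*?AccountID="(?P<account>[^"]*)"'
    r'.*?RemoteAddress="IPV4/UDP/(?P<ip>[\d.]+)/\d+"'
)
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed"}
THRESHOLD = 5                    # failures from one source ... (assumption)
WINDOW = timedelta(seconds=60)   # ... within this window   (assumption)


def parse(line: str):
    """Return the fields we need from one security-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"], "account": m["account"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of authentication failures per source address.

    Returns {ip: {"first_flagged": datetime, "accounts_tried": [...]}} for
    each source that reaches the threshold. A scanner walks many extension
    numbers, so the distinct accounts it tried are kept as a second signal;
    a staff member mistyping one password twice is never flagged.
    """
    recent = defaultdict(deque)
    accounts = defaultdict(set)
    first_flagged = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["event"] not in FAILURE_EVENTS:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        accounts[ev["ip"]].add(ev["account"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in first_flagged:
            first_flagged[ev["ip"]] = ev["ts"]
    return {ip: {"first_flagged": ts, "accounts_tried": sorted(accounts[ip])}
            for ip, ts in first_flagged.items()}


def block_commands(flagged):
    """Illustrative firewall rules dropping SIP (UDP 5060) from flagged sources."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"
            for ip in sorted(flagged)]


def _line(ts: str, event: str, account: str, ip: str) -> str:
    """Build one constructed log line in the assumed format."""
    return (f'[{ts}] SECURITY[2911] res_security_log.c: SecurityEvent="{event}",'
            f'Severity="Error",Service="PJSIP",EventVersion="2",AccountID="{account}",'
            f'SessionID="0x7f3c1c00a0",LocalAddress="IPV4/UDP/203.0.113.10/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/5060"')


# Constructed sample: a scanner (RFC 5737 test address) tries eight extensions in
# fourteen seconds at 02:14; an office user fails twice at 09:01 and then succeeds.
_SCANNER, _OFFICE = "198.51.100.7", "192.0.2.25"
SAMPLE_LOG = [
    _line(f"2026-06-06 02:14:{2 * i:02d}", event, account, _SCANNER)
    for i, (event, account) in enumerate([
        ("InvalidAccountID", "100"), ("InvalidAccountID", "101"),
        ("InvalidPassword", "200"), ("InvalidPassword", "201"),
        ("InvalidPassword", "202"), ("InvalidAccountID", "300"),
        ("InvalidPassword", "1000"), ("InvalidPassword", "1001"),
    ])
] + [
    _line("2026-06-06 09:01:10", "InvalidPassword", "201", _OFFICE),
    _line("2026-06-06 09:01:40", "InvalidPassword", "201", _OFFICE),
    _line("2026-06-06 09:02:05", "SuccessfulAuth", "201", _OFFICE),
]

if __name__ == "__main__":
    for cmd in block_commands(detect_bruteforce(SAMPLE_LOG)):
        print(cmd)
```

On the sample, only the scanner's address is flagged, at the fifth failure (02:14:08); the office user's two mistakes never reach the threshold. In practice the same logic is what fail2ban's SIP filters implement, and the block list should feed a firewall in front of the PBX rather than the PBX itself.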

The scale of losses

Toll fraud is significant precisely because the financial damage can accumulate so fast. A compromised system running many concurrent calls to high-cost destinations can generate charges far beyond a normal monthly bill within a single unattended period. The reason the figures climb so quickly is the combination of high per-minute rates on premium and certain international routes and the ability to run dozens of calls in parallel. The victim typically discovers the fraud only when an unusually large bill arrives or when a provider's fraud-monitoring system flags the spike.

Because the calls were placed through the account holder's own credentials, disputes over who pays can be difficult. Contracts commonly hold the account holder responsible for usage, including fraudulent usage, where reasonable security was not in place. This makes prevention far more valuable than recovery. Treating the phone system as a financial asset that needs protecting, rather than as a utility that simply works, reframes the security effort as a way of capping potential losses rather than an optional extra. The same reasoning argues for reading the provider's terms carefully before a problem arises, since they usually set out where the line of responsibility falls and whether any fraud cap or alert service is offered.

VoIP toll fraud prevention measures

Defending a VoIP system against toll fraud is a matter of layered controls, each closing a different avenue of attack. The table below sets out the main measures, what each addresses and the risk it reduces. No single control is sufficient on its own, but together they make a system a much harder and less profitable target.

Measure                             | What it does                             | Risk it reduces
------------------------------------|------------------------------------------|----------------------------------------
Strong, unique SIP passwords        | Replaces default and weak credentials    | Automated password guessing
International call barring          | Blocks calls to unneeded destinations    | High-cost premium and overseas routes
Spending and concurrency caps       | Limits spend and simultaneous calls      | Runaway overnight losses
Closed or firewalled admin ports    | Hides management from the open internet  | Direct attack on the control interface
IP allow-listing                    | Accepts traffic only from known sources  | Registration from unknown locations
Call-pattern monitoring and alerts  | Flags unusual volume or destinations     | Undetected ongoing fraud

What to configure to stay protected

Practical protection starts with the basics that attackers exploit most. Every extension, gateway and administrative account should use a strong, unique password, and any default credential shipped with a phone or gateway must be changed before the device goes live. Where the system or provider supports it, restricting which destinations can be dialled is among the most effective single controls: a business that never calls certain regions can bar them entirely, removing the most lucrative targets for a fraudster. Spending caps and limits on simultaneous calls put a ceiling on damage even if other defences fail.

It is worth being deliberate about call barring rather than treating it as a blunt switch. Many fraudulent calls target specific high-cost international ranges and premium-rate destinations that a typical UK business never dials, so barring those by default and opening only the destinations actually needed turns the dial plan into an allow-list rather than a block-list. The same logic applies to concurrency: a small office that would never legitimately place more than a handful of simultaneous calls can cap the system well below an attacker's preferred volume, so that even a successful intrusion cannot run the dozens of parallel calls that make the fraud profitable. These limits cost nothing to set and directly cap the worst-case bill.

Beyond credentials and call rules, the system's exposure should be reduced. Administration interfaces should not be reachable from the open internet, and where remote management is needed it should sit behind a firewall, a VPN or an allow-list of trusted addresses. Disabling features that are not used, such as outbound calling from voicemail or unrestricted call forwarding, removes whole categories of attack. Finally, monitoring matters because no configuration is perfect: alerts on unusual call volumes, calls to unexpected destinations or activity outside business hours allow a developing fraud to be stopped before the bill grows. Alerting should also cover the registration side, since a burst of failed SIP registrations from one address is the signature of an automated password sweep; tools such as fail2ban can block the source automatically from the PBX's logs. Keeping firmware and software up to date closes known vulnerabilities that attackers reuse.
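The allow-list dial plan, the concurrency and spending caps and the out-of-hours and destination alerts described in the three paragraphs above can all be expressed as a few rules over call records. The following is an added example, not code from the article or from any PBX, that applies those rules to one day's records. The number prefixes (09 premium rate and 070 personal numbers barred, only two international prefixes opened), the per-minute rates, the caps, the working hours and the call records themselves are assumptions constructed for a hypothetical small office; real tariffs and destinations come from the provider and the business's own call history.

```python
"""Added example (not from the original article): an allow-list dial plan
check and a CDR sweep applying spend, concurrency, destination and
out-of-hours rules.

Every prefix, rate, cap and record below is an assumption constructed for
illustration, not a real tariff or number plan.
"""
from datetime import datetime, time

ALLOWED_INTERNATIONAL = ("00353", "0033")       # Ireland, France (assumption)
BARRED_PREFIXES = ("09", "070")                 # premium rate, personal numbers (assumption)
MAX_CONCURRENT = 4                              # assumed small-office cap
DAILY_SPEND_CAP_GBP = 50.0                      # assumed spending cap
BUSINESS_HOURS = (time(8, 0), time(18, 30))     # assumed working day


def normalise(number: str) -> str:
    """Strip spaces and turn a '+' international prefix into the UK '00' form."""
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    return "00" + digits[1:] if digits.startswith("+") else digits


def dial_allowed(number: str) -> bool:
    """Allow-list policy: international and premium destinations are denied
    unless explicitly opened; ordinary domestic numbers pass."""
    n = normalise(number)
    if n.startswith(BARRED_PREFIXES):
        return False
    if n.startswith("00"):
        return n.startswith(ALLOWED_INTERNATIONAL)
    return True


def rate_per_minute(number: str) -> float:
    """Illustrative per-minute charges in GBP (assumption, not real tariffs)."""
    n = normalise(number)
    if n.startswith("09"):
        return 1.50
    if n.startswith("00"):
        return 0.80
    return 0.02


def analyse_cdrs(cdrs):
    """Sweep one day's call records; return (alerts, spend_gbp, peak_concurrency).

    Alerts fire per call for a barred destination or an out-of-hours start,
    and once per day for a breached spend cap or concurrency cap.
    """
    alerts, spend, events = [], 0.0, []
    for rec in cdrs:
        start = datetime.fromisoformat(rec["start"])
        end = datetime.fromisoformat(rec["end"])
        spend += (end - start).total_seconds() / 60 * rate_per_minute(rec["dst"])
        events += [(start, 1), (end, -1)]
        if not dial_allowed(rec["dst"]):
            alerts.append(("barred_destination", rec["src"], rec["dst"]))
        if not (BUSINESS_HOURS[0] <= start.time() <= BUSINESS_HOURS[1]):
            alerts.append(("out_of_hours", rec["src"], rec["dst"]))
    if spend > DAILY_SPEND_CAP_GBP:
        alerts.append(("spend_cap_exceeded", round(spend, 2)))
    # Sweep-line over start/end events; ends sort before starts at the same
    # instant because -1 < 1, so back-to-back calls are not double counted.
    live = peak = 0
    for _, delta in sorted(events):
        live += delta
        peak = max(peak, live)
    if peak > MAX_CONCURRENT:
        alerts.append(("concurrency_cap_exceeded", peak))
    return alerts, round(spend, 2), peak


# Constructed records: five overlapping overnight calls from one extension to
# high-cost destinations (00252 is not on the allow-list; 0909 is premium),
# followed by one ordinary daytime call to a London number.
SAMPLE_CDRS = [
    {"start": "2026-06-06T02:00:00", "end": "2026-06-06T02:30:00", "src": "201", "dst": "0025212345678"},
    {"start": "2026-06-06T02:05:00", "end": "2026-06-06T02:35:00", "src": "201", "dst": "0025212345679"},
    {"start": "2026-06-06T02:10:00", "end": "2026-06-06T02:40:00", "src": "201", "dst": "0909123456"},
    {"start": "2026-06-06T02:15:00", "end": "2026-06-06T02:45:00", "src": "201", "dst": "0025212345680"},
    {"start": "2026-06-06T02:20:00", "end": "2026-06-06T02:50:00", "src": "201", "dst": "0025212345681"},
    {"start": "2026-06-06T10:00:00", "end": "2026-06-06T10:05:00", "src": "105", "dst": "02071234567"},
]

if __name__ == "__main__":
    alerts, spend, peak = analyse_cdrs(SAMPLE_CDRS)
    print(f"spend £{spend}, peak concurrency {peak}")
    for alert in alerts:
        print(alert)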

What to do if fraud is detected

Speed limits the loss once fraud is under way, so the first priority is to stop the calls. That usually means contacting the provider immediately to suspend outbound calling or the affected account, then changing the compromised credentials and closing whatever route was used to get in, whether an exposed administration port, a guessable extension password or an over-permissive dial plan. Because an attacker who found one weakness will often have probed for others, a business should treat a confirmed intrusion as a reason to review the whole configuration rather than to patch only the single hole that was exploited.

After the immediate bleeding is stopped, the focus shifts to evidence and recurrence. The business should preserve the call records showing the fraudulent traffic, report the matter to its provider and, where appropriate, to Action Fraud, the national reporting route for fraud and cyber crime that GOV.UK signposts for England, Wales and Northern Ireland (Police Scotland in Scotland), and keep a dated note of what was found and changed. Reviewing how the fraud went undetected for as long as it did is the most useful step for preventing a repeat, since it usually points to a missing alert or an unmonitored out-of-hours window. Tightening monitoring and call limits in light of that review turns a costly incident into a permanent improvement in the system's defences.

Frequently Asked Questions

What is VoIP toll fraud?

VoIP toll fraud is the unauthorised use of a business phone system to place expensive calls at the account holder's expense. Criminals route the calls to premium-rate or costly international numbers they profit from, often because those ranges pay a share of the charge back to whoever terminates the traffic. Because the calls go through a legitimate account, they appear as normal usage until the total becomes obvious.

How do criminals commit VoIP toll fraud?

They typically gain access by guessing weak or default SIP passwords on systems exposed to the internet, then register as a valid extension and dial out. Other routes include misconfigured dial plans that relay calls from outside, voicemail systems that allow outbound calling, and exposed management consoles. Automated tools scan the internet continuously, so even a newly connected system can be found and attacked within a short time.

How much money do businesses lose to VoIP fraud?

Losses vary widely, but the danger is how fast charges accumulate. A compromised system running many concurrent calls to high-cost destinations can generate charges far beyond a normal monthly bill within a single unattended night or weekend. The combination of high per-minute rates and parallel calls is what drives the totals, which is why spending and concurrency caps are such valuable controls.

How do I protect my VoIP system from toll fraud?

Use strong unique passwords on every extension and admin account, change all default credentials, and bar calls to destinations the business does not need. Apply spending and concurrency caps, keep administration interfaces off the open internet, and monitor for unusual call patterns. Layering these controls makes the system a far harder target, and limiting destinations and concurrency caps the worst-case bill even if an attacker gets in.

What should I check in my VoIP configuration for security?

Check that no default passwords remain, that SIP and admin ports are not openly exposed, and that the dial plan does not allow outside callers to relay through the system. Review call barring, spending limits, voicemail outbound-calling settings and call-forwarding rules. Confirm that monitoring and alerts are active, including for out-of-hours activity, and that firmware is current so known vulnerabilities are closed.

DISCLAIMER: Kael Tripton Ltd is not authorised or regulated by the Financial Conduct Authority. This article is for informational purposes only and does not constitute financial, legal, or professional advice. Always seek independent professional advice before making financial decisions. Kael Tripton Ltd, registered in England and Wales (No. 17177071), is registered with the ICO under ZC135439.

Editorial Disclaimer

The content on Kaeltripton.com is for informational and educational purposes only and does not constitute financial, investment, tax, legal or regulatory advice. Kaeltripton.com is not authorised or regulated by the Financial Conduct Authority (FCA) and is not a financial adviser, mortgage broker, insurance intermediary or investment firm. Nothing on this site should be construed as a personal recommendation. Rates, figures and product details are indicative only, subject to change without notice, and should always be verified directly with the relevant provider, HMRC, the FCA register, the Bank of England, Ofgem or other appropriate authority before any financial decision is made. Past performance is not a reliable indicator of future results. If you require regulated financial advice, please consult a qualified adviser authorised by the FCA.

Chandraketu (CK) Tripathi, founder and lead editor of Kael Tripton. 22 years in finance and marketing across 23 markets. Writes on UK personal finance, tax, mortgages, insurance, energy, and investing. Sources: HMRC, FCA, Ofgem, BoE, ONS.
