Toll Fraud Prevention: Protecting Your Business

Toll fraud (also known as PBX fraud, telecom fraud, or International Revenue Share Fraud — IRSF) remains one of the most financially damaging threats to businesses in 2026. Fraudsters exploit vulnerabilities in phone systems — especially VoIP, cloud PBX, and unified communications platforms — to make unauthorized, high-volume calls to premium-rate international numbers they control. The business pays the massive long-distance or international charges, while fraudsters collect revenue shares from carriers.

With the rise of remote work, cloud telephony adoption, and AI tools aiding attackers, toll fraud losses continue to climb. Global telecom fraud losses reached $41.82 billion in 2025 (up from $38.95 billion in 2023), with IRSF and related schemes among the top contributors.

This guide explains what toll fraud is, how it works, current trends, and practical, actionable steps to prevent it and protect your organization.

What Is Toll Fraud (IRSF)?

Toll fraud occurs when attackers gain access to your phone system and generate artificial traffic to expensive destinations:

Premium-rate numbers in high-cost countries or regions.
Revenue-sharing schemes where fraudsters partner with overseas operators to split call termination fees.

Common entry points: Weak/default credentials on VoIP gateways, exposed SIP ports, compromised extensions, or phishing/vishing to obtain admin access.

Attackers often use automated scripts to place thousands of short calls overnight or during off-hours, racking up bills in the tens or hundreds of thousands before detection. A single incident can bankrupt small-to-medium businesses.

Related variants include:

Wangiri (one-ring) scams — Brief missed calls from premium numbers to lure callbacks.
Traffic pumping — Inflating calls to high-rate domestic numbers.

In 2025-2026, attackers increasingly combine IRSF with AI voice cloning for social engineering or exploit misconfigured cloud PBX systems.

Why Businesses Are at Risk in 2026

Widespread VoIP/cloud adoption creates more attack surfaces.
Remote/hybrid work exposes systems to home networks and weak endpoints.
Default/weak passwords, unpatched firmware, and open SIP ports remain common.
Global fraud losses: Telecom fraud hit $41.82 billion in 2025, with IRSF as a leading vector.
Single attacks can cost $50,000–$500,000+; recovery is difficult as carriers often bill legitimately routed calls.

How Toll Fraud Typically Occurs

Reconnaissance — Scanners probe for open SIP/VoIP ports (e.g., UDP 5060) or vulnerable PBX systems.
Exploitation — Brute-force credentials, exploit known vulnerabilities, or use stolen admin access via phishing.
Compromise — Register fraudulent extensions or route calls through your system.
Fraudulent Traffic — Generate high-volume calls to premium/international numbers.
Monetization — Fraudsters receive revenue share; you get the bill weeks later.

Best Practices for Toll Fraud Prevention

Implement layered defenses across people, processes, and technology.

Secure Your PBX/VoIP System Basics

Change all default passwords immediately; enforce strong, unique credentials (minimum 12 characters, complexity).
Enable multi-factor authentication (MFA) for admin portals and softphones.
Disable unused features (e.g., international dialing if not needed, direct inward dial without restrictions).
Use TLS/SRTP for signaling and media encryption to prevent eavesdropping/man-in-the-middle.

Restrict Call Permissions and Destinations

Implement least privilege: Block international/premium-rate calls by default; whitelist allowed countries/patterns.
Set call rate limits (e.g., max calls per hour per extension).
Block high-risk country codes or known premium-rate ranges (e.g., certain +44, +1 rural NPAs).
Use class-of-service (CoS) policies to segment users/extensions.

Monitor and Alert in Real Time

Deploy real-time traffic monitoring for anomalies: Spikes in call volume, short-duration calls (<15s), off-hours activity, unusual destinations.
Set alerts for thresholds (e.g., >X calls/hour to international, sudden usage increase).
Review CDRs (Call Detail Records) daily/weekly; use analytics tools for pattern detection.

Network and Firewall Hardening

Firewall VoIP traffic: Allow only trusted IP ranges; block direct internet exposure of SIP ports.
Use VPNs for remote access; avoid exposing PBX to the public internet.
Regularly patch firmware, VoIP software, and gateways.

Employee Awareness and Policies

Train staff on phishing/vishing risks (common entry for credential theft).
Establish incident response: What to do if unusual calls/activity detected.
Require verification for any changes to telecom configs.

Leverage Provider and Third-Party Tools

Choose VoIP providers with built-in fraud detection (e.g., real-time blocking, AI anomaly detection).
Use fraud prevention services (e.g., SecureLogix, TransNexus) for advanced monitoring.
Enable STIR/SHAKEN (caller ID authentication) where applicable to reduce spoofing in/out.

Incident Response and Recovery

If fraud occurs: Immediately isolate the system, change all credentials, contact your carrier to dispute charges (provide evidence).
Document everything; report to authorities (e.g., FCC in US, local cybercrime units).
Consider cyber insurance covering telecom fraud.

Quick-Start Checklist

[ ] Audit current PBX/VoIP config today.
[ ] Block international calls if unused.
[ ] Enable MFA and strong passwords.
[ ] Set up real-time alerts for anomalies.
[ ] Schedule monthly traffic reviews.
[ ] Train team on telecom security risks.

Toll fraud is preventable with proactive controls. By treating your phone system like any critical IT asset — with monitoring, restrictions, and vigilance — you can avoid devastating bills and maintain business continuity.