What Is Toll Fraud?
Toll fraud occurs when attackers exploit telecommunications systems to make unauthorized calls, typically to premium rate numbers or international destinations where they receive a share of the call revenue. VoIP and UCaaS platforms are particularly vulnerable because they often lack the physical security controls of traditional phone systems.
The Communications Fraud Control Association (CFCA) estimates global telecom fraud losses exceed $38 billion annually, with toll fraud representing the largest single category. Average losses for affected businesses range from $10,000 to over $500,000 per incident.
How Toll Fraud Works
Attackers typically follow a predictable pattern:
- Reconnaissance — Scan for vulnerable PBX systems, SIP endpoints, or weak credentials
- Compromise — Gain access through brute force, default passwords, or exploits
- Setup — Configure call forwarding to premium rate numbers they control
- Exploitation — Generate high-volume calls during off-hours (nights, weekends)
- Monetization — Collect revenue share from premium rate providers
Common Types of Toll Fraud
International Revenue Share Fraud (IRSF)
IRSF is the most prevalent and damaging form of toll fraud. Attackers route calls to high-cost international destinations where they have revenue-sharing arrangements with local carriers. Common target countries include:
- Cuba — Premium rates over $1/minute
- Somalia — Limited regulatory oversight
- Latvia — High premium rate availability
- Guinea — Expensive termination rates
- Sierra Leone — Revenue share opportunities
A single compromised system can generate $50,000+ in fraudulent charges over a weekend before detection.
Premium Rate Number Fraud
Attackers redirect calls to premium rate numbers (900 numbers in the US, or international equivalents) that charge high per-minute fees. Unlike IRSF, this can occur domestically and may be harder to detect in call logs.
PBX Hacking
Direct compromise of Private Branch Exchange (PBX) systems through:
- Default credentials — Many systems ship with admin/admin or similar
- Voicemail exploitation — Using voicemail systems to relay calls
- DISA abuse — Direct Inward System Access configured without PINs
- Maintenance ports — Unsecured remote administration interfaces
Wangiri (One Ring) Fraud
Automated systems call numbers and hang up after one ring, prompting callbacks to premium rate numbers. While this targets individuals, it can affect business systems that auto-dial missed calls.
Detect high-risk numbers before calls connect. Identify premium rate and high-cost destinations in real-time.
Get Free API KeyToll Fraud Detection Techniques
Real-Time Call Pattern Analysis
Effective fraud detection requires analyzing call patterns as they occur:
# Real-time toll fraud detection patterns
FRAUD_INDICATORS = {
# Sudden spike in international calls
'international_burst': {
'threshold': 10, # calls
'window': 300, # 5 minutes
'action': 'block_and_alert'
},
# Calls during unusual hours
'off_hours_international': {
'hours': range(0, 6), # midnight to 6am
'destination': 'international',
'action': 'require_pin'
},
# High-cost destination attempts
'high_risk_country': {
'country_codes': ['53', '252', '371', '224', '232'],
'action': 'block_and_alert'
},
# Unusually long calls
'extended_duration': {
'threshold': 3600, # 1 hour
'destination': 'international',
'action': 'alert'
}
}Baseline Behavioral Analysis
Establish normal calling patterns for your organization:
- Time-of-day patterns — When do legitimate calls typically occur?
- Geographic distribution — Which countries/regions are normal?
- Call duration averages — What's typical for your business?
- Per-extension limits — How many calls per hour is normal?
Deviations from established baselines trigger alerts for investigation.
Number Intelligence Integration
Pre-call lookups identify high-risk destinations before connecting:
# Pre-call fraud screening
def screen_outbound_call(destination_number):
# Lookup number intelligence
intel = veriroute_lookup(destination_number, lrn=True)
risk_score = 0
risk_factors = []
# Check line type
if intel.get('line_type') == 'premium':
risk_score += 50
risk_factors.append('premium_rate_number')
# Check country risk
country = intel.get('country_code')
if country in HIGH_RISK_COUNTRIES:
risk_score += 30
risk_factors.append(f'high_risk_country_{country}')
# Check for recent porting (fraud indicator)
if intel.get('ported_recently'):
risk_score += 20
risk_factors.append('recently_ported')
# Check carrier reputation
carrier = intel.get('carrier')
if carrier in KNOWN_FRAUD_CARRIERS:
risk_score += 40
risk_factors.append('suspicious_carrier')
return {
'allow': risk_score < 50,
'risk_score': risk_score,
'factors': risk_factors,
'require_auth': risk_score >= 30
}Toll Fraud Prevention Strategies
1. Access Control Hardening
| Control | Implementation | Priority |
|---|---|---|
| Strong passwords | Minimum 12 characters, complexity requirements | Critical |
| Account lockout | 5 failed attempts = 30 minute lockout | Critical |
| SIP authentication | Require digest auth for all endpoints | Critical |
| Two-factor auth | Admin access requires 2FA | High |
| IP allowlisting | Restrict SIP registration to known IPs | High |
2. Geographic Restrictions
Implement layered geographic controls:
- Default deny — Block all international destinations by default
- Whitelist countries — Enable only countries your business actually calls
- Premium rate blocking — Block all 900/976/premium prefixes
- Per-user permissions — Only authorized users can dial internationally
# Geographic restriction configuration
DESTINATION_POLICY = {
'default': 'deny',
'allowed': {
'1': 'allow', # US/Canada - no restrictions
'44': 'auth', # UK - require PIN
'49': 'auth', # Germany - require PIN
'33': 'auth', # France - require PIN
},
'blocked': {
'53': 'block', # Cuba
'252': 'block', # Somalia
'960': 'block', # Maldives
},
'premium_prefixes': {
'1900': 'block',
'1976': 'block',
'1809': 'limit', # Caribbean - rate limit
}
}3. Rate Limiting and Thresholds
Set limits at multiple levels to contain damage:
- Per-extension limits — Max calls per hour per extension
- Daily spending caps — Maximum daily international spend
- Concurrent call limits — Maximum simultaneous international calls
- Duration limits — Maximum call duration for high-cost destinations
# Rate limiting configuration
RATE_LIMITS = {
'per_extension': {
'international_calls_per_hour': 5,
'premium_calls_per_day': 0, # blocked
'concurrent_international': 2
},
'per_account': {
'international_spend_daily': 500.00,
'international_calls_daily': 50,
'max_call_duration_intl': 3600 # 1 hour
},
'system_wide': {
'international_calls_per_minute': 20,
'alert_threshold_spend': 1000.00
}
}4. Real-Time Monitoring and Alerting
Deploy monitoring that catches fraud as it happens:
- CDR streaming — Analyze call records in real-time, not after the fact
- Anomaly detection — Alert on deviations from baseline patterns
- Threshold alerts — Immediate notification when limits approached
- 24/7 response — Automated blocking for confirmed fraud patterns
Monitor your calling patterns with number intelligence. Real-time carrier and line type data for fraud detection.
View API DocsVoIP-Specific Protections
SIP Security Hardening
VoIP systems face unique attack vectors requiring specific countermeasures:
- SIP TLS — Encrypt all SIP signaling with TLS 1.2+
- SRTP — Encrypt media streams
- Fail2ban — Block IPs after repeated failed SIP registrations
- SIP ALG disabled — Avoid NAT helper vulnerabilities
- Registration timeouts — Short expiry to detect compromised credentials faster
# Fail2ban configuration for SIP protection
[asterisk]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/security
maxretry = 3
bantime = 86400 # 24 hours
findtime = 300 # 5 minutesVoicemail System Hardening
Voicemail is a common attack vector:
- No default PINs — Force PIN change on first access
- Minimum PIN length — 6+ digits required
- Disable outdial — Block call transfers from voicemail
- Lock after failures — 3 wrong PINs = temporary lockout
Toll Fraud Incident Response
Immediate Actions (First 15 Minutes)
- Block international dialing — Disable all outbound international immediately
- Disconnect compromised extensions — Isolate affected accounts
- Contact carrier — Report fraud, request call blocking
- Preserve logs — Capture CDRs, SIP logs, system logs
Investigation Phase (First 24 Hours)
- Identify entry point — How did attackers gain access?
- Scope assessment — Which extensions/accounts compromised?
- Timeline reconstruction — When did fraud start?
- Damage assessment — Calculate total fraudulent charges
Recovery and Prevention
- Reset all credentials — SIP passwords, admin passwords, voicemail PINs
- Implement restrictions — Apply geographic and rate limits
- Enhanced monitoring — Deploy real-time fraud detection
- Carrier notification — Dispute fraudulent charges (success varies)
Toll Fraud Prevention Checklist
Essential Controls
- Change all default passwords and PINs
- Enable SIP authentication on all endpoints
- Block premium rate numbers (900, 976)
- Implement geographic restrictions
- Set daily spending limits
- Enable failed login detection (Fail2ban)
Enhanced Protections
- Deploy real-time CDR monitoring
- Integrate number intelligence for pre-call screening
- Enable TLS/SRTP encryption
- Implement IP allowlisting for SIP registration
- Configure after-hours call restrictions
- Establish incident response procedures
Working with Your Carrier
Your carrier should provide fraud protection tools:
- Fraud alerts — Real-time notification of suspicious activity
- Spending caps — Hard limits on international charges
- Destination blocking — Carrier-level high-risk country blocking
- CDR access — Real-time or near-real-time call records
- Fraud insurance — Coverage for unauthorized charges
Request SLAs for fraud response times and understand your liability for unauthorized calls.
Cost-Benefit of Fraud Prevention
Prevention costs far less than fraud losses:
| Investment | Monthly Cost | Protection Value |
|---|---|---|
| Real-time monitoring | $100-500 | Detect fraud in minutes vs. days |
| Number intelligence API | $50-200 | Block premium rate before connecting |
| Geographic restrictions | $0 (configuration) | Eliminate 90%+ of IRSF risk |
| Security audit | $2,000-5,000 (annual) | Identify vulnerabilities proactively |
A single IRSF incident can exceed $50,000 in charges. Annual prevention investment of $5,000-10,000 provides substantial ROI.
Frequently Asked Questions
Who is liable for toll fraud charges?
In most cases, the business whose system was compromised is liable for fraudulent charges. Carriers typically hold account holders responsible for all calls originating from their service, regardless of authorization. Some carriers offer fraud protection programs or insurance, but coverage varies. Prevention is critical because recovering funds after fraud is difficult and rarely successful.
How quickly can toll fraud damage accumulate?
Toll fraud damage can accumulate extremely quickly. Attackers often generate hundreds of simultaneous calls to premium rate numbers charging $2-5 per minute. A single weekend attack can generate $50,000-$100,000+ in fraudulent charges. Most attacks occur during off-hours (nights, weekends, holidays) when monitoring is reduced. Detection within minutes rather than hours is essential.
What's the most effective toll fraud prevention measure?
The most effective single measure is geographic restriction with default-deny policy. Block all international destinations by default, then whitelist only countries your business legitimately needs to call. This eliminates the majority of IRSF risk immediately. Combine with strong authentication, rate limiting, and real-time monitoring for comprehensive protection.
Can number intelligence APIs help prevent toll fraud?
Yes, number intelligence APIs provide valuable pre-call screening capabilities. They can identify premium rate numbers, high-risk destinations, and suspicious carriers before calls connect. By integrating lookups into your call routing logic, you can block high-risk calls automatically. The cost of lookups (fractions of a cent) is negligible compared to potential fraud losses.