Key Takeaways:
- VoIP and PBX fraud is on the rise as attackers automate scans for vulnerable phone systems.
- Open or poorly secured SIP ports (5060 and 5061) are common entry points.
- A single compromised trunk can rack up tens of thousands of rand in international call charges.
- Most incidents are preventable through strong authentication, encryption, and real-time monitoring.
- Businesses that rely on international calling can stay safe with whitelists, call limits, and trusted providers.
Hosted PBX and cloud voice systems have made business communication easier than ever. But as more companies move their phone systems online, fraudsters have found new ways to exploit weak spots that often go unnoticed.
VoIP and PBX fraud has evolved quietly over the past few years. What started as the occasional opportunistic attack has become a steady, automated operation that targets businesses of all sizes. The results can be costly, from inflated call bills to service disruptions that affect day-to-day productivity.
Let’s take a closer look at how these scams work, what has changed in recent years, and what every business should know to protect its phone systems.
How VoIP and PBX Fraud Happens
Fraudsters rarely need to break through sophisticated defences. Instead, they rely on poor configuration and weak passwords. Most attacks follow a predictable pattern.
Scanning for open doors
Automated bots constantly scan the internet for devices running SIP services, usually through port 5060 or port 5061. For context, port 5060 handles standard SIP traffic and is unencrypted, while port 5061 is encrypted using TLS (Transport Layer Security). When a system responds, it’s added to the attacker’s list of potential targets.Testing for weak credentials
Attackers try default usernames, easy passwords, or stolen credentials from leaked provisioning files. If authentication succeeds, they can register on the PBX as if they were a legitimate user or trunk.Placing calls for profit
Once inside, the attacker routes thousands of calls to expensive international or premium-rate destinations. Every minute of these calls costs the business real money, while the fraudster collects a share of the termination revenue through overseas carriers.Covering their tracks
The calls usually start over weekends or at night when systems aren’t monitored. By Monday morning, it’s too late – the company has already accumulated thousands of rand in unauthorised charges.
Some criminals go further, using voicemail systems, auto-attendants, or forwarding features to route calls indirectly. Others exploit outdated firmware on gateways or phones that still use default logins.
A Real Problem, Close to Home
VoIP fraud is not a distant threat. South African companies have been targeted for years.
In one documented incident, a local business woke up to a phone bill exceeding R180,000 after its PBX was compromised over a single weekend. Another case saw a small organisation lose around R25,000 when its SIP trunk was hijacked and used to make international calls.
Industry experts have also warned that international fraud syndicates are now targeting South African networks, exploiting unprotected systems and weak reseller setups. This shows that the risk is both local and ongoing.
Why It’s Increasing
A few key shifts explain the growing frequency of these VoIP and PBX attacks:
Automation at scale. Attack tools can scan millions of IP addresses in hours, looking for open SIP ports.
Hybrid environments. Businesses now mix on-premise PBXs, softphones, and cloud extensions, creating more entry points.
Unsecured provisioning. Some resellers and installers store SIP credentials in plain text or reuse passwords across customers.
Low awareness. Many businesses assume that because their PBX is hosted, the provider handles all security, which isn’t always true.
Fraudsters rely on these assumptions. They know most companies don’t monitor call traffic in real time or have strict spending limits in place.
Practical Steps to Protect Your Business
For businesses:
Review every PBX and SIP trunk configuration for weak or reused passwords.
Enable IP-based authentication wherever possible.
Restrict outbound dialling to specific destinations.
Set daily or weekly call limits and receive automatic alerts.
Keep all devices and firmware up to date.
Check your call detail records regularly for unfamiliar destinations.
For service providers and resellers:
Use encrypted provisioning and avoid shared credentials.
Harden SBCs and disable unused interfaces.
Implement real-time fraud detection tools and automatic blocking.
Offer customers visibility into their usage and spending.
Have a clear escalation plan for suspected fraud.
What about businesses that rely on international calling?
International calling is essential for many South African businesses. The goal isn’t to restrict these calls but to control and monitor them intelligently.
A secure PBX setup can still allow international traffic while protecting against abuse. Businesses that depend on global communication should:
Whitelist only the destinations they actually call. For example, if your business deals with the UK and Mauritius, there’s no reason to keep high-risk prefixes like +882 or +881 open.
Set per-extension limits. Cap the number or duration of international calls each user can make per day or week.
Use real-time monitoring. Many hosted PBX providers can alert you if call volume spikes or if unusual destinations are dialled.
Review call logs regularly. A quick look at your call detail records can reveal anomalies early – before costs escalate.
Work with your provider. A good provider can configure outbound rules and automated thresholds so that your system stays open for business but closed to fraudsters.
International communication doesn’t have to be a risk. With proper policies and technical controls in place, you can keep global lines open and your business protected.
Choosing a Secure Provider
Security should be part of your buying decision, not an afterthought. When comparing providers, ask:
Do they use TLS and SRTP by default?
Can they apply spending limits and destination controls?
Do they offer real-time monitoring and alerting?
What steps do they take if suspicious activity is detected?
A reliable provider will be transparent about their protections and happy to explain how they help detect and stop fraudulent activity.
Final Thoughts
VoIP and PBX fraud may not make headlines, but it remains one of the most costly and preventable telecom threats facing businesses today. The technology itself isn’t the problem – neglect is.
A few simple steps, such as strengthening authentication, restricting outbound calls, and monitoring traffic, can prevent thousands of rand in losses. Whether your system is hosted or on-premise, take the time to review its security posture. It’s a quick exercise that could save your business from becoming the next statistic.
You might also like:
