What is Toll Fraud?
Toll fraud is the criminal abuse of a business phone system — typically a PBX, a SIP trunk, or a misconfigured voicemail gateway — to place high-cost calls billed to the victim. The most common variant routes traffic to international premium-rate destinations where the attacker earns a share of every connected minute. By morning the victim has a five- or six-figure bill for calls they never placed.
How toll fraud works
A toll-fraud attack has three pieces:
- Access — the attacker breaks into the phone system. Common doors: weak SIP credentials brute-forced from the public internet, default voicemail PINs, open outbound routes on a misconfigured PBX, or a stolen SIP endpoint credential reused elsewhere.
- Outbound route — the attacker uses the access to dial international or premium-rate numbers, often during nights and weekends to avoid detection.
- Revenue share — when those calls land at destinations the attacker controls (International Revenue Share Fraud, IRSF), the attacker collects a per-minute kickback from the destination carrier.
A single compromised SIP account can drain tens of thousands of dollars in a few hours before any human notices.
Most common toll-fraud patterns
- IRSF (International Revenue Share Fraud): dialing premium-rate ranges in obscure country codes that pay the destination carrier (and the fraudster) a per-minute share.
- PBX dial-through: abusing a poorly secured voicemail “outbound transfer” feature to dial any external number from inside the trusted PBX.
- SIP brute force: scanning the internet for SIP endpoints and password-spraying common usernames and PINs until a credential works.
- Wangiri (“one-ring”) callbacks: a single ring from a premium-rate number prompts unsuspecting employees to call back, generating the fraud charge inbound rather than outbound.
- Insider fraud: an authorised user routes high-cost calls through corporate trunks for personal benefit.
How to prevent toll fraud
- Disable international and premium-rate destinations by default. Whitelist only the country codes the business actually needs.
- Enforce strong SIP credentials — long random passwords, IP allowlisting on the SIP registrar, and certificate-based auth where supported.
- Lock the PBX and voicemail to disallow outbound transfer from inbound legs, and replace default PINs.
- Front the phone system with a session border controller that rate-limits, geofences, and authenticates registrations.
- Real-time monitoring: anomaly detection on call volume by destination, time of day, and per-extension cost — most providers will alert on a sudden spike to high-rate destinations.
- Spending caps at the trunk and account level so an unauthorised burst halts automatically rather than running until morning.
- Deploy STIR/SHAKEN signing and validation so spoofed and mismatched-attestation calls can be flagged or rejected.
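The default-deny destination rule and the spending cap from the list above can be combined into one call-admission check. This is an added example, not DialPhone's or any PBX vendor's code; the allowlist, blocked ranges, rates, `TrunkGuard` and `to_e164_digits` are hypothetical, and it assumes international calls arrive as `+CC`, `00CC` or `011CC`.

```python
from dataclasses import dataclass

# Assumed policy, constructed for illustration; load real values from the carrier's rate deck.
ALLOWED_PREFIXES = ("1", "44")            # country codes the business actually calls
BLOCKED_PREFIXES = ("1900", "449")        # premium-rate ranges inside allowed codes (+1 900, +44 9x)
RATE_PER_MIN = {"1": 0.125, "44": 0.25}   # hypothetical per-minute rates

def to_e164_digits(dialed, home_cc="1"):
    """Normalise a dialed string to E.164 digits so prefix checks cannot be
    sidestepped by formatting (spaces, dashes, 00 / 011 instead of +)."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if dialed.strip().startswith("+"):
        return digits
    for intl_prefix in ("011", "00"):
        if digits.startswith(intl_prefix):
            return digits[len(intl_prefix):]
    return home_cc + digits  # assumed: national number without a trunk prefix

@dataclass
class TrunkGuard:
    cap: float          # spending cap for this trunk in the current billing window
    spent: float = 0.0

    def admit(self, dialed):
        """Decide before the call is routed; anything not explicitly allowed is denied."""
        number = to_e164_digits(dialed)
        if self.spent >= self.cap:
            return "deny:spending-cap"
        if number.startswith(BLOCKED_PREFIXES):
            return "deny:blocked-range"
        if not number.startswith(ALLOWED_PREFIXES):
            return "deny:not-allowlisted"
        return "allow"

    def charge(self, dialed, minutes):
        """Record the cost of a completed, previously admitted call."""
        number = to_e164_digits(dialed)
        cc = max((p for p in ALLOWED_PREFIXES if number.startswith(p)), key=len)
        self.spent += RATE_PER_MIN[cc] * minutes
```

Checking blocked ranges before the allowlist matters because a premium-rate range can sit inside a country code the business legitimately needs.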
What to do during an active toll-fraud incident
- Pull the plug: temporarily block all international or premium-rate destinations at the trunk to stop the bleed while investigating.
- Rotate credentials for every SIP endpoint that was potentially exposed.
- Open a fraud case with the carrier within the contractual window — many disputes succeed only if reported within hours, not days.
- Pull CDRs: confirm the destination ranges, attack window, and originating extension or trunk, then keep them as evidence.
- Patch the entry point before re-enabling outbound routes, or the attack resumes the moment service is restored.
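The monitoring bullet in the prevention list and the "Pull CDRs" step above both come down to the same pass over call detail records: isolate calls to destinations outside the allowlist, then report the attack window, destination ranges and originating extensions. The sketch below is an added example, not part of the original page; the CSV column layout, the allowlist, the off-hours definition and the sample records (with `999` as a placeholder destination code) are all constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs, not real traffic.
SAMPLE_CDRS = """\
start,src,dst,seconds,cost
2024-03-08T14:02:11,1001,12125550142,180,0.05
2024-03-09T01:13:40,1007,9995550101,600,24.00
2024-03-09T01:14:05,1007,9995550102,540,21.50
2024-03-09T02:40:00,1007,9995550177,900,36.00
2024-03-09T03:05:30,1012,99944400010,300,12.50
2024-03-09T09:30:00,1003,442079460000,240,0.20
"""

def triage(csv_text, allowed=("1", "44"), range_len=5):
    """Summarise calls to non-allowlisted destinations; None if there are none."""
    suspects = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["dst"].startswith(allowed):
            continue  # expected business traffic
        start = datetime.fromisoformat(row["start"])
        end = start + timedelta(seconds=int(row["seconds"]))
        suspects.append((start, end, row["src"], row["dst"], float(row["cost"])))
    if not suspects:
        return None

    cost_by_src = defaultdict(float)
    for _, _, src, _, cost in suspects:
        cost_by_src[src] += cost

    def off_hours(ts):  # assumed definition: nights (20:00-06:00) and weekends
        return ts.hour < 6 or ts.hour >= 20 or ts.weekday() >= 5

    return {
        # First suspect call start to last suspect call end.
        "window": (min(s[0] for s in suspects), max(s[1] for s in suspects)),
        # Leading digits of each destination, to spot a concentrated range.
        "ranges": Counter(s[3][:range_len] for s in suspects),
        # Which extensions or trunks to rotate credentials for first.
        "cost_by_src": dict(cost_by_src),
        "off_hours": sum(1 for s in suspects if off_hours(s[0])),
    }
```

Run on a schedule against recent CDRs, the same summary works as a spike alert; run once over the incident period, it produces the evidence the carrier dispute needs.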
Toll fraud frequently asked questions
What is toll fraud in telecom?
Toll fraud is the criminal hijacking of a business phone system to place expensive calls billed to the victim. The classic pattern is breaking into a PBX or SIP trunk and routing thousands of minutes to international premium-rate destinations the attacker shares revenue with.
How does toll fraud happen?
Attackers gain access via weak SIP credentials exposed to the internet, default voicemail PINs, or misconfigured outbound routes that allow inbound legs to dial outside numbers. Once in, they place high-cost international calls — usually overnight — until the victim’s bill or carrier limits stop them.
What is IRSF?
IRSF (International Revenue Share Fraud) is the dominant flavour of toll fraud. Calls are routed to premium-rate ranges in obscure countries where the destination carrier pays a per-minute share to whoever drove the traffic. The fraudster is on the receiving end of that revenue split.
How can businesses prevent toll fraud?
Disable international and premium-rate destinations by default, enforce strong SIP credentials with IP allowlisting, front the phone system with a session border controller, set per-trunk spending caps, and monitor for anomalous call volume by destination and time of day so a burst triggers an alert in minutes rather than a bill in the morning.
See how DialPhone fits
DialPhone’s business phone ships with international-destination locking, spending caps, anomaly alerts, and STIR/SHAKEN attestation enabled by default — so a stolen credential or misconfigured extension cannot quietly route thousands of premium-rate minutes overnight before anyone notices.