Protect your business from VoIP fraud. Learn how to recognize the most common types and harden your phone system security.
VoIP fraud is a serious and growing threat to businesses, with attackers increasingly targeting cloud phone systems to exploit vulnerabilities for financial gain. This type of fraud involves unauthorized access to a VoIP network, often for making costly international calls or redirecting traffic to premium-rate numbers.
But there are many types of VoIP fraud, and not all of them rely on premium-rate number schemes. In this post, we'll explore common VoIP fraud tactics and offer practical steps to protect your business from these threats.
Also known as voice or VoIP phishing, vishing is a tactic that involves social engineering to extract company credentials, like logins, passwords, employee IDs, and other types of business or personal data.
Scammers often use VoIP, along with voice-altering software and other tricks, to disguise their identities and pose as someone else, usually someone in a position of authority. The caller then persuades the target to hand over valuable data.
This type of scam can take many other forms. With AI and deep fakes, scammers can put on a much more convincing facade. A UK-based energy company's CEO was scammed out of $243,000 through a deep fake vishing attack, for instance.
Train employees on how to take precautions when picking up unexpected phone calls and spot common social engineering attacks, like scammers instilling a sense of urgency or refusing to go into the details after specific questions. Download this free social engineering cheat sheet to help your business harden security against these threats.
Wangiri loosely translates to "one ring and cut" in Japanese (where this scam originated), and it works exactly as the name suggests: your phone rings once and then the call drops.
The scam is designed to spark your curiosity and make you call back so you can be charged abnormally high international rates. It's generally accompanied by pre-recorded messages to trick you into thinking you're talking to the original caller.
These messages usually claim that the other party can't hear you and ask you to call back. The aim is to keep you on the line for as long as possible and to get you to call back again, so you can be charged all over again.
VoIP systems and automated dialers made this scam a lot more common. They allow scammers to make hundreds of calls simultaneously for cheap.
There's also a variation of this scam specifically targeting businesses -- Wangiri 2.0. It involves bots spamming business contact request forms with premium-rate numbers to generate callbacks. If businesses do call back, they will have to pay up.
The good news is that Wangiri is pretty easy to spot once you know how it works. The distinctive one-ring (sometimes two-ring) calls from international phone numbers are tell-tale signs, so let employees know about them.
Also, most of the top VoIP phone services offer advanced call-blocking features, which can automatically block suspicious incoming phone calls. Geo permissions are also a good idea -- they let you restrict traffic outside your area of operation.
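A defender can automate the "one ring from an international number" check against inbound call records. The following is an added example, not code from the original article; the record layout, the home country code (+1), the ring threshold and the number-block grouping are all assumptions.

```python
"""Flag Wangiri ("one ring and cut") patterns in inbound call records.

Added example, not from the original article. CDR fields, the home country
code and the thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict

HOME_PREFIX = "+1"        # assumed home country code; anything else is "international"
MAX_RING_SECONDS = 4      # a ring cut within this many seconds is suspicious
MIN_HITS_PER_BLOCK = 3    # short rings from one number block before we flag it

# Constructed sample inbound records: (caller, answered, ring_seconds)
SAMPLE_CDRS = [
    ("+1555010123", True, 12),
    ("+2219900111", False, 2),
    ("+2219900112", False, 1),
    ("+2219900119", False, 2),
    ("+1555010777", False, 20),   # genuine missed call: rang for a long time
    ("+3710000321", False, 2),    # a single short ring, below the threshold
]

def is_one_ring(record):
    caller, answered, ring_seconds = record
    return (not answered
            and ring_seconds <= MAX_RING_SECONDS
            and not caller.startswith(HOME_PREFIX))

def number_block(caller, digits=7):
    """Group by leading digits: a campaign usually dials from one small number range."""
    return caller[:digits]

def flag_wangiri_blocks(records):
    """Return {number_block: [callers]} for blocks that exceed the hit threshold."""
    hits = defaultdict(list)
    for rec in records:
        if is_one_ring(rec):
            hits[number_block(rec[0])].append(rec[0])
    return {blk: callers for blk, callers in hits.items()
            if len(callers) >= MIN_HITS_PER_BLOCK}

def callbacks_to_flagged(outbound_callees, flagged_blocks):
    """Outbound calls into a flagged block mean someone called back: alert on these."""
    return [n for n in outbound_callees if number_block(n) in flagged_blocks]

if __name__ == "__main__":
    blocks = flag_wangiri_blocks(SAMPLE_CDRS)
    print("blocks to add to the inbound block list:", blocks)
    print("callbacks to investigate:", callbacks_to_flagged(["+2219900111"], blocks))
```

The flagged blocks are what you would feed into the provider's call-blocking or geo-permission rules; the callback check is the part that catches the actual loss.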
If attackers gain unauthorized access to a business's VoIP system, they can start blasting out fraudulent calls to high-cost international or premium-rate numbers. Typically, the way this works is that the attacker has a revenue share deal orchestrated with the owner of the premium number.
I have spoken with a managed service provider who told me that one of his clients (before they were his client) discovered $18,000 in fraudulent charges to their business phone system. The poor company was on the hook for all of it, and only spotted the fraud when the bill from their vendor came.
This type of fraud usually starts with attackers identifying a vulnerable phone system and breaking in. It could be an open port, unsecured endpoint, or compromised credentials. Once the attacker is on the system, they start making calls unnoticed, often during off-hours or spread over time.
To protect against this, businesses should implement VoIP security best practices, such as setting up firewalls, regularly updating software, and using strong passwords. Monitoring call detail records (CDRs) for unusual activity and setting call limits can also help prevent large-scale fraud.
Caller ID spoofing is not necessarily malicious, but it's often used as part of larger scams to help hide the attacker's identity and increase the likelihood of having victims pick up the call.
This practice involves manipulating the caller ID to display a name or phone number other than the real one. Say the "IT guy" who phoned you showed a number that looked local, but the call actually came from a different country -- that's caller ID spoofing at work.
Besides helping them pretend they're someone else, attackers can also use caller ID spoofing to disguise robocalls with expensive international numbers -- like Wangiri, but less obvious.
Again, be cautious of unexpected phone calls, even if the caller ID seems familiar. Don't give out personal details, and ask specific questions to throw attackers off. If the call is accompanied by pre-recorded messages, hang up -- it's probably a robocall.
This tactic involves hackers infiltrating your private branch exchange (PBX) through various methods.
SEE: Learn fast facts you need to know about PBX.
For instance, hackers will remotely get into a business's voicemail box by figuring out the voicemail PIN. The problem is, some businesses don't change the default PIN -- usually the last four digits of the phone number, which is easy work for hackers.
From there, hackers access the business's call forwarding settings and change the number to their pay-per-minute line. The next time someone makes a call, the voicemail will redirect to that pay-per-minute line, which of course, comes at huge rates.
For cloud PBX systems, hackers can find a PBX's IP address and then brute force the login credentials to get access to it. Once they're in, hackers can make calls from your PBX to their pay-per-minute lines. These calls are usually made after hours so they're less noticeable.
It goes without saying, never use any default PINs or passwords, and make sure you change login credentials regularly.
Disable any unused voicemail boxes and voicemail functionalities like call forwarding. Set up firewalls to block traffic from suspicious sources and periodically check for any unusual after-hours outbound calls.
Also, implement rate limits. These let you cap the number of outbound calls that can be made within specific timeframes or times of day, which helps contain the damage from a system breach.
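The CDR monitoring and call-limit advice from the toll-fraud and PBX sections above can be turned into a simple detection pass over outbound records. This is an added example, not code from the original article; the record layout, business hours, the premium-rate prefix, the home country code and the rate limit are assumptions.

```python
"""Scan outbound call detail records (CDRs) for toll-fraud indicators.

Added example, not from the original article. Field layout, business hours,
the premium prefix list and the rate limit are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_PREFIX = "+1"
PREMIUM_PREFIXES = ("+1900",)          # assumed premium-rate block
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 local time
RATE_LIMIT = 5                         # max outbound calls per extension ...
RATE_WINDOW = timedelta(minutes=10)    # ... within this sliding window

# Constructed sample CDRs: (start time, extension, dialled number, minutes)
SAMPLE_CDRS = [
    ("2024-03-02 10:05", "201", "+15550100", 3),
    ("2024-03-03 02:14", "214", "+2526200111", 41),
    ("2024-03-03 02:16", "214", "+2526200112", 39),
    ("2024-03-03 02:17", "214", "+2526200113", 40),
    ("2024-03-03 02:18", "214", "+2526200114", 38),
    ("2024-03-03 02:19", "214", "+2526200115", 42),
    ("2024-03-03 02:20", "214", "+2526200116", 40),
    ("2024-03-04 14:30", "203", "+19005550199", 6),
]

def parse(cdr):
    ts, ext, callee, minutes = cdr
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), ext, callee, minutes

def is_high_cost(callee):
    """International or premium-rate destinations are where the money leaks."""
    return callee.startswith(PREMIUM_PREFIXES) or not callee.startswith(HOME_PREFIX)

def find_indicators(cdrs):
    """Return (rule, extension, detail) tuples, one per triggered rule."""
    alerts = []
    recent = defaultdict(list)          # extension -> call start times in the window
    for ts, ext, callee, minutes in sorted(map(parse, cdrs)):
        high_cost = is_high_cost(callee)
        if high_cost:
            alerts.append(("high_cost_destination", ext, callee))
        if high_cost and ts.hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_international", ext, callee))
        recent[ext] = [t for t in recent[ext] if ts - t <= RATE_WINDOW] + [ts]
        if len(recent[ext]) > RATE_LIMIT:      # the call limit a PBX should enforce
            alerts.append(("rate_limit_exceeded", ext, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_CDRS):
        print(*alert)
```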
VoIP communication is done through small data packets that travel across the internet via RTP (Real-time Transport Protocol) streams.
Packet sniffing involves tapping into RTP streams to intercept these data packets. If these data packets are not encrypted, hackers can easily eavesdrop on conversations and extract sensitive data, like credit cards or other personal details.
All they need to do is identify your network's IP address and use a packet analyzer, like Wireshark, to drop in on your conversations. It's almost as simple as having someone listen in on your walkie-talkie conversations by tuning into your frequencies.
You can prevent this issue by following encryption best practices, like enabling SRTP (Secure Real-time Transport Protocol) streams and Transport Layer Security (TLS) for signaling. Most popular VoIP providers already have these protections in place.
Packet sniffing sounds scary enough, but it's sometimes part of a larger operation, like a Man-in-the-Middle (MitM) attack. MitM attacks are not new, but they're still used to exploit VoIP phone systems.
In short, this tactic puts hackers right in the middle of the data exchange between you and the recipient -- the data will first reach the hackers, before passing it down to the recipient or back to you.
This is commonly done through Address Resolution Protocol (ARP) poisoning. Network devices have two address types. First, there's the MAC address (physical address), which identifies a device's network interface within the local network.
Then there's the IP address, which identifies the device on the IP network and the internet. ARP maps these two addresses to each other so that data traveling over the internet reaches the right physical device within a network.
ARP poisoning targets that mapping -- using tools like Ettercap, the attacker sends forged ARP replies so that the victims' devices associate the target IP addresses with the attacker's MAC address. As a result, traffic between the two IP addresses is redirected to the attacker's equipment first, giving them full control over that data.
Attackers can either delete the data, so it never reaches you or the recipient, alter the data before it reaches the destination for malicious purposes, or simply let it be. There are also other similar attacks, like Session Initiation Protocol (SIP) server impersonation, which involves setting up fake SIP server proxies.
You can prevent this from ever happening with Dynamic ARP Inspection (DAI) and by setting up network security according to current best practices. DAI validates the IP-to-MAC bindings in ARP packets against a trusted table, so if it detects a mismatch (probably caused by ARP poisoning) it drops the packet rather than letting it update the ARP cache, which prevents data from passing through a poisoned connection.
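The binding check that DAI performs can also be run passively on captured ARP replies as a detection control. The following is an added example, not code from the original article; the trusted binding table, the host addresses and the sample replies are constructed for illustration.

```python
"""Detect ARP-poisoning symptoms from observed ARP replies, in the spirit of
Dynamic ARP Inspection: validate each sender IP/MAC pair before trusting it.

Added example, not from the original article. The trusted table and the
sample replies are constructed; real DAI takes the table from DHCP snooping.
"""

# Trusted bindings (what DAI would take from a DHCP-snooping table): ip -> mac
TRUSTED_BINDINGS = {
    "192.168.1.1": "aa:bb:cc:00:00:01",    # default gateway
    "192.168.1.20": "aa:bb:cc:00:00:20",   # SIP desk phone
}

# Constructed ARP replies in arrival order: (sender_ip, sender_mac)
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.50", "aa:bb:cc:00:00:50"),  # unknown host, learned dynamically
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    ("192.168.1.50", "de:ad:be:ef:00:99"),  # learned host re-bound to that MAC
    ("192.168.1.60", "de:ad:be:ef:00:99"),  # same MAC now claims a third IP
]

def inspect(replies, trusted):
    """Return (verdict, ip, mac) per reply; only 'accept' would update the cache."""
    learned = dict(trusted)     # bindings we currently believe
    claims = {}                 # mac -> set of IPs that MAC has claimed so far
    results = []
    for ip, mac in replies:
        claims.setdefault(mac, set()).add(ip)
        if ip in trusted and trusted[ip] != mac:
            results.append(("drop_trusted_mismatch", ip, mac))        # DAI behaviour
        elif ip in learned and learned[ip] != mac:
            results.append(("alert_binding_changed", ip, mac))        # arpwatch-style
        elif len(claims[mac]) > 1:
            results.append(("alert_mac_claims_multiple_ips", ip, mac))
        else:
            learned[ip] = mac
            results.append(("accept", ip, mac))
    return results

if __name__ == "__main__":
    for verdict in inspect(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(*verdict)
```

Only the trusted-table mismatch is a hard drop; the other two verdicts are alerts, since a host with several addresses can legitimately trip them.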
SEE: Check out the biggest mistakes to avoid when configuring network security.
These attacks aim to overload VoIP phone systems and render them completely unusable, which can lead to serious recovery costs and hurt the company's reputation.
One common form of VoIP DDoS attack is RTP injection. Hackers flood your system with fake calls (usually from high-cost phone numbers) by infiltrating your RTP stream and injecting fake packets.
This type of attack's objective is to push your system to route more fake calls than the real ones, which can amount to huge international fees and eventually cause the system to crash. Again, you can prevent these attacks by enabling SRTP protocols.
Although the tactics we talked about sound scary and can have a significant negative impact on your business, they're completely preventable. As long as you don't treat your system's security as an afterthought, you should be fine.
Plus, the best business phone services are loaded with tools and security features to keep you safe. In terms of security, you are really only on the hook for the "human layer", aka: your employees. Train them on common types of fraud and enforce strong passwords that are completely unique.