Docs navigation

Toll-fraud protection

Toll fraud is the attack with a bill: someone gets hold of a SIP credential and pumps calls to premium international numbers until you notice. The defense is layered — even a stolen password should hit three more walls before it costs money.

Layer 1: allowed country codes

Admin → Advanced → Allowed Country Codes is a region/country checklist — calls to countries you haven't allowed don't go out, full stop. Most businesses can allow their home region plus a handful of countries they actually call; blocked attempts are logged and alertable. This is the highest-value five minutes in the security section.

Layer 2: dialing classes

Outbound rules carry a required dialing class (Local / Domestic / International / Premium), granted per user. A compromised reception extension that's never been granted International simply can't use the international rule — the blast radius of any single credential stays small.

Layer 3: rule design

  • Keep a blocked rule above your permissive ones for premium-rate prefixes.
  • Cap simultaneous calls per trunk (trunk options) — fraud runs many calls at once; a sane channel cap turns a flood into a trickle.
  • Restrict after-hours risk by scoping rules to extension groups where practical.

Layer 4: credential defense

Abuse control auto-bans the brute-forcing that steals credentials in the first place, and the CID blacklist (Admin → Advanced → CID Blacklist) drops known nuisance callers before they ring anyone.

Detection

Turn on the relevant alerts: blocked-country attempts, anti-hacking rejections, and unusual trunk activity. Fraud that's noticed in five minutes is an incident; fraud noticed on the invoice is a budget item. Your carrier's own spending caps are the final backstop — set them there too.