When your phone system was a box in a closet connected to copper lines, its security model was a locked door. Stealing your calls required physically touching your wire.
That box is gone. Your phone system is now software running on your network, reachable from the internet, speaking protocols that were designed in an era when nobody expected them to be attacked. It has all the vulnerabilities of a server and almost none of the attention.
Most businesses secured their VoIP migration by trusting that the provider handled it. That assumption is where the trouble starts.
Why VoIP Security Gets Skipped
Three reasons, and they compound.
It does not feel like IT. The phone is a phone. It sits on a desk. Nobody puts it on the asset inventory, nobody patches it, and nobody thinks of it as an endpoint that runs firmware and holds credentials. It is, and it does.
The provider is assumed to own it. Your VoIP provider secures their platform. Your handsets, your network configuration, your extension passwords, your call routing rules, and your fraud thresholds are yours. This is the same shared responsibility split that catches businesses on cloud platforms, and it catches them here for the same reason.
Nothing appears broken. A compromised phone system usually keeps working perfectly. Calls connect, voicemail works, nobody notices. That is the point. The attacker's goal is not to break your phones. It is to use them.
Our hosted VoIP and SD-WAN services treat the phone system as part of the network it actually lives on, because that is what it is.
Toll Fraud: The Weekend Problem
This is the threat that costs businesses the most real money, and almost nobody plans for it.
Here is the mechanism. An attacker registers premium-rate phone numbers in a jurisdiction with weak oversight, then arranges to collect a share of the per-minute revenue those numbers generate. They compromise your phone system. Then they place thousands of calls to their own numbers, running many simultaneous channels for as long as they can.
You are the one paying per minute. They are the ones collecting it.
They do this on Friday night. Not because they are lazy, but because the window matters enormously. An attack that starts at 7pm Friday and runs until Monday morning has roughly 60 hours of unattended runtime. At a few dozen concurrent channels billing international rates, that produces a bill in the tens of thousands of dollars. Holiday weekends are better still. Businesses have discovered this on the Tuesday after Thanksgiving more than once.
How they get in is usually mundane. A SIP extension with a weak or default password, exposed to the internet. Attackers scan for SIP endpoints continuously and brute force them at scale, and an extension password of 1234 is not hypothetical. It is what ships in the box and what stays configured when a system gets set up in a hurry.
Who pays is the part that surprises people. Read your carrier agreement. Fraudulent traffic that originated from your compromised system is generally your liability, not the carrier's. You authorized the calls, in the legal sense, because your credentials placed them. Some providers offer fraud protection or caps. Many do not by default, and the ones that do frequently set the threshold high enough to permit a very expensive weekend.
What prevents it: strong unique extension credentials, international dialing disabled by default and enabled only where needed, geographic restrictions on destinations you never legitimately call, concurrent call limits, spend thresholds with real-time alerting, and rate limiting on registration attempts. None of these are exotic. All of them require someone to configure them, which is the whole problem.
The Rest of the Threat Model
Eavesdropping. SIP signaling and RTP media are unencrypted by default in many deployments. An attacker with a position on your network can reconstruct calls. Encryption via SRTP and TLS exists and is well supported. It is frequently not turned on, because it was not on by default and nobody asked. If you discuss anything confidential by phone, and you do, this matters. Our encryption services cover this alongside data at rest.
Registration hijacking. An attacker who captures or guesses extension credentials can register as that extension and receive its calls. Your calls ring for someone else. Depending on what your business discusses by phone, this ranges from awkward to catastrophic.
Caller ID spoofing and vishing. Two directions here, and both hurt. Attackers spoof your business's number to defraud your customers, which damages a reputation you spent years building. They also spoof trusted numbers into your business, which is how a convincing voice pretending to be your bank or your CEO gets someone in accounting to move money. Voice-based social engineering has become substantially more effective now that synthetic voice is cheap and good. Security awareness training has to cover the phone, not just the inbox, and our coverage of mobile phishing attacks surging shows how much of this has moved off email entirely.
Telephony denial of service. Flooding your lines so legitimate calls cannot connect. For a medical practice, a bank branch, or anyone whose customers reach them by phone, this is a revenue and safety problem, not an inconvenience. It has been used as an extortion lever and as cover for fraud happening elsewhere.
Voicemail. Often protected by a four-digit PIN, frequently the default, frequently never changed. Voicemail systems have been used as a pivot to place outbound calls and to intercept authentication codes delivered by voice.
The handsets themselves. They run firmware. The firmware has vulnerabilities. Almost nobody patches desk phones. They sit on the network for seven years, unmonitored, with a web interface and default admin credentials.
Most of this comes back to credentials, which is why the password management discipline applies to your phone system exactly as it applies to everything else.
The Compliance Surprise: FCC 911 Rules
This one catches nearly everybody, and it is not a security issue so much as a legal one.
In August 2019, the FCC adopted rules implementing two federal laws that change what your phone system must do. If you deployed or replaced a business phone system after February 16, 2020, these apply to you.
Kari's Law requires that anyone can dial 911 directly, without pressing 9 or any other prefix first. It is named for Kari Hunt, who was killed in a Texas motel room in 2013 while her 9-year-old daughter tried to call 911 four times from the room phone. The calls never connected, because the motel's system required dialing 9 for an outside line first. The law also requires that your system send a notification to a designated on-site or remote location when a 911 call is placed, so someone at the site knows help was called and can meet the responders.
Section 506 of RAY BAUM'S Act requires that a dispatchable location accompany 911 calls. The FCC defines that as the validated street address of the caller plus additional information such as the suite, floor, or room needed to actually find them. A street address alone is not sufficient for a three-story building.
Two things worth understanding.
The rules are forward-looking. They do not apply to a system installed on or before February 16, 2020. So the business still running a 2016 phone system is exempt, and the business that modernized is covered. Upgrading to VoIP quietly brought you into scope.
Softphones are the hard part. A desk phone has a fixed location you can register once. An employee running the softphone app from home, from a hotel, or from a different floor does not. Dispatchable location for non-fixed devices requires either automated location detection or a mechanism for the user to update it, and this is where most deployments are quietly non-compliant. Your provider may support it. Whether anyone configured it and whether your remote staff have current addresses on file is a different question.
The FCC publishes the requirements directly on its multi-line telephone system 911 page. This is worth reviewing with counsel rather than assuming your provider handled it, since the rules place obligations on the party installing, managing, or operating the system, which is frequently you.
Call Recording Is a Compliance Liability
Recording calls is trivial to enable and creates obligations most businesses never consider.
PCI DSS. If your staff take card payments by phone and you record those calls, your recordings now contain cardholder data and fall into PCI scope. More pointedly, PCI DSS prohibits storing the card verification code after authorization. A recording of a customer reading their CVV aloud is storage of that code. If your recordings are searchable and retained, this is a finding. Pause-and-resume recording or equivalent controls exist for exactly this reason.
HIPAA. Voicemail and recorded calls containing patient information are electronic protected health information, subject to the same requirements as anything in your EHR. If your VoIP provider stores that data, they are handling PHI on your behalf, which means you need a business associate agreement in place. Many practices have never asked. See our HIPAA IT compliance requirements guide.
Consent. Ohio and Indiana are one-party consent states, meaning one participant's consent to recording is sufficient. That sounds simple until you take a call from California, which requires all-party consent. Businesses that take interstate calls should get an actual legal opinion here rather than a blog's summary, including ours.
Retention. Recordings pile up. They are discoverable in litigation, they are a breach target, and most businesses have no retention policy governing them, which means they are keeping everything forever by accident.
We handle the intersection of these through compliance management, and our PCI and HIPAA best practices guide covers the broader picture.
Where SD-WAN Fits
Voice is unforgiving about network conditions in a way that other traffic is not. An email does not care about 80 milliseconds of jitter. A call does, immediately and audibly.
SD-WAN matters for voice quality, but it matters for security too, and the two are related more closely than they appear.
Segmentation. Voice traffic belongs on its own segment. This is a quality decision and a security decision at once: it protects call quality from a workstation saturating the link, and it prevents a compromised desktop from having a clear path to your phone system. Our network security architecture guide covers segmentation properly.
Encrypted transport between sites, so voice does not traverse the public internet in the clear.
Path selection that moves voice to the healthiest link automatically, so quality degradation does not push users to work around the system with personal cell phones, which is its own security problem.
Centralized policy across locations, so the branch office does not have a permissive configuration nobody remembers.
Voice quality is a security control, indirectly. When the phone system is unreliable, people route around it, and shadow IT is what you get.
A Practical Hardening Checklist
- Unique, strong credentials on every extension. No defaults. No 1234.
- International dialing off by default, on by exception.
- Geographic blocking for destinations you never legitimately call.
- Concurrent call limits and spend thresholds with alerts that reach a human at 2am on a Saturday.
- SRTP and TLS enabled for signaling and media.
- Voice on its own network segment, behind a properly configured firewall.
- SIP endpoints not directly exposed to the internet where avoidable, with rate limiting on registration attempts.
- Handset firmware patched on a schedule like any other endpoint, covered by monitoring and patch management.
- Voicemail PINs enforced, defaults eliminated.
- Call detail records actually reviewed, or at minimum monitored for anomalies.
- 911 configuration verified, including dispatchable location for remote and softphone users.
- Recording policy documented, with retention limits and PCI and HIPAA implications addressed.
Common Questions
Is VoIP secure for business use?Yes, when configured properly. VoIP can be more secure than traditional telephony because it supports strong encryption, which copper never did. The risk is not the technology. It is that VoIP is a networked computing system being administered as though it were a telephone, with default settings and no monitoring.
How does VoIP toll fraud happen?An attacker compromises a phone system, usually through a weak or default SIP extension password exposed to the internet, then places large volumes of calls to premium-rate international numbers they profit from. Attacks are timed for nights, weekends, and holidays to maximize unattended runtime, and the resulting bill is typically the business's liability under the carrier agreement.
Do the FCC 911 rules apply to my business phone system?If your multi-line telephone system was installed, sold, or leased after February 16, 2020, yes. You must allow direct 911 dialing with no prefix, send a notification when 911 is dialed, and provide a dispatchable location including suite or floor detail. Systems installed on or before that date are exempt, which means upgrading to VoIP brought you into scope.
Does my VoIP provider handle security for me?Partially. They secure their platform. Your extension credentials, handset configuration, network segmentation, international dialing permissions, fraud thresholds, and 911 location data are your responsibility. This is the gap where toll fraud happens.
Can VoIP calls be intercepted?Yes, if signaling and media are unencrypted, which is a common default. SRTP and TLS address this and are widely supported. Whether they are enabled in your deployment is worth verifying rather than assuming.
Are we allowed to record calls in Ohio?Ohio and Indiana are one-party consent states, so one participant's consent is generally sufficient. Calls involving other states may trigger all-party consent requirements. Recording also creates PCI and HIPAA obligations if card or patient data is captured. This is a question for legal counsel rather than a blog post.
What is the single most important VoIP security control?Strong unique credentials on every extension, combined with international dialing disabled by default. Those two together prevent the attack that costs the most money.
Your Phone System Is Part of Your Network
Treat it that way and most of this becomes routine. Treat it as a telephone and you are running an unpatched, unmonitored, internet-exposed system with a direct line to your bank account.
Harbour Technology Consulting has designed and secured voice and network infrastructure for businesses across Dayton, Cincinnati, Columbus, and Indianapolis for more than 20 years, including healthcare, banking, and manufacturing environments where the phone system is in audit scope.
Contact us for a voice and network assessment, or call (937) 428-9234.
Related Reading
- Network Security Architecture and Infrastructure Guide
- Network Security Monitoring and Threat Detection
- Firewall Monitoring and Management: Essential Guide for Small Business
- Password Management for Business: Why Your Password Policy Is Wrong
- Complete Guide to HIPAA IT Compliance Requirements
- Cybersecurity Incident Response Planning Guide






