Toll Fraud | Telecommunications Guide - Midshire

Toll fraud poses one of the largest threats to businesses and organisations today. To date, it is very difficult to measure the cost to businesses toll fraud poses. While many businesses are reluctant to publicly admit they have been targeted, experts worldwide estimate the costs to run into the billions annually.

Experts also say that toll fraud is an easy and profitable crime, if the person has the know-how. Since it is often undetected until large amounts of money have been lost, the perpetrators are hard to identify, minimizing their sense of risk.

Classic toll fraud, sometimes referred to as dial‐through fraud or time theft, occurs when a hacker breaks a vulnerable voice system and then sells the number or codes to third parties. For example, some businesses enable services like Direct Inward Services Access (DISA), where if you know a code, employees can call in and get dial tone to call out via the telephone system. DISA is a useful service for business travellers, who can call in and use the company’s long distance facilities, rather than using their mobile phone, hotel phone or calling card. When hackers obtain these passcodes, they can exploit them in toll fraud.

With some VoIP telephone systems, the IP PBX can be broken down into several systems that communicate over the data network. For example, you may have an IP PBX that communicates with a separate VOIP gateway, sometimes integrated with an external router. If the media gateway does not have proper access control and security, it is possible to directly connect to it via a VoIP protocol and make calls with no control from the IP PBX nor entries in the IP PBX call database.

Often, the perpetrators start the activity at the beginning of a weekend, where the abuse is less likely to be noticed, as most businesses are closed. The attack continues as long as the enterprise does not notice the abuse. Unfortunately, most service providers will not notify an enterprise of potential toll fraud.

If the enterprise only reviews reports at the end of the month or some other infrequent interval, the attack can go on for weeks, resulting in a significant expense to the business. In most cases, since the calls were actually made from the businesses telephone system, the service provider is typically unwilling to waive the charges, since providers also incur costs routing long‐distance and international calls.


Contact us

Contact us for Business Telephone solutions