Toll Fraud


As long as there have been telephones and charges for conducting calls, there has been toll fraud. In the 1970s and 1980s, hackers used a technique called “phreaking” to trick pay phones by producing a 2400 hertz signal which mimicked the signaling mechanism used to control long-distance calls. Some individuals were even able to duplicate these signal tones through whistling. Despite the move to a digital phone system, individuals are still conducting fraud, taking advantage of unsuspecting companies.

Toll fraud is the unlawful use of a phone system or services to make long distance or international calls. It is a criminal activity analogous to computer hacking, and an industry-wide crisis that accounts for over one billion dollars in losses annually. Toll fraud can take many forms, for example, calls to local numbers, mobile phones, paid premium numbers, and long-distance (international) numbers. Now you know the problem. So, what is the solution?


Cisco has various mechanisms with which you can restrain toll fraud and even stop it in its tracks. However, following your IP Telephony security policy is the foremost step when implementing these measures and configuring your PBX to curtail toll fraud.

Partitions and Calling Search Spaces (CSS)

Partitions and CSSs provide segmentation and access control over which numbers an endpoint can call and which callers can reach it. They are your primary lines of defense against rogue internal or external callers. By restricting calling privileges, you can be assured that no internal endpoint can call any internal or external destination unless the IP Telephony administrator assigns the appropriate calling privileges to that endpoint.

Time of Day Routing

Time of Day Routing allows certain partitions to be active during a preset time span of the day; outside this period, these partitions become inactive automatically. Essentially, it allows or disallows a partition to be active during a predefined period on given days of the week.
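The following added example (not Cisco code and not from the original article) models how a calling search space, its partitions, and a time schedule together decide whether a dialed number is reachable. The partition names, patterns, and schedule are constructed, and CUCM's closest-match rule is approximated here by preferring the pattern with the most literal digits.

```python
import re
from datetime import datetime, time

# Constructed dial plan: partition -> [(route pattern, action)].
PARTITIONS = {
    "PT_Internal": [("2XXX", "route")],
    "PT_Local": [("9.[2-9]XXXXXX", "route")],
    "PT_Intl": [("9.011!", "route")],
    "PT_Block_Premium": [("9.1900XXXXXXX", "block")],
}
# Time schedules: partition -> (weekdays Mon=0..Sun=6, start, end). No entry = always active.
SCHEDULES = {"PT_Intl": ({0, 1, 2, 3, 4}, time(8, 0), time(18, 0))}
# A calling search space is an ordered list of partitions an endpoint may reach.
CSS = {
    "CSS_Lobby": ["PT_Internal"],
    "CSS_Staff": ["PT_Block_Premium", "PT_Internal", "PT_Local", "PT_Intl"],
}
# Constructed sample times: a Tuesday morning and a Saturday night.
TUESDAY_10AM = datetime(2024, 3, 5, 10, 0)
SATURDAY_11PM = datetime(2024, 3, 9, 23, 0)

def to_regex(pattern):
    """X = any digit, ! = one or more digits, '.' only marks where digits are stripped."""
    body = pattern.replace(".", "").replace("X", r"\d").replace("!", r"\d+")
    return re.compile(body)

def is_active(partition, when):
    sched = SCHEDULES.get(partition)
    if sched is None:
        return True
    days, start, end = sched
    return when.weekday() in days and start <= when.time() < end

def check_call(css_name, dialed, when):
    """Return (allowed, partition or reason) for a dialed string at a given time."""
    matches = []
    for order, partition in enumerate(CSS[css_name]):
        if not is_active(partition, when):
            continue  # an inactive partition is invisible to the CSS
        for pattern, action in PARTITIONS[partition]:
            if to_regex(pattern).fullmatch(dialed):
                literals = sum(ch.isdigit() for ch in re.sub(r"\[.*?\]", "", pattern))
                matches.append((-literals, order, partition, action))
    if not matches:
        return False, "no reachable pattern"
    _, _, partition, action = min(matches)  # most literal digits, then CSS order
    return action == "route", partition
```

The same international number is reachable for `CSS_Staff` on Tuesday morning and unreachable on Saturday night, while `CSS_Lobby` can never reach it because its CSS contains no partition holding a matching pattern.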

Block Off-Net to Off-Net Transfers

There is a parameter that allows or disallows off-net to off-net transfers. This is useful when, to hold back toll fraud, your IP Telephony security policy does not permit off-net to off-net transfers. It is the cluster-wide service parameter Block OffNet to OffNet Transfer. When enabled, it can block any off-net to off-net call transfers from endpoints, thereby minimizing the risk of anyone misusing the feature to transfer local PSTN calls to international destinations.

Conference Restrictions

Toll fraud can also be committed using the conferencing capability of an endpoint. An attacker or a rogue user can conference a local call with an international number. While this can be stopped by restricting the CSS of the source endpoint, that does not prevent a participant in a conference call (internal or external) from illegitimately invoking conference calls to long distance or international numbers. Ad hoc conference calls can optionally be dropped when the originator hangs up. This ensures that the other parties (such as external users) cannot initiate a call to another external number using your IP Telephony system.

Calling Rights for Billing and Tracking

A Forced Authentication Code (FAC) can be used to control access to international and long distance calls. When a call is routed through a route pattern where FAC is applied, the system plays a tone that prompts the user to enter the authorization code to proceed with the call. If the authorization code entered is within the required level of authorization, the call proceeds; otherwise, the user gets a reorder tone. FAC-associated calls are logged to the CDRs. The CDRs can be used to track usage for billing and to track prohibited attempts.
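As an added illustration of the CDR review described above (example code, not from the original article or from Cisco), the script below totals call duration per authorization code and flags international calls that carry no FAC or were placed outside business hours. It assumes a CSV export with the columns shown, an international prefix of 9011, UTC timestamps, and business hours of 08:00 to 18:00 on weekdays; every row is constructed sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

INTL_PREFIX = "9011"  # assumption: access code 9 followed by 011

# Constructed CDR extract (dateTimeOrigination is epoch seconds, duration is seconds).
SAMPLE_CDR = """\
dateTimeOrigination,callingPartyNumber,finalCalledPartyNumber,duration,authCodeDescription
1709632800,2001,90114412345678,600,Sales-Intl
1709636400,2002,95551234,120,
1709640000,2004,90114998765432,300,
1710025200,2003,9011359212345,5400,Sales-Intl
1710028800,2003,9011359212399,3600,Sales-Intl
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def usage_by_code(rows):
    """Total seconds per FAC description, for billing."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["authCodeDescription"] or "(none)"] += int(r["duration"])
    return dict(totals)

def suspicious(rows):
    """Flag international calls with no FAC, or made outside business hours."""
    findings = []
    for r in rows:
        called = r["finalCalledPartyNumber"]
        if not called.startswith(INTL_PREFIX):
            continue
        t = datetime.fromtimestamp(int(r["dateTimeOrigination"]), tz=timezone.utc)
        if not r["authCodeDescription"]:
            # An international call without a code suggests a route pattern lacking FAC.
            findings.append((r["callingPartyNumber"], called, "international call without FAC"))
        elif t.weekday() >= 5 or not 8 <= t.hour < 18:
            findings.append((r["callingPartyNumber"], called, "outside business hours"))
    return findings

if __name__ == "__main__":
    rows = load(SAMPLE_CDR)
    print(usage_by_code(rows))
    for finding in suspicious(rows):
        print(finding)
```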

Route Filters for Controlled Access

Route filters should be deployed to filter out any unwanted area codes and calls to known paid premium numbers. Route filters can help reduce the chances of people with unlimited access dialing the otherwise prohibited paid service numbers. Route filters make the system more flexible and your outbound calling easier to administer. They give you the ability to block certain area codes or country codes, based on your requirement that no user be able to dial these specific numbers. For example, a route pattern of 0.! covers the entire Bulgarian numbering plan. To restrict premium numbers, you can create a route filter and assign it to the route pattern, which on its own may not be very specific.

Note: If you are not using the 0.! route pattern and are using specific route patterns instead, a route filter may not be helpful. In this case, you can configure specific routing and blocking route patterns.

Access Restriction for Protocols from User VRF

Since Cisco IP Telephony has a clearly defined working model in which the endpoints (hard phones, softphones, or gateways) establish signaling with the call control unit (that is, CUCM) and media with other endpoints (such as IP Phones and gateways), there is no reason for a user endpoint to send TCP to a gateway directly. Any such attempts should be blocked and logged.

Note: There are third-party softphones and agents that can initiate SIP or H.323 signaling directly with IOS gateways, enabling UA (SIP) or Client Server (H.323) relationships. This lets these endpoints establish direct signaling and media channels, bypassing the legitimate call control (CUCM) and therefore opening the floodgates for toll fraud.

Social Engineering

An employee from within the organization can persuade an operator or a colleague with unrestricted calling access to the PSTN to conference a call with an international or long distance number. Alternatively, someone from outside the organization can lure the operator (imitating an internal user) into connecting the call to an international number, resulting in toll fraud. These issues can be handled by clearly stating the Do's and Don'ts in the IP Telephony security policy. Employee education and awareness are what curb social engineering or any imitation attempts.