Business Solutions| Digital Marketing| Application | PBX “We develop Connections”

PBX Toll-Fraud & Security: Best Practices for Belgian Businesses

Table of Contents

You arrive Monday morning to a phone bill with €18,000 of calls you never made — to destinations you’ve never heard of, placed at 3 a.m. on Saturday. The calls came from your own number. And in most cases, your business pays that bill, not your carrier.

This is PBX toll fraud, and it’s one of the most expensive, least-understood threats facing Belgian SMEs. Most security guides bury it inside a generic “secure your VoIP” tip list and never explain how the attack actually works or what to do when it hits.

This guide fixes that. You’ll learn exactly how toll fraud works, what it can cost, a layered set of best practices to lock your phone system down, and a clear incident-response plan for the worst case. Let’s make your PBX a hard target.

What Is PBX Toll Fraud? (How the Attack Actually Works)

Toll fraud — also called PBX fraud or telecom fraud — is when attackers gain access to your phone system and use it to place expensive outbound calls. The most common form is IRSF (International Revenue Share Fraud), and understanding it explains everything about why this happens.

Here’s the mechanism. Fraudsters lease premium-rate or international numbers in jurisdictions with loose regulation and earn a cut of every minute called to them. They then break into business phone systems and dial those numbers in bulk. Every fraudulent minute pays the attacker directly. You’re not being robbed of data — you’re being used as an ATM.

How they get in is usually unglamorous:

  • Default or weak passwords on the PBX, SIP accounts, or voicemail — vendor default codes are published online.
  • SIP trunk hijacking — stolen SIP credentials let an attacker register their own device and dial out as you.
  • Exposed services like DISA (Direct Inward System Access) or open management ports reachable from the internet.
  • Vishing — social-engineering staff into handing over credentials over the phone.

And the timing is deliberate. Attacks cluster on Friday nights, weekends, and public holidays — precisely when no one is watching the call logs and the damage can run for 48 hours before anyone notices.

What Toll Fraud Actually Costs a Belgian SME

The numbers are not small. Because fraudulent calls run in parallel — dozens of simultaneous calls to high-cost destinations — a compromised system can burn through thousands of euros per hour. A single weekend of undetected fraud has left Belgian and European SMEs with bills in the tens of thousands.

A rough sense of scale for one compromised SIP trunk left running over a weekend:

Factor

Typical fraud scenario

Impact

Concurrent calls

10–30 simultaneous channels

Multiplies cost fast

Destination rate

€1–€5+ per minute (premium/exotic)

High per-minute

Duration undetected

A full weekend (~48 hrs)

No one watching

Resulting bill

€10,000 – €40,000+

Often payable by you

Illustrative ranges, not a quote — actual exposure depends on your trunk channel count, call limits, and destinations allowed.

The liability sting: under most carrier contracts, calls that originate from your authenticated account — even fraudulent ones — are your responsibility to pay. The traffic looks legitimate because the credentials match. That’s why prevention matters far more than disputes after the fact.

The Layered Defence Framework

Most advice is a flat list of tips. Toll fraud is better stopped with defence in depth — layers, so that if one fails, the next still catches the attack. Here’s the framework, and who owns each layer.

Layer

Key measures

Owner

1. PBX configuration

Change all default passwords; enforce strong unique credentials; disable DISA and unused features; restrict which extensions can call internationally.

You / IT

2. Calling controls

Set a daily spend limit (bellimiet); block premium-rate and high-risk international destinations by default; require a PIN or auth code for international calls.

You / Provider

3. Network

Firewall or SBC in front of the PBX; IP whitelisting so only trusted addresses register; close management ports to the public internet; VPN for remote access.

IT

4. Encryption

TLS for SIP signalling and SRTP for the audio, so credentials and calls can’t be sniffed and replayed.

IT / Provider

5. Monitoring & alerts

Real-time alerts on unusual call patterns — high volume, off-hours activity, calls to new countries; threshold warnings at 80% and 100% of the limit.

Provider

6. People

Train staff on vishing; never share credentials by phone; change passwords when staff leave; keep firmware and software patched.

You / All

You don’t have to build all six alone. A good Belgian provider already runs layers 4 and 5 and can configure 2 with you. Your job is to make sure none of the layers is missing.

The Five Highest-Impact Quick Wins

If you do nothing else this week, do these. They stop the overwhelming majority of attacks:

  1. Change every default password on the PBX, SIP accounts, and voicemail — today.
  2. Set a daily call-spend limit. Cap it at, say, €50/day and even a full hijack can’t bill more than that before it’s blocked.
  3. Block international and premium destinations you never call; unblock specific countries only as needed.
  4. Whitelist trusted IPs so devices outside your network can’t register to your system.
  5. Turn on anomaly alerts with your provider so off-hours spikes reach you in real time.

The Belgian Angle: Liability, Providers, and GDPR

A few points specific to running a phone system in Belgium that the global guides miss.

You usually pay — so push controls to the carrier level

Since the fraudulent bill typically lands on you, the smartest move is a provider that enforces limits at the network level, not just in your PBX. A carrier-side daily cap or automatic block on suspicious volume stops fraud even if your on-site box is the thing that got compromised.

Choose a provider with NL/FR support and EU hosting

Belgian businesses run multilingual, and when fraud strikes you need to reach someone fast in Dutch or French to freeze the trunk. EU-hosted providers also keep your call data and recordings inside GDPR’s jurisdiction — because a breach of your phone system can expose personal data, not just rack up call charges.

The GDPR overlap

Toll fraud is usually about money, but the same weak credentials that let attackers dial out can let them listen to recorded calls or voicemail. That turns a billing problem into a personal-data breach with notification obligations. Securing the PBX protects your data and your budget at once.

You’ve Been Hit: What to Do Right Now

Speed decides how big the bill gets. If you spot a spike of strange calls or get an alert, work through this in order.

  1. Freeze outbound calling immediately. Contact your provider to suspend the trunk or hit your own kill switch. Stopping the bleed comes first.
  2. Change all credentials. PBX admin, SIP accounts, voicemail — assume everything is compromised and rotate it.
  3. Pull the call logs. Identify the destinations, the start time, and the entry point. This is your evidence and your diagnosis.
  4. Notify your provider in writing. Report the fraud, ask about their detection logs, and open a dispute — some carriers waive a portion if caught fast.
  5. Close the hole. Whatever let them in — a default password, an open port, leaked SIP details — fix it before you bring the trunk back up.
  6. Assess data exposure. If recordings or voicemail were accessible, evaluate your GDPR notification duties with your DPO.

Then write the lesson down. A short after-hours response plan — who to call, what to freeze — means the next alert is handled in minutes, not Monday morning.

Frequently Asked Questions

What is PBX toll fraud?

It’s the unauthorised use of a business phone system to place expensive calls, usually to international or premium-rate numbers the attacker profits from. Fraudsters break in via weak passwords or stolen SIP credentials and dial in bulk, often over weekends when no one is watching.

In most cases, you do. Because the calls originate from your authenticated account, carriers treat them as legitimate usage under the contract. That’s why prevention and fast detection matter far more than disputing the bill afterwards.

A daily call-spend limit. If you cap outbound spend at a low figure, even a full system compromise can’t bill more than that amount before calls are automatically blocked and you’re alerted.

Most commonly through default or weak passwords on the PBX, SIP accounts, or voicemail; stolen SIP trunk credentials; exposed features like DISA or open management ports; or social engineering (vishing) of staff into revealing credentials.

Deliberately during quiet periods — Friday nights, weekends, and public holidays — when call monitoring is least likely and the fraud can run for many hours before anyone notices.

It helps, because reputable cloud providers run encryption, monitoring, and automatic fraud blocking. But you still own configuration risks like weak passwords and over-broad international calling. Security is shared between you and the provider.

It can be. The same weak credentials that allow fraudulent calls may also expose recorded calls or voicemail — personal data. A phone-system breach can therefore trigger GDPR notification duties, not just a high bill.

Table of Contents

You arrive Monday morning to a phone bill with €18,000 of calls you never made — to destinations you’ve never heard of, placed at 3 a.m. on Saturday. The calls came from your own number. And in most cases, your business pays that bill, not your carrier.

This is PBX toll fraud, and it’s one of the most expensive, least-understood threats facing Belgian SMEs. Most security guides bury it inside a generic “secure your VoIP” tip list and never explain how the attack actually works or what to do when it hits.

This guide fixes that. You’ll learn exactly how toll fraud works, what it can cost, a layered set of best practices to lock your phone system down, and a clear incident-response plan for the worst case. Let’s make your PBX a hard target.

What Is PBX Toll Fraud? (How the Attack Actually Works)

Toll fraud — also called PBX fraud or telecom fraud — is when attackers gain access to your phone system and use it to place expensive outbound calls. The most common form is IRSF (International Revenue Share Fraud), and understanding it explains everything about why this happens.

Here’s the mechanism. Fraudsters lease premium-rate or international numbers in jurisdictions with loose regulation and earn a cut of every minute called to them. They then break into business phone systems and dial those numbers in bulk. Every fraudulent minute pays the attacker directly. You’re not being robbed of data — you’re being used as an ATM.

How they get in is usually unglamorous:

  • Default or weak passwords on the PBX, SIP accounts, or voicemail — vendor default codes are published online.
  • SIP trunk hijacking — stolen SIP credentials let an attacker register their own device and dial out as you.
  • Exposed services like DISA (Direct Inward System Access) or open management ports reachable from the internet.
  • Vishing — social-engineering staff into handing over credentials over the phone.

And the timing is deliberate. Attacks cluster on Friday nights, weekends, and public holidays — precisely when no one is watching the call logs and the damage can run for 48 hours before anyone notices.

What Toll Fraud Actually Costs a Belgian SME

The numbers are not small. Because fraudulent calls run in parallel — dozens of simultaneous calls to high-cost destinations — a compromised system can burn through thousands of euros per hour. A single weekend of undetected fraud has left Belgian and European SMEs with bills in the tens of thousands.

A rough sense of scale for one compromised SIP trunk left running over a weekend:

Factor

Typical fraud scenario

Impact

Concurrent calls

10–30 simultaneous channels

Multiplies cost fast

Destination rate

€1–€5+ per minute (premium/exotic)

High per-minute

Duration undetected

A full weekend (~48 hrs)

No one watching

Resulting bill

€10,000 – €40,000+

Often payable by you

Illustrative ranges, not a quote — actual exposure depends on your trunk channel count, call limits, and destinations allowed.

The liability sting: under most carrier contracts, calls that originate from your authenticated account — even fraudulent ones — are your responsibility to pay. The traffic looks legitimate because the credentials match. That’s why prevention matters far more than disputes after the fact.

The Layered Defence Framework

Most advice is a flat list of tips. Toll fraud is better stopped with defence in depth — layers, so that if one fails, the next still catches the attack. Here’s the framework, and who owns each layer.

Layer

Key measures

Owner

1. PBX configuration

Change all default passwords; enforce strong unique credentials; disable DISA and unused features; restrict which extensions can call internationally.

You / IT

2. Calling controls

Set a daily spend limit (bellimiet); block premium-rate and high-risk international destinations by default; require a PIN or auth code for international calls.

You / Provider

3. Network

Firewall or SBC in front of the PBX; IP whitelisting so only trusted addresses register; close management ports to the public internet; VPN for remote access.

IT

4. Encryption

TLS for SIP signalling and SRTP for the audio, so credentials and calls can’t be sniffed and replayed.

IT / Provider

5. Monitoring & alerts

Real-time alerts on unusual call patterns — high volume, off-hours activity, calls to new countries; threshold warnings at 80% and 100% of the limit.

Provider

6. People

Train staff on vishing; never share credentials by phone; change passwords when staff leave; keep firmware and software patched.

You / All

You don’t have to build all six alone. A good Belgian provider already runs layers 4 and 5 and can configure 2 with you. Your job is to make sure none of the layers is missing.

The Five Highest-Impact Quick Wins

If you do nothing else this week, do these. They stop the overwhelming majority of attacks:

  1. Change every default password on the PBX, SIP accounts, and voicemail — today.
  2. Set a daily call-spend limit. Cap it at, say, €50/day and even a full hijack can’t bill more than that before it’s blocked.
  3. Block international and premium destinations you never call; unblock specific countries only as needed.
  4. Whitelist trusted IPs so devices outside your network can’t register to your system.
  5. Turn on anomaly alerts with your provider so off-hours spikes reach you in real time.

The Belgian Angle: Liability, Providers, and GDPR

A few points specific to running a phone system in Belgium that the global guides miss.

You usually pay — so push controls to the carrier level

Since the fraudulent bill typically lands on you, the smartest move is a provider that enforces limits at the network level, not just in your PBX. A carrier-side daily cap or automatic block on suspicious volume stops fraud even if your on-site box is the thing that got compromised.

Choose a provider with NL/FR support and EU hosting

Belgian businesses run multilingual, and when fraud strikes you need to reach someone fast in Dutch or French to freeze the trunk. EU-hosted providers also keep your call data and recordings inside GDPR’s jurisdiction — because a breach of your phone system can expose personal data, not just rack up call charges.

The GDPR overlap

Toll fraud is usually about money, but the same weak credentials that let attackers dial out can let them listen to recorded calls or voicemail. That turns a billing problem into a personal-data breach with notification obligations. Securing the PBX protects your data and your budget at once.

You’ve Been Hit: What to Do Right Now

Speed decides how big the bill gets. If you spot a spike of strange calls or get an alert, work through this in order.

  1. Freeze outbound calling immediately. Contact your provider to suspend the trunk or hit your own kill switch. Stopping the bleed comes first.
  2. Change all credentials. PBX admin, SIP accounts, voicemail — assume everything is compromised and rotate it.
  3. Pull the call logs. Identify the destinations, the start time, and the entry point. This is your evidence and your diagnosis.
  4. Notify your provider in writing. Report the fraud, ask about their detection logs, and open a dispute — some carriers waive a portion if caught fast.
  5. Close the hole. Whatever let them in — a default password, an open port, leaked SIP details — fix it before you bring the trunk back up.
  6. Assess data exposure. If recordings or voicemail were accessible, evaluate your GDPR notification duties with your DPO.

Then write the lesson down. A short after-hours response plan — who to call, what to freeze — means the next alert is handled in minutes, not Monday morning.

Conclusion

Toll fraud isn’t random bad luck — it’s an automated, profit-driven attack that targets weak passwords, open trunks, and unwatched call logs, usually on a quiet weekend. The good news: it’s very preventable.

Change defaults, cap your daily spend, block destinations you never call, encrypt and monitor, and keep a freeze-it-fast plan ready. Layer those defences and an attacker moves on to an easier target. Want a security review of your phone system, with Belgian carrier-level controls configured for you? Get in touch.

Frequently Asked Questions

What is PBX toll fraud?

It’s the unauthorised use of a business phone system to place expensive calls, usually to international or premium-rate numbers the attacker profits from. Fraudsters break in via weak passwords or stolen SIP credentials and dial in bulk, often over weekends when no one is watching.

In most cases, you do. Because the calls originate from your authenticated account, carriers treat them as legitimate usage under the contract. That’s why prevention and fast detection matter far more than disputing the bill afterwards.

A daily call-spend limit. If you cap outbound spend at a low figure, even a full system compromise can’t bill more than that amount before calls are automatically blocked and you’re alerted.

Most commonly through default or weak passwords on the PBX, SIP accounts, or voicemail; stolen SIP trunk credentials; exposed features like DISA or open management ports; or social engineering (vishing) of staff into revealing credentials.

Deliberately during quiet periods — Friday nights, weekends, and public holidays — when call monitoring is least likely and the fraud can run for many hours before anyone notices.

It helps, because reputable cloud providers run encryption, monitoring, and automatic fraud blocking. But you still own configuration risks like weak passwords and over-broad international calling. Security is shared between you and the provider.

It can be. The same weak credentials that allow fraudulent calls may also expose recorded calls or voicemail — personal data. A phone-system breach can therefore trigger GDPR notification duties, not just a high bill.