
VoIP Security: How to Protect Your Business Calls from Attack

VoIP phone systems face specific security threats — including call interception, toll fraud, and phishing through voice calls (vishing). This guide explains the most significant VoIP security risks facing UK businesses and the practical controls that reduce them.

VoIP Security: Why It Matters

Toll fraud, call interception, and vishing are the primary VoIP security threats for UK businesses. Toll fraud alone can generate losses of thousands of pounds within hours of a system being compromised. AMVIA deploys SRTP/TLS encryption, SIP hardening, and real-time fraud detection as standard on all managed VoIP deployments.


Why VoIP Security Matters for UK Businesses

As part of our business VoIP resource centre, this guide addresses the specific security threats that VoIP phone systems face and the practical controls every UK business should implement. VoIP systems are a targeted attack surface for cybercriminals because they offer something most cyberattacks do not: direct, immediate financial payoff. Unlike stealing data — which requires exfiltration, processing, and monetisation — exploiting a VoIP system to make international calls generates direct financial losses for the victim within hours. The attacker profits through premium-rate number arrangements or call-back schemes, and has typically moved on before the fraud is even discovered.

The Communications Fraud Control Association (CFCA) estimates that global telecommunications fraud costs the industry over $38 billion annually, with toll fraud (also known as International Revenue Share Fraud or IRSF) accounting for a significant proportion. UK businesses are not exempt — the UK's position as a major VoIP market, combined with the rapid migration from PSTN to IP-based telephony driven by the UK PSTN switch-off scheduled for completion by January 2027 (Openreach/BT), means the attack surface is expanding as more organisations adopt VoIP without necessarily implementing adequate security controls.

The Primary VoIP Security Threats

Understanding the specific threats your VoIP system faces is the first step toward effective protection. The most significant VoIP-specific attacks affecting UK businesses fall into four categories, each with a distinct mechanism and requiring specific countermeasures.

Toll Fraud (International Revenue Share Fraud)

Toll fraud is the highest-cost VoIP security threat. It occurs when an attacker gains access to a business's VoIP system — typically by obtaining SIP account credentials through brute-force attacks, credential stuffing, or exploiting default passwords that were never changed — and uses the compromised system to make large volumes of international calls. These calls are directed to premium-rate destinations, satellite phone numbers, or specific country codes where the attacker has a revenue-sharing arrangement with the number operator.

International calls to certain destinations can cost several pounds per minute. An undetected attack running for 48 hours over a weekend, when offices are unattended and nobody is monitoring call activity, can generate bills of tens of thousands of pounds. In severe cases, losses exceeding £50,000 from a single weekend attack have been documented. Under most provider contracts the customer is liable for calls made from their own accounts, fraudulent or not; any refund is at the provider's discretion, and being able to show that reasonable security controls were in place is the strongest basis for negotiating one.

Prevention requires a layered approach: strong, unique passwords on all SIP accounts; failed authentication alerting with automatic account lockout; blocking of international calls to high-risk destinations by default; daily and weekly spending limits with automatic block triggers; and real-time monitoring that alerts on unusual call patterns rather than waiting for the monthly invoice.
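The monitoring layer described above is easier to reason about as code. The following is an added example, not AMVIA's fraud-detection system or any vendor's product: it runs the spend-cap, out-of-hours, high-risk-destination and per-extension volume rules over a handful of constructed call detail records. The CDR layout, the per-minute rate table, the prefixes treated as high risk, the business hours and the thresholds are all assumptions chosen for illustration.

```python
"""Real-time toll-fraud detection over call detail records (CDRs).

Added example; this is not AMVIA's fraud-detection code or any vendor's.
The CDR layout, the rate table, the thresholds and the business hours
are assumptions chosen for illustration, and the records are constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed CDRs: call start, originating extension, dialled number (E.164), duration in seconds.
SAMPLE_CDRS = """\
2024-03-09 02:14:05,ext201,+2526312345678,540
2024-03-09 02:15:12,ext201,+2526312345678,600
2024-03-09 02:16:40,ext201,+88216212345678,900
2024-03-09 02:20:01,ext201,+2526312345678,1200
2024-03-09 09:30:00,ext104,+442071234567,120
2024-03-09 10:02:11,ext104,+14155550123,300
"""

# Assumed per-minute rates in GBP for a few prefixes (longest matching prefix wins).
RATES_PER_MINUTE = {
    "+252": 1.80,   # assumed high-cost international destination
    "+8821": 6.00,  # assumed satellite-phone range
    "+1": 0.02,
    "+44": 0.01,
}
DEFAULT_RATE = 0.05                  # anything not in the table
HIGH_RISK_PREFIXES = ("+252", "+8821")
BUSINESS_HOURS = (time(8, 0), time(18, 30))
DAILY_SPEND_LIMIT_GBP = 50.0        # block international dialling once exceeded
MAX_INTL_CALLS_PER_EXT_PER_HOUR = 3


def parse_cdr(line):
    start, ext, number, seconds = line.split(",")
    return {"start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
            "ext": ext, "number": number, "seconds": int(seconds)}


def rate_for(number):
    for prefix in sorted(RATES_PER_MINUTE, key=len, reverse=True):
        if number.startswith(prefix):
            return RATES_PER_MINUTE[prefix]
    return DEFAULT_RATE


def cost(cdr):
    """Cost of one call in GBP, billed per second at the destination's per-minute rate."""
    return round(rate_for(cdr["number"]) * cdr["seconds"] / 60, 2)


def is_international(number):
    return not number.startswith("+44")


def out_of_hours(start):
    return not (BUSINESS_HOURS[0] <= start.time() < BUSINESS_HOURS[1])


def analyse(cdr_text):
    """Return a list of (alert_type, subject, detail) tuples in the order they fire."""
    alerts = []
    spend_by_day = defaultdict(float)
    blocked_days = set()
    intl_per_ext_hour = defaultdict(int)
    for line in cdr_text.strip().splitlines():
        cdr = parse_cdr(line)
        day = cdr["start"].date()
        spend_by_day[day] += cost(cdr)
        number, ext = cdr["number"], cdr["ext"]
        if number.startswith(HIGH_RISK_PREFIXES):
            alerts.append(("HIGH_RISK_DESTINATION", ext, number))
        if is_international(number):
            if out_of_hours(cdr["start"]):
                alerts.append(("OUT_OF_HOURS_INTL", ext, cdr["start"].isoformat(" ")))
            hour = cdr["start"].replace(minute=0, second=0)
            intl_per_ext_hour[(ext, hour)] += 1
            if intl_per_ext_hour[(ext, hour)] == MAX_INTL_CALLS_PER_EXT_PER_HOUR + 1:
                alerts.append(("INTL_VOLUME", ext,
                               f"{intl_per_ext_hour[(ext, hour)]} international calls since {hour:%H:%M}"))
        # Spend cap: fire once per day; the platform should then block outbound international dialling.
        if spend_by_day[day] > DAILY_SPEND_LIMIT_GBP and day not in blocked_days:
            blocked_days.add(day)
            alerts.append(("SPEND_LIMIT", str(day),
                           f"GBP {spend_by_day[day]:.2f} exceeds cap, block outbound international"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_CDRS):
        print(*alert, sep=" | ")
```

On the constructed records the spend cap trips on the third call at 02:16, roughly two minutes after the first fraudulent call, which is the point: the same weekend attack discovered from the monthly invoice would have run for two days. In a real deployment the alerts feed a block action on the platform's outbound international route, not just a notification.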

SIP Scanning and Brute-Force Attacks

SIP scanning is the automated probing of internet-facing IP addresses to identify VoIP systems and test for default or weak credentials. Scanning tools such as SIPVicious are freely available and are used continuously by attackers to probe millions of IP addresses. A VoIP system is identified by its response to a SIP OPTIONS, REGISTER or INVITE probe, usually on UDP or TCP port 5060 (5061 for TLS). The tool then enumerates extensions by comparing the PBX's responses to REGISTER attempts for different account names (a 401 challenge for an account that exists against a 403 or 404 for one that does not) and runs common default credentials and dictionary password lists against the accounts it finds. SIPVicious identifies itself with the User-Agent string friendly-scanner, which is worth alerting on, but a scanner can change that trivially, so the more durable control is to make the PBX answer unknown accounts and wrong passwords identically (Asterisk's alwaysauthreject setting, for example) so that extensions cannot be enumerated in the first place.

If SIP credentials are obtained, the attacker can register as a legitimate extension on your VoIP system and begin making calls at your expense. Protection involves never exposing your VoIP system's SIP port directly to the public internet (use a Session Border Controller instead); using strong, randomly generated SIP passwords of at least 16 characters, because SIP digest authentication is an MD5 challenge-response that can be cracked offline from a single captured exchange if the password is weak; configuring fail2ban or equivalent brute-force protection to block a source IP address after a small number of failed authentication attempts within a short window; and restricting SIP registration to known IP address ranges where possible. Check the PBX's security log in the first days after go-live: failed REGISTER attempts from unfamiliar addresses are normal internet background noise and confirm that the scanners have already found the system.
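The "block after a small number of failures" control is what fail2ban's asterisk jail implements; the following added example (not fail2ban itself and not AMVIA's tooling) shows the same logic in a form you can read end to end. It parses constructed log lines written in the shape of Asterisk's security event log, bans any source that fails authentication five times within ten minutes, exempts assumed trusted ranges (the office LAN and the provider's SBC) so a mis-provisioned desk phone cannot lock the office out, and emits an nftables command whose table and set names are assumptions.

```python
"""fail2ban-style SIP brute-force protection over PBX security events.

Added example; it is not fail2ban and not AMVIA's tooling. The log
lines are constructed in the shape of Asterisk's security event log
(SecurityEvent="...", AccountID="...", RemoteAddress="IPV4/UDP/a.b.c.d/port"),
the thresholds mirror fail2ban's maxretry/findtime idea, and the trusted
ranges, table and set names in the generated nft command are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 5                       # failures before a ban
FIND_TIME = timedelta(seconds=600)  # ...within this window
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed"}
# Sources that must never be banned: office LAN and the provider's SBC (assumed ranges).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] [\w.]+: SecurityEvent="(?P<event>\w+)"'
    r'.*?AccountID="(?P<account>[^"]*)".*?RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>[\d.]+)/\d+"')


def security_line(ts, event, account, ip):
    """Constructed log line in the layout Asterisk's res_security_log writes."""
    return (f'[{ts}] SECURITY[1842] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts.replace(" ", "T")}.000+0000",Severity="Error",Service="PJSIP",'
            f'EventVersion="1",AccountID="{account}",SessionID="0x7f1",'
            f'LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/{ip}/5060"')


# Constructed sample: an internet scanner, a mis-provisioned office phone, and a slow prober.
SAMPLE_LOG = "\n".join(sorted(
    [security_line(f"2024-03-09 02:10:{s:02d}", "InvalidPassword", "201", "203.0.113.7") for s in range(1, 7)]
    + [security_line(f"2024-03-09 02:11:{s:02d}", "InvalidPassword", "110", "10.0.0.22") for s in range(1, 7)]
    + [security_line("2024-03-09 02:00:10", "InvalidAccountID", "admin", "192.0.2.50"),
       security_line("2024-03-09 02:12:10", "InvalidAccountID", "test", "192.0.2.50"),
       security_line("2024-03-09 02:25:10", "InvalidAccountID", "1000", "192.0.2.50"),
       security_line("2024-03-09 02:26:00", "SuccessfulAuth", "104", "192.0.2.50")]))


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def ban_command(ip):
    # Assumed nftables table/set; a drop rule on udp/tcp 5060-5061 would reference the set.
    return f"nft add element inet filter sip_banned {{ {ip} }}"


def detect(log_text):
    """Return ({banned_ip: ban_time}, {trusted_ip: failure_count})."""
    recent = defaultdict(deque)      # ip -> timestamps of failures inside FIND_TIME
    bans = {}
    trusted_failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] not in FAILURE_EVENTS:
            continue                 # successes and unrelated events are not counted
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = ipaddress.ip_address(m["ip"])
        if is_trusted(ip):
            trusted_failures[str(ip)] += 1   # report for the helpdesk, never ban
            continue
        if str(ip) in bans:
            continue
        window = recent[str(ip)]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()
        if len(window) >= MAX_RETRY:
            bans[str(ip)] = ts
    return bans, dict(trusted_failures)


if __name__ == "__main__":
    banned, noisy = detect(SAMPLE_LOG)
    for ip, when in banned.items():
        print(f"{when} ban {ip}: {ban_command(ip)}")
    for ip, n in noisy.items():
        print(f"trusted source {ip} failed {n} times: check device provisioning")
```

The scanner at 203.0.113.7 is banned on its fifth failure, four seconds into its run; the slow prober at 192.0.2.50 never accumulates five failures inside the window, which is exactly the gap that IP allowlisting on the SBC closes, since an allowlisted registration policy does not depend on the attacker being noisy.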

Call Interception and Eavesdropping

VoIP calls transmitted without encryption can be captured by anyone with access to the same network segment. This is particularly relevant for businesses using shared or public Wi-Fi networks, organisations with guest network access that is not properly segmented from the voice network, or any environment where the internal network has been compromised by malware or an insider threat. Captured call content can include sensitive commercial discussions, personal data subject to GDPR, financial information, and authentication credentials shared verbally.

Two encryption protocols protect VoIP calls in transit. SRTP (Secure Real-time Transport Protocol) encrypts the actual voice content, the audio of your conversation. TLS (Transport Layer Security) encrypts the SIP signalling, the data that establishes, manages, and terminates calls, including caller identity and dialled numbers. Both protocols should be enabled together on all business VoIP systems, and the pairing is not optional: with the common SDES key exchange the SRTP master key is carried in plaintext in the SDP body of the SIP INVITE, so SRTP over unencrypted SIP hands anyone capturing the signalling everything needed to decrypt the audio. The protection is also hop by hop: your provider decrypts and re-encrypts at its SBC, and the far leg of the call is only as secure as the far party's connection. Reputable hosted UCaaS platforms and security-conscious providers typically enable both by default, but confirm it with your provider, and check that handsets are actually registering over TLS on port 5061 rather than UDP 5060, rather than assuming.
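To make the SDES point concrete, here is an added example (not AMVIA's code or any vendor's) that inspects a constructed SIP INVITE and reports two things: whether the audio is offered as SRTP at all (an RTP/SAVP media line rather than RTP/AVP), and whether the a=crypto key is travelling in the clear because the top Via header shows UDP or TCP instead of TLS. The addresses, tags and the 30-byte key are made up; on a real system the same check runs over a SIP trace from the PBX or SBC.

```python
"""SDP inspection: is the audio offered as SRTP, and is the key exposed?

Added example, not AMVIA's or any vendor's code. It builds a constructed
SIP INVITE (addresses, tags and the SDES key are made up) and reports
whether the offer uses RTP/SAVP (SRTP) and whether the a=crypto SDES key
is travelling in the clear because the top Via shows UDP or TCP rather
than TLS.
"""
import base64
import re

# Constructed 30-byte SRTP master key (16) + salt (14), base64 as SDES carries it.
SDES_KEY = base64.b64encode(bytes(range(30))).decode()

VIA_RE = re.compile(r"^Via: SIP/2\.0/(\w+)", re.M)
MEDIA_RE = re.compile(r"^m=audio \d+ (\S+)", re.M)
CRYPTO_RE = re.compile(r"^a=crypto:\d+ (\S+) inline:([A-Za-z0-9+/=]+)", re.M)


def build_invite(profile, transport, crypto=True):
    """Constructed INVITE; profile 'RTP/AVP' (plain RTP) or 'RTP/SAVP' (SRTP)."""
    sdp = [
        "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        f"m=audio 49170 {profile} 0 8",
    ]
    if crypto:
        sdp.append(f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SDES_KEY}|2^31")
    sdp += ["a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000"]
    body = "\r\n".join(sdp) + "\r\n"
    port = 5061 if transport == "TLS" else 5060
    headers = [
        "INVITE sip:+442071234567@sip.example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bK776asdhds",
        'From: "Reception" <sip:201@192.0.2.10>;tag=1928301774',
        "To: <sip:+442071234567@sip.example.net>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def assess_offer(message):
    """Return {'srtp': bool, 'sdes_key_exposed': bool, 'findings': [str]}."""
    head, _, body = message.partition("\r\n\r\n")
    via = VIA_RE.search(head)
    transport = via.group(1).upper() if via else "UDP"
    media = MEDIA_RE.search(body)
    profile = media.group(1) if media else "none"
    srtp = profile == "RTP/SAVP"
    findings = []
    if not srtp:
        findings.append(f"audio offered as {profile}: plaintext RTP, readable by anyone on the path")
    crypto = CRYPTO_RE.search(body)
    key_exposed = False
    if crypto:
        raw = base64.b64decode(crypto.group(2))
        master_key = raw[:16]        # remaining 14 bytes are the master salt
        if transport != "TLS":
            key_exposed = True
            findings.append(
                f"{crypto.group(1)} master key {master_key.hex()} sent in SDP over {transport}: "
                "capturing this INVITE is enough to decrypt the SRTP audio")
    elif srtp:
        findings.append("RTP/SAVP offered with no a=crypto line: no SDES key material, check how keys are negotiated")
    return {"srtp": srtp, "sdes_key_exposed": key_exposed, "findings": findings}


if __name__ == "__main__":
    for profile, transport in (("RTP/AVP", "UDP"), ("RTP/SAVP", "UDP"), ("RTP/SAVP", "TLS")):
        offer = build_invite(profile, transport, crypto=(profile == "RTP/SAVP"))
        print(profile, "over", transport, "->", assess_offer(offer))
```

The middle case is the one to watch for in a provider review: SRTP switched on, TLS not, which looks encrypted on the handset display and is not.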

Vishing: Voice Phishing Targeting Your Staff

Vishing (voice phishing) uses phone calls to manipulate staff into disclosing credentials, authorising fraudulent payments, or providing system access. Attackers impersonate HMRC, banks, IT support providers, courier companies, or senior management. This attack type has grown significantly in recent years — particularly targeting finance teams, receptionists, and PA roles within UK businesses. Both the National Cyber Security Centre (NCSC) and Ofcom have issued specific guidance on vishing to UK organisations.

Vishing attacks are often more effective than email phishing because the real-time, conversational nature of a phone call creates urgency and makes it harder for the target to pause and verify. A caller claiming to be from the IT helpdesk asking a staff member to confirm their password, or someone impersonating the CEO asking the finance team to process an urgent payment, can be highly convincing — particularly when combined with information about the target gathered from social media or previous data breaches.

Technical controls help. Call authentication frameworks such as STIR/SHAKEN let the originating carrier sign an attestation that the presented number is legitimately in use, so terminating networks can flag or block calls whose caller ID has been spoofed, and call filtering can block known scam numbers. Two caveats apply. STIR/SHAKEN is mandated in the US and Canada; Ofcom has so far relied on caller-ID (CLI) rules that require UK providers to block calls presenting invalid numbers while a UK authentication approach is still being developed, so not every call into a UK business carries an attestation. And attestation vouches for the number, not the person: a fraudster calling from a genuinely registered number passes the check. Staff awareness training is therefore equally critical. Every member of staff should know that legitimate IT support, banks, and HMRC will never ask for passwords or remote access via an unsolicited call, and should understand the correct procedure for verifying unexpected callers (ring back on a number you already hold, never one the caller supplies) and reporting suspicious approaches. AMVIA provides vishing awareness training as part of its security awareness programme.

The Role of Session Border Controllers in VoIP Security

A Session Border Controller (SBC) is a dedicated network device, physical or virtual, that sits at the boundary between your internal VoIP network and the public internet. It operates as a back-to-back user agent: it terminates every SIP session on its outside interface and re-originates it on the inside, so the only address the outside world ever sees is the SBC's own. It acts as a security gateway for all SIP traffic, performing several critical functions: it hides the internal topology of your VoIP system from external probing; it enforces access control policies on SIP traffic; it provides protection against SIP-based denial-of-service attacks; it handles NAT traversal for VoIP traffic passing through firewalls; and it can enforce encryption policies for both signalling and media, for example requiring TLS and SRTP on the internet side even where a legacy PBX behind it still speaks unencrypted SIP.

For any business VoIP deployment that involves SIP trunking or Direct Routing to platforms such as Microsoft Teams, an SBC should be considered essential infrastructure rather than optional. AMVIA deploys and manages SBCs as part of its managed VoIP and cybersecurity services, ensuring that your VoIP system is never directly exposed to the public internet.

Denial-of-Service Attacks Against VoIP Infrastructure

Denial-of-service (DoS) attacks against VoIP infrastructure aim to disrupt your phone service by overwhelming your SIP infrastructure or internet connection with malicious traffic. A successful DoS attack can render your business phone system completely unavailable — preventing both inbound and outbound calls. For businesses that rely on telephone-based customer contact, sales, or support, even a short outage can have significant commercial impact.

Mitigation involves several layers: SBC-level rate limiting on SIP requests; firewall rules that restrict SIP traffic to known, trusted source IP addresses; bandwidth management to prevent VoIP traffic from being crowded out by volumetric attacks on the internet connection; and disaster recovery call routing that automatically diverts calls to mobile numbers or alternative sites if the primary VoIP service becomes unavailable.

VoIP Security Best Practices for UK SMEs

  • Change all default SIP passwords immediately: Many VoIP systems ship with manufacturer default SIP account credentials, and installers sometimes set the password to the extension number. Automated scanning tools probe the internet for such systems continuously, so change them before going live and use randomly generated passwords of at least 16 characters (letters, numbers, and symbols) that are unique per extension and never the same as the extension number or the web admin password.
  • Enable SRTP and TLS on your VoIP platform: If your current VoIP system or SIP trunk does not support encrypted call transport, discuss this with your provider urgently. Unencrypted VoIP is the equivalent of sending emails in plain text — anyone on the network path can read the content.
  • Deploy a Session Border Controller: Never expose your PBX or VoIP system's SIP interface directly to the public internet. An SBC provides a security boundary that conceals your internal infrastructure and enforces access policies.
  • Set international call limits and spending caps: Configure your VoIP platform to alert and automatically block when call spend or volume exceeds defined thresholds. Block calls to high-risk international destinations unless your business specifically requires them.
  • Implement real-time fraud monitoring: Do not wait for the monthly invoice to discover toll fraud. Configure real-time alerts on unusual call patterns — calls outside business hours, high volumes of international calls, or calls to unusual destinations.
  • Segment your voice network: Place VoIP devices on a separate VLAN from general data traffic. This limits the ability of compromised data devices to intercept or interfere with voice traffic.
  • Train staff on vishing awareness: Regularly brief all staff — particularly finance, reception, and PA roles — on vishing tactics, including how to verify unexpected callers, how to end suspicious calls professionally, and where to report them internally. Integrate vishing scenarios into your broader security awareness training.
  • Keep VoIP firmware and software updated: PBX systems, IP phones, and SBCs all require regular firmware updates to patch security vulnerabilities. Treat VoIP infrastructure with the same patch management discipline as servers and workstations.

How AMVIA Can Help

AMVIA configures VoIP security controls as standard on all managed VoIP deployments — including SIP credential hardening, SRTP/TLS encryption, Session Border Controller deployment, international call controls, spending caps, and real-time fraud detection alerting. Security events on VoIP infrastructure are monitored via AmviaIQ as part of AMVIA's broader managed cybersecurity service. AMVIA also provides vishing awareness content as part of its security awareness training programme for staff. Whether you are deploying a new VoIP system or need a security review of an existing one, AMVIA will ensure your business calls are protected. Call 0333 733 8050 to discuss VoIP security for your business.

VoIP Security Controls

Technical measures that protect business VoIP systems from attack.

SIP Authentication Hardening

Strong, unique credentials for SIP accounts — default passwords changed and brute-force protection enabled.

Encrypted Call Transport

SRTP for media encryption and TLS for SIP signalling — prevents eavesdropping on call content.

Toll Fraud Detection

Alerts and automatic blocks when unusual call patterns are detected — international call limits enforced.

SBC and Firewall Controls

Session border controllers and firewall rules restrict VoIP traffic to authorised sources.

VoIP Security Checklist

Essential security controls for business VoIP systems.

Default SIP passwords changed

All SIP account credentials unique and strong — no manufacturer defaults in use.

SRTP and TLS enabled

Call content and signalling encrypted in transit on all VoIP connections.

International call limits configured

Spend and volume thresholds set — automatic block triggers active for anomalous usage.

Session border controller in place

VoIP system not directly internet-facing — SBC provides a security and NAT traversal layer.

Fraud detection monitoring active

Real-time alerts configured for unusual call patterns — not waiting for the monthly invoice.

Staff trained on vishing awareness

Team understands vishing tactics and the correct procedure for handling suspicious calls.

VoIP Security FAQs

Secure Your Business VoIP System

AMVIA reviews your VoIP security configuration, implements fraud protection and encrypted call transport, and monitors VoIP infrastructure as part of a managed service.