Voice over IP systems carry communications most organisations treat as mission-critical — internal calls, customer service interactions, board discussions, executive coordination. The systems handle these communications with infrastructure that frequently receives less security investment than the data systems sitting on the same network. The threats specific to VoIP — toll fraud, eavesdropping, call manipulation, denial of service against communications, signalling abuse — are real and exploited regularly. Generic network security helps; it does not substitute for the VoIP-specific controls the systems need.
The Threats That Actually Materialise
Toll fraud is consistently the highest-volume VoIP attack — attackers compromise PBX systems or SIP credentials and route premium-rate calls that the victim pays for. Five-figure and six-figure fraud losses over a single weekend are not unusual when an unprotected SIP trunk is found. Eavesdropping on unencrypted voice streams enables capture of sensitive business discussions and authentication codes shared verbally. Call manipulation enables social engineering through caller ID spoofing and call rerouting. Denial of service against the SIP infrastructure can take communications offline during incidents when the organisation needs them most. The threats are not exotic; they are systematic, and they are exploited at scale.
Signalling and Media Protection
VoIP traffic consists of signalling (SIP or H.323 — connection setup and control) and media (RTP — the actual voice or video stream). Both need protection. SIP over TLS encrypts signalling and prevents credential exposure and tampering. SRTP encrypts media and prevents eavesdropping. Many deployments use one without the other — encrypting signalling without encrypting media, or vice versa — leaving substantive exposure in the unencrypted half. Effective VoIP security treats both as required, not optional, for any sensitive communications.
The Session Border Controller as the Boundary
A session border controller is the security function at the boundary between the organisation's VoIP infrastructure and external networks — carrier SIP trunks, partner integrations, remote workers. The SBC enforces signalling policies, normalises protocol variations, performs topology hiding, manages traversal of NAT and firewalls, applies rate limiting against signalling floods, and provides logging. VoIP deployments without an SBC frequently expose internal PBX systems directly to external networks, which is precisely the exposure that later compromises exploit. The SBC is to VoIP what the next-generation firewall is to general traffic — necessary infrastructure, not optional tooling.
A pattern in VoIP security assessments: the organisation has a modern unified communications platform from a major vendor, deployed with default configuration that satisfied initial deployment requirements and was never hardened against the actual threat environment. SIP signalling is permitted from broad external ranges, authentication uses default or weak credentials on some accounts, media is unencrypted, and the audit log retention is short. The platform is capable of strong security; the deployment did not configure it. The remediation is configuration discipline, not platform replacement.
Authentication and Account Discipline
SIP account credentials are the routine target of automated attacks. Brute-force attempts against SIP registration endpoints run continuously across the public internet. Accounts with weak passwords are compromised within days of exposure. Defensive discipline includes strong password policies enforced on SIP accounts, rate limiting against authentication attempts, IP-based restrictions where the calling pattern supports them, and monitoring for anomalous authentication patterns. Multi-factor authentication is supported in modern platforms for administrative access and increasingly for endpoint registration; deploying it where supported removes the most common attack path.
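As an added example (not code from the original article), the following Python flags the brute-force and anomalous authentication patterns described above over a constructed sample of SIP REGISTER log lines; the log format, regex and thresholds are assumptions, and the IP addresses are documentation ranges.

```python
"""Flag SIP REGISTER brute-force and account-enumeration patterns in auth logs.
Added example, not code from the original article. The log format is a
constructed, simplified one (timestamp, source IP, account, SIP result code);
real PBX and SBC logs differ, so LINE_RE would need adjusting to match them."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) REGISTER src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>\d{3})$")

# Constructed sample: one source hammering a single account, one source walking
# consecutive extensions, and one phone that got its password wrong once.
SAMPLE_LOG = """\
2024-05-02T03:14:01Z REGISTER src=203.0.113.45 user=1001 result=401
2024-05-02T03:14:02Z REGISTER src=203.0.113.45 user=1001 result=401
2024-05-02T03:14:03Z REGISTER src=203.0.113.45 user=1001 result=401
2024-05-02T03:14:04Z REGISTER src=203.0.113.45 user=1001 result=401
2024-05-02T03:14:05Z REGISTER src=203.0.113.45 user=1001 result=401
2024-05-02T03:15:00Z REGISTER src=198.51.100.7 user=1000 result=403
2024-05-02T03:15:01Z REGISTER src=198.51.100.7 user=1001 result=403
2024-05-02T03:15:02Z REGISTER src=198.51.100.7 user=1002 result=403
2024-05-02T03:15:03Z REGISTER src=198.51.100.7 user=1003 result=403
2024-05-02T03:20:00Z REGISTER src=10.20.30.40 user=2001 result=401
2024-05-02T03:20:05Z REGISTER src=10.20.30.40 user=2001 result=200
"""

def detect(log_text, window=timedelta(minutes=1), max_failures=5, max_users=4):
    """Return (source_ip, kind, count) findings: 'brute_force' when one source
    accumulates max_failures failed REGISTERs inside `window`, 'enumeration'
    when its failures inside `window` span max_users distinct accounts."""
    failures = defaultdict(list)  # src -> [(timestamp, user)] for non-2xx results
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"].startswith("2"):
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        failures[m["src"]].append((ts, m["user"]))
    findings = []
    for src, events in failures.items():
        events.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(events):
            users = [u for t, u in events[i:] if t - start <= window]
            if len(users) >= max_failures:
                findings.append((src, "brute_force", len(users)))
                break
            if len(set(users)) >= max_users:
                findings.append((src, "enumeration", len(set(users))))
                break
    return findings
```

Running `detect(SAMPLE_LOG)` reports the single-account hammering source as brute force and the extension-walking source as enumeration, while the phone that retried once is not flagged.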
Toll Fraud Mitigation Specifically
Toll fraud is preventable with controls aligned to the attack pattern. Outbound calling restrictions limit which extensions can dial premium-rate numbers, international destinations, and specific country codes that are common fraud targets. Cost thresholds trigger alerts or automatic suspensions when call patterns exceed normal volumes. After-hours restrictions limit calling during periods when legitimate activity is low but fraud activity is high. Monitoring detects anomalous call patterns in real time. Each control individually reduces fraud risk; collectively they make the attack uneconomic against the protected organisation, and attackers move to softer targets.
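The controls above, as an added example in Python that is not code from the original article: a dial-plan style check that applies per-extension destination restrictions, an after-hours block on non-domestic calls, and a daily cost cap fed from CDR totals. The extension classes, prefix table, business hours and cap are constructed placeholders.

```python
"""Evaluate an outbound call request against the toll-fraud controls described
above: class-of-service restrictions, after-hours limits and a daily cost cap.
Added example, not code from the original article. Extension classes, dialling
prefixes and thresholds are constructed placeholders, not a vetted dial plan."""
from datetime import datetime, time

# Constructed class-of-service table: destination classes each extension may
# reach. Most desk phones should only need domestic calling.
CLASS_OF_SERVICE = {
    "1001": {"domestic"},
    "1002": {"domestic", "international"},
}
# Constructed prefix table for a plan where 0 is the trunk-access digit, 00 the
# international prefix and 0900 a premium-rate range. Longest match wins.
PREFIXES = {"0900": "premium", "00": "international", "0": "domestic"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # non-domestic calls only inside
DAILY_COST_CAP = 50.0  # per extension per day, currency units (constructed)

def classify(number):
    """Map a dialled number to a destination class via longest prefix match."""
    for plen in range(len(number), 0, -1):
        if number[:plen] in PREFIXES:
            return PREFIXES[number[:plen]]
    return "unknown"

def authorise(ext, number, when_iso, spend_today):
    """Return (allowed, reason) for ext dialling number at ISO-8601 time
    when_iso, given spend_today: a dict of today's CDR cost per extension."""
    cls = classify(number)
    if cls not in CLASS_OF_SERVICE.get(ext, set()):
        return False, f"class {cls} not permitted for {ext}"
    start, end = BUSINESS_HOURS
    when = datetime.fromisoformat(when_iso).time()
    if cls != "domestic" and not start <= when < end:
        return False, f"{cls} calls blocked after hours"
    if spend_today.get(ext, 0.0) >= DAILY_COST_CAP:
        return False, f"daily cost cap reached for {ext}"
    return True, "ok"

if __name__ == "__main__":
    spend = {"1002": 12.5}  # constructed CDR totals for the day so far
    for ext, number, when in [("1001", "0044207946000", "2024-05-04T02:30"),
                              ("1002", "0044207946000", "2024-05-04T02:30"),
                              ("1002", "0044207946000", "2024-05-03T10:00")]:
        print(ext, number, when, authorise(ext, number, when, spend))
```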
Components of a Defensible VoIP Security Programme
- Session border controller protecting the boundary between internal VoIP and external networks
- SIP over TLS for signalling encryption and SRTP for media encryption — both, not one
- Strong authentication on SIP accounts with rate limiting against brute-force attempts
- Outbound calling restrictions, cost thresholds, and after-hours controls calibrated against toll fraud patterns
- Network segmentation isolating VoIP infrastructure from general workstation networks
- Logging of signalling and administrative events with retention sufficient for investigation
- Monitoring for anomalous call patterns, authentication failures, and signalling abuse
- Patching discipline for PBX and SBC systems matching the discipline applied to general infrastructure
Why VoIP Security Gets Under-Invested
VoIP systems often sit in a gap between security and communications teams — the security team treats them as infrastructure communications owns, and the communications team treats security as something security should handle. Neither team produces a substantive programme. The systems get attention after a toll fraud incident produces a visible bill, and by then the cost exceeds many years of preventive investment. The organisations that produce sustained VoIP security are the ones that close the ownership gap explicitly — putting communications systems under the same security operating model as the rest of the infrastructure, with the VoIP-specific controls layered on top.