SEARCH
SALES
SUPPORT
< INSIGHTS

The $28 Billion Problem: Enterprise Toll Fraud and How to Stop It

Every minute, attackers are stealing from your voice infrastructure. The numbers tell the story: global toll fraud costs enterprises and carriers approximately $28 billion annually—and this number is climbing as attackers become more sophisticated.

If you manage enterprise voice, operate a telecom network, or support a distributed team relying on voice and messaging, you're a target. Toll fraud doesn't discriminate. It hits mid-market operations as hard as it hits Fortune 500 companies. The difference? How quickly you detect and stop it.

This guide reveals the most common toll fraud techniques, why your infrastructure is vulnerable, and a proven 5-step framework to protect your business before attackers strike.

The Anatomy of a $28 Billion Problem

Toll fraud takes many forms, but they all share one goal: extracting value from your voice network without authorization. The scale is staggering:

  • International Revenue Share Fraud (IRSF) accounts for the largest share of telecom fraud losses, with attackers routing high-cost international calls to premium-rate numbers in complicit countries
  • Wangiri fraud exploits missed call callbacks to trigger expensive international termination charges
  • PBX hacking opens your internal phone system to unauthorized use, often without detection until the bill arrives
  • SIP trunk compromise allows attackers to inject calls into your carrier network, bypassing authentication entirely
  • Subscription fraud uses stolen credentials to activate calling features and drain prepaid balances

The common thread: attackers exploit gaps in authentication, monitoring, and real-time detection.

Why Enterprises Are Vulnerable

Your enterprise voice infrastructure sits at an intersection of complexity and exposure:

Open SIP Infrastructure Many organizations deploy Session Initiation Protocol (SIP) trunks to reduce carrier costs. When misconfigured—open to the internet, lacking authentication, running default credentials—SIP trunks become highways for fraud. Attackers scan the internet for open SIP ports, and compromising one trunk takes minutes.

Weak Authentication Legacy PBX systems often use basic authentication or shared credentials across multiple users. An employee's credentials stolen from a phishing attack can grant attackers direct access to your calling infrastructure. From there, they route international calls, bridge external numbers, and disappear before detection.

Shared Infrastructure Multi-tenant environments—cloud PBX, hosted voice, shared carrier infrastructure—create hidden exposure. If one tenant's system is compromised, attackers may pivot to adjacent tenants. Weak isolation between tenants amplifies the risk.

Visibility Gaps Many organizations lack real-time visibility into call patterns. You may not notice a spike in international calls or abnormal routing until the bill arrives days or weeks later. By then, thousands of dollars in fraudulent calls have already gone out.

Legacy Monitoring Rule-based fraud detection systems are reactive. They flag patterns after the fact. Modern fraud happens too fast—attackers launch automated attacks that operate for hours before traditional thresholds trigger alerts.

The Five Most Common Toll Fraud Techniques

1. International Revenue Share Fraud (IRSF) Attackers route outbound calls to premium-rate numbers in countries like Somalia, Iceland, or Sierra Leone. These numbers are often operated by the same attackers or criminal affiliates. The carrier in that country shares a portion of the termination fee with the originating carrier—hence "revenue share." An automated dialer can generate hundreds of calls per minute, each costing $2–$5. The fraud can rack up tens of thousands of dollars before your team notices.

2. Wangiri Fraud "Wangiri" is Japanese for "one ring and cut." Attackers call your employees' direct lines once, then hang up. Most people reflexively call back the number they see on their missed calls. The return call routes to a premium-rate international number, often in Japan, Ivory Coast, or other high-cost destinations. A single callback costs $3–$15. With hundreds of employees and automated callback systems, losses add up fast.

3. PBX Hacking and Toll Dialing Attackers gain access to your internal PBX through weak credentials, default logins, or social engineering. Once inside, they use your PBX as a calling hub to dial out to international numbers, routing calls through your carrier. Because the calls originate from inside your network, they bypass external authentication. The attacker pays nothing; your company pays the full international rate.

4. SIP Trunk Compromise If your SIP trunks are exposed to the internet or use weak authentication, attackers can inject calls directly into your carrier's network. They spoof your Caller ID, route calls to their own infrastructure, and bill the termination charges back to your account. In some cases, attackers use your compromised trunk to originate fraudulent calls that carry your company's number, damaging your reputation.

5. Subscription and Prepaid Fraud Attackers use stolen or purchased credentials to activate calling features, purchase calling credits, or enable international dialing. They then burn through the prepaid balance in minutes, making automated international calls. By the time the account holder reviews the bill, the credits are gone.

A 5-Step Framework for Real-Time Fraud Prevention

Modern toll fraud prevention depends on orchestration, real-time analysis, and automation. Here's how to build a system that catches fraud as it happens:

Step 1: Real-Time Call Analysis Deploy systems that analyze every call in real-time, not hours later. Look for anomalous patterns:

  • Sudden spikes in call volume to new destinations
  • Calls to known premium-rate number ranges
  • Traffic patterns that deviate from your baseline (e.g., international calls at 2 a.m. when your business is US-based)
  • Calls from internal extensions at unusual times or originating from unexpected locations

Real-time analysis means you can block calls before they complete, not after they've been billed.

Step 2: Geo-Fencing and Location Intelligence Map your known call endpoints and expected user locations. Flag calls that originate from impossible geographies—for example, an employee appearing to call from two continents within seconds. Use geographic intelligence to block calls to high-fraud countries unless explicitly whitelisted.

Step 3: Threshold Alerts and Automated Blocking Set dynamic thresholds for:

  • Cost per call (block calls exceeding typical rates)
  • Calls per minute per user or trunk
  • New destinations (first-time calls to premium-rate numbers)
  • International calling ratios (sudden shifts from primarily domestic to mostly international)

When thresholds are exceeded, the system should trigger alerts and automatically block further calls until manual review.

Step 4: STIR/SHAKEN Implementation Deploy STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) to authenticate Caller ID across your network and with external carriers. STIR/SHAKEN cryptographically verifies that the party originating a call is who they claim to be. This makes spoofing exponentially harder and helps prevent attackers from using your company's number to originate fraudulent calls.

Step 5: Carrier-Grade Orchestration Integrate your fraud detection, calling, and monitoring through a single orchestration layer. This ensures that:

  • Fraud signals flow instantly to blocking systems
  • Call routing can be dynamically adjusted based on fraud risk
  • Billing integration flags suspicious calls immediately
  • Compliance logs capture all detection and blocking activity for audits

How Peeredge Detects and Blocks Fraud in Real-Time

46 Labs' Peeredge platform is built on carrier-grade orchestration designed specifically to prevent fraud at scale. Here's how:

Native Real-Time Call Analysis: Peeredge analyzes every call as it transits the platform. Machine learning models identify fraudulent patterns in milliseconds, before calls can be completed or billed.

Dynamic Threat Intelligence: The platform ingests threat intelligence feeds about known fraud destinations, premium-rate numbers, and attack signatures. This intelligence is updated continuously and applied to all customer traffic.

STIR/SHAKEN Native: Peeredge processes STIR/SHAKEN tokens natively, verifying Caller ID authenticity and preventing spoofing-based fraud.

Flexible Orchestration: Fraud rules and thresholds can be customized per customer, per trunk, or per user. When fraud is detected, the orchestration layer can instantly adjust routing, block calls, or escalate to a security team.

Compliance and Auditability: Every fraud detection, every block, every decision is logged and auditable. This matters for FCC compliance, customer transparency, and incident response.

What Happens If You Don't Act

The cost of inaction is steep. A single successful IRSF or Wangiri campaign can cost an enterprise $10,000–$100,000 in a single day. Recovery takes time: investigating the breach, addressing the carrier's fraud claim, negotiating billing adjustments, and remediating the underlying vulnerability.

Worse, a compromised voice infrastructure can lead to:

  • Reputational damage (your company's number used for spam or phishing)
  • Compliance violations (if customer data is accessed during PBX hacking)
  • Cascading breaches (voice infrastructure often connects to data networks)

Next Steps: Protect Your Infrastructure Today

Toll fraud is not inevitable. A modern, orchestration-based approach to call analysis, authentication, and real-time blocking can reduce your fraud risk by 95% or more.

Start with these immediate actions:

  1. Audit your SIP trunks for open ports and weak authentication
  2. Review the past 90 days of your calling logs for anomalies
  3. Implement STIR/SHAKEN on all outbound calls
  4. Deploy real-time call analysis on all voice infrastructure
  5. Establish a fraud response playbook

If you manage enterprise voice infrastructure or operate a carrier network, schedule a 15-minute security assessment to see where your biggest fraud risks are. 46 Labs' security experts can review your architecture and recommend a hardening roadmap tailored to your business.

The $28 billion problem affects us all. But it doesn't have to affect you.