How to Protect Your Business From VoIP Toll Fraud, IRSF, and AI-Driven Telecom Attacks

If you’re still thinking of “phone hacking” as someone tapping a landline like it’s 1998… we’ve got news.
Telecom fraud has evolved into a $39.9 billion global problem—yes, billion—according to the Communications Fraud Control Association. And today’s attackers aren’t prank-calling your office. They’re using bots, automation, and even AI-generated voices to break into VoIP systems and rack up charges faster than your finance team can say “unauthorized transaction.”

This is no longer a consumer scam. This is a business-level financial threat. And your VoIP system, PBX, or SIP trunk may be more exposed than you think.

Below is your 2025 guide to understanding IRSF, toll fraud, modern attack methods, and the steps that actually protect today’s hybrid, cloud-first businesses.

What Is IRSF? (International Revenue Share Fraud)

IRSF is a type of telecom fraud where attackers break into your VoIP system and route calls to premium-rate international numbers they control. Think of it as credit card fraud—but using your phone system instead of your Visa card.

The IRSF acronym stands for International Revenue Share Fraud. Here’s the modern process:

1. The Reconnaissance

Attackers deploy automated bots to scan the internet for:

• Exposed SIP ports
• Misconfigured PBX systems
• Weak or default SIP credentials
• Open call-forwarding rules

2. The Breach

Once inside, they don’t “listen in.” They place outbound calls — thousands of them — to expensive international numbers in places with high carrier payouts (Somalia, Latvia, certain island nations, and other high-tariff regions).

3. The Payout

Each call generates revenue for the attacker via international revenue share agreements, costing you thousands (or tens of thousands) of hours.

It’s fast, automated, and silent — until the bill arrives.

Related Threat: Wangiri (One-Ring) Scam

“Wangiri” is Japanese for “one ring and cut,” and the concept is simple:

1. A bot calls one of your employees.
2. It rings once and hangs up.
3. The employee sees a missed call and dials back out of curiosity.
4. The number is a premium-rate international destination.
5. You pay for the call; the attacker profits.

These scams increasingly use:

• Local spoofing
• Legitimate-looking caller IDs
• Rotating numbers to evade carrier blocking

The New Frontier: AI Voice Cloning & Telecom Fraud

Attackers are now combining telecom access with AI-generated audio.

Here’s how it plays out:

1. Hackers scrape audio from earnings calls, podcasts, or online videos.
2. They clone an executive’s voice using consumer-grade AI tools.
3. They call an employee, vendor, or bank.
4. The “CEO” urgently requests a wire transfer or password reset.

This tactic has surged in finance and healthcare environments, where high-pressure approvals are common.

For CFOs, IT directors, and operations leaders, this is the new social engineering battleground.

How Toll Fraud Works in 2025 (Plain English Edition)

Attackers don’t hack phones. They hack access.

Modern telecom attacks target:

• SIP trunk credentials
• Admin portals
• Insecure cloud-PBX APIs
• Voicemail systems with callback features
• Call-forwarding rules
• Remote extensions left active after offboarding

You don’t need to be “targeted” to be exploited. Bots scan the internet continuously — meaning your system is tested every single day.

5 Steps to Secure Your PBX, VoIP, or Cloud Voice System

Below is what actually prevents toll fraud today. No snail-mail letters required.

1. Enable Geo-Blocking

If you don’t do business in Antarctica, Albania, or Madagascar… block calls to them.

Geo-blocking allows you to:

• Block all international destinations
• Whitelist only the countries you actually need
• Stop attackers even if they breach a SIP credential

This one setting blocks most IRSF attempts entirely.

2. Disable International Calling for Most Users

90% of employees don’t need international calling. Turning it off by default immediately:

• Shrinks the attack surface
• Stops extension-level abuse
• Eliminates accidental callbacks to Wangiri scams

Create specific roles or access groups for legit international callers.

3. Harden SIP Credentials and Ports

Attackers still bank on the fact that many VoIP systems use:

• Default SIP port 5060
• Simple admin passwords
• Reused credentials across extensions

Best practices:

• Change SIP ports
• Enforce long, complex passwords
• Rotate credentials regularly
• Require MFA on admin portals
• Disable anonymous SIP/guest access

These are the low-hanging fruit that attackers exploit first.

4. Monitor Call Traffic for Anomalies

Fraud signs include:

• Large volume spikes
• Unusual call destinations
• After-hours bursts
• Repeated failed registration attempts
• Calls from dormant extensions

Modern VoIP features include real-time dashboards — but only if someone is watching them.

This is where Kelley Create’s proactive monitoring comes in.

5. Use a Managed Cloud Voice Solution With Fraud Prevention Built In

A modern managed VoIP platform detects:

• Unusual calling patterns
• Rapid-fire call attempts
• High-cost destinations
• Suspicious login activity

And automatically:

• Blocks the source
• Alerts your IT team
• Prevents further billing

It’s fraud detection before you see a $40,000 bill.

The Kelley Create Advantage: Managed VoIP Security

Kelley Create doesn’t just install VoIP. We secure it.

Our Cloud Voice solutions include:

• Geo-blocking and country-level restrictions
• Real-time monitoring
• Automated fraud detection
• SIP hardening and configuration management
• MFA enforcement
• Secure onboarding and deactivation workflows
• Call analytics and anomaly detection

We design your VoIP environment with Zero Trust principles baked in—because your phone system is now a network asset, not a desk accessory.