What Are the Security Risks of VoIP for Businesses?


Because VoIP runs over the internet, it shares the same attack surface as any networked system, plus some risks unique to voice. For UK businesses, this matters: Ofcom, GDPR and PCI DSS all have direct implications for how you secure your phone system. Here's what the real threats look like, and what good protection addresses.
What Are the Main VoIP Security Threats — and How Are They Mitigated?
Toll fraud
Toll fraud is the most financially damaging VoIP attack. Criminals gain unauthorised access to your system and make high-volume calls to premium-rate international numbers they control, often running up thousands of pounds in hours. The best defence is a provider that restricts international and premium-rate calls by default, monitors for unusual call patterns in real time, and enforces strong SIP credentials from the outset.
Eavesdropping and call interception
Unencrypted VoIP traffic on a poorly secured network can be intercepted and recorded — particularly on shared Wi-Fi or unsegmented networks. Calls should be encrypted end-to-end using SRTP for media and TLS for signalling, and transmitted via secure network infrastructure rather than open internet paths.
SIP scanning and brute-force attacks
Automated bots continuously scan for open SIP ports and attempt to authenticate using common credentials. A successful attack lets criminals register rogue extensions or use your system for fraud. IP allowlisting, a Session Border Controller (SBC) at the network edge, and enforced rate limiting are the standard mitigations.
Denial of service attacks
Flooding a VoIP system with junk traffic to take phone lines offline is a recognised threat, sometimes used as a distraction during a secondary intrusion. Redundant infrastructure across multiple data centres removes the single point of failure that makes these attacks effective. For wider continuity in any outage scenario, see our guide on keeping VoIP running during a power cut.
Vishing (voice phishing)
VoIP makes caller ID spoofing cheap and easy. Attackers impersonate trusted numbers — a bank, an IT provider or HMRC — to manipulate staff into sharing credentials or authorising payments. No technical fix fully addresses this one. Staff training is the primary defence: verify identities through a secondary channel before acting on any unexpected call, and never authorise payments or system access based on a phone call alone. Call recording creates an auditable trail that is invaluable if a dispute arises.
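The two toll-fraud controls described above (international and premium-rate calls denied by default, plus real-time monitoring for unusual call patterns) can be sketched over call detail records. This is an added example, not The VoIP Shop's code; the record layout, window, threshold, allowlist and sample numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_RISKY = 3                    # assumed risky calls allowed per window

def classify(number):
    """Classify a dialled number from a UK dial plan's point of view."""
    n = number.replace(" ", "")
    for uk_prefix in ("+44", "0044"):          # normalise UK numbers to 0...
        if n.startswith(uk_prefix):
            n = "0" + n[len(uk_prefix):]
    if n.startswith(("+", "00")):
        return "international"
    if n.startswith("09"):                     # UK premium-rate range
        return "premium"
    return "standard"

def find_toll_fraud(cdrs, allowed=frozenset()):
    """cdrs: time-ordered (iso_time, extension, dialled_number) tuples."""
    recent = defaultdict(deque)                # extension -> risky call times
    alerts = []
    for ts, ext, number in cdrs:
        kind = classify(number)
        if kind == "standard":
            continue
        if ext not in allowed:                 # default-deny policy
            alerts.append((ts, ext, f"denied-by-default:{kind}"))
            continue
        when = datetime.fromisoformat(ts)
        calls = recent[ext]
        calls.append(when)
        while when - calls[0] > WINDOW:        # drop calls outside the window
            calls.popleft()
        if len(calls) > MAX_RISKY:             # unusual burst for this extension
            alerts.append((ts, ext, f"burst:{len(calls)}-calls"))
    return alerts

# Constructed sample records (fictional numbers, not real traffic).
SAMPLE_CDRS = [
    ("2024-03-02T02:00:00", "201", "0116 496 0123"),
    ("2024-03-02T02:01:00", "201", "0909 879 0123"),
    ("2024-03-02T02:02:00", "305", "+44 20 7946 0123"),
    ("2024-03-02T02:03:00", "305", "+1 202 555 0101"),
    ("2024-03-02T02:04:00", "305", "001 202 555 0102"),
    ("2024-03-02T02:05:00", "305", "001 202 555 0103"),
    ("2024-03-02T02:06:00", "305", "001 202 555 0104"),
    ("2024-03-02T02:30:00", "305", "001 202 555 0105"),
]
```

Called as `find_toll_fraud(SAMPLE_CDRS, allowed={"305"})`, extension 201 trips the default-deny rule on its premium-rate call, and extension 305, although allowlisted, trips the burst rule on its fourth international call within ten minutes.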
How Does VoIP Stay Compliant With GDPR and PCI DSS?
If your business handles personal data or card payments over the phone, your VoIP system must meet the relevant regulatory standards. Non-compliant call recording, insecure data storage and unencrypted transmission can all result in significant fines. Look for a provider that is UK GDPR compliant, PCI DSS certified and ICO registered, and can evidence it.
Should Security Be a Premium Add-On?
No, it should be built into the platform. At The VoIP Shop, that's how we run it: we are Cyber Essentials Certified, UK GDPR compliant (via Naq), PCI DSS certified, NHS DSP Toolkit approved, and ICO registered (reference ZA476885). Our infrastructure runs on Telehouse London Tier 1 data centres, the same standard used by major UK financial institutions.
If poor call quality is affecting you alongside security concerns, our call quality fix guide covers the network-level checks that often resolve both at once.
How Do I Know If My Current Phone System Meets These Standards?
If you're unsure, we offer a free security-focused VoIP consultation. Our UK-based team can review your current setup against Ofcom, GDPR and PCI DSS requirements and flag any gaps.
Speak to a specialist on 0116 402 2222 or get in touch via our website to book a consultation.
Written By | About the Author
Kully has over 15 years of experience in the VoIP and telecoms industry. Drawing on a background in telecoms sales and leadership, he provides expert, impartial advice on VoIP and cloud telephony solutions. As a lead author for The VoIP Shop, Kully helps businesses understand and adopt modern communication technologies.


















