VoIP Hacking: How It Works & How to Protect Your VoIP Phone

August 14, 2020 13 min read

Julie Bai

Julie Bai


VoIP phone systems differ from traditional setups because you don’t need copper wiring that spans across your entire office. Connections are made virtually using an internet connection. But that often causes security a big concern: everything is hosted in the cloud. Hacking a phone system isn’t as far-fetched as you might think.
The Internet of Things revolution means everything is done online. The phone system makes it challenging to verify callers and can springboard into new data breaches. Thus, social engineering is common.
Should someone use VoIP to carry out an attack, they can access sensitive customer data.
In this guide, we’ll share:

What is VoIP hacking?

VoIP hacking is a type of attack that a person uses to infiltrate your business phone system. They can listen in on calls, rack up expensive bills, and steal sensitive information–both about your business and your customers.
Hacks usually happen when one of your employees accidentally gives information to a scammer. These types of social engineering scams account for 97% of all malware attacks.
Hackers target people working in customer service and in the Network Operations Center (NOC), acting as someone else. Staff can unknowingly give unauthorized access to the hacker, and they take control of your VoIP phone system.
Access to your business’ phone system can launch other attacks. For example, a VoIP hack could access the information to charge your credit card, impersonate your business, and access private customer information.
It’s important to stay current on the ways business phone systems are compromised and review the steps you and your provider can take to secure communications.

Five types of VoIP hacking

VoIP phone systems have different network security risks than other traditional phone systems due to their setup. Here are the five most common types of VoIP hacking to be aware of.

1. Unauthorized use

This type of attack is when hackers use your business’ phone system to make phone calls.
Hackers can use your phone system to use robocalling and auto-dialing software. People who answer the phone to your caller ID will hear a prerecorded message asking them to do something—such as enter their credit card number to “confirm their account.” It isn’t your business making the call, though. The hacker now has access to all of that information.
Hackers can also conduct fraudulent activity using your legitimate business phone service. Your caller ID will show when they’re making phone calls using your VoIP system. They can impersonate your company to scam customers out of their private information.
The worst part? Unauthorized use of your VoIP system can go undetected, especially if you’re taking a DIY approach to setup. Regularly check your call logs and history, and set alerts if you go over a certain limit. That way, you’ll be notified of unauthorized use sooner than later.

2. Toll fraud

Toll fraud occurs when hackers make international calls to other devices. Toll charges for these long-distance phone numbers can be expensive and will be billed from your account. A staggering $27 billion is lost due to toll fraud, according to Trend Micro.
Attackers can target users and admins with phishing scams to gain unauthorized access to your VoIP system.
For example, hackers leave your finance team a voicemail that asks them to verify their banking information. Your employee doesn’t know the difference, so they return the phone call and give the verification codes—such as your phone system password or IP address.
The hacker then has information they can use to hack your VoIP phone system and make expensive long-distance calls.

3. Caller ID spoofing

When your phone rings and the caller ID appears, do you trust the number shown?
Caller ID isn’t always a reliable way to verify the person calling you. Attackers can use fake caller IDs and leverage them in coordination with another attack, like social engineering.
Employees often place a high value on a caller’s phone number or name. So, if they get a call from someone appearing to come from their VoIP provider, they might be fooled into exposing important information.
Giving that information, often without realizing it’s not who you expected on the other end, can give hackers access to your business’ VoIP system.

4. Eavesdropping

Do you take payments over the phone, or ask customers to call you to give personal information? If so, you’ll want to prevent eavesdropping. This is when hackers listen in on your real-time business phone calls or recordings like voicemails.
Eavesdropping is only possible when the connection is unencrypted or the local network itself is breached. Insecure Wi-Fi networks—those without Transport Layer Security (TLS) and Real-time Transport Protocol (SRTP) — can invite attackers to monitor the network.
Eavesdropping allows hackers to collect information on your business and your customers. They can access every interaction your business has had.
Depending on the conversations they listen to, there’s a risk of hackers:

  • Selling your customers’ private information
  • Selling proprietary information to your competitors
  • Bribing your business or customers. For example, they might ask for a cash sum to keep the recordings private, depending on the nature of the call.

5. Social engineering

Stages of social engineering attacks

Research shows that 62% of businesses experienced a social engineering attack in 2018. It’s a common type of VoIP hack because it preys on people, not technology.
Hackers try to build relationships with their victims so they think it’s a genuine call, but it’s not. The call is a hacker impersonating someone else to trick you into handing over sensitive information.

Social engineering is used by attackers because they prey on the fact that people genuinely want to be nice. It’s uncomfortable to say no when someone asks for something—especially if you’ve got no reason to doubt who they say they are.
There’s also a lack of awareness around social engineering campaigns. Employees are rarely educated about the risks of fraudulent phone calls from attackers disguising a caller ID.
Attackers prey on people to extract information about a target that can be used for later. This can include false account requests, like verifying your account, and harassing or threatening victims based on the data they’ve acquired.
These emotionally-charged situations pressure staff into doing something right now, and that going against proper procedure is the right thing to do.

11 defensive tactics to harden VoIP

Each of the VoIP hacks listed above are costly for businesses. The average cost per record stolen is $242 for U.S. companies—making it expensive and damaging if you fall victim to a hack.
But it’s not all bad news. Most VoIP vulnerabilities can be eliminated with better awareness, regular education, and proactive steps your internal team can take to strengthen your defenses.
Here are 11 best practices to consider for preventing your business from coming under attack.

1. Choose the right VoIP provider

A secure phone system starts with the provider you’ve chosen. A weak provider makes it easier for hackers to infiltrate your phone network and gain access to private information.
That’s why you should always check their security policy before you take out a contract with any VoIP service provider. You’ll want to make sure they:

  • Share their commitments to their network’s security and the countermeasures they have in place
  • Explain how to report a vulnerability
  • Have a plan of action if a hack does happen
  • Have accreditations that prove they’re up-to-date on security
  • Share a responsible security disclose program
  • Demonstrate good security practices

Take some time to dive into this, and inquire about your providers’ certifications. They should be able to give you this information on request. If they don’t, move on to a different VoIP provider.

2. Control administrator access

Administrative access to your VoIP infrastructure means the user can control everything related to your business phone system. The user can manage billing, join conference calls, set up new lines, and lead to more costly intrusions.
You should be extremely careful with which employees get administrative access to your VoIP phone system.
Giving everyone access increases the likelihood of a social engineering attack. People make mistakes, but with proper permissions, their impact is limited. It’s simple, don’t give administrative control to people who don’t need it and be sure to conduct user access reviews on a regular basis.
The more employees there are to persuade, the more at-risk you are of falling victim to a scam and giving the hacker administrative access to your network.

3. Use a VPN for remote access

Gartner reports that 82% of company leaders plan to allow their staff to work remotely. Those remote staff communicate with their coworkers and customers via phone, which makes them vulnerable to VoIP hacking.
However, a Virtual Private Network (VPN) encrypts those phone calls. Your remote team installs a VPN on their work devices—including their smartphone or softphone.
It creates a strong connection between that device and your phone system, just as you’d have in the office. They’re launching calls from your secure network, rather than their home network that could have its own set of vulnerabilities.
That makes it almost impossible for hackers to eavesdrop on the calls your remote workforce are making.

4. Use a VPN and enable endpoint filtering

The VPN you’re using should have an option to enable endpoint filtering. This limits connectivity to malicious sites.
VPN providers such as Sophos and Cisco use endpoint filtering to block the network from accessing sites that could download malware, or handing over information hackers can use against you, such as a public IP address.
This strengthens overall network connectivity and device integrity. There’s less risk of staff unknowingly visiting a website and compromising your phone system security.
It’s also a good idea to have a Wi-Fi Security VPN to secure your connection from cyber criminals. There are a number of solutions out there which provide this added layer of protection. Aura — a Wi-Fi security VPN company — tracks about 350K malware programs every day.

5. Test your network

It’s not unusual for small businesses to setup their VoIP system once and never look at it again. However, doing this leaves you at risk for a VoIP hack. The setup you’re using might no longer be as secure as it once was.
Regularly checking your network allows you to spot any holes in your VoIP security. Administrators should regularly evaluate access and best practices to avoid compromise.
For example, you might see that:

  • Staff who left the company two years ago still have accounts
  • Your admin passwords haven’t been changed in two years
  • The connection gateway doesn’t have Transport Layer Security (TLS) or Real-time Transport Protocol (SRTP), which means VoIP calls aren’t encrypted

Your IT department should also conduct an annual security check. This “penetration test” simulates a hacker and determines whether the network is secure. Any potential weaknesses should be reviewed and fixed as soon as possible.

6. Monitor your call and access logs

A call log is the history of incoming and outgoing calls your business has made. It’s not just useful for sales purposes, though. Access to these call logs mean you’re able to see:

  • The date and time of each call
  • How many calls you’re making to a specific number
  • The location of your calls, both the business’ side and your customer locations.

You can easily see whether your VoIP phone system has been hacked with these logs. Regularly monitoring your call logs means you’ll get to know what “normal” looks like. Any anomalies that might signal a hack can be spotted—even before your call limits stop them.
Similarly, an access log shows who has signed into your VoIP phone system. If you spot an unusual IP address, or see that your administrator signed in at 11pm (when they were asleep), you’ll spot an intruder.

7. Build awareness around strong passwords

When you’re setting up your VoIP solution, your provider will give a default password to help you get started. But it’s crucial to change your password from the default setting as soon as possible.
But that’s not always enough to secure your VoIP phone system. You need to build awareness around strong passwords with your workforce. Avoid the most common passwords, and avoid repeating the same combinations.
Repeat password usage, known as credential stuffing, means that a hacker can access other platforms if they crack this one, and vice versa. If they can figure out a customer service agent’s Facebook password, they’ll try the same combination on your VoIP phone system. The passwords for each VoIP account should be completely unique.
In addition, aim for longer passcodes rather than those containing special elements to meet the minimum character limit.
Complex passwords with exclamation points, capital letters, and special characters are hard to remember. Staff might write them down on sticky notes or save them in their email—both of which are relatively easy for hackers to find.
However, security experts at Black Hills recommend creating passwords that are lengthy. It’s harder and longer to crack a 20-character password than it is one with eight characters. And it’s easier to remember.
That way, you’re making it harder for a hacker to gain access to your VoIP system. The default, unsecure password isn’t there waiting to be hacked.

8. Use two-factor authentication

These days, a strong password isn’t enough of a deterrent for a hacker. It’s not impossible for smart, experienced hackers to crack a password—hence why you should have two-factor authentication for your VoIP phone system.
Two-factor authentication adds another layer of security on top of your password. Users need to authenticate their sign-in by:

  • Recording themselves saying a secret code
  • Scanning a QR code with an authenticator app
  • Using their fingerprint ID

With one of these additional authentication features, hackers won’t be able to gain access to your VoIP solution—even if they have your password. Only the people with the correct second-step credentials can get in.

9. Train your team on cybersecurity

Just one security hole in your phone system can leave you exposed to a VoIP hack. The same concept applies to your staff, too: one uneducated staff might make a mistake that causes an expensive data breach in your business phone system.
Whenever you’re onboarding your staff, give a mini-education on cybersecurity. Explain the importance of a strong password, install a VPN on their device, and educate them on the different types of VoIP hacks.
But remember: security isn’t a one-and-done job. Make it a priority to schedule cybersecurity training for your team members so they don’t get slack.

10. Have a mobile device management policy

Did you know that 59% of business professionals use at least three devices while at work? Your staff might bring their personal devices, or another laptop, to the office. Each of those devices need to be up-to-par security-wise.
Make sure your staff’s personal devices aren’t exposing a hole in your phone system—especially if they’re using those devices to make business VoIP calls. You can do that with a mobile device management policy with details like:

  • All personal devices must be connected to the Wi-Fi network for encrypted voice conversations
  • The software on the mobile device must be up-to-date if it’s being used for business purposes
  • All smartphones must have fingerprint ID to unlock the device
  • Staff must report any stolen or misplaced devices immediately

11. Have a response plan ready in case of a breach

Hackers are getting smarter, and they’ve got access to a growing number of tools to gain access to your business phone system. Sometimes, your in-house security tactics aren’t strong enough to deter them.
You should always have a data breach response plan, regardless of how strong your security measures are. This document outlines what you’ll do in the event of an attack. You won’t be running around like a headless chicken wondering what to do—which adds to the stress of the entire hack.
A disaster preparedness plan will come in handy, too. Research shows that 40% of small businesses fail to reopen after a major disaster. But taking steps to outline what you’ll do helps minimize the chances of yours going under after a data breach.

Is Your VoIP Provider Doing Their Part?

As you can see, there are several actions you can take to make your VoIP phone system more secure. But sometimes, data breaches happen as a result of your provider’s mistakes.
Here are seven ways to confirm whether your provider is doing their part.

1. Check for accreditations (like HIPAA compliance)

The easiest way to make a shortlist of VoIP providers is to check whether they have accreditations. These are certificates that prove your chosen provider meets industry-standard security standards.
If your business operates in specific industries, you’ll need your VoIP provider to have relevant accreditations, too. Take healthcare for example, it’s the industry with the most cyber-attacks because hackers will gain access to tons of sensitive, personal data.

2019 Cost of a Data Breach by Industry - IBM
Source: IBM

The Health Insurance Portability and Accountability Act (HIPAA) aims to help businesses secure health-related data. It acts as a basic level of security that all businesses must have if they’re storing patient records. Your VoIP provider must be HIPAA compliant if you’re in this sector.

2. Look for intrusion prevention systems

An intrusion prevention system does what it says on the tin: prevents hackers from hacking your VoIP phone system. Check whether your provider offers this.
It usually comes in two parts:

  • VoIP traffic tracking: Your VoIP phone provider should be able to track traffic on your phone network. Too many incoming calls could be a DDoS attack. Monitoring this traffic can block the calls before your network gets overwhelmed and shuts down.
  • Alerts for suspicious activity: The warning signs of a VoIP hack can include an influx of calls, more international calls, or logins from other devices. Look for a VoIP provider that alerts you when these things happen so you can remove the risk.

3. Look for call encryption

Hackers can gain access to your VoIP system through insecure internet connections. Once they’ve got into your Wi-Fi network, they can eavesdrop on all network traffic, including calls coming in and out of your office.
Transport Layer Security (TLS) hides the data being transferred from the data center to your VoIP devices. It also authenticates that the person behind the call is who you expect them to be, making it more obvious when a caller ID is being spoofed.
Encrypted voice conversations add an extra layer of security to your internet connection. With TLS from your VoIP provider, it’s almost impossible for a hacker to pick-up on call data you’re passing through your phone network.

4. Update the firmware on VoIP devices

Almost every piece of business software releases regular updates. These refreshes to the actual firmware can release new features, repair bugs—and more importantly, fix security holes.
It’s crucial to make sure the firmware your VoIP provider supplies is always up to date. You can check whether the provider will install these updates for you. But if not, you should be able to sign into your online account and do it manually.
Remember to do this on all of your VoIP devices, too. One device running with weak, old firmware might be the hole hackers need to control your phone system.

5. Check VoIP call limit options

Earlier, we mentioned that one of the most common VoIP hacks is caller ID spoofing. It happens when a hacker gains access to your VoIP network and uses your account to make expensive long distance calls.
However, your VoIP provider can help protect against attacks. Check for features that limit calls by:

  • Time of day
  • Device
  • User

That way, a large influx of calls gets flagged immediately. The hackers using your information to make long-distance calls are spotted (and blocked) before they rack-up any huge bills.

VoIP hacks are preventable

VoIP is a secure phone system that’s more reliable and modern than a traditional phone system. But with everything stored in the cloud, you need extra security features to make sure your setup is secure.
There’s no better time than now to check whether your VoIP phone system is airtight. Just the smallest security hole can expose your data to hackers, who can use that information against you and your customers.
But remember, the provider you’re choosing is just as important as the precautions you take.
Here at Nextiva, our cloud PBX system has the security features we’ve mentioned, and more. Plus, our network is backed by eight military-grade data centers. To say we’re committed to security is an understatement.

Julie Bai


Julie Bai

Julie Bai was a product manager at Nextiva, UCaaS evangelist, no-bull communicator, and translator for people, dog lover, and mother to an adorably active boy.

Posts from this author
Call badge icon