Your office manager pulls you aside on a Monday morning. Over the weekend, someone routed 4,000 international calls through your PBX to premium-rate numbers in Eastern Europe. The bill is already north of $12,000, and your inbound lines are dead. Customers who called your main number heard silence or a foreign dial tone. Your VoIP system has been hacked.
This scenario plays out at small and mid-size businesses more often than most owners realize. The good news: if you act fast and follow a clear process, you can contain the damage, restore service, and prevent it from happening again. Here is exactly how to do that.
Speed matters. Every minute an attacker has access, they can rack up toll fraud charges, eavesdrop on calls, or pivot deeper into your network.
Disconnect compromised devices. Any phone, softphone, or gateway involved in the intrusion should be pulled off the network or powered down. If your PBX or SIP server has been breached, isolate it from external connections. Halt inbound and outbound VoIP traffic while keeping internal access available for your assessment.
Change every credential. Reset administrative logins, SIP extension passwords, and voicemail PINs. Every device and account should get a complex, unique password. If you were reusing passwords across systems, change those too.
Preserve your logs. Before you reset or reconfigure anything, back up your SIP call records, firewall event logs, and authentication logs. Your IT team or a forensic investigator will need these to determine how the attacker got in and what they accessed.
Check for data exposure. Even if the attacker only made fraudulent calls, your system settings, extension lists, and internal network maps may have been visible to them. Determine whether any customer data, call recordings, or credentials were exposed.
Once the bleeding has stopped, shift your focus to getting back online securely.
Patch everything. Update your PBX firmware, phone endpoint software, and SIP server to the latest stable versions. Outdated firmware is one of the most common entry points for VoIP attackers. Apply every pending security patch before reconnecting devices.
Lock down your firewall and SIP access. Reconfigure your firewall and session border controllers (SBCs) to allow connections only from trusted IP addresses and your service provider’s ranges. Close any open SIP ports that do not need external access. If you are not using an SBC, now is the time to deploy one. SBCs regulate VoIP traffic between your internal and external networks and block malformed SIP packets from reaching your core systems.
Encrypt your voice traffic. Enable TLS for SIP signaling and SRTP for voice streams. This prevents eavesdropping and call manipulation. Place your voice traffic on a dedicated VLAN, separate from your data network, to reduce cross-contamination risk and make monitoring easier.
Rebuild from clean backups. Restore your configuration from a backup taken before the breach, not after. Once restored, test every function: inbound calls, outbound calls, internal extensions, voicemail, call forwarding, and remote extensions. Do not declare the system operational until each one works correctly.
If your phones connect but inbound calls still fail, check your inbound routes, DNS SRV records, and SIP trunk configuration. A single incorrect digit in a route or a stale NAT entry can silently block incoming calls. If phones show registered but cannot make or receive calls while your internet works fine, the issue is likely blocked SIP or RTP ports, mismatched NAT settings, or misaligned firewall rules.
Recovering from a breach without strengthening your defenses is just waiting for it to happen again.
Add multifactor authentication. Every administrative interface for your PBX, router, or hosted VoIP dashboard should require MFA. Limit login attempts and restrict admin access to specific IP addresses to block brute-force attacks.
Segment your network. Keep voice traffic separated from your data network. Configure Quality of Service (QoS) policies so voice packets get priority without opening unnecessary ports. This limits the blast radius if any other system on your network gets compromised.
Monitor continuously. Set up real-time alerts for unusual activity: unexpected spikes in call volume, connections from unfamiliar IP addresses, calls to premium-rate or international numbers outside your normal patterns. Automated tools catch the obvious anomalies, but schedule regular human review of traffic logs to catch subtle patterns that scripts miss.
Train your team. Many VoIP breaches start with human error, such as weak passwords, unsecured Wi-Fi connections, or unvetted third-party apps. Run regular training that covers credential security, phishing recognition, and how to report unusual system behavior immediately.
VoIP security is not a project with an end date. It is an ongoing operational discipline.
Schedule quarterly vulnerability assessments. Test whether old extensions or unpatched phones are still active on your network. Review access rules, network segmentation, and monitoring thresholds every quarter to make sure they match your current operations, especially as you add remote workers, new locations, or third-party integrations.
Document and audit access. Record every configuration change. Maintain a clear list of who has administrative access. Rotate credentials on a set schedule and decommission unused accounts the same day an employee leaves.
Retain logs for analysis. Keep call detail records (CDRs) and authentication logs for at least six months. These records are invaluable for spotting slow-burn attacks and for compliance audits.
Choose a provider that takes security seriously. Your telecom provider’s security practices directly affect yours. Partner with a provider that offers built-in encryption, consistent patching, redundant infrastructure, and responsive technical support. A provider that treats security as optional will eventually become your weakest link.
Skipping these steps is expensive. Beyond the immediate toll fraud charges, a compromised VoIP system causes service downtime, lost productivity, regulatory penalties, and customer trust damage. According to Statista, the average cost of a data breach in the United States continues to climb year over year (source).
A single weak password on one SIP extension can expose your entire network. The cost of proper security, including strong passwords, patching, monitoring, and a reliable provider, is a fraction of what a single breach response costs.
How do I know if my VoIP system has been hacked? Common signs include unexpected spikes in your phone bill (especially international or premium-rate calls), calls appearing in your CDRs that no one in your office made, inbound calls failing while your internet connection works fine, unfamiliar extensions or forwarding rules in your PBX configuration, and employees reporting strange noises or dropped calls. If you notice any of these, investigate immediately.
Can hackers listen to my VoIP calls? Yes, if your voice traffic is not encrypted. Without TLS for SIP signaling and SRTP for voice streams, an attacker with network access can capture and replay your conversations. Encrypting both signaling and media streams makes eavesdropping effectively impossible for anyone without your encryption keys.
How long does it take to recover from a VoIP breach? A well-prepared business with clean backups and a documented response plan can restore service within a few hours. Without backups or a plan, recovery can take days or even weeks, especially if the attacker modified PBX configurations or corrupted call routing tables. The time you invest in preparation directly reduces your downtime.
Should I report a VoIP hack to law enforcement? Yes. Toll fraud and unauthorized system access are federal crimes. File a report with the FBI’s Internet Crime Complaint Center (IC3) and notify your telecom provider immediately. Your provider can help block fraudulent call routes and may have additional forensic data. If customer data was exposed, you may also have state-level breach notification obligations.
What is the most common way hackers break into VoIP systems? Weak or default passwords on SIP extensions and PBX admin interfaces are the number one entry point. Attackers use automated tools that scan the internet for open SIP ports and attempt thousands of password combinations per hour. The second most common vector is unpatched firmware with known vulnerabilities. Strong, unique passwords and timely patching eliminate the vast majority of VoIP attacks.
If this guide made you realize your VoIP system needs stronger security, or if you are already dealing with a breach, 1stel can help. We build and manage business phone systems with security designed in from the start, not bolted on after an incident.
Contact 1stel today to audit your current VoIP setup and build a communication system that hackers cannot crack.