Most companies find out about toll fraud the same way: the carrier invoice arrives, someone in accounting asks why the phone bill is four times normal, and by then the money is gone. Each fraudulent call left a record in your PBX the moment it happened. The evidence sat in your CDR or SMDR stream the whole time, unread.

This post covers how PBX toll fraud works in practice, then walks through seven call-record patterns you can use to spot it, with a sensible alert threshold for each.

How attackers get into your PBX

You don’t need to be a target to get hit. Attackers scan the whole internet for phone systems the way they scan for open RDP ports. The three entry points we see most often:

Compromised voicemail and DISA. Many systems still allow through-dialing: call into a voicemail box or a DISA port, enter a PIN, and get outside dial tone. Automated dialers guess default PINs (0000, 1234, the extension number itself) in minutes. The attacker now has a legitimate-looking outbound route through your trunks.

Stolen SIP credentials. If your IP PBX (Asterisk, FreePBX, 3CX, or an IP-enabled Cisco, Avaya, or Mitel deployment) has SIP registration reachable from the internet, scanners like SIPVicious will find it and brute-force weak extension passwords. Once registered, the attacker’s softphone places calls as if it were sitting at a desk in your office.

Call forwarding abuse. An attacker who gets brief access to an extension (at the desk, or through a compromised user portal) sets call forwarding to an international premium number. Then they dial your toll-free number, get forwarded, and you pay both legs. The forward sits there until someone notices.

In all three cases, the fraud monetizes through International Revenue Share Fraud (IRSF): the attacker pumps traffic to premium-rate numbers and splits the per-minute revenue with a shady number provider. Their incentive is to push as many minutes as possible before you notice, and that volume makes the CDR patterns loud once you know what to look for.

The 7 patterns

1. After-hours international spikes

Fraud runs at night because the office is empty and the attacker often works business hours in another timezone.

In the CDR: outbound calls carrying an international access code (011 on North American systems, 00 in most other countries, or a leading + where the PBX logs E.164 digits) stamped between about 23:00 and 06:00 local time, from extensions with no daytime international history.

Threshold: alert on any international call between 23:00 and 06:00 unless the extension is on an approved list (after-hours support desks, offices calling overseas branches). If the approved list gets too long to maintain, alert at more than 3 international calls per hour in that window.

2. Calls to premium-rate destinations

IRSF traffic concentrates in a stable set of destinations where premium ranges are cheap to lease. Country codes that show up again and again in fraud reports: +53 (Cuba), +252 (Somalia), +232 (Sierra Leone), +220 (Gambia), +224 (Guinea), +239 (São Tomé), +960 (Maldives), +370 (Lithuania), +371 (Latvia), +216 (Tunisia), +263 (Zimbabwe). Also watch domestic premium prefixes and satellite ranges (+881, +882).

In the CDR: the dialed-number field, once the access code (011, 00, or +) is stripped, begins with one of these codes. A prefix match against a watchlist table catches it; match longest prefix first so a longer code is never shadowed by a shorter one that shares its leading digits.

Threshold: alert on the first call to any watchlist destination, day or night. If your business has a legitimate reason to call one of these countries, remove that single code from the list rather than loosening the rule.
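The two rules above, as an added example rather than code from this post or from PBXDom. The record layout (start, ext, direction, dialed digits, duration) is constructed for the example and a real vendor export must be mapped into it first; timestamps are assumed to be site-local, the site is assumed to be in the NANP (011 as the international access code), and the approved extension 202 is an assumption.

```python
"""Patterns 1 and 2 over a normalized CDR feed. Added example, not code from
the post or from PBXDom; the record layout is constructed and real vendor
exports must be mapped into it first. Timestamps are assumed site-local."""
from collections import defaultdict
from datetime import datetime, timedelta

# Country codes from the post's IRSF watchlist plus the satellite ranges.
WATCHLIST = ["53", "252", "232", "220", "224", "239", "960",
             "370", "371", "216", "263", "881", "882"]
NIGHT_START, NIGHT_END = 23, 6   # the post's 23:00-06:00 window


def to_e164(dialed):
    """Return (is_international, digits). Assumes a NANP site where 011 is the
    international access code; 00 and a leading + are accepted as well."""
    for access in ("+", "011", "00"):
        if dialed.startswith(access):
            return True, dialed[len(access):]
    return False, dialed


def watchlist_code(digits):
    """Longest-prefix match, so a longer code beats a shorter one that shares
    its first digits. Returns None for destinations not on the list."""
    for code in sorted(WATCHLIST, key=len, reverse=True):
        if digits.startswith(code):
            return code
    return None


def is_night(ts):
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def after_hours_international(rows, approved=frozenset(), per_hour_limit=None):
    """Pattern 1. With an approved list, every night-time international call
    from an extension not on it is a hit. With per_hour_limit set instead,
    only extensions making more than that many such calls in one hour are
    reported. Returns {(ext, 'YYYY-MM-DDTHH'): count}."""
    counts = defaultdict(int)
    for ts, ext, direction, dialed, _ in rows:
        intl, _ = to_e164(dialed)
        if direction == "out" and intl and is_night(ts) and ext not in approved:
            counts[(ext, ts.strftime("%Y-%m-%dT%H"))] += 1
    if per_hour_limit is not None:
        return {k: n for k, n in counts.items() if n > per_hour_limit}
    return dict(counts)


def watchlist_destinations(rows):
    """Pattern 2: any outbound call to a watchlist code, day or night,
    aggregated per (ext, country code) so the first hit is not lost in a storm."""
    hits = defaultdict(int)
    for ts, ext, direction, dialed, _ in rows:
        intl, digits = to_e164(dialed)
        code = watchlist_code(digits) if direction == "out" and intl else None
        if code:
            hits[(ext, code)] += 1
    return dict(hits)


def sample_rows():
    """Constructed records: (start, ext, direction, dialed, duration_s).
    Ext 202 is assumed to be an approved after-hours desk."""
    rows = [
        (datetime(2024, 3, 5, 9, 40), "202", "out", "01144207946123", 312),   # London, daytime
        (datetime(2024, 3, 5, 23, 30), "202", "out", "01144207946123", 400),  # approved desk at night
        (datetime(2024, 3, 5, 23, 45), "201", "out", "0114930123456", 180),   # Berlin, not approved
        (datetime(2024, 3, 6, 1, 15), "201", "out", "+442079461234", 30),     # E.164-style digits
        (datetime(2024, 3, 6, 10, 0), "205", "out", "12125551234", 600),      # domestic, ignored
    ]
    for i in range(8):   # a night burst from ext 318 to Somalia (+252)
        rows.append((datetime(2024, 3, 6, 2, 10) + timedelta(seconds=11 * i),
                     "318", "out", f"011252615{i:06d}", 9))
    return rows


if __name__ == "__main__":
    print(after_hours_international(sample_rows(), approved={"202"}))
    print(after_hours_international(sample_rows(), per_hour_limit=3))
    print(watchlist_destinations(sample_rows()))
```

With the approved list, the Berlin call and the Somalia burst are reported and the desk's London call is not; with the per-hour fallback, only the burst clears the line, which is the trade-off the threshold paragraph describes.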

3. Short-duration call storms

Before pumping traffic, attackers test routes: dozens of calls lasting 5–30 seconds to confirm which prefixes complete through your trunks. Some IRSF schemes also bill on answer, so the fraud itself can be a storm of short answered calls.

In the CDR: a burst of outbound records with durations under 30 seconds, same or similar destination prefix, often from a single extension or SIP peer, spaced seconds apart.

Threshold: more than 20 outbound calls under 30 seconds to the same destination prefix within 10 minutes. That cadence comes from an autodialer; a person pauses, redials, gives up, and you can read the difference in the timestamps.

4. Outbound calls from dormant extensions

A conference-room phone, a departed employee’s extension, a voicemail-only box: anything with no originated calls in 60+ days that starts placing outbound calls is a strong compromise signal. Attackers pick the accounts that sit unwatched.

In the CDR: an originating extension appears in outbound records after a long gap. You need history to catch this, which is a good argument for keeping at least 90 days of CDR data queryable.

Threshold: any outbound trunk call from an extension with zero originations in the prior 60 days. Expect a few false positives after office moves; they’re cheap to dismiss.
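Patterns 3 and 4 over outbound records, as an added example that is not code from the post or from PBXDom. The record layout (start, ext, dialed digits, duration) and the traffic are constructed; the storm rule groups on the dialed digits exactly as logged, and the dormancy rule deliberately refuses to judge any call whose 60-day lookback reaches past the oldest record it has, which is the history requirement the paragraph above mentions.

```python
"""Patterns 3 and 4 over outbound CDR records. Added example, not code from
the post or from PBXDom; the record layout (start, ext, dialed, duration_s)
is constructed, and a real export must be mapped into it first."""
from collections import defaultdict
from datetime import datetime, timedelta


def short_call_storms(rows, max_dur=30, min_calls=20,
                      window=timedelta(minutes=10), prefix_len=8):
    """Pattern 3: more than 20 calls under 30 s to the same leading digits
    inside any 10-minute window. One sliding window per prefix; returns the
    largest burst seen for each prefix that crossed the line. Grouping is on
    the digits as logged: if your PBX mixes 011/00/+ access codes, strip
    them before grouping."""
    by_prefix = defaultdict(list)
    for start, ext, dialed, dur in sorted(rows):
        if dur < max_dur:
            by_prefix[dialed[:prefix_len]].append(start)
    storms = {}
    for prefix, times in by_prefix.items():   # times are in start order
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:     # drop calls older than the window
                lo += 1
            best = max(best, hi - lo + 1)
        if best > min_calls:
            storms[prefix] = best
    return storms


def dormant_extension_activity(rows, quiet=timedelta(days=60)):
    """Pattern 4: an outbound call from an extension with no originations in
    the prior 60 days. Returns (ext, call_time, previous_call_time). Calls
    whose lookback reaches past the oldest record are skipped: without 60
    days of history you cannot tell dormant from newly provisioned."""
    rows = sorted(rows)
    if not rows:
        return []
    history_start = rows[0][0]
    last_seen, alerts = {}, []
    for start, ext, dialed, dur in rows:
        prev = last_seen.get(ext)
        if start - history_start >= quiet and (prev is None or start - prev > quiet):
            alerts.append((ext, start, prev))
        last_seen[ext] = start
    return alerts


def sample_rows():
    """Constructed outbound records. Ext 201 is a routine user; ext 318 is a
    conference-room phone silent since 3 January that fires a 22-call
    autodialer burst to Somalia at 02:10 on 6 March; ext 202 was first seen
    in February, so it is new rather than dormant."""
    rows = [
        (datetime(2024, 1, 2, 10, 5), "201", "12125551234", 240),
        (datetime(2024, 1, 3, 14, 30), "318", "12125550100", 95),
        (datetime(2024, 2, 1, 11, 0), "201", "13105550123", 61),
        (datetime(2024, 2, 10, 15, 20), "202", "01144207946123", 300),
        (datetime(2024, 3, 1, 9, 15), "201", "12125551234", 120),
        (datetime(2024, 3, 5, 9, 40), "202", "01144207946123", 312),
        (datetime(2024, 3, 5, 9, 41), "201", "12125551234", 12),   # one short domestic call
    ]
    t0 = datetime(2024, 3, 6, 2, 10)
    for i in range(22):
        rows.append((t0 + timedelta(seconds=11 * i), "318", f"011252615{i:06d}", 8 + i % 5))
    return rows


if __name__ == "__main__":
    print(short_call_storms(sample_rows()))
    print(dormant_extension_activity(sample_rows()))
```

Only the first call of the burst raises the dormancy alert; every later call in it has an origination eleven seconds earlier. That is the desired behaviour: one alert per reactivation, with the storm rule carrying the volume signal.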

5. Concurrency above your normal ceiling

Each site has a natural simultaneous-call ceiling. If your busiest Monday morning peaks at 14 concurrent trunk calls, then 22 concurrent calls at 2 a.m. on a Wednesday is an autodialer using all the channels it can grab.

In the CDR: overlapping start/end timestamps. Merge every call's start and end into one time-ordered list, add one at each start and subtract one at each end, and the running total is your concurrency at every instant; its maximum is the peak.

Threshold: concurrent calls exceeding 130% of your trailing 90-day peak at any time, or exceeding 50% of the daytime peak during after-hours windows.
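The sweep-line count and both thresholds, as an added example rather than code from the post or from PBXDom. Calls are (start, duration) tuples constructed here; the trailing peak of 14 is supplied as an input rather than computed over 90 days of records, and only upward crossings of a threshold raise an alert so the count falling back does not re-fire.

```python
"""Pattern 5: simultaneous-call count from CDR start/end times. Added example,
not code from the post or from PBXDom; calls are (start, duration_s) tuples
built here for the example, and the thresholds follow the post."""
from datetime import datetime, timedelta


def concurrency_timeline(calls):
    """Sweep line over every call start (+1) and end (-1), in time order.
    Returns [(time, active_calls, delta)]. At equal timestamps the -1 sorts
    before the +1, so a call starting the instant another ends does not
    count as overlapping it."""
    events = []
    for start, dur in calls:
        events.append((start, +1))
        events.append((start + timedelta(seconds=dur), -1))
    events.sort()
    active, timeline = 0, []
    for t, delta in events:
        active += delta
        timeline.append((t, active, delta))
    return timeline


def peak_concurrency(calls):
    return max((n for _, n, _ in concurrency_timeline(calls)), default=0)


def concurrency_alerts(calls, trailing_peak, daytime_peak, night=(23, 6)):
    """Fire once each time the active-call count climbs through a threshold:
    130% of the trailing 90-day peak at any hour, or 50% of the daytime peak
    during the night window. Returns (time, active_calls, rule_name)."""
    alerts = []
    for t, n, delta in concurrency_timeline(calls):
        if delta < 0:                      # only starts can cross upward
            continue
        limits = [("over_130pct_of_trailing_peak", 1.3 * trailing_peak)]
        if t.hour >= night[0] or t.hour < night[1]:
            limits.append(("night_over_half_daytime_peak", 0.5 * daytime_peak))
        for name, limit in limits:
            if n > limit >= n - 1:         # this +1 event crossed the line
                alerts.append((t, n, name))
    return alerts


def sample_calls():
    """Constructed traffic: a Monday 09:00 ramp of 14 overlapping 15-minute
    calls (the site's real peak) and a Wednesday 02:00 autodialer burst of
    22 two-minute calls started two seconds apart."""
    monday = [(datetime(2024, 3, 4, 9, 0) + timedelta(seconds=30 * i), 900)
              for i in range(14)]
    wednesday = [(datetime(2024, 3, 6, 2, 0) + timedelta(seconds=2 * i), 120)
                 for i in range(22)]
    return monday, wednesday


if __name__ == "__main__":
    monday, wednesday = sample_calls()
    print("daytime peak:", peak_concurrency(monday))
    for t, n, rule in concurrency_alerts(wednesday, trailing_peak=14, daytime_peak=14):
        print(t.isoformat(), n, rule)
```

On the constructed burst the night rule fires at the eighth simultaneous call (14 seconds in) and the 130% rule at the nineteenth (36 seconds in); the Monday ramp, run against the same limits, raises nothing.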

6. Forwarding chains that end at external numbers

Forwarding fraud is easy to miss because the originating “caller” in the record is your own inbound trunk. The tell is in the redirect fields. In Cisco CDRs, compare originalCalledPartyNumber against finalCalledPartyNumber; on Avaya, look at the condition code and the dialed digits on the outbound leg; on most Mitel and Panasonic SMDR output, the forwarded leg appears as a separate outbound record tied to the same trunk seizure.

In the CDR: an inbound call that generates a paired outbound record to an external number, above all an international one, starting within a second or two of the inbound record.

Threshold: alert whenever a forward target is external and international, and audit any extension forwarding off-net at all. Most organizations can bar external forwarding in the class of service and be done with it.
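Both forms of the check, as an added example that is not code from the post or from PBXDom. The SMDR-style records (one per leg, paired on extension and start time) are constructed; the Cisco-style records use the CUCM field names the text cites, but the off-net test applied to finalCalledPartyNumber (a leading 9 as outside-line prefix, or +) is a dial-plan assumption you would adjust to your own.

```python
"""Pattern 6: pair an inbound leg with the outbound leg its forward created.
Added example, not code from the post or from PBXDom. SMDR-style records are
constructed, one per leg; Cisco-style records are checked by comparing
originalCalledPartyNumber with finalCalledPartyNumber on the single record."""
from datetime import datetime, timedelta


def is_international(dialed):
    """Assumes a NANP site: 011, 00 or a leading + marks an international leg."""
    return dialed.startswith(("+", "011", "00"))


def forward_chains(records, max_gap=timedelta(seconds=2)):
    """records: (ts, direction, trunk, ext, remote). For every inbound leg,
    look for an outbound leg from the same extension that starts within
    max_gap; that pairing is a forward. Returns (ext, inbound_ts, target,
    action): 'alert' for an international target, 'audit' for any other
    off-net target, per the post's threshold."""
    outbound = sorted(r for r in records if r[1] == "out")
    findings = []
    for ts, direction, trunk, ext, caller in sorted(records):
        if direction != "in":
            continue
        for o_ts, _, o_trunk, o_ext, target in outbound:
            if o_ext == ext and ts <= o_ts <= ts + max_gap:
                action = "alert" if is_international(target) else "audit"
                findings.append((ext, ts, target, action))
                break
    return findings


def cucm_forward_alerts(cdrs, outside_prefixes=("9", "+")):
    """Same rule on Cisco-style records: finalCalledPartyNumber differing
    from originalCalledPartyNumber means the call was redirected; flag it
    when the final number left the system. The outside-line test is an
    assumption about the dial plan (9 for an outside line, or E.164 +)."""
    out = []
    for c in cdrs:
        orig, final = c["originalCalledPartyNumber"], c["finalCalledPartyNumber"]
        if orig != final and final.startswith(outside_prefixes):
            out.append((orig, final))
    return out


# Constructed SMDR-style legs: (ts, direction, trunk, ext, remote number).
SAMPLE_LEGS = [
    (datetime(2024, 3, 8, 19, 2, 10), "in", "T01", "205", "12125550199"),
    (datetime(2024, 3, 8, 19, 2, 10), "out", "T02", "205", "011371555000123"),  # forward to +371
    (datetime(2024, 3, 8, 19, 5, 0), "in", "T01", "210", "13105550134"),
    (datetime(2024, 3, 8, 19, 5, 1), "out", "T02", "210", "12125550600"),       # forward to a cell phone
    (datetime(2024, 3, 8, 19, 30, 0), "in", "T01", "212", "12125550177"),
    (datetime(2024, 3, 8, 19, 40, 0), "out", "T02", "212", "01144207946123"),   # ten minutes later: unrelated
]

# Constructed Cisco-style records with the two CUCM redirect fields.
SAMPLE_CUCM = [
    {"originalCalledPartyNumber": "2050", "finalCalledPartyNumber": "9011371555000123"},
    {"originalCalledPartyNumber": "2100", "finalCalledPartyNumber": "2101"},  # internal forward
    {"originalCalledPartyNumber": "2120", "finalCalledPartyNumber": "2120"},  # not redirected
]


if __name__ == "__main__":
    for finding in forward_chains(SAMPLE_LEGS):
        print(finding)
    print(cucm_forward_alerts(SAMPLE_CUCM))
```

The 212 pair is ten minutes apart and is correctly left alone; a real forward leg starts as soon as the inbound leg is answered, which is why the pairing window is seconds, not minutes.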

7. Weekend volume anomalies

The biggest fraud losses run from Friday night to Monday morning, for the obvious reason: 60+ hours pass before anyone looks at the system. Many of the worst incidents we’ve heard about started within a couple of hours of close of business on a Friday.

In the CDR: weekend outbound volume and total minutes far above your baseline. Most offices do 2–5% of weekday volume on a Saturday.

Threshold: alert when weekend hourly outbound volume exceeds 3× your trailing four-week weekend average, or when total weekend international minutes exceed a fixed cap you set (even 60 minutes is generous for many businesses).
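The weekend baseline and the minutes cap together, as an added example rather than code from the post or from PBXDom. The records are constructed (five weekends of one call per hour, then a burst on the last one); "weekend" is taken as Saturday 00:00 to Monday 00:00, an assumption, with Friday night left to the after-hours rule; and a baseline floor of one call per hour is added so a site with an almost silent weekend history does not alert on its first Saturday call.

```python
"""Pattern 7: weekend volume against a trailing four-week weekend baseline,
plus the post's international-minutes cap. Added example, not code from the
post or from PBXDom. Records are (start, dialed, duration_s) outbound calls
constructed below; 'weekend' means Saturday 00:00 to Monday 00:00 here."""
from collections import defaultdict
from datetime import datetime, timedelta

CURRENT_WEEKEND = datetime(2024, 3, 2)   # the Saturday under review (constructed)


def weekend_of(ts):
    """Saturday 00:00 that starts the weekend containing ts, or None on a weekday."""
    if ts.weekday() not in (5, 6):
        return None
    sat = ts - timedelta(days=ts.weekday() - 5)
    return sat.replace(hour=0, minute=0, second=0, microsecond=0)


def is_international(dialed):
    return dialed.startswith(("+", "011", "00"))   # assumes a NANP site


def weekend_report(calls, current_weekend, prior=4, factor=3.0, floor=1.0,
                   intl_cap_min=60):
    """Returns (hour_alerts, baseline, intl_minutes, cap_exceeded).
    baseline is the mean outbound calls per weekend hour over the prior
    weekends; an hour alerts when its count exceeds factor * max(baseline,
    floor). intl_minutes is the current weekend's international total."""
    per_hour = defaultdict(int)
    intl_minutes = 0.0
    for start, dialed, dur in calls:
        w = weekend_of(start)
        if w is None:
            continue
        per_hour[(w, start.replace(minute=0, second=0, microsecond=0))] += 1
        if w == current_weekend and is_international(dialed):
            intl_minutes += dur / 60
    prior_weekends = {current_weekend - timedelta(weeks=k) for k in range(1, prior + 1)}
    prior_calls = sum(n for (w, _), n in per_hour.items() if w in prior_weekends)
    baseline = prior_calls / (prior * 48)
    limit = factor * max(baseline, floor)
    hour_alerts = sorted((h, n) for (w, h), n in per_hour.items()
                         if w == current_weekend and n > limit)
    return hour_alerts, baseline, intl_minutes, intl_minutes > intl_cap_min


def sample_calls():
    """Constructed: five weekends from Saturday 3 February 2024 with one
    domestic call in every weekend hour, plus a burst on the last weekend of
    40 six-minute calls to Somalia in each of the hours 01:00 to 04:59."""
    calls = []
    for k in range(5):
        sat = datetime(2024, 2, 3) + timedelta(weeks=k)
        for h in range(48):
            calls.append((sat + timedelta(hours=h, minutes=17), "12125550101", 90))
    for h in range(1, 5):
        for i in range(40):
            calls.append((CURRENT_WEEKEND + timedelta(hours=h, seconds=10 * i),
                          f"011252615{i:06d}", 360))
    return calls


def run_sample():
    return weekend_report(sample_calls(), CURRENT_WEEKEND)


if __name__ == "__main__":
    hour_alerts, baseline, intl_minutes, cap_hit = run_sample()
    print("baseline calls/hour:", baseline)
    for hour, n in hour_alerts:
        print(hour.isoformat(), n)
    print("international minutes:", intl_minutes, "cap exceeded:", cap_hit)
```

Four hours at 41 calls against a baseline of one, and 960 international minutes against a 60-minute cap: either rule alone would have paged someone before 02:00 on Saturday, not on Monday morning.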

What a weekend of fraud costs

The CFCA’s 2021 fraud loss survey put global telecom fraud at about $40 billion a year, and IRSF ranks at or near the top of the list year after year. At the scale of a single business, a weekend incident often lands between $10,000 and $50,000. The math is mundane: 8 trunk channels held up at $0.35/minute for 48 hours is about $8,000; a SIP trunk group with 20 channels pumped to a $1/minute premium destination over a weekend is north of $55,000. Carriers may negotiate after the fact, but the standard contract puts liability for calls your equipment placed on you.

You can detect each of the seven patterns above within minutes of the first bad call, provided something reads your CDR stream in real time and prices the traffic as it happens, the way a call accounting system does.

Where PBXDom fits

PBXDom’s collector installs in about 15 minutes on any always-on machine and reads CDR/SMDR from your existing Cisco, Avaya, Mitel, Panasonic, 3CX, or Asterisk/FreePBX system (over serial, IP, or file), streaming records to the cloud over TLS. Built-in alert conditions cover the patterns above: destination watchlists, after-hours rules, volume and cost thresholds, dormant-extension activity. PBXDom sends an email, SMS, or Slack message within minutes of a rule tripping, while the damage is still a handful of calls. You can start a free 14-day trial and have fraud alerts running the same afternoon.