Toll fraud kept running while the security industry’s attention moved to ransomware. Industry groups still estimate phone-system fraud in the billions of dollars per year, and the mechanics are the same ones from twenty years ago: an attacker gains control of an extension or a route, pumps traffic to destinations where they collect a share of the termination revenue, and the damage lands on your carrier bill, where it sits until someone opens the invoice.

The good news for anyone who watches their call records: a compromised extension cannot hide. It has to make calls to be worth anything to the attacker, and each of those calls lands in your CDR data. The job is knowing what to look for.

How extensions get compromised in 2025

Four routes account for most of what we see:

Weak voicemail PINs. The oldest trick on the list still works. Many systems allow outbound dialing or call-return features from within a voicemail session. An attacker war-dials your DID range at night, hits voicemail boxes, and tries 0000, 1234, and the extension number itself. On a hit, they use the box’s through-dialing features to reach international destinations. Default PINs, and PINs unchanged since installation, make this a volume business.

SIP credential theft. Attackers extract extension credentials from phone config files on under-protected provisioning servers, sniff them from unencrypted registrations, brute-force them through exposed SIP ports, or lift them from a compromised PC running a softphone. Once the attacker registers as the extension from their own infrastructure, each call they place is, as far as your PBX is concerned, the legitimate user.

Social-engineered forwarding. No “hack” at all: the attacker convinces someone (often via the carrier, or via a self-service portal with a phished password) to set call forwarding on an extension to an international or premium number. Then they hammer the extension from cheap origination, and your system completes the expensive forwarded leg.

Vishing the help desk. This is the growth area. Consumer AI voice tools made convincing voice impersonation cheap, and by 2025 help-desk social engineering is a documented entry vector in major breaches. The telecom version: “Hi, this is Mark from sales, I’m traveling and locked out. Can you reset my voicemail PIN and enable forwarding to my cell?” The “cell” is in another country. A help desk that resets credentials for a familiar-sounding voice is a standing vulnerability.

The signatures in your CDR data

Each compromise route leaves a distinct fingerprint in the call records. The patterns worth automated eyes:

Calls while the user is away. The cleanest signal you’ll get: outbound calls from an extension whose owner is on vacation, on leave, or whose badge stayed out of the building. If extension 2214’s user is on a beach in week 32 and 2214 placed 60 calls that week, skip the whether and move straight to the what.

New international destinations. An extension that has called two countries in three years starts calling Caribbean, West African, or Eastern European number ranges. Fraudsters favor destinations with high termination rates and revenue-share arrangements; your sales team’s calling map, by contrast, holds steady year over year. The signal is an international destination outside this extension’s history, rather than international calling as such.

Premium-rate numbers. Domestic premium ranges and international premium services. A desk phone has almost no legitimate business reason to call them, which makes this one of the few patterns you can alert on with near-zero false positives.

Odd-hours regularity. Humans are irregular; scripts are punctual. A burst of calls starting at 2:55am, night after night, for 40 minutes, is automation. Real after-hours work is sporadic and ragged. Clockwork precision at 3am is a machine monetizing your trunk.

Volume bursts. An extension averaging 11 outbound calls a day places 180 on a Saturday. Fraudsters work fast because they assume someone will cut them off; many traffic-pumping operations try to extract maximum minutes in the first 48 hours.

Forwarding changes followed by external legs. If your platform logs feature activity, a call-forward-set event followed by a stream of inbound calls, each spawning an outbound international leg, is the social-engineering signature. Even without feature logs, the CDR pattern shows up: short inbound calls to one extension, each paired with a long outbound call to the same foreign number, repeating.
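Without feature logs, the forwarding signature is still visible as paired legs. The following is an added example, not code from the original post or from PBXDom: it pairs each short inbound call with an outbound international leg from the same extension that starts within a few seconds and lasts far longer, then alerts when the same foreign destination shows up in several such pairs. The CDR rows, the home country code, the 10-second pairing window and the three-pair threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR, not real records: (start, extension, direction, other party, seconds).
SAMPLE_CDR = [
    # ordinary traffic
    (datetime(2025, 7, 1, 9, 12, 0), "2214", "in", "+12125550100", 310),
    (datetime(2025, 7, 1, 9, 40, 0), "2214", "out", "+442079460000", 420),
    (datetime(2025, 7, 1, 14, 5, 0), "3101", "in", "+13125550199", 95),
    # forwarding fingerprint: brief inbound hits, each spawning a long outbound leg to one foreign number
    (datetime(2025, 7, 2, 2, 55, 0), "2214", "in", "+13055550111", 4),
    (datetime(2025, 7, 2, 2, 55, 2), "2214", "out", "+23276000000", 1790),
    (datetime(2025, 7, 2, 3, 25, 10), "2214", "in", "+13055550111", 3),
    (datetime(2025, 7, 2, 3, 25, 12), "2214", "out", "+23276000000", 1800),
    (datetime(2025, 7, 2, 3, 55, 30), "2214", "in", "+13055550122", 5),
    (datetime(2025, 7, 2, 3, 55, 33), "2214", "out", "+23276000000", 1750),
]

HOME_COUNTRY_CODE = "+1"              # assumption: a NANP site; anything else is international
PAIR_WINDOW = timedelta(seconds=10)   # outbound leg must start this soon after the inbound one
MIN_PAIRS = 3                         # how many repeats before it is a pattern, not a coincidence


def is_international(number):
    return not number.startswith(HOME_COUNTRY_CODE)


def forwarding_pairs(cdr):
    """Match each inbound call to an outbound international leg from the same extension
    that starts within PAIR_WINDOW of it and lasts much longer than the inbound leg."""
    outbound = defaultdict(list)
    for start, ext, direction, party, secs in cdr:
        if direction == "out" and is_international(party):
            outbound[ext].append((start, party, secs))
    pairs = []
    for start, ext, direction, party, secs in cdr:
        if direction != "in":
            continue
        for o_start, o_party, o_secs in outbound[ext]:
            if timedelta(0) <= o_start - start <= PAIR_WINDOW and o_secs > 10 * secs:
                pairs.append((ext, o_party, start, o_secs))
                break
    return pairs


def forwarding_alerts(cdr, min_pairs=MIN_PAIRS):
    """Group pairs by (extension, foreign destination); repeated pairs to one number are the alert."""
    counts = defaultdict(lambda: {"legs": 0, "minutes": 0.0})
    for ext, dest, _, o_secs in forwarding_pairs(cdr):
        counts[(ext, dest)]["legs"] += 1
        counts[(ext, dest)]["minutes"] += o_secs / 60
    return {key: stats for key, stats in counts.items() if stats["legs"] >= min_pairs}


if __name__ == "__main__":
    for (ext, dest), stats in forwarding_alerts(SAMPLE_CDR).items():
        print(f"ext {ext} -> {dest}: {stats['legs']} forwarded legs, {stats['minutes']:.0f} min")
```

The pairing condition (start within the window, outbound duration an order of magnitude longer than the inbound hit) is what separates a forwarded fraud leg from a receptionist taking a call and then dialling overseas on their own; tune the window to the setup latency your platform actually shows in its CDR.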

Build a per-extension baseline

Each of those signatures is an anomaly, meaningful against that extension’s own normal and meaningless without it. A 30-day rolling baseline per extension is enough: typical call count per day, active hours, set of destination countries, and average and total minutes per day. Then flag deviations: a destination country outside the 30-day set, a day’s volume beyond three times the average, any activity in a window where the extension has a history of silence.

If you build this yourself, it’s a few hours of scripting against your CDR archive, and it beats any static rule you could write, because “normal” for a logistics dispatcher and “normal” for a part-time receptionist are different planets.
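As an added example (not the post’s or PBXDom’s own code), here is the per-extension baseline from the previous paragraph, plus the premium-rate check from the signatures section, in one script: thirty days of outbound CDR rows are summarised per extension into calls per day, minutes per day, active hours and destination countries, and a later day is judged only against that extension’s own numbers. The CDR rows are constructed, the prefix-to-country table is a toy, and the 1-900 range is used as the premium example; a real deployment would use a full numbering plan.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 30

# Toy prefix table, an assumption for the example; real deployments use a full numbering plan.
COUNTRY_PREFIXES = {"+1": "US", "+44": "GB", "+49": "DE", "+232": "SL"}
PREMIUM_PREFIXES = ("+1900",)   # constructed premium example: the NANP 1-900 range


def country_of(number):
    """Map a dialled E.164 number to a country label; the longest matching prefix wins."""
    for prefix in sorted(COUNTRY_PREFIXES, key=len, reverse=True):
        if number.startswith(prefix):
            return COUNTRY_PREFIXES[prefix]
    return "UNKNOWN"


def build_baseline(cdrs, as_of):
    """Summarise each extension's outbound calling over the BASELINE_DAYS before `as_of`."""
    start = as_of - timedelta(days=BASELINE_DAYS)
    raw = defaultdict(lambda: {"calls": 0, "minutes": 0.0, "hours": set(), "countries": set()})
    for ts, ext, dest, secs in cdrs:
        if not (start <= ts < as_of):
            continue
        r = raw[ext]
        r["calls"] += 1
        r["minutes"] += secs / 60
        r["hours"].add(ts.hour)
        r["countries"].add(country_of(dest))
    return {
        ext: {
            "avg_calls_per_day": r["calls"] / BASELINE_DAYS,
            "avg_minutes_per_day": r["minutes"] / BASELINE_DAYS,
            "active_hours": r["hours"],
            "countries": r["countries"],
        }
        for ext, r in raw.items()
    }


def flag_day(cdrs, baseline, day):
    """Judge one day's calls against each extension's own baseline; returns (ext, kind, detail)."""
    by_ext = defaultdict(list)
    for row in cdrs:
        if row[0].date() == day:
            by_ext[row[1]].append(row)
    alerts = []
    for ext, calls in by_ext.items():
        b = baseline.get(ext)
        if b is None:
            alerts.append((ext, "no baseline", f"{len(calls)} calls with no {BASELINE_DAYS}-day history"))
            continue
        if len(calls) > 3 * b["avg_calls_per_day"]:
            alerts.append((ext, "volume", f"{len(calls)} calls vs {b['avg_calls_per_day']:.1f}/day average"))
        off_hours = sorted({ts.hour for ts, *_ in calls} - b["active_hours"])
        if off_hours:
            alerts.append((ext, "silent window", f"activity at hours {off_hours} with no history"))
        for ts, _, dest, _ in calls:
            if dest.startswith(PREMIUM_PREFIXES):
                alerts.append((ext, "premium", dest))
            elif country_of(dest) not in b["countries"]:
                alerts.append((ext, "new country", f"{country_of(dest)} via {dest}"))
    return alerts


def constructed_cdrs():
    """Deterministic sample rows (timestamp, extension, destination, seconds): 30 quiet days, then one bad day."""
    rows = []
    day0 = datetime(2025, 6, 1)
    for d in range(BASELINE_DAYS):
        day = day0 + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        for i in range(8):        # ext 2214: eight daytime calls a day, US and GB
            dest = "+442079460000" if i % 4 == 0 else "+12125550100"
            rows.append((day.replace(hour=9 + i), "2214", dest, 240))
        for i in range(3):        # ext 3101: three domestic calls a day
            rows.append((day.replace(hour=10 + i), "3101", "+13125550199", 120))
    bad_day = day0 + timedelta(days=BASELINE_DAYS)      # 2025-07-01
    for i in range(40):           # 2214 suddenly pumps a Sierra Leone number at 03:00
        rows.append((bad_day.replace(hour=3, minute=i), "2214", "+23276000000", 600))
    rows.append((bad_day.replace(hour=3, minute=45), "2214", "+19005550123", 300))
    return rows


def run_demo():
    rows = constructed_cdrs()
    as_of = datetime(2025, 7, 1)
    baseline = build_baseline(rows, as_of)
    return baseline, flag_day(rows, baseline, as_of.date())


if __name__ == "__main__":
    _, alerts = run_demo()
    for ext, kind, detail in alerts:
        print(f"{ext}\t{kind}\t{detail}")
```

On the constructed data, extension 2214 trips all four checks on the bad day (volume, silent window, new country, premium) while 3101, with its own much smaller baseline, stays quiet; the same 41 calls from a dispatcher extension averaging 60 a day would not have tripped the volume rule, which is the point of keeping the baseline per extension. Note that the average divides by the full 30 days, weekends included, so it is a calendar-day rate; if you prefer a rate over active days only, divide by the number of days that saw at least one call instead.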

The response runbook

Speed beats elegance once a pattern fires; fraud cost is linear in hours. In order:

  1. Disable the extension’s outbound calling (or the whole extension). Class-of-service change or registration block. Do this before investigating; you can apologize to a false positive, but you can’t refund the carrier.
  2. Reset credentials: SIP password and any portal account tied to the extension. Re-provision the device rather than trusting the old config.
  3. Check forwarding state on the extension, and audit forwarding on its neighbors; an attacker who got one reset out of the help desk tried more than one name.
  4. Review the voicemail PIN and the mailbox’s through-dial permissions. If the platform allows it, disable outbound dialing from voicemail across the system; few organizations have a real use for it.
  5. Look back 30 days in CDR for the same destinations from other extensions, and total the fraudulent minutes. You need the scope for the incident report and the number for the carrier-dispute call; carriers sometimes credit fraud traffic reported within days, and they refuse most claims filed after the next invoice.
  6. Fix the entry point (the provisioning server, the exposed SIP port, the help-desk verification procedure) or you’ll re-run this runbook in a month.

CDR monitoring and the SBC cover different layers

An SBC or firewall doing rate limiting, geo-blocking, and registration policy is prevention, and you should have it. CDR-based monitoring is detection: it catches the attacker using stolen-but-valid credentials, the forwarding set through a legitimate portal, and the voicemail through-dial that bypasses SIP authentication. Prevention inspects packets and credentials; in the call records you see behavior. The compromises that survive your SBC are, by definition, the ones behavior alone gives away. Run both layers and let them cover each other’s blind spots.

Wrapping up

Catching a hijacked extension takes three things you can have this week: the call records your PBX produces today, a baseline of normal per extension, and a watcher that complains within minutes instead of at month-end. PBXDom does the watching: it collects CDR/SMDR from Cisco, Avaya, Mitel, Panasonic, 3CX, and Asterisk/FreePBX systems and fires fraud and misuse alerts (after-hours international, premium destinations, volume anomalies) to email, SMS, Slack, or Zapier within 1–2 minutes of the triggering call. Setup takes about 15 minutes; start with the onboarding guide.