International spend has a talent for hiding. It shows up as $14 here and $40 there, spread across thirty extensions and mixed in with calls your business needs to make. The supplier in Germany is legitimate. The customer in Singapore is legitimate. The 22-minute call placed each night to a mobile number in a country where you have no suppliers, customers, or staff rides along in the same column of the invoice, and the invoice totals it without comment.

An international call audit separates the two. Run from CDRs it takes an afternoon, and the first one pays for the afternoon more often than not.

Step 1: Pull 90 days of international CDRs

Pull a full quarter. One month is noisy; ninety days show patterns, and patterns are what you are hunting. From your CDR data, filter outbound calls where the dialed number starts with your international access code (011 in North America, 00 in most of Europe, or a leading + from SIP endpoints). Keep these fields per call: date and time, calling extension, dialed number, destination, duration, and trunk. If you run call accounting software, this export is one filtered report; raw CDR files from the PBX work too, with more cleanup.

One trap at this step: include calls of any duration. Short calls matter. A burst of 30-second international calls is a classic fraud probe pattern, and zero-duration attempts show someone, or something, trying.

Step 2: Group by country, then by extension

Build two summaries.

By destination country: total calls, total minutes, estimated cost. Expect a short head and a long tail: three or four countries you recognize on sight, then a tail of destinations with a handful of calls each. The tail is where audits get interesting.

By extension: same totals. In most companies five extensions account for 80 percent of international minutes, and you can name their owners without looking. The entries you cannot explain in one sentence go on the review list, with shared devices at the top: lobby phones, fax lines, conference rooms. Unaccountable calling lives on shared phones because no one person answers for them.

Step 3: Price the calls

Minutes mislead; price the traffic against your carrier’s actual rates. Two hundred minutes to Canada can cost less than twelve minutes to a satellite or premium-route destination. Pricing reorders your priority list: the country in position 9 by minutes can move to position 2 by cost, and that is the row a minutes-only audit would have skimmed past.

Step 4: Split business from anomaly

Go through the country list with someone from sales or operations who knows where the company does business; IT alone cannot label the rows. For each destination ask: do we have customers, suppliers, partners, or employees there? Mark each country business, personal, or unexplained. Then read timing. Business calls happen during the destination’s business hours or yours; calls at 2 a.m. local from an office that closed at 6 p.m. go on the review list. Repetition tells its own story: same number, same time, most nights is automation; same number, each lunch hour, is a person.

Step 5: Audit international dialing rights

Now compare reality against policy, and expect to find there is no written policy. Cisco, Avaya, Mitel, Panasonic, 3CX, and FreePBX all control international dialing through class of service or class of restriction assigned per extension. Dump those assignments and check two lists: extensions placing international calls without a job-related reason, and extensions that hold international permission and place no such calls. The second list is your standing risk surface. An extension with international rights and no usage history is the one a fraudster who compromises it will enjoy most.

The findings these audits turn up

Three findings recur often enough that you should look for them by name.

The retrying fax machine. A fax line dials a number in, say, the +44 range at 1 a.m. each night, fails, and retries. Someone programmed a partner’s fax number years ago; the partner changed numbers; the machine kept dialing. The carrier bills sixty to ninety failed and short calls a month at the minimum increment, and the pattern runs for years. The CDR signature is unmistakable: same number, same hour, durations under a minute.

The shared phone with a regular. A warehouse or break-room extension calls the same overseas mobile each shift. The phone has no owner, so the calls have none either. Treat this finding as a policy gap: with no account codes and an open class of service, the company has published a free international phone booth.

Forwarding abroad. An extension forwarded to a personal mobile in another country turns each inbound call into an outbound international leg that you pay for. The CDR signature is outbound international calls to one number that start seconds after inbound calls arrive. An employee sets this up in good faith before a long trip home; a fraudster sets up the same forward on purpose. Both belong in the audit.

Locking it down

Three controls, in order of effort:

  1. Default-deny class of service. International dialing off for each extension unless granted, granted only with a named owner and reason. This single change eliminates the shared-phone and forwarding findings at the source.
  2. Account codes for international calls. The caller enters a short code before the call completes. Calls become attributable on shared phones, and the small friction alone shaves a noticeable slice of casual personal calling.
  3. Alert on first-call-to-new-country. Policy drifts, so watch the stream: the first time your PBX calls a country it has not called in the audit window, someone should get a notification the same day. A line item next month arrives a billing cycle too late.

Where PBXDom fits

PBXDom runs steps 1 through 3 around the clock instead of once a quarter: it collects CDRs from the PBX you already own, prices each call against your carrier rates as it lands, and breaks spend out by country, extension, and trunk, with alerts for new destination countries and after-hours international traffic. Expect the first audit on a fresh install to be the interesting one. The collector takes about 15 minutes to set up, and the 14-day trial is enough time to pull your own 90-day picture together.