Your phone system between 6 p.m. and 8 a.m. is like an office with the lights off: almost everything that happens in it is either nothing or something you want to know about. Odds are you have detailed reports on business-hours traffic and a blind spot covering the other two-thirds of the week.
Four good reasons to close that gap:
Fraud runs at night. Most toll fraud starts after close of business or over a weekend, when an attacker can pump traffic for 12–60 hours uninterrupted. The first international call at 1 a.m. from a warehouse extension is the cheapest possible moment to catch it.
Misuse hides there too. Personal international calls, premium numbers, an employee running a side business from a desk phone: this traffic favors the empty office, and you can read it straight out of the timestamped call records.
On-call coverage needs verifying. If you promise customers an after-hours line, the CDR shows you who answered those calls and how fast, or that they rang out to voicemail at 2 a.m. while the rotation schedule said otherwise.
Phones correlate with physical security. A 3 a.m. call from a lobby or loading-dock phone is sometimes the first recorded trace of a break-in or an unauthorized person in the building.
Define after-hours windows per site
“After hours” is not one setting. A three-site company might need: HQ weekdays 08:00–18:00 local, the distribution center 06:00–22:00 because of shift work, and the support office 24/5 with only weekends flagged. Two details bite people:
- Timezones. Evaluate each site’s window in its local time rather than the PBX’s. A CDR stamped in server time can make a legitimate 4 p.m. call in one office look like a 1 a.m. call in another.
- Holidays. A statutory holiday is a weekend for monitoring purposes. Keep a simple holiday calendar per site, or your quietest fraud window of the year goes unwatched.
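The per-site window check described above, as an added example (not code from PBXDom or any PBX vendor). The site names, UTC offsets, holiday date and the PBX server offset are constructed assumptions; fixed offsets keep it runnable offline, and a production version would use zoneinfo zones so daylight saving is handled.

```python
from datetime import date, datetime, time, timedelta, timezone

def fixed(hours):
    """Fixed-offset zone for the example; use zoneinfo.ZoneInfo in production."""
    return timezone(timedelta(hours=hours))

PBX_TZ = fixed(1)          # assumption: the PBX stamps CDRs in its own server time
WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday

# Constructed site table: hours=None means a 24-hour site where only
# weekends and holidays count as after hours.
SITES = {
    "hq":      {"tz": fixed(-5), "hours": (time(8), time(18)),
                "days": WEEKDAYS, "holidays": {date(2024, 7, 4)}},
    "dc":      {"tz": fixed(-8), "hours": (time(6), time(22)),
                "days": WEEKDAYS, "holidays": set()},
    "support": {"tz": fixed(0), "hours": None,
                "days": WEEKDAYS, "holidays": set()},
}

def site_local(site, cdr_stamp):
    """Convert a naive server-time CDR stamp to the site's local time."""
    naive = datetime.strptime(cdr_stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=PBX_TZ).astimezone(SITES[site]["tz"])

def is_after_hours(site, cdr_stamp):
    cfg = SITES[site]
    local = site_local(site, cdr_stamp)
    # A holiday is treated exactly like a weekend day.
    if local.date() in cfg["holidays"] or local.weekday() not in cfg["days"]:
        return True
    if cfg["hours"] is None:
        return False
    opens, closes = cfg["hours"]
    return not (opens <= local.time() < closes)

if __name__ == "__main__":
    # 01:00 on the server is 16:00 the previous day at the distribution center.
    for site in SITES:
        stamp = "2024-07-03 01:00:00"
        print(site, site_local(site, stamp), is_after_hours(site, stamp))
```
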
Know what normal looks like first
Before setting alerts, pull two or three weeks of after-hours records and learn the baseline. Typical legitimate residue: the on-call engineer’s handful of calls, alarm panels doing scheduled test dials, a cleaning supervisor’s check-in call each night, an overnight shift calling suppliers, and international offices calling each other across timezones. For most businesses the honest answer is almost nothing: a typical office does 2–5% of its weekday volume on a Saturday. Whitelist the known-legitimate extensions, write down the normal numbers, and everything else becomes signal.
Set two kinds of alerts
Volume alerts. Pick a number well past normal for the window, say more than 10 outbound calls in any after-hours hour or more than 30 total in a weekend, and alert when the count crosses it. Tune after the first two weeks; the goal is an alert you trust enough to act on at 7 a.m.
Destination alerts. These can be much stricter at night than during the day. Any international call outside business hours from a non-whitelisted extension is worth a notification. Any call to known premium-rate country codes is worth a notification at any hour. Long-duration after-hours calls (over 60 minutes) deserve a look too; they’re either a forgotten conference bridge or a held-open fraud channel.
Make the alerts arrive somewhere people look at night: SMS or Slack beats an inbox that opens at 9 a.m. Decide in advance what the response is: who can bar international dialing or pull a trunk out of service at midnight, and from where. On most PBXs that bar lives in the class of service, so you can cut international routes without touching live domestic calls. An alert with no playbook moves the discovery from Monday’s invoice to Monday’s inbox; the savings come from shutting a pattern down while it’s still a dozen calls instead of a thousand.
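The volume and destination rules above, run over a handful of records, as an added example (not PBXDom's code). The record fields, extensions, dialed numbers, home country code and the "+999" premium prefix are constructed placeholders, and the after_hours flag is assumed to have been set upstream from each site's local window.

```python
from collections import Counter

HOME_CC = "+1"                # assumption: home country code
PREMIUM_PREFIXES = ("+999",)  # placeholder, not a real list: load your carrier's
WHITELIST = {"2001"}          # constructed: known-legitimate on-call extension
MAX_PER_HOUR = 10             # the starting volume threshold from the text
MAX_SECONDS = 60 * 60         # long-call threshold from the text

def evaluate(cdrs):
    """Return (rule, site, ext, detail) tuples for outbound CDRs."""
    alerts, per_hour = [], Counter()
    for c in cdrs:
        if c["dialed"].startswith(PREMIUM_PREFIXES):  # fires at any hour
            alerts.append(("premium", c["site"], c["ext"], c["dialed"]))
        if not c["after_hours"]:
            continue
        if not c["dialed"].startswith(HOME_CC) and c["ext"] not in WHITELIST:
            alerts.append(("intl_after_hours", c["site"], c["ext"], c["dialed"]))
        if c["duration_s"] > MAX_SECONDS:
            alerts.append(("long_call", c["site"], c["ext"], c["duration_s"]))
        per_hour[(c["site"], c["start"][:13])] += 1  # bucket by YYYY-MM-DD HH
    for (site, hour), n in per_hour.items():
        if n > MAX_PER_HOUR:  # one alert per site and hour, not one per call
            alerts.append(("volume", site, None, f"{n} calls in hour {hour}"))
    return alerts

def cdr(site, ext, dialed, start, duration_s, after_hours):
    return dict(site=site, ext=ext, dialed=dialed, start=start,
                duration_s=duration_s, after_hours=after_hours)

def sample_cdrs():
    """Constructed records: a burst, two international calls, a premium call, a long call."""
    burst = [cdr("dc", "3105", "+15550100", f"2024-07-06 01:{m:02d}:00", 40, True)
             for m in range(11)]
    return burst + [
        cdr("hq", "4410", "+37120000000", "2024-07-06 02:10:00", 95, True),
        cdr("hq", "2001", "+442000000000", "2024-07-06 03:00:00", 300, True),
        cdr("hq", "4102", "+9995550100", "2024-07-03 11:00:00", 60, False),
        cdr("dc", "3300", "+15550111", "2024-07-07 00:05:00", 4000, True),
    ]

if __name__ == "__main__":
    for alert in evaluate(sample_cdrs()):
        print(alert)
```
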
The Monday-morning report habit
Alerts catch fires; a standing report catches smolder. Each Monday, spend five minutes on a weekend summary: total after-hours calls per site, top 10 destinations, any new extension that appeared after hours for the first time, and total estimated cost of the weekend’s outbound traffic. The “first time after hours” line is the quiet hero: it surfaces slow-burn misuse and fresh compromises that stay under any volume threshold.
One we caught
A distribution company running a Panasonic system spotted, in a weekend report like this one, a recurring cluster of calls to +371 (Latvia) between 1 and 3 a.m. on Tuesdays and Thursdays. The timing matched the cleaning crew’s hours, so the first theory was an employee borrowing a phone. The CDR said otherwise: the calls originated from a voicemail port rather than a station. A voicemail box on a long-vacant extension still had its default PIN, and someone was through-dialing it twice a week, in small batches sized to stay under the radar. Total exposure at discovery: about $400. The same pattern left running until the carrier invoice arrived would have cost a few thousand, and nothing stopped the caller from scaling up to a weekend pump worth far more.
Wrapping up
None of this requires new hardware or changes to the PBX config; it all comes from the call records your system already produces. PBXDom reads that CDR/SMDR stream in real time, applies per-site business-hours windows, and sends after-hours volume and destination alerts by email, SMS, or Slack within minutes, alongside a scheduled weekend summary on its call analytics dashboards. Setup takes about 15 minutes. See /onboarding/ to get the collector running before next weekend.
