Hackers often target phone systems for various reasons, one of which is the potential to make unauthorized international calls. Once they have access to a phone system, they exploit its weaknesses to bypass standard charges, which can bring significant financial gain. International calls are expensive, and hackers can use a compromised system to place them at no cost to themselves, effectively turning a profit. The Communications Fraud Control Association (CFCA) estimated this to be the top fraud type, costing $5.04 billion, in its 2019 Fraud Loss Survey.
This is not new: this type of call fraud is known as an International Revenue Share Fraud (IRSF) scheme, and it has been around for at least 30 years.
There are a few ways we can prevent this.
First, you should not have “loose” outbound rules. A good practice is to have separate rules for international numbers and for national/local numbers, with the international rule being the most tightly restricted.
Under ITU standards, an international number starts with an exit code, which is + or 00 for most countries; others, such as the USA, use a different one, 011. So you can create a rule whose prefix criteria list these codes separated by commas, “00,+”, and define strictly who is allowed to place calls through it. Alternatively, you can block such calls entirely.
Secondly, the list of permitted country codes on the “Security” page should be specific and tailored to each customer's requirements. Avoid enabling all countries for convenience, or assuming you will trim the list later. By default, access is limited to the country where the 3CX system is installed, which helps minimize call fraud.
When an international call is placed, the system verifies both that a matching outbound rule exists and that the country code is permitted before the call proceeds.
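To make that two-step check concrete, here is a small model of it in Python. This is an added illustration written for this article, not 3CX's own code; the rule structure, the extension numbers and the permitted-country list are constructed assumptions.

```python
from dataclasses import dataclass

# Exit codes from the article: "+" and "00" for most countries, "011" for the USA.
INTERNATIONAL_PREFIXES = ("011", "00", "+")


@dataclass(frozen=True)
class OutboundRule:
    name: str
    prefixes: tuple            # the rule's prefix criteria, e.g. "00,+" -> ("00", "+")
    allowed_extensions: frozenset  # who may place calls through this rule; empty = nobody


def normalize(dialed):
    """Keep only digits and a leading '+', dropping spaces and dashes."""
    return "".join(ch for ch in dialed if ch.isdigit() or ch == "+")


def international_remainder(number):
    """Return the digits after the exit code, or None for a non-international number."""
    for exit_code in INTERNATIONAL_PREFIXES:
        if number.startswith(exit_code):
            return number[len(exit_code):]
    return None


def authorize_call(caller_ext, dialed, rules, permitted_country_codes):
    """Model of the check described above: a matching outbound rule must exist and
    permit the caller, and an international destination's country code must be on
    the permitted list. Rules are evaluated in order, so the restrictive
    international rule must come before the broader national one."""
    number = normalize(dialed)
    rule = next((r for r in rules if number.startswith(r.prefixes)), None)
    if rule is None:
        return False, "no matching outbound rule"
    if caller_ext not in rule.allowed_extensions:
        return False, f"extension {caller_ext} not permitted by rule '{rule.name}'"
    remainder = international_remainder(number)
    # ITU country codes are prefix-free (no code is a prefix of another), so a
    # startswith test against the permitted list is unambiguous.
    if remainder is not None and not remainder.startswith(tuple(permitted_country_codes)):
        return False, "country code not in permitted list"
    return True, f"allowed via rule '{rule.name}'"


# Constructed sample configuration: two extensions may dial abroad, four may dial nationally.
RULES = (
    OutboundRule("International", ("00", "+", "011"), frozenset({"100", "101"})),
    OutboundRule("National", ("0",), frozenset({"100", "101", "102", "103"})),
)
PERMITTED_COUNTRY_CODES = {"44", "1"}  # constructed: only UK and NANP destinations allowed
```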