My Phone System Was Hacked — What Do I Do Now?
How PBX hackers make money with international call fraud, what to do when your phone system is compromised, and how to make sure it doesn’t happen again.
This Happens More Than You’d Think
As a VoIP provider, we hear this more often than we’d like: a customer calls in a panic because the phone system they set up years ago — or that some former employee set up, or some former IT company set up — has been compromised. The hackers are using it to place international calls, sometimes thousands of them, racking up charges that can hit four or five figures before anyone notices.
It’s not your fault for not being a telecom security expert. These systems were designed in an era when “connected to the internet” wasn’t the threat it is today, and most small businesses don’t have a dedicated telecom person watching the logs. The attackers know this, and they’re very good at finding the systems nobody’s watching.
So if this just happened to you — take a breath. You’re not the first, you won’t be the last, and there’s a clear path forward.
Wait — How Do PBX Hackers Actually Make Money?
This is the question everyone asks, and the answer is both simple and infuriating: International Revenue Share Fraud (IRSF).
Here’s how the scam works. In the international telephone system, when a call is placed to certain destinations, the carrier that terminates the call (delivers it to the final recipient) gets paid a per-minute fee. This is normal — it’s how international calling has always worked. The rates vary by destination, and some routes pay significantly more than others.
Fraudsters exploit this by setting up premium-rate numbers or revenue-sharing agreements with carriers in high-cost destinations — think certain country codes in Eastern Europe, West Africa, the Caribbean, Cuba, and parts of the South Pacific. They control the terminating end, so every minute of call traffic that reaches those numbers puts money in their pocket.
Now they just need call traffic. That’s where your phone system comes in.
They scan the internet for vulnerable PBX systems — and there are a lot of them. Automated tools probe thousands of systems per hour, looking for default passwords, weak SIP credentials, or known vulnerabilities. When they find one, they compromise it and start placing international calls to their premium-rate numbers. Hundreds or thousands of calls, often in the middle of the night when nobody’s watching.
Your phone system is the cash register. Their premium-rate numbers are the cash. Every minute of fraudulent call traffic that your system generates is money flowing from your provider (and ultimately you) to the fraudster’s terminating carrier.
It’s Not Just Toll Fraud — It’s Robocalls Too
IRSF isn’t the only reason attackers want your phone system. Compromised PBX systems are also used to place illegal robocalls — scam calls about fake warranties, IRS threats, tech support fraud, and every other scheme you’ve had the pleasure of receiving on your own phone.
The attackers need infrastructure to blast out thousands of calls, and they need that infrastructure to be disposable — because once carriers and regulators identify the source, it gets shut down. A hacked small business PBX is perfect for this: it’s real telecom infrastructure with legitimate caller ID, it’s not being monitored, and when it gets flagged and blocked, the attackers have already moved on to the next compromised system.
This adds a layer of risk beyond just the charges on your bill. If your system is used to originate illegal robocalls, your phone numbers and your provider’s network can end up on blocklists. Your legitimate outbound calls may stop going through. And depending on the circumstances, there could be regulatory scrutiny — the FCC takes robocall enforcement seriously, and “I didn’t know my system was compromised” is an explanation, not a defense.
The numbers can add up fast. International rates to high-cost destinations can run $1 to $3+ per minute. A compromised system making hundreds of simultaneous calls can generate thousands of dollars in charges per hour. We’ve seen cases where businesses wake up to five-figure bills from a single weekend.
Why International Calls Specifically?
Domestic calls don’t generate the same revenue-sharing payments. The economics of toll fraud only work with international routes where the terminating carrier gets paid a meaningful per-minute fee. That’s why you’ll almost always see the fraudulent traffic going to international destinations — and specifically to the high-cost ones.
This is also why blocking international calling on your PBX (if you don’t need it) is one of the single most effective things you can do. No international routes means the attackers can’t monetize your system, which means there’s no reason for them to target you in the first place.
How They Find Your System
The attackers aren’t specifically targeting your business. They’re scanning the entire internet for any vulnerable SIP endpoint. Common ways in:
- Default credentials. The admin password that came with the system and was never changed. The SIP account with “1234” as the password. The voicemail PIN that’s the same as the extension number.
- Exposed management interfaces. Your PBX’s web admin panel sitting on the public internet with no IP restriction.
- Unpatched vulnerabilities. Known security holes in FreePBX, Asterisk, 3CX, or whatever platform you’re running that were patched months or years ago — but your system never got the update.
- Brute force. Automated tools that try thousands of SIP username/password combinations until one works. If your credentials are weak, this doesn’t take long.
The attackers are efficient and automated. They’re not sitting at a keyboard targeting your business — they’re running scripts that find and exploit vulnerable systems at scale. It’s nothing personal. It’s just profitable.
What to Do Right Now
If you’re reading this because it just happened to you, here’s your immediate action plan.
Step One: Unplug It
Yes, really. If your phone system is actively being used to place fraudulent international calls, every minute it stays online is costing you money. Pull the network cable. Power it down. Stop the bleeding.
We know that’s a hard sell when your business depends on phone calls. But here’s the math: if your system is hemorrhaging international call charges, you are almost certainly losing more money keeping it running than you’re losing by going dark for a few hours.
Before you unplug, call your provider. Ask them to forward your inbound calls to a cell phone while you figure out your next move. This is a simple, standard request — any provider should be able to do this on the fly. If yours can’t… that’s worth remembering when this is over.
Step Two: Understand the Damage
Once the system is offline and your calls are forwarding to a cell, it’s time to figure out what happened and how bad it is.
Check your call detail records. Your provider can pull these for you. Look for international calls you didn’t make — especially to high-cost destinations in Eastern Europe, Africa, the Caribbean, or the South Pacific. These are the routes that toll fraud operators target because they generate the highest per-minute charges.
Check your bill. If the compromise has been going on for more than a day or two, you may already have charges accruing. Talk to your provider about disputing fraudulent charges — some providers have fraud policies that cap your liability, others don’t. Either way, the sooner you flag it, the better your position.
Figure out how they got in. Common entry points include default passwords that were never changed, SIP accounts with weak credentials, exposed management interfaces on the public internet, and unpatched vulnerabilities. You may not be able to determine this yourself, but it matters for what comes next.
Step Three: Ask the Big Question
Here’s where we’d encourage you to step back and think honestly about something:
Do you still need to run your own phone system?
A lot of the reasons businesses used to run their own PBX hardware just don’t apply anymore. The cost advantages have evaporated. The flexibility of hosted systems has caught up and surpassed what most on-premise systems can do. And — as you’ve just experienced — the security burden of maintaining an internet-connected piece of telecom infrastructure is real and ongoing.
A hosted PBX eliminates this entire category of risk. There’s no box in your closet to hack. No SIP credentials exposed to the internet. No firmware to patch. The security of the platform is your provider’s job, and a good provider has dedicated infrastructure, monitoring, and security practices that no small business PBX can match.
If cost is the concern — and it often is — it’s worth having a conversation with a provider who isn’t locked into rigid per-seat pricing. Not every provider charges the same way, and the features you need don’t actually cost them much to deliver. You might be surprised at what’s possible. The message here is simple: it’s almost always cheaper to let someone else handle this than to keep running it yourself.
And if you’re worried about the hardware you already own — don’t be. If you have fairly standard SIP phones (Poly, Yealink, Cisco, Grandstream, etc.), your new provider can almost certainly reprovision them to work on their platform. You probably won’t need new hardware at all.
If you’re already a Moose Networks customer on an on-premise system, call us. We can talk about moving you to hosted and taking this problem off your plate entirely.
Step Four: If You Need to Keep Running It Yourself
Maybe you have a genuine reason to keep your on-premise system — regulatory requirements, a specific integration, or a recent investment you need to ride out. That’s fine. But you need to do it right this time.
Follow standard security remediation principles:
- Capture a snapshot. Before you wipe anything, take a full backup or disk image of the compromised system. You may need this for forensic analysis, for your provider’s fraud investigation, or for insurance purposes.
- Don’t just “fix” the compromised system. A system that’s been breached can’t be trusted. You don’t know what else the attacker changed, installed, or left behind. Patching the one hole you found isn’t enough.
- Restore from a known-clean backup. If you have a backup from before the compromise, restore to that. Verify it’s actually clean — check the SIP accounts, check the dial plan, make sure there aren’t routes or credentials you don’t recognize.
- Or build fresh. Honestly, this is often the better option. Download the latest install from your software provider — not the version you installed three years ago — and configure it from scratch. Yes, it’s more work. But you’ll know exactly what’s on it.
- Patch everything. Make sure you’re running the latest firmware and software versions. Check for known vulnerabilities in your specific system. Subscribe to your vendor’s security advisories so you hear about problems before the attackers exploit them.
- Lock it down before you bring it back online.
  - Change every password. Every one. Admin accounts, SIP credentials, voicemail PINs — all of it.
  - Disable any SIP accounts you’re not actively using.
  - Restrict international calling to only the destinations you actually need. Better yet, block it entirely unless you have a business reason for it.
  - Don’t expose the management interface to the public internet. Use a VPN or IP whitelist.
  - Enable logging and actually look at it periodically.
- Keep up with updates. The single biggest reason these systems get compromised is that they’re deployed and then forgotten. If you’re going to run it yourself, you need to maintain it — or pay someone to maintain it for you.
This may require skills you don’t have in-house, and that’s OK. Bring in someone who specializes in VoIP security. The cost of a professional remediation is a lot less than the cost of getting hacked again.
How to Not Be Here Again
Whether you move to hosted or keep your on-premise system, here’s what matters going forward:
- Don’t set it and forget it. Phone systems need maintenance just like any other piece of IT infrastructure.
- Use strong, unique passwords. Not “1234.” Not “password.” Not the default that came with the system.
- Restrict what the system can do. If you don’t make international calls, block international dialing. If you only call five countries, only allow those five.
- Monitor your call records. A sudden spike in international calls at 2 AM is a pretty clear signal. Some providers offer alerts for this — ask yours.
- Have a relationship with your provider. When something goes wrong, you want to be able to pick up the phone and talk to someone who knows your account, not navigate a phone tree for 30 minutes.
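The call-record review from Step Two and the “monitor your call records” advice above, as an added example that is not part of the original post: it flags the three signals the post describes (calls to high-cost destinations, international calls at 2 AM, and a burst of them from one extension) and estimates the exposure at the post’s $1 to $3 per-minute range. The CSV layout, the sample rows, the country-code list, the US/Canada (+1) PBX assumption and the $2.00 rate are all constructed for illustration, not taken from any real system.

```python
from collections import Counter
from datetime import datetime
# Constructed subset of country codes in regions the post names (Cuba, Latvia,
# Sierra Leone, Vanuatu); a real check uses the carrier's current rate deck.
HIGH_COST_CC = ("53", "371", "232", "678")
OFF_HOURS = range(0, 6)      # 00:00-05:59 local: nobody at this business dials then
BURST_THRESHOLD = 3          # international calls per extension per clock hour

# Constructed CDR export: "timestamp,source extension,dialed number,seconds".
SAMPLE_CDR = """\
2024-03-02 14:03:11,201,+12125551212,182
2024-03-03 02:14:05,304,+53758400123,611
2024-03-03 02:14:09,304,+53758400124,598
2024-03-03 02:14:12,304,+37120012345,620
2024-03-03 02:15:40,304,+2327612345,590
"""

def parse_cdr(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, secs = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src,
                     "dst": dst, "secs": int(secs)})
    return rows

def is_international(dst):
    return not dst.lstrip("+").startswith("1")   # assumes E.164 numbers on a +1 PBX

def is_high_cost(dst):
    return dst.lstrip("+").startswith(HIGH_COST_CC)  # country codes are prefix-free

def analyze(rows):
    """Return (kind, extension, detail) findings for the three fraud signals."""
    findings, per_hour = [], Counter()
    for r in rows:
        if not is_international(r["dst"]):
            continue
        per_hour[(r["src"], r["ts"].strftime("%Y-%m-%d %H:00"))] += 1
        if is_high_cost(r["dst"]):
            findings.append(("high_cost", r["src"], r["dst"]))
        if r["ts"].hour in OFF_HOURS:
            findings.append(("off_hours", r["src"], r["ts"].isoformat()))
    for (src, hour), n in per_hour.items():
        if n >= BURST_THRESHOLD:
            findings.append(("burst", src, f"{n} international calls in {hour}"))
    return findings

def estimated_charges(rows, rate_per_minute=2.0):   # assumed mid-range rate
    secs = sum(r["secs"] for r in rows if is_international(r["dst"]))
    return round(secs / 60 * rate_per_minute, 2)
```

Run it against a real export by replacing SAMPLE_CDR with your provider’s CSV (adjusting the column order), and treat any “burst” or “off_hours” finding as the point where you unplug and call your provider.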
Dealing with a compromised phone system right now? Call us — we can help you get calls forwarding to a cell phone immediately, assess the situation, and figure out the best path forward. Whether that’s moving to hosted or helping you secure what you have, we’ll give you an honest recommendation.