VoIP Security: How to Protect Your Business Phone System

Voice over Internet Protocol has transformed how UK businesses communicate, replacing expensive legacy phone systems with flexible, feature-rich platforms that cost a fraction of the price. But there is an uncomfortable truth that many VoIP providers gloss over in their sales pitches — because your phone calls now travel over the same internet connection as your data, they are exposed to the same threats. Toll fraud, eavesdropping, denial-of-service attacks, and SIP exploits are not theoretical risks; they are active, well-documented attack vectors that cost UK businesses millions of pounds every year.

The shift to cloud-based telephony accelerated dramatically during and after the pandemic, with businesses across London and the UK adopting hosted VoIP, Microsoft Teams calling, and SIP trunking at unprecedented rates. Yet security often remains an afterthought — bolted on rather than built in. Many organisations migrate from traditional phone lines to VoIP without realising that their new phone system requires the same rigorous security posture as the rest of their IT infrastructure. A compromised phone system does not just mean dropped calls; it means stolen credentials, intercepted conversations, fraudulent international calls billed to your account, and potential regulatory breaches under UK GDPR.

At Cloudswitched, we deploy and manage VoIP systems for businesses across London every day. We have seen first-hand what happens when phone system security is neglected — and we have built our deployment methodology around preventing those scenarios. This guide covers the full spectrum of VoIP security threats and the practical measures every UK business should implement to protect their communications infrastructure.

  • £1.3bn: estimated annual global cost of toll fraud affecting businesses using VoIP systems
  • 46% of VoIP attacks target small & medium businesses with fewer than 250 employees
  • 53% of UK businesses using VoIP have not conducted a telephony security audit
  • 12 hrs: average time before toll fraud is detected — often only when the bill arrives

Understanding VoIP Security Threats

Before you can defend your phone system, you need to understand what you are defending against. VoIP threats fall into several distinct categories, each with different attack methods, impacts, and countermeasures. Some target your finances directly, others compromise the confidentiality of your communications, and some aim to take your phone system offline entirely.

The VoIP Threat Landscape

Each entry gives the threat and its severity, how it works, and the business impact.

  • Toll Fraud (Critical): attackers hijack your SIP credentials or PBX to route premium-rate and international calls through your account. Impact: phone bills of £10,000–£50,000+ accumulated over a weekend.
  • Eavesdropping (Critical): intercepting unencrypted voice packets using packet sniffers on the network. Impact: confidential business discussions, client data, and financial details exposed.
  • DDoS Attacks (High): flooding SIP servers or VoIP infrastructure with traffic to overwhelm capacity. Impact: complete loss of phone service — no inbound or outbound calls.
  • SIP Scanning & Brute Force (High): automated tools scan for open SIP ports (5060/5061) and attempt credential stuffing. Impact: account compromise leading to toll fraud or system takeover.
  • Vishing (Voice Phishing) (High): spoofed caller ID and social engineering to trick staff into revealing sensitive information. Impact: credential theft, financial fraud, data breaches.
  • Man-in-the-Middle (High): attacker positions themselves between endpoints to intercept or alter SIP signalling. Impact: call redirection, conversation manipulation, credential theft.
  • Registration Hijacking (Medium): attacker replaces legitimate SIP registrations with their own device. Impact: inbound calls diverted to the attacker; impersonation of staff.
  • SRTP Downgrade (Medium): forcing encrypted calls to fall back to unencrypted RTP by manipulating SIP headers. Impact: encryption bypassed without either party being aware.

Toll Fraud: The Most Expensive VoIP Threat

Toll fraud deserves special attention because it is the most financially devastating VoIP attack and the one most likely to affect UK SMEs. The attack pattern is depressingly consistent: criminals compromise SIP credentials or exploit a misconfigured PBX, typically on a Friday evening, and route thousands of premium-rate international calls through the victim's account over the weekend. By Monday morning, the business faces a telephone bill running into tens of thousands of pounds — and their provider holds them liable.

How Toll Fraud Attacks Unfold

  • Weak SIP passwords exploited: 41%
  • Misconfigured PBX / open SIP ports: 28%
  • Compromised voicemail-to-dial-out: 16%
  • Insider threats & social engineering: 10%
  • Supply chain compromise via ITSP: 5%

Weekend Toll Fraud Alert

Over 70% of toll fraud incidents occur between Friday evening and Monday morning, when offices are unmonitored. A single compromised extension can generate £15,000–£50,000 in fraudulent calls to premium-rate numbers in countries like Cuba, Somalia, and the Maldives within 48 hours. Your provider will typically hold you liable for these charges. Implement call-spending caps, out-of-hours call restrictions, and real-time alerting on international call volumes to catch fraud before the bill becomes catastrophic.

Immediate Toll Fraud Prevention

Three measures that stop the majority of toll fraud attacks: (1) Set a daily spend cap with your SIP provider — most allow you to configure a maximum daily call charge, after which outbound calls are blocked. (2) Restrict international dialling to only the countries you actually do business with, and block all premium-rate number ranges. (3) Disable outbound calling entirely outside business hours if your organisation has no legitimate need for it. These three controls alone would have prevented over 80% of the toll fraud cases we have responded to at Cloudswitched.
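The three controls above expressed as an outbound dial-plan policy, as an added example (not Cloudswitched's code). The country allow-list, premium-rate prefixes, business hours, spend cap and cost estimates are constructed placeholders; the real premium-rate ranges and tariffs come from your provider. It goes one step beyond the text by always letting emergency numbers through, which any out-of-hours lock-out must do.

```python
"""Outbound call policy: daily spend cap, destination allow-list with
premium-rate barring, and an out-of-hours lock-out.

Added example, not Cloudswitched's code. All prefixes, hours and figures
below are constructed placeholders."""
from datetime import datetime, time

EMERGENCY_NUMBERS = {"999", "112"}               # never blocked by policy
ALLOWED_COUNTRY_CODES = {"44", "1", "33", "49"}  # countries you actually call
# Constructed premium-rate list in E.164 digits without "+" (UK 09xx = +449...).
PREMIUM_PREFIXES = ("449", "44871", "44872", "44873")
BUSINESS_HOURS = (time(8, 0), time(18, 30))      # Monday to Friday
DAILY_CAP_GBP = 50.0


def normalise(number: str) -> str:
    """Dialled digits -> E.164 without '+', assuming the trunk is in the UK."""
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if digits.startswith("+"):
        return digits[1:]
    if digits.startswith("00"):   # international access code
        return digits[2:]
    if digits.startswith("0"):    # UK national format
        return "44" + digits[1:]
    return digits


def evaluate_call(number: str, when: datetime, spent_today_gbp: float,
                  est_cost_gbp: float) -> tuple:
    """Return (allowed, reason) for one outbound call attempt."""
    e164 = normalise(number)
    if e164 in EMERGENCY_NUMBERS:
        return True, "emergency number"
    # Premium check must precede the country check: +449... is UK, still barred.
    if e164.startswith(PREMIUM_PREFIXES):
        return False, "premium-rate destination blocked"
    # Country codes are 1 to 3 digits long, so try each prefix length.
    if not any(e164[:n] in ALLOWED_COUNTRY_CODES for n in (1, 2, 3)):
        return False, "destination country not on allow-list"
    start, end = BUSINESS_HOURS
    if when.weekday() >= 5 or not (start <= when.time() <= end):
        return False, "outbound calling disabled out of hours"
    if spent_today_gbp + est_cost_gbp > DAILY_CAP_GBP:
        return False, "daily spend cap would be exceeded"
    return True, "allowed"
```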

Encryption: TLS and SRTP

Encryption is the single most important technical control for VoIP security. Without it, your voice calls travel across the internet as readable data — anyone with access to the network path can capture and play back your conversations. VoIP encryption operates at two layers: signalling encryption (TLS) protects the call setup, routing, and metadata, while media encryption (SRTP) protects the actual voice content.

Signalling vs Media Encryption

TLS (Transport Layer Security)
  • Encrypts SIP signalling between endpoints and servers
  • Protects caller ID, dialled numbers, and authentication credentials
  • Prevents man-in-the-middle attacks on call setup
  • Uses port 5061 (SIPS) instead of unencrypted port 5060
  • Requires valid certificates on SIP servers
  • Must be enforced — not optional — in your configuration
SRTP (Secure Real-time Transport Protocol)
  • Encrypts the actual voice media stream between the endpoints (hop-by-hop where an SBC anchors media, since the SBC decrypts and re-encrypts each leg)
  • Prevents eavesdropping on conversation content
  • Uses AES-128 encryption for audio packets
  • Key exchange secured via SDES (keys carried inside the SDP, so it relies on TLS-protected signalling) or DTLS-SRTP
  • Minimal latency impact — typically under 1ms additional delay
  • Both endpoints must support SRTP for encryption to function
Enforce Encryption End-to-End

Enabling TLS without SRTP (or vice versa) leaves a critical gap. TLS alone protects signalling but leaves voice content exposed. SRTP alone encrypts voice but leaves credentials and call metadata in the clear, and with SDES key exchange the SRTP keys themselves travel in the SDP, so unencrypted signalling also exposes the media keys. Both must be enabled and enforced — not just supported. Configure your PBX and SIP trunks to reject unencrypted connections entirely. At Cloudswitched, every VoIP deployment we manage enforces TLS 1.2+ for signalling and SRTP for media as a baseline, with no fallback to unencrypted protocols.
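What "reject unencrypted connections" looks like at the SDP level, as an added example (not code from Cloudswitched or any PBX vendor): a policy check that refuses any offer whose media lines would run plain RTP, the SRTP downgrade case from the threat table. It assumes the PBX or SBC hands the decoded SDP body to `check_sdp()`; the function names and sample offers are constructed.

```python
"""Policy hook that rejects SDP offers which would downgrade media to plain RTP.

Added example, not Cloudswitched or any PBX vendor's code. Assumes the
PBX/SBC passes the decoded SDP body to check_sdp(); names are hypothetical."""
from dataclasses import dataclass

# Transport profiles that carry SRTP (RFC 3711 / RFC 5764). Plain RTP/AVP or
# RTP/AVPF means the media would be sent unencrypted.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


@dataclass
class MediaCheck:
    media: str     # "audio", "video", ...
    profile: str   # transport profile from the m= line
    keying: str    # "sdes", "dtls" or "none"
    ok: bool
    reason: str


def check_sdp(sdp: str) -> list:
    """Return one verdict per active m= section; any ok=False means reject."""
    session_attrs, sections = [], []  # a= lines before the first m= are session-level
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            sections.append((line, []))
        elif line.startswith("a="):
            (sections[-1][1] if sections else session_attrs).append(line)
    results = []
    for mline, attrs in sections:
        parts = mline[2:].split()
        if len(parts) < 3:  # malformed m= line: fail closed rather than guess
            results.append(MediaCheck("?", "?", "none", False, "malformed m= line"))
            continue
        media, port, profile = parts[:3]
        if port == "0":
            continue  # port 0 = stream disabled, nothing to protect
        has_crypto = any(a.startswith("a=crypto:") for a in attrs)
        has_fp = any(a.startswith("a=fingerprint:") for a in attrs + session_attrs)
        if profile not in SRTP_PROFILES:
            results.append(MediaCheck(media, profile, "none", False,
                                      "unencrypted transport profile (SRTP downgrade)"))
        elif profile.startswith("UDP/TLS/"):
            results.append(MediaCheck(media, profile, "dtls", has_fp,
                                      "" if has_fp else "DTLS-SRTP offer without a=fingerprint"))
        else:
            results.append(MediaCheck(media, profile, "sdes", has_crypto,
                                      "" if has_crypto else "RTP/SAVP offer without a=crypto"))
    return results


def offer_acceptable(sdp: str) -> bool:
    """True only if the offer has media and every active stream is SRTP."""
    checks = check_sdp(sdp)
    return bool(checks) and all(c.ok for c in checks)


# Constructed sample offers (not captured traffic); key material is a placeholder.
_HEADER = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
SDES_OFFER = "\r\n".join(_HEADER + [
    "m=audio 10020 RTP/SAVP 0 8",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_MATERIAL_XXXXXX",
    "a=rtpmap:0 PCMU/8000",
])
DTLS_OFFER = "\r\n".join(_HEADER + [
    "a=fingerprint:sha-256 PLACEHOLDER:FINGERPRINT",
    "m=audio 10020 UDP/TLS/RTP/SAVPF 0 8", "a=setup:actpass", "a=rtpmap:0 PCMU/8000",
])
# The downgrade case: same call with the profile rewritten to plain RTP/AVP.
DOWNGRADED_OFFER = "\r\n".join(_HEADER + ["m=audio 10020 RTP/AVP 0 8", "a=rtpmap:0 PCMU/8000"])
```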

Session Border Controllers (SBCs)

A Session Border Controller is the VoIP equivalent of a firewall — it sits at the boundary of your network and controls all SIP traffic entering and leaving your environment. For any business running on-premises VoIP equipment or SIP trunks, an SBC is an essential security component that provides access control, topology hiding, protocol normalisation, and denial-of-service protection in a single appliance.

What an SBC Protects Against

  • SIP scanning & brute force attacks: blocks
  • Toll fraud via unauthorised SIP registrations: blocks
  • DDoS & volumetric SIP flooding: mitigates
  • Topology hiding (masks internal IP addresses): full
  • Malformed SIP packet attacks: blocks
  • TLS/SRTP enforcement & media anchoring: enforces

For businesses using hosted VoIP platforms (such as Microsoft Teams Phone, 3CX Cloud, or RingCentral), the provider typically manages SBC functionality within their infrastructure. However, if you are running an on-premises PBX, connecting SIP trunks directly to your network, or operating a hybrid configuration, deploying your own SBC — whether hardware or virtualised — is strongly recommended.

Firewall Configuration for VoIP

Standard firewall rules designed for web and email traffic are not sufficient for VoIP. Voice traffic uses different protocols (SIP, RTP), different port ranges, and has different quality-of-service requirements. Misconfigured firewalls are one of the most common causes of both VoIP security vulnerabilities and call quality problems.

Essential Firewall Rules for VoIP

Each rule gives the protocol/port, the direction, and its purpose.

  • Allow SIP signalling (encrypted): TCP/TLS 5061, inbound & outbound. Encrypted call setup and registration.
  • Block unencrypted SIP: UDP/TCP 5060, both directions. Prevent unencrypted signalling — force TLS.
  • Allow RTP media range: UDP 10000–20000, inbound & outbound. Voice media streams (restrict to provider IPs).
  • Restrict SIP source IPs: whitelist only, inbound. Only accept SIP from your provider's IP ranges.
  • Enable SIP ALG (cautiously): application layer, both directions. NAT traversal — disable if causing issues.
  • Rate-limit SIP registrations: 5061, inbound. Prevent brute-force registration attempts.
  • QoS marking & prioritisation: DSCP EF (46), outbound. Prioritise voice traffic over data to maintain call quality.

SIP ALG: The Hidden Troublemaker

SIP Application Layer Gateway (ALG) is a firewall feature designed to help SIP traffic traverse NAT. In practice, it frequently causes more problems than it solves — mangling SIP headers, breaking call audio, and interfering with VoIP provider configurations. Most VoIP providers and firewall vendors now recommend disabling SIP ALG and using the provider's own NAT traversal mechanisms instead. If you are experiencing one-way audio, dropped calls, or registration failures, a misconfigured SIP ALG is often the culprit.

VLAN Segmentation for Voice Traffic

Network segmentation is a fundamental security principle, and it applies to VoIP just as much as to any other system. Placing voice traffic on a dedicated VLAN — separate from your general data network — provides multiple security and performance benefits that every business with on-premises VoIP equipment should implement.

Why Separate Voice and Data VLANs

Flat Network (No Segmentation)
  • Voice and data traffic share the same broadcast domain
  • Any device on the network can sniff voice packets
  • Malware on a workstation can reach VoIP phones directly
  • No ability to apply voice-specific QoS policies
  • ARP spoofing attacks can intercept voice traffic trivially
  • Compliance auditors will flag this as a significant finding
Segmented Network (Voice VLAN)
  • Voice traffic isolated on dedicated VLAN (e.g. VLAN 100)
  • Inter-VLAN routing controlled by firewall rules
  • Compromised workstations cannot access voice infrastructure
  • QoS policies applied specifically to voice VLAN for call quality
  • DHCP scope and DNS separate for voice devices
  • Audit trail cleaner — voice traffic easily identifiable in logs

Most modern managed switches support 802.1Q VLAN tagging, and many IP phones support LLDP-MED or CDP for automatic VLAN assignment. This means phones plugged into the network can automatically join the voice VLAN without manual configuration — reducing deployment effort while maintaining security segmentation.

Authentication & Access Control

Strong authentication is the first line of defence against SIP-based attacks. Every SIP endpoint, trunk, and administrative interface must be secured with robust credentials and, where possible, multi-factor authentication. The default credentials shipped with many IP phones and PBX platforms are widely known and actively exploited by automated scanning tools.

VoIP Authentication Best Practices

  • Change default admin passwords on all devices (Essential): do this first
  • Use complex SIP authentication credentials (Essential): 20+ character random strings
  • Enable MFA on PBX admin interfaces (High): prevents admin takeover
  • Restrict admin access by IP address (High): whitelist only
  • Disable unused SIP extensions (Medium): reduce attack surface
  • Implement certificate-based device auth (Advanced): 802.1X for IP phones

Default Credentials Are Public Knowledge

The default administrator passwords for every major IP phone and PBX platform are published online and embedded in automated attack tools. Yealink, Polycom, Cisco, Grandstream, Avaya — all ship with known default credentials. If you deploy IP phones or a PBX without immediately changing every default password, you are effectively leaving the front door wide open. Automated SIP scanners run 24/7, probing every public IP address on ports 5060 and 5061. They will find you, and they will try those defaults.

Patch Management for VoIP Systems

VoIP infrastructure requires the same rigorous patch management as any other IT system, yet phone systems are frequently overlooked in patching schedules. IP phone firmware, PBX software, SBC firmware, and the underlying operating systems all require regular updates to address security vulnerabilities. Many organisations patch their desktops and servers diligently but leave their phone system running years-old firmware with known exploits.

VoIP Patching Priorities

  • PBX / call server software (3CX, FreePBX, Asterisk): Critical
  • Session Border Controller firmware: Critical
  • IP phone firmware (desk phones & conference units): High
  • Softphone / desktop client applications: High
  • Network switch & router firmware (voice VLANs): Medium
  • VoIP gateway & ATA device firmware: Medium

The 3CX Supply Chain Lesson

The 2023 3CX supply chain attack demonstrated how devastating a compromised VoIP platform can be. Attackers inserted malware into the official 3CX desktop application update, affecting over 600,000 organisations worldwide. The lesson is twofold: keep your VoIP software updated to receive security patches promptly, but also verify update integrity through official channels and vendor advisories. Subscribe to your VoIP vendor's security notification list and have a process for evaluating and deploying critical patches within 48 hours of release.

Monitoring & Intrusion Detection

Security without monitoring is security without visibility. You cannot protect what you cannot see. Effective VoIP monitoring goes beyond checking whether calls are connecting — it means actively watching for anomalous patterns that indicate an attack in progress, alerting on suspicious behaviour, and maintaining logs for forensic analysis.

Key VoIP Monitoring Metrics

Each metric gives the normal baseline, the alert threshold, and what a breach indicates.

  • Failed SIP registrations per hour: baseline 0–5; alert at >20 per hour. Indicates a brute force / credential stuffing attack.
  • International call volume (daily): baseline is your business norm; alert at 200%+ above baseline. Indicates potential toll fraud in progress.
  • Calls to premium-rate numbers: baseline 0; alert on any. Likely toll fraud — investigate immediately.
  • Out-of-hours call volume: baseline minimal or zero; alert above your defined threshold. Indicates a compromised extension being used for fraud.
  • SIP INVITE rate from unknown IPs: baseline 0; alert on any. Indicates a SIP scanning / enumeration attempt.
  • Call duration anomalies: baseline average 3–8 minutes; alert on many calls >60 minutes to the same destination. Indicates toll fraud pumping calls to premium numbers.

Modern VoIP platforms and SBCs generate detailed call detail records (CDRs) and SIP logs that can be fed into a SIEM (Security Information and Event Management) system for centralised analysis. For smaller businesses, many hosted VoIP providers offer built-in dashboards with anomaly detection and configurable alerts — ensure these are enabled and that alerts go to someone who will act on them, not to an unmonitored mailbox.
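Three of the thresholds from the monitoring table above (failed registrations per hour, out-of-hours calls, and repeated long calls to one destination) turned into detection rules and run over constructed SIP and CDR lines, as an added example rather than Cloudswitched tooling. The log line format is a constructed placeholder, so the two regexes are what you adapt to your own PBX or SBC export; the IP addresses and numbers are documentation values, not real indicators.

```python
"""Detection rules for VoIP monitoring thresholds, run over constructed log lines.

Added example, not Cloudswitched tooling. The line format is a placeholder;
adapt SIP_RE and CDR_RE to the export format of your PBX or SBC."""
import re
from collections import Counter, defaultdict
from datetime import datetime, time

FAILED_REG_PER_HOUR = 20        # >20 failed REGISTERs per hour = brute force
LONG_CALL_SECONDS = 60 * 60     # "many calls >60 min to the same destination"
LONG_CALLS_TO_ALERT = 3
BUSINESS_HOURS = (time(8, 0), time(18, 30))   # Monday to Friday

SIP_RE = re.compile(r"^(?P<ts>\S+) REGISTER failed user=(?P<user>\S+) src=(?P<src>\S+)$")
CDR_RE = re.compile(r"^(?P<ts>\S+) ext=(?P<ext>\S+) dst=(?P<dst>\S+) duration=(?P<dur>\d+)$")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(lines) -> list:
    """Return (rule, subject, detail) tuples for every threshold breached."""
    alerts = []
    failures = Counter()            # (source IP, hour bucket) -> failed REGISTERs
    long_calls = defaultdict(list)  # destination -> extensions with >60 min calls
    for line in lines:
        if m := SIP_RE.match(line):
            # Fixed hourly buckets keep this short; a sliding window also catches
            # bursts that straddle an hour boundary.
            failures[(m["src"], parse_ts(m["ts"]).strftime("%Y-%m-%dT%H"))] += 1
        elif m := CDR_RE.match(line):
            when, dur = parse_ts(m["ts"]), int(m["dur"])
            start, end = BUSINESS_HOURS
            if when.weekday() >= 5 or not (start <= when.time() <= end):
                alerts.append(("out_of_hours_call", m["ext"], f"to {m['dst']} at {m['ts']}"))
            if dur > LONG_CALL_SECONDS:
                long_calls[m["dst"]].append(m["ext"])
    for (src, bucket), n in failures.items():
        if n > FAILED_REG_PER_HOUR:
            alerts.append(("registration_brute_force", src, f"{n} failed REGISTERs in hour {bucket}"))
    for dst, exts in long_calls.items():
        if len(exts) >= LONG_CALLS_TO_ALERT:
            alerts.append(("long_call_pumping", dst, f"{len(exts)} calls over 60 min from {sorted(set(exts))}"))
    return alerts


# Constructed sample: a scanner hammering one account on a Friday night, then a
# compromised extension pumping long calls to one destination over the weekend.
SAMPLE_LOG = (
    [f"2025-01-10T21:{i:02d}:11Z REGISTER failed user=1001 src=198.51.100.7" for i in range(25)]
    + ["2025-01-10T14:05:00Z REGISTER failed user=1002 src=203.0.113.5",  # one typo, not an attack
       "2025-01-10T14:07:30Z ext=1002 dst=+442079460000 duration=240",   # normal weekday call
       "2025-01-10T23:12:05Z ext=1023 dst=+5371234567 duration=3720",
       "2025-01-11T02:40:00Z ext=1023 dst=+5371234567 duration=5400",
       "2025-01-11T05:10:00Z ext=1023 dst=+5371234567 duration=4100"]
)
```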

GDPR Compliance for Call Recordings

Call recording is a valuable business tool for training, quality assurance, and dispute resolution. However, under UK GDPR and the Data Protection Act 2018, recorded phone calls are personal data — and must be handled with the same care as any other personal information your business processes. Getting call recording compliance wrong exposes your organisation to ICO enforcement action, fines, and reputational damage.

Call Recording Compliance Requirements

  • Lawful basis documented (consent / legitimate interest) (Mandatory): required by law
  • Callers informed before recording starts (Mandatory): clear announcement
  • Recordings encrypted at rest & in transit (Expected): technical measure
  • Access controls on recording storage (Expected): role-based access
  • Defined retention period with auto-deletion (Required): data minimisation
  • Subject access request (SAR) process for recordings (Required): within 30 days

Payment Card Data in Recordings

If your staff take card payments over the phone, you must never record the full card number, CVV, or security code. This violates PCI DSS requirements and creates enormous liability. Implement pause-and-resume recording (where the agent pauses the recording before the customer reads out card details) or use DTMF masking technology that replaces key tones with flat tones in the recording. Failure to do so can result in your merchant account being terminated by your payment processor, in addition to GDPR penalties for processing sensitive financial data without adequate safeguards.

Recording Retention Policy

Define a clear retention period for call recordings and enforce it automatically. The ICO expects you to retain personal data only for as long as necessary for the stated purpose. For quality assurance, 90 days is typically sufficient. For regulatory compliance in financial services, you may need to retain recordings for 5–7 years. Whatever period you define, ensure recordings are automatically deleted when it expires — do not rely on manual processes. Document your retention rationale in your data processing records.

VoIP Incident Response

When a VoIP security incident occurs, the response must be fast and structured. A compromised phone system can haemorrhage money through toll fraud, expose confidential conversations, and disrupt business operations simultaneously. Having a VoIP-specific incident response plan ensures your team knows exactly what to do when the alarms trigger.

VoIP Incident Response Checklist

  1. Detect & confirm: Verify the alert is genuine. Check CDRs, SIP logs, and call volume dashboards. Confirm whether unusual activity represents a real incident or a false positive.
  2. Contain immediately: For toll fraud, disable the compromised extension or trunk immediately. For DDoS, engage your SBC's rate-limiting and contact your provider. For eavesdropping, isolate the affected network segment.
  3. Preserve evidence: Export SIP logs, CDRs, firewall logs, and any packet captures. Do not restart systems until logs are secured — volatile evidence is lost on reboot.
  4. Notify your provider: Contact your SIP trunk or hosted VoIP provider immediately. They can block fraudulent destinations, apply emergency call barring, and assist with investigation from their side.
  5. Assess data exposure: If calls were intercepted, determine what information was discussed. If personal data was compromised, assess your UK GDPR notification obligations within the 72-hour window.
  6. Remediate root cause: Change all compromised credentials. Patch exploited vulnerabilities. Reconfigure firewall rules. Implement additional controls to prevent recurrence.
  7. Review & improve: Conduct a post-incident review within 5 business days. Update your incident response plan, monitoring thresholds, and security controls based on lessons learned.

VoIP Security Implementation Roadmap

Implementing comprehensive VoIP security does not happen overnight. The following roadmap provides a practical, phased approach that prioritises the highest-impact controls first and builds towards a fully hardened telephony environment over three to six months.

  • Phase 1 (Week 1–2): Credentials, encryption & call restrictions
  • Phase 2 (Week 3–4): Firewall hardening, SBC deployment & VLAN segmentation
  • Phase 3 (Month 2–3): Monitoring, alerting & patch management processes
  • Phase 4 (Month 3–6): GDPR compliance, incident response & staff training

Choosing a Secure VoIP Provider

Not all VoIP providers take security equally seriously. When evaluating providers for your business, security capabilities should be weighted alongside features and price. The cheapest SIP trunk is no bargain if it lacks encryption support and leaves your business exposed to toll fraud.

Security Features to Demand from Your Provider

Basic Provider
  • SIP over UDP only (port 5060, unencrypted)
  • No fraud detection or call-spend alerts
  • No TLS or SRTP support
  • No IP whitelisting for SIP registration
  • Limited or no CDR access for monitoring
  • No SBC or DDoS protection included
Security-Conscious Provider
  • Mandatory TLS 1.2+ for signalling, SRTP for media
  • Real-time fraud detection with automatic call barring
  • Configurable daily spend caps and country restrictions
  • IP-based access control for SIP registrations
  • Full CDR and SIP log access via portal and API
  • Built-in SBC with DDoS mitigation at network edge

Protect Your Business Communications

VoIP security is not optional — it is a fundamental requirement for any UK business that relies on internet-based telephony. The threats are real, active, and financially devastating when they succeed. But with the right combination of encryption, access control, network segmentation, monitoring, and incident response planning, your phone system can be as secure as the rest of your IT infrastructure.

At Cloudswitched, we build security into every VoIP deployment from day one. Our London-based team understands the specific challenges facing UK businesses — from GDPR compliance for call recordings to defending against the toll fraud patterns we see targeting SMEs every week. Whether you are deploying a new VoIP system, migrating from legacy ISDN, or need a security audit of your existing telephony infrastructure, we ensure your business communications are protected at every layer.

Get a Free VoIP Security Assessment

Not sure how secure your current phone system is? We offer a complimentary VoIP security health check covering encryption, access controls, fraud prevention, and GDPR compliance. No obligation, no jargon — just clear, actionable findings from our London-based telephony and security team.
