V
    VoIP Help Page
    Hosted Voice & PBX

    Identify a Ghost Call

    The VoIP Help Page Team·2 min read·Last updated: March 14, 2026

    ### Scope

    This document explains how ghost calls occur, how to identify them, and how to prevent them.

    Ever received a call with no one on the line—and nothing in your call history?

    These are known as Ghost Calls.

    Ghost calls typically occur when a partner or client becomes a victim of SPIT (Spam over Internet Telephony). In the VoIP landscape, SPIT is a common nuisance. Cybercriminals attempting toll fraud use SIP dialers to scan random IP addresses, sending SIP INVITE requests to detect active devices. When they find one, they often try to access the phone's web interface and set up call forwarding to high-cost destinations.

    The rise of scanning tools like SIP Vicious has made these incidents more frequent. Some of these ghost calls even display suspicious caller IDs like " SIPVicious" or other unusual patterns. An example is given below:

    To determine whether your system is being targeted, check your PBX call logs. If the calls don’t appear there, it’s a strong indicator that SIP scanning is the cause.

    How to Prevent Ghost Calls

    Change the SIP Listening Port

    Most SIP scanners focus on port 5060—the default for SIP traffic. Changing the phone's SIP listening port (usually via override settings) can reduce the likelihood of being targeted. Note: This won’t be effective if the scanner sweeps all ports.

    • Yealink: sip.listen_port="(port)"
    • Grandstream: p40="port"

    Block SIP Traffic at the Firewall

    Configure firewall rules to block all inbound SIP packets, except those from trusted SIP server IPs -IP Addresses & Ports. This is one of the most reliable ways to protect against unsolicited traffic.

    Disable Direct IP Calls

    Some phones offer the option to disable direct IP calls, allowing only calls from the device’s registered SIP server. This greatly reduces exposure to external SIP probes. Sample override settings are provided below if needed.

    • Polycom:

    voIpProt.SIP.requestValidation.1.method="source"

    voIpProt.SIP.requestValidation.1.request="INVITE"

    • Yealink V73 Firmware and Below

    features.direct_ip_call_enable="0"

    account.1.sip_trust_ctrl="1"

    • Yealink V80 Firmware Plus

    features.direct_ip_call_enable="0"

    sip.trust_ctrl="1"

    Note: Devices that are properly provisioned will already have these settings.

    Related Articles

    Call Center on SNAPmobile Web

    Hosted Voice & PBX

    Call Recording

    Hosted Voice & PBX

    Allowing and Blocking Calls

    Hosted Voice & PBX

    Was this article helpful?