What to Do If You've Been Compromised
> **Warning:** If you suspect active fraud, contact your provider before doing anything else — disabling outbound calling stops the bleeding immediately. Every minute counts, and charges can accumulate rapidly.
Contact Your Service Provider Immediately
Call your VoIP provider's support line right away. Ask them to:
1. Temporarily disable outbound calling on your account
2. Block any suspicious destinations or international routes
3. Flag your account for investigation
Tip: Keep your provider's emergency support number saved somewhere accessible — don't waste time searching for it during an active incident.
Change All Admin Passwords
Log in to the Manager Portal and change every administrator password immediately. If you have multiple admin accounts, change them all — you don't yet know which credentials were compromised.
1. Log in to the Manager Portal
2. Navigate to account settings
3. Change your password to something strong and unique (16+ characters)
4. Repeat for every admin-level account
Disable International Calling
Use Dial Permissions to disable international and premium-rate calling across all users. You can selectively re-enable it later once the situation is contained.
1. Go to Dial Permissions in the Manager Portal
2. Set international calling to disabled for all extensions
3. Save changes and verify the restriction is active
Best Practice: Even after the incident is resolved, keep international calling disabled by default. Only enable it for specific users who have a documented business need.
Identify and Disable Unrecognized Extensions
Review every extension and registered device on your system. If you see anything you don't recognize — an unfamiliar extension number, a device MAC address that doesn't match your inventory, or a registration from an unexpected IP address — disable it immediately.
1. Open the device/extension list in the Manager Portal
2. Compare against your known inventory
3. Document what you found before removing it
4. Disable or delete any unrecognized entries
Pull CDRs and Assess the Scope
Your Call Detail Records are the primary evidence for understanding what happened. Export and review them carefully.
1. Export CDRs for at least the past 7 days
2. Filter for international and premium-rate calls
3. Look for calls to unusual destinations (countries you don't do business with)
4. Identify high-volume periods, especially nights, weekends, and holidays
5. Note the extensions that placed the suspicious calls
Tip: Save these CDR exports as files — you'll need them for your provider's investigation and for any insurance claims.
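The steps above can be run as a script over the exported CDR file instead of by hand. The following is an added example, not code from this article or from any provider's portal. It parses a small constructed CDR export, classifies each call as domestic, international, or premium-rate, flags calls to countries you do not do business with and calls placed outside business hours, and totals the suspicious calls and charges per extension. The column names, the 011 international prefix, the 900/976 premium-rate prefixes, the expected country codes, and the business-hours window are all assumptions; change them to match your provider's export and your own dial plan.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDR export for illustration only (not real call data).
# Column names are an assumption; adapt them to your provider's export format.
SAMPLE_CDR = """start_time,src_extension,dialed_number,duration_sec,cost
2024-03-09 02:13:05,1042,011252612345678,612,14.50
2024-03-09 02:14:11,1042,011252612345679,598,14.20
2024-03-09 02:15:40,1042,011252612345680,640,15.10
2024-03-09 03:02:17,1042,900555123456,300,9.99
2024-03-11 10:05:00,1010,2125551234,120,0.00
2024-03-11 14:30:00,1015,4155559876,45,0.00
2024-03-11 21:45:00,1042,0114412079460000,200,2.40
"""

# Assumed dial-plan conventions (US-style): 011 prefixes international calls,
# 900/976 are premium-rate. Replace with your own plan and the country codes
# you actually do business with.
INTERNATIONAL_PREFIX = "011"
PREMIUM_PREFIXES = ("900", "976")
EXPECTED_COUNTRY_CODES = {"44"}   # countries you do business with (assumed)
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59, Monday to Friday (assumed)


def classify(dialed: str) -> str:
    """Return 'premium', 'international', or 'domestic' for a dialed string."""
    if dialed.startswith(PREMIUM_PREFIXES):
        return "premium"
    if dialed.startswith(INTERNATIONAL_PREFIX):
        return "international"
    return "domestic"


def country_code(dialed: str) -> str:
    """Best-effort country code: the digits after the international prefix.
    Country codes are 1 to 3 digits long, so try each length against the
    expected set and fall back to the first three digits."""
    rest = dialed[len(INTERNATIONAL_PREFIX):]
    for n in (1, 2, 3):
        if rest[:n] in EXPECTED_COUNTRY_CODES:
            return rest[:n]
    return rest[:3]


def off_hours(ts: datetime) -> bool:
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def assess(cdr_csv: str) -> dict:
    """Filter international/premium calls and flag the ones worth investigating."""
    suspicious = []
    calls_by_extension = Counter()
    cost_by_extension = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cdr_csv)):
        kind = classify(row["dialed_number"])
        if kind == "domestic":
            continue
        ts = datetime.strptime(row["start_time"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if kind == "premium":
            reasons.append("premium-rate destination")
        elif country_code(row["dialed_number"]) not in EXPECTED_COUNTRY_CODES:
            reasons.append("country code +" + country_code(row["dialed_number"]) + " not expected")
        if off_hours(ts):
            reasons.append("placed outside business hours")
        if not reasons:
            continue
        ext = row["src_extension"]
        suspicious.append({"time": row["start_time"], "extension": ext,
                           "dialed": row["dialed_number"], "reasons": reasons})
        calls_by_extension[ext] += 1
        cost_by_extension[ext] += float(row["cost"])
    return {"suspicious_calls": suspicious,
            "calls_by_extension": dict(calls_by_extension),
            "cost_by_extension": dict(cost_by_extension)}


if __name__ == "__main__":
    report = assess(SAMPLE_CDR)
    for call in report["suspicious_calls"]:
        print(call["time"], call["extension"], call["dialed"], "; ".join(call["reasons"]))
    for ext, n in report["calls_by_extension"].items():
        print(f"extension {ext}: {n} suspicious calls, ${report['cost_by_extension'][ext]:.2f}")
```

On the sample data every flagged call comes from extension 1042, most of them in the early hours of a Saturday, which is the pattern to look for: one compromised extension, sequential numbers in one unexpected country, and activity concentrated when nobody is watching. Point the script at your real export, then use the per-extension totals when you reset SIP credentials and fill in the financial-impact section of your incident record.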
Check for Unrecognized Registered Devices
Beyond extensions, check which devices are actively registered to your system. Attackers sometimes register rogue softphones or SIP clients to place calls.
1. Review the active registrations in your portal
2. Cross-reference IP addresses with your known office locations
3. Look for registrations from foreign IP addresses or VPN services
4. Deregister anything suspicious
Review Portal Login History
If your portal provides login audit logs, review them for:
- Logins from unfamiliar IP addresses or geographic locations
- Access at unusual times (late night, weekends)
- Multiple failed login attempts followed by a successful one
- Any admin-level actions you didn't perform
Warning: If you find evidence of unauthorized portal access, assume all settings may have been tampered with. Review Dial Permissions, call forwarding rules, and voicemail routing carefully.
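The login-history review above, and the IP cross-check from the registered-devices section, can both be automated with a short script. The following is an added example, not code from this article or from any portal vendor. It reads a small constructed audit-log export, checks each successful login against the networks your offices actually use, flags logins outside business hours, and flags a success that follows a burst of failures from the same source (the classic password-guessing signature). The column names, the office network ranges, the business-hours window, and the failure threshold are assumptions; adjust them to your portal's export and your environment. The same ip_is_known() check applies to the source addresses in your active SIP registrations.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample portal audit log for illustration only (not from any real
# portal). Field names are an assumption; map them to your portal's export.
SAMPLE_LOGINS = """timestamp,username,source_ip,result
2024-03-08 09:02:11,admin,203.0.113.10,success
2024-03-09 01:40:02,admin,198.51.100.77,failure
2024-03-09 01:40:09,admin,198.51.100.77,failure
2024-03-09 01:40:15,admin,198.51.100.77,failure
2024-03-09 01:40:31,admin,198.51.100.77,success
2024-03-11 08:55:40,helpdesk,203.0.113.12,success
"""

# Networks your offices and corporate VPN egress actually use (assumed values).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 18)              # 08:00-17:59, Monday to Friday (assumed)
FAILURE_WINDOW = timedelta(minutes=10)     # failures this close to a success count (assumed)
FAILURES_BEFORE_SUCCESS = 3                # threshold for a guessing pattern (assumed)


def ip_is_known(ip: str) -> bool:
    """True if the address falls inside one of your known office/VPN ranges.
    Also usable against the source IPs of active device registrations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def review_logins(log_csv: str) -> list:
    """Return one finding per successful login that looks suspicious."""
    rows = sorted(csv.DictReader(io.StringIO(log_csv)), key=lambda r: r["timestamp"])
    findings = []
    recent_failures = defaultdict(list)   # (username, source_ip) -> failure timestamps
    for row in rows:
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        key = (row["username"], row["source_ip"])
        if row["result"] != "success":
            recent_failures[key].append(ts)
            continue
        reasons = []
        if not ip_is_known(row["source_ip"]):
            reasons.append("source IP outside known office/VPN ranges")
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            reasons.append("login outside business hours")
        burst = [t for t in recent_failures[key] if ts - t <= FAILURE_WINDOW]
        if len(burst) >= FAILURES_BEFORE_SUCCESS:
            reasons.append(f"{len(burst)} failed attempts shortly before this success")
        recent_failures[key] = []           # a success resets the counter for this pair
        if reasons:
            findings.append({"time": row["timestamp"], "username": row["username"],
                             "source_ip": row["source_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOGINS):
        print(f["time"], f["username"], f["source_ip"], "; ".join(f["reasons"]))
```

On the sample log the only finding is the admin login at 01:40 on a Saturday from an address outside the office range, preceded by three failures within half a minute. Treat any admin login that trips the third check as confirmed unauthorized access and review Dial Permissions, forwarding rules, and voicemail routing for changes made after that timestamp.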
Reset All SIP Credentials
Change the SIP username and password for every affected device — and consider resetting all devices on the system if the breach scope is unclear.
1. Generate new, strong SIP credentials for each extension
2. Update the credentials on each physical device or softphone
3. Verify each device re-registers successfully with the new credentials
4. Confirm no old registrations remain active
Enable Multi-Factor Authentication
If MFA isn't already active on your Manager Portal, enable it now for every admin account. This is one of the most effective ways to prevent future unauthorized access.
1. Go to account settings in the Manager Portal
2. Enable Multi-Factor Authentication
3. Set up an authenticator app (not SMS if possible)
4. Require MFA for all admin-level users
Tighten Dial Permissions
Now that the immediate threat is contained, review and tighten your Dial Permissions to follow the principle of least privilege — each user should only be able to call the destinations they actually need.
1. Review each user's calling needs with their manager
2. Disable international calling for users who don't need it
3. Set appropriate outbound call limits per extension
4. Block premium-rate number ranges if not needed
Document the Incident
Create a thorough written record of the incident. This is essential for your provider, your management team, and any insurance claim.
Your documentation should include:
- Timeline — when the fraud was first detected, when each response step was taken
- CDR exports — the raw call data showing fraudulent calls
- Affected extensions — which extensions were compromised
- Actions taken — every change you made to contain and remediate
- Financial impact — estimated charges from fraudulent calls
- Provider communication — notes from your calls with support
Tip: Keep all incident documentation in a secure location — not in a shared drive that could be accessed if credentials are compromised again.
Final Thoughts
Being compromised is stressful, but acting quickly and methodically limits the damage. The most important thing is to call your provider first — they can stop outbound calling in seconds and have tools to investigate that you may not have access to.
Once the immediate crisis is handled, use this incident as motivation to lock down your system. Review the Toll Fraud Prevention Checklist to make sure every preventive measure is in place so this doesn't happen again.