SIP Trunk Fraud: How International Attacks Are Draining Your Margins — and What You Can Actually Do About It

26.05.2026 | Topic: Infrastructure & Network

SIP trunk fraud is not a theoretical risk. It is an active, industrialised threat that generated an estimated $38.95 billion in global losses in 2023 (Communications Fraud Control Association, CFCA Global Fraud Loss Survey). For operators and service providers, the exposure is structural: you sit between the PSTN and your customers, which means every fraudulent call that passes through your infrastructure is, by default, your financial and reputational problem.

The good news is that fraud protection is also one of the most underused sales arguments in the indirect market. Your CTO-level buyers are thinking about this daily — most of your competitors are not addressing it proactively. This article maps the attack vectors, the technical responses, and the commercial playbook for operators who want to turn security into a margin defence and a growth lever.

The infrastructure layer where all of this plays out — SIP trunking architecture, geo-redundancy, and interconnect design — is covered in detail in our guide on global SIP trunking infrastructure for service providers. This article builds on that foundation, focusing specifically on fraud mechanics and countermeasures.

The Real Cost of SIP Fraud — Beyond the Unpaid Invoice

IRSF (International Revenue Share Fraud) and related attacks cost operators not just in direct financial losses, but in customer churn, SLA breaches, and reputational damage that is far harder to quantify.

The surface-level cost is visible: a traffic spike to a premium-rate destination generates calls your customer never made, and you receive an invoice you cannot recover. But the downstream effects are equally damaging:

  • Customer relationship breakdown. Your enterprise customer receives an unexplained bill spike. Even if you absorb the loss, trust in your billing integrity is damaged.
  • SLA exposure. A Telephony Denial of Service (TDoS) attack that floods your SBC saturates your capacity and affects legitimate traffic — potentially triggering SLA penalties across your entire customer base.
  • Regulatory liability. In several European jurisdictions, operators have reporting obligations when their infrastructure is used as a vector for fraud. Failing to detect and respond creates compliance exposure on top of the commercial loss.

The CFCA estimates that voice fraud represents approximately 1.79% of total global telecom revenues (CFCA 2023). For an operator generating €10M in annual voice revenue, that is a €179K annual baseline exposure — before accounting for a single targeted attack.

The Three Attack Vectors Targeting Your SIP Infrastructure

SIP fraud attacks fall into three primary categories, each with a distinct mechanism, target, and mitigation profile.

IRSF — International Revenue Share Fraud

IRSF is the dominant attack type by volume and value. The mechanics are straightforward:

  1. A fraudster compromises a PBX, SIP account, or dial-through service with weak credentials.
  2. They generate large volumes of calls to premium-rate numbers (PRNs) in high-cost destinations — typically African, Pacific Island, or Eastern European ranges where they share the revenue with the number owner.
  3. Calls run at maximum duration, maximising per-minute charges, until the pattern is detected.

The attack window matters: most IRSF events run at night or over weekends when NOC coverage is thinnest. A 72-hour undetected attack on a single compromised account can generate five-figure losses.

The operator's exposure: termination charges are due regardless of whether the originating traffic was fraudulent. Your upstream carrier bills you; recovering from your end-customer — or their insurer — is slow, uncertain, and relationship-destroying.

Wangiri — One-Ring Social Engineering

Wangiri (Japanese for "one ring and cut") is simpler in mechanism but wide in reach:

  • Fraudsters auto-dial thousands of numbers from premium-rate geographic prefixes, letting each ring once before disconnecting.
  • Recipients, curious, call back — connecting to a premium-rate service that generates revenue for the fraudster.
  • The operator's exposure: CLI spoofing can make the calls appear to originate from within your number range, generating complaints from recipients and potential reputational damage to your numbering plan.

Wangiri has a lower per-incident impact than IRSF, but it is high in volume and harder to contain because it exploits human behaviour rather than technical vulnerabilities.

TDoS — Telephony Denial of Service

TDoS attacks target your SBC directly, flooding it with SIP INVITE messages, REGISTER requests, or malformed packets. The objective is not revenue extraction but infrastructure disruption — used as a competitive weapon, a distraction during a concurrent IRSF attack, or as extortion leverage.

The impact is immediate: legitimate calls fail, IVRs become unreachable, contact centre SLAs collapse. For operators running contact centre infrastructure on top of SIP trunks, a 20-minute TDoS event during peak hours can invalidate an entire month's SLA commitment.

Why Your SBC Configuration Is Your First Line of Defence

The Session Border Controller (SBC) is not just a signalling gateway — correctly configured, it is your primary fraud detection and containment layer.

Most IRSF and TDoS attacks succeed because SBCs are deployed with vendor defaults or minimal hardening. The following configuration baseline should be non-negotiable for any operator running wholesale or retail SIP infrastructure:

  • IP allowlisting at ingress. Only accept SIP signalling from known, authenticated sources. Any INVITE from an unregistered IP should be silently dropped, not rejected (rejection generates traffic that can be used for reconnaissance).
  • Call velocity limits by account. Set maximum concurrent calls and calls-per-second thresholds at the account level. A legitimate SMB customer does not need more than 10 simultaneous channels; an anomalous spike to 200 is a detection signal.
  • Geographic call blocking by prefix range. Maintain a real-time blocklist of high-risk destination prefixes (updated feeds are available from operators like i3forum and CFCA). Auto-block calls to designated premium-rate ranges outside your customer's defined destinations.
  • Time-of-day restrictions. Implement hard limits on international call volumes during off-hours (22:00–06:00 local time) unless the customer has explicitly authorised 24/7 international traffic.
  • REGISTER flood protection. Rate-limit REGISTER attempts per source IP. More than 5 failed authentications per minute from a single source should trigger automatic IP blacklisting.
  • Media anchoring and RTP validation. Ensure media streams are anchored through the SBC (not bypassed) and validate RTP source addresses against the SDP negotiated during INVITE. Unexpected RTP source shifts are a signal of session hijacking.

This checklist is a floor, not a ceiling. Operators running multi-tenant environments need per-tenant policy enforcement, not just global thresholds.
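The checklist expressed as per-tenant admission logic, as an added illustration (not Enreach's code and not any SBC vendor's configuration syntax). The class names, the placeholder prefixes, the `+31` home prefix and the documentation-range IP addresses used to exercise it are assumptions; media anchoring is out of scope here.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

BLOCKED_PREFIXES = ("+0000", "+0001")  # placeholder ranges, not real premium-rate prefixes
HOME_PREFIX = "+31"                    # assumption: the operator's domestic country code
MAX_REGISTER_FAILURES = 5              # per source IP per minute, as in the checklist

@dataclass
class TenantPolicy:
    allowed_sources: frozenset
    max_concurrent: int = 10
    offhours_international: bool = False  # customer explicitly authorised 24/7 traffic

class AdmissionControl:
    def __init__(self, policies):
        self.policies = policies                # account -> TenantPolicy
        self.active = defaultdict(int)          # account -> calls in progress
        self.failures = defaultdict(deque)      # source IP -> failed REGISTER times
        self.banned = set()

    def register_failed(self, src_ip, now: datetime):
        """Record a failed REGISTER; ban the source above the per-minute limit."""
        recent = self.failures[src_ip]
        recent.append(now)
        while (now - recent[0]).total_seconds() >= 60:
            recent.popleft()
        if len(recent) > MAX_REGISTER_FAILURES:
            self.banned.add(src_ip)
        return src_ip in self.banned

    def invite(self, account, src_ip, dest, now: datetime):
        """Decide one INVITE: 'drop' (no SIP response), 'block:<rule>' or 'allow'."""
        policy = self.policies.get(account)
        if policy is None or src_ip in self.banned or src_ip not in policy.allowed_sources:
            return "drop"
        if dest.startswith(BLOCKED_PREFIXES):
            return "block:prefix"
        off_hours = now.hour >= 22 or now.hour < 6   # 22:00-06:00, `now` in local time
        if off_hours and not dest.startswith(HOME_PREFIX) and not policy.offhours_international:
            return "block:off-hours"                 # simplification: full block, not a volume cap
        if self.active[account] >= policy.max_concurrent:
            return "block:velocity"
        self.active[account] += 1
        return "allow"

    def hangup(self, account):
        self.active[account] = max(0, self.active[account] - 1)
```

Because every threshold lives on `TenantPolicy`, two tenants on the same SBC can carry different concurrency caps and off-hours permissions without touching the global rules.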

Real-Time Fraud Detection — What "Good" Looks Like

Reactive fraud management — reviewing CDRs the following morning — is not fraud protection. It is forensic accounting after the damage is done.

Effective fraud detection operates in three time horizons:

Real-time (sub-second): SBC-level rule enforcement — call blocking based on prefix, velocity, and authentication failure thresholds. This catches the most obvious attacks before any call completes.

Near-real-time (1–5 minutes): Traffic analytics layer comparing current call volume, destination distribution, and call duration patterns against a rolling baseline. Anomaly scoring triggers automated alerts and, above defined thresholds, automatic traffic suspension on the affected account.

Retrospective (hourly/daily): CDR analysis for pattern detection across longer time windows — particularly useful for identifying slow-burn IRSF attacks designed to stay below per-minute detection thresholds.

The combination of all three layers is what separates fraud management from fraud theatre.
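The near-real-time and retrospective layers, sketched over constructed CDRs as an added example (not Enreach's detection logic). The tuple layout, the account names, the placeholder `+000…` prefixes and the thresholds are assumptions; the score is a median/MAD robust z-score, one possible choice of "rolling baseline".

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BUCKET = timedelta(minutes=5)

def bucket_minutes(cdrs, account):
    """Sum billed minutes per 5-minute bucket for one account."""
    totals = defaultdict(float)
    for acct, start, _dest, seconds in cdrs:
        if acct == account:
            key = start.replace(minute=start.minute - start.minute % 5, second=0, microsecond=0)
            totals[key] += seconds / 60
    return totals

def near_real_time(totals, bucket, lookback=12, threshold=6.0):
    """Score one bucket against the previous `lookback` buckets (median/MAD)."""
    baseline = [totals.get(bucket - BUCKET * i, 0.0) for i in range(1, lookback + 1)]
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1.0
    score = (totals.get(bucket, 0.0) - med) / mad
    return score, score > threshold          # True: suspend traffic on the account

def slow_burn(cdrs, account, known_prefixes, daily_budget_min, prefix_len=4):
    """Retrospective pass: days where minutes to unfamiliar prefixes exceed a budget."""
    per_day = defaultdict(float)
    for acct, start, dest, seconds in cdrs:
        if acct == account and dest[:prefix_len] not in known_prefixes:
            per_day[start.date()] += seconds / 60
    return sorted(day for day, minutes in per_day.items() if minutes > daily_budget_min)

def sample_cdrs():
    """Constructed CDRs: (account, start, destination, seconds)."""
    t0 = datetime(2026, 5, 26, 9, 0)
    cdrs = []
    for i in range(13):                      # steady domestic traffic on both accounts
        for acct in ("acme", "slowco"):
            cdrs.append((acct, t0 + BUCKET * i, "+31201234567", 600 + 120 * (i % 2)))
        cdrs.append(("slowco", t0 + BUCKET * i, "+00011234567", 240))  # low-rate leak
    cdrs += [("acme", t0 + BUCKET * 12, "+00001234567", 300)] * 40     # 10:00 burst
    return cdrs
```

On this data the burst on `acme` scores far above the threshold in its 10:00 bucket, while `slowco` never moves its own baseline and only appears in the daily `slow_burn` pass.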

Strategic Insight

Fraud protection quality varies significantly between SIP trunk providers — and most operators discover this only after their first serious incident. Enreach's carrier-grade SIP trunking infrastructure for service providers includes 24/7 real-time traffic monitoring, automated anomaly detection, and geo-redundant routing — so a fraud event on one route does not cascade into a service outage on another. If you are currently managing fraud detection manually or relying on end-of-day CDR review, that is a gap worth addressing before your next attack, not after.

Turning Security Into a Sales Argument

Fraud protection is not a cost centre — it is a differentiated product feature that most of your competitors are not actively selling.

Your enterprise and mid-market customers — particularly those with international calling needs — are exposed to the same fraud risks through their PBXs and UC platforms. Most of them have no visibility into whether their operator is actively monitoring their traffic. The ones who have experienced a fraud event are acutely aware of the exposure.

The commercial opportunity is direct:

  • Position fraud monitoring as a premium tier. A "Business Voice Security" bundle that includes real-time monitoring, automated blocking, and monthly fraud reporting justifies a €2–5/seat premium over a bare SIP trunk line — with virtually no incremental cost at the infrastructure level once the monitoring system is in place.
  • Use fraud data in the sales conversation. Showing a prospect the CFCA loss statistics and asking "what is your current protection level?" is a more compelling opener than leading with per-minute rates.
  • Include fraud reporting in your QBR cadence. A monthly "zero incidents, here's why" report builds trust and makes your service tangibly harder to churn away from.

The regulatory dimension compounds this argument: in markets like France, Germany, and the Netherlands, operators face increasing scrutiny on fraud containment obligations. Demonstrating proactive fraud management is not just a commercial advantage — it is emerging compliance practice. For operators expanding into multiple European markets, the intersection of fraud exposure and regulatory obligation is examined in detail in our analysis of the hidden compliance costs driving voice service liability for operators.

The MVNO Dimension — Wider Attack Surface, Same Financial Exposure

For MVNOs, the fraud surface extends beyond SIP trunks into the provisioning layer. SIM-swap fraud, eSIM provisioning abuse, and stolen credential attacks against subscriber management platforms can all be used to hijack voice services or generate fraudulent traffic at scale.

The provisioning speed that makes eSIM attractive — covered in our guide on instant eSIM provisioning models for MVNO operations — is also the dimension that makes security controls non-negotiable at the provisioning layer. An eSIM that can be activated in seconds can also be fraudulently provisioned in seconds if identity verification is insufficiently robust.

MVNOs building on SIP infrastructure should treat the SBC fraud controls and the subscriber provisioning security layer as a single, integrated problem — not two separate teams' responsibility.

Fraud Response Playbook — What to Do When an Attack Is in Progress

When a fraud event is detected, response speed determines financial exposure. Every minute of unchecked IRSF traffic at peak international rates costs real money.

A functional response runbook for operators:

  1. Immediate — SBC level (T+0 to T+2 minutes): Trigger automatic call suspension on the affected account or destination range. Do not wait for human confirmation if thresholds are clearly breached.
  2. Short-term — NOC notification (T+2 to T+10 minutes): Alert the on-call engineer with full traffic data — originating account, destination range, call volume, estimated exposure.
  3. Customer notification (T+10 to T+30 minutes): Contact the affected customer's technical contact. Provide factual information: traffic suspended, investigation in progress, estimated timeline for service restoration.
  4. Upstream carrier coordination (T+30 to T+60 minutes): If the attack originated upstream or is affecting your interconnect, notify your carrier NOC and initiate blocking at their level.
  5. Post-incident documentation (within 24 hours): Produce a full incident report including timeline, traffic data, financial exposure, root cause analysis, and preventive measures implemented. This document is essential for insurance claims, customer transparency, and regulatory reporting.

The post-incident report is also a retention tool: a customer who receives a structured, professional fraud response document is significantly less likely to churn than one who receives a verbal apology and a credit note.

FAQ

How quickly can a SIP fraud attack generate significant financial losses?

An undetected IRSF attack running at full capacity — typically 50–200 simultaneous calls to premium-rate destinations — can generate losses in the range of €5,000–€50,000 within a single overnight window (8–12 hours). The exact exposure depends on the per-minute rate of the targeted destination and the number of compromised channels. Attacks specifically designed to stay below per-account detection thresholds can run for days at lower intensity, generating equivalent total losses with less visibility.

Who is legally liable for SIP fraud losses — the operator or the end-customer?

Liability allocation depends on your contract terms and the jurisdiction. In most European markets, the contractual baseline places liability on the account holder (your customer) for calls originating from their credentials — but this is frequently disputed when customers claim they had no knowledge of the compromise. Operators who can demonstrate proactive fraud monitoring and rapid response are in a substantially stronger legal and commercial position than those who cannot. In Germany and France, emerging regulatory guidance is increasingly placing affirmative obligations on operators to detect and contain fraud, shifting some liability upstream to the carrier layer.

What is the difference between IRSF and Wangiri, and do they require different technical countermeasures?

IRSF exploits compromised credentials to generate outbound call volume to premium-rate numbers — countermeasures focus on call velocity limits, destination prefix blocking, and credential security. Wangiri uses your infrastructure (or spoofs your CLI) to generate one-ring missed calls, exploiting the recipient's curiosity to trigger a premium-rate callback — countermeasures focus on outbound call pattern analysis, CLI validation, and numbering plan monitoring. Both can occur simultaneously; a Wangiri campaign is sometimes used as a distraction while a concurrent IRSF attack runs on a different account. An effective fraud management system monitors both vectors independently.

Protect Your Infrastructure — Before the Next Attack Window Opens

SIP fraud operates at scale, runs on automation, and exploits the gap between when an attack starts and when your team notices. Closing that gap requires infrastructure-level controls, real-time monitoring, and a clear incident response process — not manual CDR reviews.

Enreach works with operators and service providers to build SIP trunking infrastructure with fraud detection built into the network layer, not bolted on after the fact.
