Architecture and Hardware BLOG@CACM

Securing Data for Business Telephones

Cybersecurity consultant Alex Tray looks at potential security issues, and solutions, for business telephone systems.

Alex Tray

January 24, 2023

In the digital age, it is more important than ever that businesses take extra steps to protect their data. Digital information systems offer criminals new avenues to commit fraud. In 2022, phone scams affected ( more than 70 million Americans to the tune of almost $40 billion in damages. A recent report by the Federal Trade Commission ( indicates older adults suffered the largest median losses.

Along with targeting individuals, criminals also exploit vulnerabilities in business phone systems. They then can steal customer credentials, financial data, and sensitive company information. If your phone systems are not secured, unauthorized individuals could gain unauthorized access. Data breaches ( such as this can lead to financial loss, as well as serious damage to a company’s reputation.

Additionally, many businesses must follow industry regulations and standards regarding data security and be able to perform swift disaster recovery ( after a system failure or a cyberattack. Failure to comply with these regulations can result in fines and penalties. In this column, we will discuss the most common phone scams, how they work, and how to protect yourself from them.

Back to Top

What Is a Business Phone System?

Companies use business phone systems to manage and route telephone calls. These systems use hardware and software to make, receive, and transfer calls. Phone systems also offer features such as call forwarding, call recording, and conferencing.

The two main types of business phone systems ( are on-premise and cloud-based systems. Traditional phone systems use physical equipment that is set up and maintained on-site. Cloud-based systems are hosted by third-party providers and accessed over the internet.

Cloud-based phone systems are popular because they are flexible, cost-effective, and easy to scale. They also provide remote access that makes it possible for employees to work off-site.

Session Initiation Protocol (SIP) trunking bridges the gap between cloud-based and on-premise phone systems. While handy for VoIP business phone systems, SIP trunking creates opportunities for fraud. Criminals can exploit vulnerabilities in SIP trunking systems to access Internet-connected phone networks.

There are several ways for cyber-criminals to do so, and I will go into more detail about SIP trunking fraud later.

Back to Top

Caller ID Scams

Scammers use caller ID spoofing to disguise their phone numbers. They do this to make it appear as though they are calling from a legitimate organization. The aim of fake caller ID scams is usually to trick the victim into handing over information or money.

Tech support scams are a common type of caller ID fraud. In this scenario, a scammer will call a person and claim to be from a well-known company, such as Microsoft or Apple. The scammer will say there is a problem with the victim’s computer. They then will ask for remote device access or for payment to fix the issue.

Caller ID spoofing is a common tool criminals use to carry out credit card scams ( Fraudsters often use social engineering to get victims to provide credit card details. For example, they will say they are from a bank or credit card company, then offer to reduce the victim’s interest rate. Scammers use similar tactics to get people to hand over login credentials to online financial accounts.

Legitimate organizations will not ask for personal information or money over the phone. If you suspect you have received such a call, report it to the Federal Trade Commission. You also can monitor your credit and personal information by setting up alerts with credit bureaus such as Experian.

Criminals also use caller ID spoofing to make it appear as if they are calling from a government agency. For example, a scammer will call a person and tell them they owe money to the IRS. They may then threaten legal action if the person does not pay immediately. Fraudsters may also attempt to extract personal data such as social security numbers.

It is vital to be aware of these scams and to never give sensitive information or money over the phone. Legitimate organizations will not ask for personal information or money in this manner. If you suspect you have received such a call, report it to the Federal Trade Commission. You also can monitor your credit and personal information by setting up alerts with credit bureaus such as Experian (

Back to Top


Eavesdropping, also known as wire-tapping, is the unauthorized interception of phone conversations. Criminals may tap into a phone line, intercept a network signal, or gain system access via malware.

Many businesses today use Voice over IP (VoIP) phone systems (, so eavesdropping is a serious concern. It can give scammers unauthorized access to sensitive business and customer information. This can include confidential business strategies, financial information, personal customer data, and more. It can also lead to a loss of trust from customers, and damage to a company’s reputation.

Cybercriminals can eavesdrop through a variety of methods, such as:

  • Physical tapping: Criminals tap a line by accessing the wiring in a building or telephone pole.
  • Signal interception: Criminals intercept phone signals using specialized equipment or software. They use this access to listen in on calls.
  • Malware: Cybercriminals install malware on a business’s phone system. This allows them to access and listen in on conversations.
  • Social engineering: Criminals use tactics such as phishing to trick employees into providing access to a phone system.
  • VoIP vulnerabilities: Cybercriminals can exploit vulnerabilities in VoIP phone systems to gain access. The risk of eavesdropping is high for VoIP phone systems that are set up on unencrypted networks.
  • Cloud phone systems: Fraudsters can hack into a cloud account to gain access to cloud-based phone systems.

It is vital for businesses to be aware of these tactics and to take steps to protect their phone systems. You can do this by implementing encryption protocols, system-wide monitoring, and regular auditing. It is also important to modernize your data backup methods ( Legacy software and outdated data handling methods will leave openings for intruders to penetrate.

Back to Top

SIP Trunking Fraud

Businesses use SIP trunking to connect their phone systems to the public network. Scammers exploit SIP trunking system vulnerabilities to steal data and make unauthorized calls. SIP trunking fraud is often a component of other scams, such as caller ID spoofing and toll fraud.

SIP trunking fraud can happen in a few ways:

  • Account hijacking: Scammers gain unauthorized access to an SIP trunking account. They do this by using stolen credentials or exploiting system vulnerabilities. Once they have access, they can use the account to make unauthorized calls. Scammers also use phishing to trick businesses into providing SIP trunking login credentials.
  • Caller ID fraud: Once they gain access to an SIP trunking system, scammers use caller ID spoofing. They can then use this to commit various caller ID spoofing scams, such as those mentioned.
  • Toll fraud: Scammers use a compromised SIP trunking system to make calls to premium-rate numbers. The criminals then collect their share of the tolls, which can generate a tidy profit.

To combat SIP trunking fraud (, use strong passwords and keep all your software updated. Companies should also stay up to date with the latest scams and fraud tactics. Businesses can further protect their systems with firewalls, intrusion detection, and call blocking.

Back to Top

Final Word

Phone system security is a pressing issue for businesses navigating today’s digital landscape. A security breach can lead to the compromise of sensitive company and customer data. This results in a loss of customer trust, damage to the company’s reputation, and significant financial harm. Businesses may also be subject to harsh fines if they fail to protect customer data. Sound phone system security is critical to a company’s well-being and customer relations.


Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More