The most common VoIP security failure in Australian businesses is not a sophisticated attack. It is a SIP account with a weak password that gets found by automated scanning software. Within hours of a SIP device being exposed on the internet with default or weak credentials, it will be used to route international calls at the business owner's expense. This is called toll fraud, and it is the most financially damaging VoIP security event most businesses will ever face.
After that come eavesdropping on calls, SIP ALG misconfigurations that expose internal network details, and PBX admin portals left open to the internet with default passwords. These are not theoretical threats. They are the everyday reality of running a VoIP system carelessly. The good news is that all of them are preventable with straightforward configuration changes that take an afternoon to implement.
The Main VoIP Security Threats
Toll Fraud
Toll fraud is the most costly VoIP security threat. It occurs when an attacker gains access to your SIP credentials and uses your account to make international calls, routing them through your trunk at your expense. The calls typically go to high-cost international destinations, often premium-rate numbers in obscure countries, where the attacker earns a cut of the call revenue.
The attack is automated. Scanning bots continuously probe the internet for SIP devices and attempt to authenticate using common username/password combinations. A vulnerable SIP account can be compromised within minutes of exposure. The bill arrives days later when the SIP trunk provider invoices you for thousands of dollars in international calls you did not make.
Prevention: use strong, unique passwords for all SIP credentials (16+ character random strings, not dictionary words). Enable geographic restrictions on your SIP trunk if your provider supports it. For an Australian business that only calls AU, NZ, and a handful of international destinations, blocking all other international destinations eliminates 99% of toll fraud exposure.
SIP Registration Attacks
A SIP registration attack is the mechanism behind toll fraud. Attackers use scanners (SIPVicious is one well-known tool) to identify SIP devices and PBX systems on the internet, then attempt to authenticate using lists of common credentials. If your PBX is accessible from the internet on the standard SIP port (5060/UDP), it is receiving these probes constantly.
The fix is to reduce your attack surface. A hosted PBX provider handles this for you. Their infrastructure is hardened and your SIP credentials are not directly exposed. For a self-hosted FreePBX or 3CX installation, the mitigations are: use a non-standard SIP port (e.g., 5080 or 15060), implement IP whitelisting so only trusted addresses can register, enable fail2ban to block IPs after failed authentication attempts, and use a Session Border Controller (SBC) or VPN to limit direct internet access to the PBX. See our guide to FreePBX setup for Australian businesses for configuration details specific to self-hosted deployments.
Call Eavesdropping
VoIP calls travel over the internet as RTP (Real-time Transport Protocol) packets. Without encryption, these packets can theoretically be intercepted and reassembled into audio by an attacker with access to the network path. In practice, eavesdropping requires the attacker to be on the same network segment (same LAN or the same ISP network path). It is not a realistic risk on a well-configured business network.
The mitigation is SRTP (Secure RTP), which encrypts the audio portion of calls, and TLS transport for SIP signalling. Many modern hosted PBX providers and SIP trunk providers support SRTP and TLS by default. For businesses in regulated industries (legal, healthcare, financial services) where call confidentiality is legally significant, confirm your provider supports SRTP and has it enabled on your account. For most businesses, the eavesdropping risk is theoretical and not the primary security concern. Toll fraud and weak credentials are far more likely to cause actual harm.
PBX Admin Portal Exposure
Self-hosted PBX systems (FreePBX, 3CX) have web-based admin portals. If these portals are accessible from the public internet with default or weak passwords, attackers can log in and modify your call routing, including routing outbound calls through your trunks. This is a direct path to toll fraud without needing to crack SIP credentials.
The mitigations: never expose the PBX admin portal directly to the internet. Access it via VPN, or whitelist specific IP addresses in your firewall rules. Change default admin credentials immediately on initial setup. Enable two-factor authentication on the admin portal if your PBX version supports it. 3CX V20 supports 2FA for the management console; FreePBX (Sangoma PBX) supports 2FA via module. For most hosted PBX users, this is a non-issue. The provider manages the PBX; you access it through a secured customer portal.
Vishing (VoIP Phishing)
Vishing is social engineering via telephone: attackers call staff and impersonate banks, government agencies, or IT support to extract credentials or authorise fraudulent transactions. This is not a VoIP infrastructure vulnerability; it exploits the people using the system. Awareness training is the main mitigation: staff should understand that banks and government agencies do not call unexpectedly to request credentials or payments, and that any call requesting sensitive information or urgent action should be verified by calling back on a known number.
VoIP Security Checklist for Australian Businesses
Work through this checklist for your existing or planned VoIP deployment:
- Use 16+ character random passwords for all SIP credentials. No dictionary words
- Change default admin passwords on PBX and all IP phones immediately
- Disable SIP ALG on your router (causes configuration leaks and call quality issues)
- Restrict outbound international calling to only the countries your business actually calls
- Block the PBX admin portal from direct internet access. Use VPN or IP whitelist
- Enable fail2ban or equivalent on self-hosted PBX to block brute-force attempts
- Use a non-standard SIP port on self-hosted PBX if registrar is internet-exposed
- Enable SRTP encryption for call audio if your provider and phones support it
- Enable TLS transport for SIP signalling
- Set up real-time toll fraud alerts with your SIP trunk provider
- Separate your VoIP traffic on a dedicated VLAN isolated from general office traffic
- Review your SIP trunk call logs weekly for unexpected international call destinations
- Enable 2FA on your hosted PBX customer portal
- Test your 000 emergency calling and confirm your registered address is correct
Toll Fraud Prevention in Detail
Toll fraud deserves specific attention because of its financial impact. Unlike most security incidents that require investigation, a toll fraud event shows up as a large invoice that you are contractually obligated to pay regardless of whether you authorised the calls. Australian SIP trunk providers generally do not absorb toll fraud losses. You own the bill for calls made on your account.
The most effective protections:
- Strong SIP credentials: Generate 20+ character random passwords using a password manager. The credential is entered once during configuration and never typed again, so complexity is not a usability burden.
- International call restrictions: Most Australian SIP trunk providers (Telnyx, Symbio, Maxotel) allow you to restrict outbound dialling to specific country codes. If your business only calls Australia, New Zealand, and occasionally the US and UK, blocking all other international destinations eliminates the primary toll fraud monetisation path. Configure this restriction via your SIP trunk provider's portal or by calling their support team.
- Spend alerts: Some providers support SMS or email alerts when your account spend exceeds a threshold. Enable these if available. A $50 alert threshold catches a fraud event within hours rather than days.
- IP registration restrictions: If your SIP phones and PBX are at fixed IP addresses (common with business NBN connections that have static IPs), restrict your SIP trunk to only accept registrations from those addresses. An attacker with your SIP credentials but an unrecognised IP address cannot make calls.
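The weekly call-log review and the country-code restriction above can be checked mechanically. The script below is an added example, not from the article or any provider's tooling: it normalises Australian dialling forms, flags outbound calls to destinations outside the AU/NZ/US/UK allow-list and totals their cost against a spend threshold. The CSV column names and the sample calls are constructed assumptions; adapt the header names to your provider's CDR export.

```python
"""Review a CDR export for outbound calls outside the business's allowed
country codes and total their cost, the weekly log check the article recommends.
Added example, not from the article or any provider; assumes a CSV export with
the columns shown (adapt header names) and constructed, non-real sample calls."""
import csv
import io

# Country codes this business dials (AU, NZ, US, UK as in the text). Prefix
# matching means code 1 also admits Caribbean NANP numbers; tighten if needed.
ALLOWED_CODES = ("61", "64", "1", "44")

SAMPLE_CDR = """calldate,src,dst,duration,cost
2026-03-02 09:12:04,200,0298765432,185,0.10
2026-03-02 09:40:11,201,+64 9 123 4567,322,0.45
2026-03-02 23:58:40,200,0011252612345678,412,38.20
2026-03-03 00:03:15,200,0011252612345679,655,61.05
2026-03-03 00:07:02,200,001137094567890,300,20.50
2026-03-03 10:15:00,203,+44 20 7946 0000,120,0.60
"""

def to_e164(dst: str, home_code: str = "61") -> str:
    """Normalise Australian dialling forms to country-code-first digits:
    '+CC...', '0011CC...' (AU international access code) and '0xx...' domestic."""
    raw = "".join(ch for ch in dst if ch.isdigit() or ch == "+")
    if raw.startswith("+"):
        return raw[1:]
    if raw.startswith("0011"):
        return raw[4:]
    if raw.startswith("0"):
        return home_code + raw[1:]
    return home_code + raw  # extension-length dials are treated as domestic

def is_allowed(e164: str, allowed=ALLOWED_CODES) -> bool:
    return any(e164.startswith(code) for code in allowed)

def scan_cdr(text: str, spend_threshold: float = 50.0, allowed=ALLOWED_CODES) -> dict:
    """Return calls to non-allowed destinations, their combined cost, and whether
    that cost crossed the threshold (mirrors a provider spend alert)."""
    flagged, spend = [], 0.0
    for row in csv.DictReader(io.StringIO(text)):
        number = to_e164(row["dst"])
        if not is_allowed(number, allowed):
            cost = float(row["cost"])
            spend += cost
            flagged.append((row["calldate"], row["src"], number, cost))
    return {"flagged": flagged, "flagged_spend": round(spend, 2),
            "threshold_exceeded": spend >= spend_threshold}
```

Run it over a real export and the three overnight calls from extension 200 would surface as unexpected destinations with a combined cost above the alert threshold.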
Network Configuration Security
SIP ALG: Disable It
SIP ALG (Application Layer Gateway) is a feature on many routers that attempts to modify SIP packets as they pass through NAT. It almost always causes problems (one-way audio, failed registrations, dropped calls) and can also expose internal network information in modified SIP headers. Disable SIP ALG on your router immediately. The setting is typically found under Advanced > NAT or under the Firewall settings. On Telstra-supplied modems, it is called SIP ALG; on some routers it is labelled SIP Passthrough. Turn it off regardless of label. See our VoIP call quality troubleshooting guide for instructions specific to common AU router models.
VLANs for VoIP Traffic
A VLAN (Virtual LAN) separates your VoIP traffic from your general office data traffic at the network layer. Benefits: VoIP packets get QoS priority without competing with file downloads; a security incident on the data network does not automatically expose SIP devices; and call quality is more predictable. Configuring VLANs requires a managed network switch and a business-grade router that supports 802.1Q VLAN tagging. For most small businesses (under 20 staff), a VLAN is not essential if QoS is properly configured. For larger deployments or businesses in regulated industries, VLAN separation is a recommended baseline. Most enterprise-grade IP phones (Yealink, Grandstream, Poly) support VLAN tagging natively.
Firewall Rules for SIP
For a self-hosted PBX, configure your firewall to allow SIP and RTP traffic only from your SIP trunk provider's IP ranges and from the IP addresses of remote workers who need to register. Block all other inbound SIP traffic. Your SIP trunk provider can supply their IP ranges. Ask their support team or check their technical documentation.
SIP uses UDP port 5060 (standard) or TCP/TLS port 5061 (encrypted). RTP audio travels on a configurable range of UDP ports (typically 10000-20000 on FreePBX). Open these port ranges for your SIP trunk provider's IPs and close them to all others. This single firewall rule eliminates the majority of SIP scanning attacks against a self-hosted PBX.
Security for Hosted PBX Users vs Self-Hosted PBX
The security responsibilities differ significantly depending on whether you use a hosted PBX or a self-hosted system:
Hosted PBX (Maxotel, 8x8, RingCentral AU, etc.): The provider manages PBX infrastructure security: server hardening, firewall rules, SIP threat detection, and platform monitoring. Your security responsibilities are: strong passwords on your customer account and any SIP phones, enabling 2FA on your customer portal, configuring international call restrictions, and training staff against vishing. The provider's infrastructure team handles the rest.
Self-hosted PBX (FreePBX, 3CX on your own server): You own all security responsibilities. This includes server OS patching, fail2ban configuration, firewall rules, PBX software updates, SIP credential management, and monitoring for anomalous call patterns. The attack surface is larger and the expertise required is higher. If your business does not have IT staff who are comfortable managing Linux security and SIP protocol details, the hosted PBX model is significantly more secure in practice. See our comparison of 3CX self-hosted vs cloud-hosted for a full breakdown of the management and security trade-offs.
Call Recording Compliance in Australia
Call recording raises a separate category of considerations: not just whether you can record calls, but whether you are legally permitted to and what obligations flow from recording them. In Australia:
State laws apply to call recording: Most Australian states require at least one party to the call to consent to recording. Some states (ACT, Tasmania, WA, SA) require all parties to consent. Recording calls without appropriate consent may breach state telecommunications interception laws.
What this means in practice: If you are recording inbound and outbound calls in a business context, you need either to inform callers that calls are being recorded (via an IVR message at the start of the call) or to ensure you only record calls where consent is established. Most businesses implement an IVR message: "This call may be recorded for quality and training purposes." Callers who do not consent can hang up; those who stay are deemed to have consented in most state jurisdictions.
Storage and access: Recorded calls are sensitive personal data. They must be stored securely, with access restricted to those with a legitimate business need. Most hosted PBX providers store recordings in their cloud infrastructure; confirm where your recordings are stored, how long they are retained, and who can access them.
Specific industries: Financial services firms regulated by ASIC, and healthcare providers covered by the Privacy Act 1988, have additional obligations around communication records. If your business is subject to sector-specific regulation, get legal advice on call recording compliance rather than relying on generic guidance.
Choosing a Secure Hosted PBX Provider
When evaluating hosted PBX providers from a security standpoint, ask these questions:
- Where is your infrastructure located? Australian data sovereignty requirements (particularly for government, healthcare, and financial services) may require call data and recordings to be stored in Australian data centres. Confirm the provider uses AU-based infrastructure, not a global platform that routes data through US or European nodes.
- Do you support SRTP for call encryption? For businesses in regulated industries, SRTP should be a requirement, not an option.
- Do you have real-time toll fraud detection? Some providers monitor call patterns and alert you (or automatically block unusual call activity) when it looks like toll fraud. This is a meaningful differentiator between a provider that catches a fraud event within minutes and one that lets it run for 48 hours before the invoice arrives.
- What is your SLA for security incidents? How quickly do they respond to a reported account compromise? Who do you call?
- Do you support 2FA on the customer portal? This is table stakes for any business account in 2026.
For current recommended providers, see our best hosted PBX provider Australia guide.
What to Do if You Suspect a Security Breach
If you suspect toll fraud or a SIP compromise:
- Change all SIP credentials immediately. Rotate every password associated with your VoIP account and all SIP phones.
- Contact your SIP trunk provider immediately to report suspicious call activity. They may be able to block ongoing fraud calls and credit recent fraudulent charges (this varies by provider and circumstances).
- Check your outbound call log for unusual destinations and call volumes. Your provider's portal should show recent calls.
- Enable international calling restrictions if you have not already done so.
- If you are self-hosting a PBX, check your server's auth logs and fail2ban logs for repeated failed authentication attempts. Identify whether the attack came from a specific IP range and block it in your firewall.
- If you are a hosted PBX user, contact the provider's security or support team. They have platform-level visibility you do not.
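The auth-log check in the self-hosting step above (and the fail2ban point under SIP Registration Attacks) can be reproduced with a short detector. This is an added example, not from the article, Asterisk or fail2ban: it applies fail2ban-style maxretry/findtime counting to Asterisk log lines and totals failures per /24 so a whole range can be identified for blocking. The log lines, IP addresses and usernames are constructed in the chan_sip "Registration from ... failed" NOTICE style; PJSIP logs use different wording, so adjust the regular expression for those.

```python
"""Find SIP registration brute-force sources in Asterisk log lines, the way
fail2ban's maxretry/findtime rule does, and group them by /24. Added example,
not from the article, Asterisk or fail2ban; sample lines are constructed in
the chan_sip 'Registration from ... failed' NOTICE style (adapt for PJSIP)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*Registration from "
                     r"'(?P<user>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<why>.*)$")

# Constructed sample (documentation IP ranges): 203.0.113.45 cycles through
# usernames within seconds, 203.0.113.46 makes a few tries, 192.0.2.10 is one typo.
_TMPL = ("[{ts}] NOTICE[2231] chan_sip.c: Registration from '\"{u}\" <sip:{u}@198.51.100.7>'"
         " failed for '{ip}:5060' - Wrong password")
SAMPLE_LOG = "\n".join(_TMPL.format(ts=ts, u=u, ip=ip) for ts, u, ip in [
    ("2026-03-02 02:10:01", "100", "203.0.113.45"),
    ("2026-03-02 02:10:03", "101", "203.0.113.45"),
    ("2026-03-02 02:10:04", "admin", "203.0.113.45"),
    ("2026-03-02 02:10:06", "1000", "203.0.113.45"),
    ("2026-03-02 02:10:09", "test", "203.0.113.45"),
    ("2026-03-02 02:11:40", "100", "203.0.113.46"),
    ("2026-03-02 02:11:42", "101", "203.0.113.46"),
    ("2026-03-02 02:11:45", "102", "203.0.113.46"),
    ("2026-03-02 08:30:12", "203", "192.0.2.10"),
])

def failed_registrations(log: str):
    """Yield (timestamp, source ip, attempted user) for each failed REGISTER."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def brute_force_sources(log: str, maxretry: int = 5, findtime: int = 600) -> dict:
    """An IP is flagged once it has `maxretry` failures inside any `findtime`-second
    window; `by_prefix` totals all failures per /24 to show a range worth blocking."""
    recent, flagged, total = defaultdict(deque), set(), defaultdict(int)
    for ts, ip, _user in failed_registrations(log):
        total[ip] += 1
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop attempts older than the findtime window
        if len(window) >= maxretry:
            flagged.add(ip)
    by_prefix = defaultdict(int)
    for ip, n in total.items():
        by_prefix[".".join(ip.split(".")[:3]) + ".0/24"] += n  # IPv4 /24 summary
    return {"flagged": {ip: total[ip] for ip in sorted(flagged)}, "by_prefix": dict(by_prefix)}
```

With the defaults only 203.0.113.45 crosses the threshold, but the per-/24 totals show that its neighbour is probing too, which is the signal to block the range rather than a single address.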
Your Next Steps
If your business is currently running a VoIP system, work through the security checklist above today. The highest-priority items in order:
- Rotate all SIP credentials to strong random passwords if you have not already done so.
- Check whether SIP ALG is enabled on your router and disable it.
- Log in to your SIP trunk provider's portal and confirm international calling restrictions are in place.
- Confirm your hosted PBX customer portal has 2FA enabled.
- If you are self-hosting a PBX, confirm fail2ban is installed and running.
- Check your call logs for any unexpected international destinations in the last 30 days.
If you are setting up a new VoIP system and want to get the security configuration right from day one, a reputable Australian hosted PBX provider handles the infrastructure security for you. Your job is credentials, international restrictions, and customer portal access controls.