Toll fraud prevention

Enfonica protects every project from international toll fraud — in particular, International Revenue Share Fraud (IRSF), where attackers compromise credentials or devices to place high volumes of calls to expensive international destinations. Protection is always on. There is no setting to disable it, and no opt-in is required.

This page explains how the system works, what happens when it detects an attack, and how to configure it for your project.

How it works

Toll fraud prevention combines two layers of defense:

  1. Country risk tiers. Every country is assigned a risk tier. By default, calls to lower-risk tiers are allowed and calls to higher-risk tiers are blocked. See Risk tiers below.
  2. Anomaly detection. Enfonica continuously compares your project's recent outbound traffic to its longer-term pattern. When traffic to a monitored risk tier rises unusually fast — the kind of spike that's typical of a freshly compromised SIP credential or device — the system escalates and starts blocking calls to that tier and all higher tiers for your project.

The two layers complement each other. Static tier blocking stops the most obvious abuse immediately, while anomaly detection catches attacks that target countries which would otherwise be allowed for your project.

Risk tiers

Every country sits in one of five tiers:

| Tier | Default behavior | Anomaly monitoring |
|---|---|---|
| Trusted | Always allowed | Not monitored |
| Standard | Allowed | Monitored |
| Elevated | Allowed | Monitored |
| High Risk | Blocked | Monitored |
| Blocked | Always blocked | Not monitored |

The default block threshold for new projects is High Risk — calls to Trusted, Standard, and Elevated destinations are allowed, and calls to High Risk and Blocked destinations are not. You can adjust this threshold per project; see Configuration.

Any destination Enfonica has not explicitly classified is treated as High Risk. You can view the current tier of every country, including any project-specific overrides, in the Enfonica Console.

When an escalation triggers

When anomaly detection identifies an unusual traffic pattern for one of the monitored tiers, the project enters an escalation state:

  • Calls to the affected tier and all higher tiers are blocked for the project.
  • Lower-risk traffic continues without interruption.
  • Whitelisted numbers continue to be allowed.
  • A support ticket is opened so you are notified.
  • The escalation remains in place until a project owner resets it.

For example, if anomaly detection triggers on the Elevated tier, calls to Elevated, High Risk, and Blocked destinations are blocked, while Trusted and Standard calls continue normally.

Important

Toll fraud prevention is designed to stop most classes of toll fraud, but it is not a replacement for securing your environment. Some fraudulent calls may connect — and be charged — before anomaly detection identifies the pattern. Keeping your SIP credentials, devices, and endpoints secure remains your responsibility.

Responding to an escalation

An escalation usually means something in your environment has been compromised or misconfigured. Investigate and remediate the underlying cause before resetting the escalation.

  1. Review the blocked calls. In the Enfonica Console, open the project's Toll Fraud Prevention page and look at the recently blocked calls. Note the destinations, time of day, and call volume — they often point to the source.
  2. Identify the likely cause. Common causes include:
    • Compromised SIP credentials (for example, leaked from a misconfigured endpoint or a re-used password).
    • A compromised end-user device, such as a deskphone, softphone, or PBX, that an attacker has gained access to.
    • A misconfigured outbound dial plan that is forwarding traffic to an untrusted source.
    • Unauthorized changes to project access or credentials.
  3. Secure your environment. Depending on the cause, this may include:
    • Rotating SIP credentials and re-registering legitimate devices with the new credentials.
    • Auditing which devices and IP addresses are registered to your SIP trunk and removing anything you do not recognize.
    • Restricting your SIP trunk to known IP ranges where possible.
    • Patching or replacing end-user devices that may be compromised.
    • Reviewing recent IAM changes and revoking access for any account that should not have it.
  4. Reset the escalation. Once you are confident the underlying issue is resolved, in the Enfonica Console, open the project > Toll Fraud Prevention > Reset escalation.

If the escalation re-triggers

If the escalation triggers again shortly after a reset, the underlying issue is likely still present. Continue investigating rather than repeatedly resetting — every reset gives an attacker a fresh window to place calls.

Configuration

All toll fraud prevention settings live in the Enfonica Console under the project > Toll Fraud Prevention.

Block threshold

The block threshold sets the minimum risk tier at which calls are blocked. The default, High Risk, is recommended for most projects.

  • Lower the threshold (for example, to Elevated) to be more restrictive — useful if you rarely make international calls and want to minimize exposure.
  • Raise the threshold (for example, to Blocked) to be less restrictive — useful if you regularly call destinations across many tiers and prefer to rely more heavily on anomaly detection.

There is no option to disable protection entirely.

Country overrides

You can override the risk tier of an individual country for your project. For example:

  • Move a country down a tier if you regularly call there and the default classification is too restrictive (for instance, moving Cuba from High Risk to Standard).
  • Move a country up a tier if you want to block destinations that would otherwise be allowed for your project.

Overrides apply only to your project. They do not affect any other project.

Whitelisted numbers

Whitelisted numbers are full E.164 numbers that are always allowed, regardless of the country's risk tier or any active escalation. Use the whitelist for specific numbers you regularly call in higher-risk countries — for example, a known partner or supplier — where adding the whole country as an override would be too broad.

Whitelisting is exact match only. Prefix matching is not supported.
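
The rules described under Risk tiers, When an escalation triggers, and Configuration can be read as a single per-call decision. The model below is an added example, not Enfonica's code: the order of the checks, the reason strings, the placeholder country codes XA and XB, and the assumption that the destination country is resolved before the check are all illustrative. Only Cuba's default tier is taken from this page.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    TRUSTED = 0
    STANDARD = 1
    ELEVATED = 2
    HIGH_RISK = 3
    BLOCKED = 4


# Constructed sample classification. Only Cuba's default tier comes from the
# page; XA and XB are placeholder country codes, not real assignments.
DEFAULT_TIERS = {"XA": Tier.TRUSTED, "XB": Tier.ELEVATED, "CU": Tier.HIGH_RISK}


@dataclass
class ProjectPolicy:
    block_threshold: Tier = Tier.HIGH_RISK          # default for new projects
    overrides: dict = field(default_factory=dict)   # country -> Tier, this project only
    whitelist: set = field(default_factory=set)     # full E.164 numbers
    escalated_tier: Optional[Tier] = None           # set when anomaly detection triggers

    def effective_tier(self, country: str) -> Tier:
        # Project override first, then the default; unclassified is High Risk.
        return self.overrides.get(country, DEFAULT_TIERS.get(country, Tier.HIGH_RISK))

    def decide(self, number: str, country: str) -> tuple:
        """Return (allowed, reason). Check order is an assumption of this model."""
        if number in self.whitelist:                # exact match only, no prefixes
            return True, "whitelisted"
        tier = self.effective_tier(country)
        if tier == Tier.TRUSTED:                    # always allowed
            return True, "trusted"
        if tier == Tier.BLOCKED:                    # always blocked
            return False, "blocked-tier"
        if self.escalated_tier is not None and tier >= self.escalated_tier:
            return False, "escalation"              # affected tier and all higher tiers
        if tier >= self.block_threshold:
            return False, "threshold"
        return True, "allowed"
```

Walking a planned configuration change through a model like this shows which destinations it would open up or close off, both in normal operation and during an escalation, before you apply it in the Console.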

Access requirements

Modifying any toll fraud prevention setting — block threshold, country overrides, whitelisted numbers — or resetting an active escalation requires both:

  1. The Project Owner role on the project.
  2. Two-factor authentication enabled on the user's account.

All other project members can view the current configuration, escalation state, and recently blocked calls, but cannot make changes.

Enable 2FA before you need it

We recommend enabling two-factor authentication in your User Account settings now, rather than waiting for an incident. During an escalation, every minute matters — you do not want to be configuring 2FA for the first time while fraudulent calls are being attempted against your project.

Limitations

Toll fraud prevention is one layer of defense. It is important to understand what it does not do:

  • It does not prevent every fraudulent call. Calls may connect — and be charged — before anomaly detection identifies an attack pattern.
  • It does not protect against inbound toll fraud schemes such as Wangiri callbacks.
  • It does not replace good operational hygiene: strong SIP credentials, restricted IP ranges, patched endpoints, and least-privilege project access remain essential.