VoIP security: 10 risks that you and your provider should be looking out for

Manager, Network Engineering

In the era of old-fashioned phone systems with chunky handsets on twisty cords, securing a call meant checking there wasn’t someone listening in with their hand over the receiver.
Sure, there was wiretapping, but since it meant physically connecting to an analogue cable, it wasn’t a threat to the average family or business.
Today’s systems are generally superior. No more fuzzy calls racking up huge phone bills or waiting for lines to be free. VoIP—Voice over Internet Protocol—has changed how we make phone calls for personal and business use.
But no system is perfect—and if you’re using VoIP for business, there are VoIP security threats to consider.
Keep reading to learn more about the importance of Voice over IP security and how to protect your business.
How does VoIP work? A refresher
VoIP is a set of protocols that essentially lets you make phone calls over the Internet. These Internet phone operations work using computers, mobile devices, and traditional handset-style devices as well.
When you place a VoIP call, your voice signals are converted to digital data packets and sent to the recipient’s telephone, computer, or mobile device to be reassembled into sound waves.
Whereas traditional phone systems send analogue signals over dedicated phone wires, VoIP systems send digital data over internet wires instead, transmitting their data packets alongside general online traffic.
Using the motorways of the web is beneficial in a few ways, of course. Since almost everyone has Internet access, there’s little need to pay for access to a regular phone line, which means no more hefty minute-by-minute charges. And since internet lines today have relatively good bandwidth, there’s usually room to spare.
This approach also opens up more communication options. For example, with some VoIP solutions, you can make phone calls, send SMS messages, and have video meetings using the same application.
But how secure is VoIP, you may ask? From phishing, to spoofing, to other system exploits, VoIP is vulnerable to other common risks that come with being online.
In other words, VoIP systems can—if not properly secured—be hacked, slowed, blocked, and otherwise tampered with. So, if you want to use VoIP calling as part of your business communications, you have to know how to mitigate these risks.
The importance of VoIP security
Maybe VoIP risks don’t sound too threatening at first. You might think there’s little to gain from interfering with your business calls. Don’t prospective hackers have more interesting and lucrative targets they could go for?
In truth, those capable of defeating basic VoIP security protocols can gain quite a lot from doing so—even when targeting small businesses.
Consider what’s typically covered during business calls. Details about upcoming projects, pricing strategies, personal and payment information… Even private matters can creep in through snippets of personal conversations.
If any of that information falls into the wrong hands, it can be used for anything from blackmail to industrial espionage—like revealing details to a competitor who’ll pay to get an edge.
There are also increasingly creative hackers who use different ways to trick employees into divulging sensitive information. With machine learning systems capable of cloning voices from recordings, hacking business calls isn’t the only unscrupulous tactic being used anymore. Some hackers might imitate people’s voices to access systems, such as online banking.
And then there are the hackers that don’t need information to cause chaos—for example, by using denial of service (DoS) attacks to inundate VoIP networks with traffic and effectively shut them down. Alternatively, they can gain system access and use it to place all the calls they want for free.
Certain hackers may prefer big scores, but bigger companies tend to have more robust security, while smaller companies may simply give in when threatened rather than look for ways out or seek help from authorities.
Compounding the threat of VoIP security issues, attacks can leave lasting damage beyond blackmail payments or fraudulent transactions. Once word gets out that your phone system has been compromised, your partners and clients may lose faith in your ability to protect their data.
Would you keep working—and talking over the phone—with a business you didn’t trust?
However you look at it, maintaining a secure hosted VoIP phone system should be a top priority for any business wanting to use VoIP. Now, let’s start by looking at how to keep your data safe, protect your employees, and safeguard your reputation with a secure VoIP strategy.
VoIP encryption: The first line of defence in VoIP security
As in many online systems, encryption is one of the biggest defensive tools. Encryption is a process that scrambles data so that only someone with the decryption key (typically a series of characters, like a password) can make sense of it.
Encryption in VoIP scrambles the data packets containing the converted voice signals before they’re sent. That means that a hacker intercepting an encrypted VoIP call won’t be able to hear anything intelligible—only garbled noise.
Only when the person with the decryption key receives those data packets can they be turned back into normal vocals. This is a powerful shield against intrusion because it makes most wiretapping ineffective.
This media stream encryption primarily uses Secure Real-Time Transport Protocol (SRTP), but VoIP security best practices pair it with Transport Layer Security (TLS), which encrypts the process of establishing VoIP calls.
Essentially, TLS prevents attackers from seeing when a call is made, who’s making it, and whom they’re calling. SRTP then steps in to protect the call itself.
It’s vital to note that encryption needs to be implemented properly. For example, you should keep your encryption protocols updated and avoid undermining them with a weak foundation: basics like strong passwords still matter.
10 Common VoIP security risks and how to combat them
Here are 10 of the most common security risks for VoIP services, along with some tips for defusing them:
1. Malware and viruses
Like any online system, a VoIP network can be infected—or indirectly affected—by malware and viruses. If someone on your team using a trusted device clicks an unfamiliar link by accident, they can allow something malicious to run and gain access to your entire VoIP setup.
With that access, the infection can bypass or sabotage any configured encryption, leak contact details, and so on. Because of this, avoiding malware and viruses is mission-critical.
How to combat malware and viruses
There are three key actions to take here. First, implement antivirus software across all your computer systems, and make sure it’s regularly tested and updated. Secondly, firewalls should be configured to block suspicious links and stop unknown files from running. Thirdly, everyone using your VoIP systems should be trained regularly to spot threats and make the right decisions.
2. Vishing
Vishing (voice phishing) involves attackers tricking unsuspecting employees into giving them sensitive information or taking compromising actions. They can pretend to be trusted figures (such as managers, executives, or shareholders) and take advantage of new hires or employees worried about being obstacles.
How to combat vishing
However secure you make your systems in general, vishing will remain a serious threat until you ensure that all your employees are trained in social engineering. They must always verify caller identity before doing anything significant—and when in doubt, they should request confirmation or assistance from another team member, even if that means ostensibly making an important executive wait a little bit.
3. Spam over IP Telephony (SPIT)
We’re all used to dealing with email spam, but you can get unwanted calls for similar reasons, and they fall into the unpleasant-sounding SPIT category. They’re mostly just annoying, but they can occasionally get unwary or careless employees to divulge things they shouldn’t by mimicking legitimate services and using interactive voice response systems to listen for inputs.
How to combat SPIT
Check that any built-in call blocking services are enabled within your VoIP systems, as this will block most calls from suspicious sources. You can also set up custom rules to block other numbers if that is insufficient. Lastly, make sure your employees know how to recognise spam calls and messages.
4. Service theft or toll fraud
This is the equivalent of breaking into someone’s home and using their phone to place calls they ultimately have to pay for. If someone can access your VoIP logins, they can use your system to make all the calls they want, potentially including costly international calls or a high quantity of spam calls.
How to combat service theft or toll fraud
Tightly protecting your logins will help the most here, as this will make it so much harder for attackers to gain access. Work with your VoIP provider to ensure you have multi-factor authentication set up. You can also limit the types of calls that certain logins can make. Additionally, periodically check your call logs to confirm that there hasn’t been any unexpected activity.
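The call-log check described above, as an added example that is not part of the original article: a small review of constructed call-detail records (CDRs) that flags out-of-hours international calls and per-extension bursts of international calls. The CDR layout, the home-country prefix and the thresholds are assumptions for the illustration.

```python
"""Added example (not from the article): a call-detail-record (CDR) review
that flags the kind of "unexpected activity" toll fraud leaves behind.
The CDR format, thresholds and sample records are constructed for this
illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: timestamp, extension, dialled number, seconds.
SAMPLE_CDRS = """\
2024-03-04T09:12:00,201,+442071234567,180
2024-03-04T14:30:00,202,+12125550123,600
2024-03-05T02:10:00,203,+2349012345678,900
2024-03-05T02:14:00,203,+2349012345679,840
2024-03-05T02:19:00,203,+2349012345680,905
2024-03-05T02:25:00,203,+2349012345681,870
2024-03-05T02:31:00,203,+2349012345682,860
2024-03-05T11:00:00,201,+442071234568,120
"""

HOME_PREFIX = "+44"            # assumption: a UK-based business
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time (assumed policy)
MAX_INTL_PER_HOUR = 3          # per-extension burst threshold (assumed policy)


def parse_cdrs(text):
    """Turn the CSV-style export into (timestamp, extension, number, seconds)."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, number, secs = line.split(",")
        records.append((datetime.fromisoformat(ts), ext, number, int(secs)))
    return records


def review_cdrs(text):
    """Return a list of (extension, reason) findings for a human to check."""
    findings = []
    per_hour = defaultdict(int)  # (extension, hour bucket) -> intl call count
    for ts, ext, number, secs in parse_cdrs(text):
        international = not number.startswith(HOME_PREFIX)
        # Rule 1: international calls placed outside business hours.
        if international and ts.hour not in BUSINESS_HOURS:
            findings.append((ext, f"international call to {number} at {ts:%H:%M}"))
        # Rule 2: an extension placing a burst of international calls.
        if international:
            bucket = (ext, ts.strftime("%Y-%m-%dT%H"))
            per_hour[bucket] += 1
            if per_hour[bucket] == MAX_INTL_PER_HOUR + 1:
                findings.append((ext, f"more than {MAX_INTL_PER_HOUR} "
                                      f"international calls in hour {bucket[1]}"))
    return findings


if __name__ == "__main__":
    for ext, reason in review_cdrs(SAMPLE_CDRS):
        print(f"extension {ext}: {reason}")
```

On the sample data only extension 203 is flagged: five out-of-hours international calls plus one burst finding.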
5. Spoofing
For VoIP, spoofing involves altering caller ID details to make illegitimate calls appear trustworthy. If an employee thinks they’re talking to someone from their company (particularly a superior), they might disclose something they shouldn’t, grant the caller access to an important system, or even transfer money.
How to combat spoofing
A good VoIP system will have caller ID authentication that guards against VoIP spoofing. Implementing a process to make employees verify caller identity instead of just trusting caller ID will also prevent these attacks from working.
6. Packet sniffing
Packet sniffing involves gaining access to a network and scanning for data packets that may contain useful information. In this case, someone who collects data packets from an unsecured call can use them to listen to the call and potentially learn something sensitive.
How to combat packet sniffing
Having good encryption in place makes packet sniffing essentially useless. Even if attackers can access a call’s data packets, they can’t listen to it without knowing the decryption key. When extra security is desirable, a VPN—Virtual Private Network—can add another layer of encryption.
7. Call tampering
When attackers want to simply ruin calls instead of preventing them, they’ll gain access to the VoIP network and engage in call tampering by taking up bandwidth and planting extra data packets among the data packets that make up a call so the speakers will struggle to understand each other.
How to combat call tampering
Consistently monitor your network to look for unusual activity and take action to get rid of any uninvited guests. You can also use Quality of Service (QoS) protocols to prioritise voice calls over other online activities, as this will limit the impact of any attempts to soak up bandwidth.
8. Man-in-the-middle attacks
As the name suggests, a man-in-the-middle attack involves an attacker getting in the middle of a phone stream and using their position to listen in or even alter the data packets to change what the participants hear.
How to combat man-in-the-middle attacks
Good encryption on a VoIP call (and on the call setup process) will make a man-in-the-middle attack impossible. You should also check that your login details are secure so no one can gain unauthorised access to your network.
9. Denial of Service (DoS)
Denial of Service attacks are common online because they mostly need brute force instead of sophisticated tactics. They involve sending so many requests into online systems that they become overwhelmed and slow to a crawl while trying to resolve them all, leading legitimate traffic to massively lag or become blocked.
How to combat DoS
The best way to prevent a DoS is to find a way to detect illegitimate requests. It isn’t easy, but a strong Intrusion Detection System (IDS) can work very well and prevent most DoS-issued requests from going through. Your VoIP provider may also have some native defences against DoS attacks, so enable them if so.
10. Voice over Misconfigured Internet Telephones (VOMIT)
Making an unpalatable pair with the SPIT risk we covered earlier, the threat of VOMIT simply involves attackers taking advantage of VoIP systems that were supposed to be secure but weren’t configured correctly. They may be weakly encrypted or use outdated encryption protocols. Regardless, they allow attackers to listen in on calls from people who believe they’re protected.
How to combat VOMIT
Very simply, preventing VOMIT requires checking that systems are configured correctly. In your setup, is VoIP secure in all the ways we cover in this guide? Are VoIP calls encrypted in line with best practices using up-to-date protocols? Audit your system semi-regularly to ensure you haven’t overlooked anything important or allowed vulnerabilities to go unaddressed.
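One concrete configuration check for the VOMIT case, and for the SRTP/TLS pairing described in the encryption section, as an added example that is not part of the original article: the audit below inspects a SIP call's SDP offer and reports media sections that negotiate plain RTP instead of SRTP, or that claim SRTP without any keying line. The SDP bodies are constructed for the illustration and the inline key material is a labelled placeholder.

```python
"""Added example (not from the article): auditing a SIP call's SDP body to
catch the VOMIT case, where a system that is supposed to use SRTP actually
offers plain RTP. The SDP bodies below are constructed for the illustration."""

# Transport profiles that mean the media stream will be SRTP-protected.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed misconfigured offer: audio negotiated as unencrypted RTP/AVP.
INSECURE_OFFER = """\
v=0
o=pbx 2890844526 2890844526 IN IP4 192.0.2.10
s=call
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

# Constructed correct offer: RTP/SAVP with an SDES a=crypto keying line.
# The inline value is a placeholder, not real key material.
SECURE_OFFER = """\
v=0
o=pbx 2890844526 2890844527 IN IP4 192.0.2.10
s=call
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_REAL_KEY
a=rtpmap:0 PCMU/8000
"""


def audit_sdp(sdp):
    """Return a list of issues; an empty list means every media section is SRTP."""
    issues = []
    sections = sdp.replace("\r\n", "\n").split("\nm=")
    # DTLS-SRTP may carry its a=fingerprint at session level, so note it once.
    session_keyed = "a=fingerprint:" in sections[0]
    for section in sections[1:]:
        lines = section.split("\n")
        fields = lines[0].split()          # e.g. audio 49170 RTP/SAVP 0 8
        media, profile = fields[0], fields[2]
        if profile not in SRTP_PROFILES:
            issues.append(f"{media}: transport {profile} is unencrypted RTP")
            continue
        # A secure profile still needs keying: SDES (a=crypto) or DTLS (a=fingerprint).
        keyed = session_keyed or any(
            l.startswith(("a=crypto:", "a=fingerprint:")) for l in lines[1:])
        if not keyed:
            issues.append(f"{media}: {profile} offered without a=crypto or a=fingerprint")
    return issues


if __name__ == "__main__":
    print("insecure offer:", audit_sdp(INSECURE_OFFER))
    print("secure offer:", audit_sdp(SECURE_OFFER))
```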
Choosing secure VoIP providers: What to look for
A core theme among all the risks we’ve been through is that having a good VoIP provider will cover most of your security bases. Since VoIP providers vary hugely in quality, you should vet at least three or four to compare between options.
But what makes a VoIP provider great? How can you find the most secure VoIP service to protect your calls? When you’re trying to find the right service for your business, you should consider the following factors:
Accreditation and certifications
Strong security credentials are essential because they prove that a VoIP provider is committed to keeping data safe and staying up-to-date with compliance standards such as GDPR. If you take a provider’s word that it offers competitive security without seeing any evidence, you’re likely to be disappointed.
Dialpad Connect, for example, is HIPAA-compliant, offers a Data Processing Agreement (DPA) that covers GDPR-compliant call recording, and stays SOC2 Type 2 certified with an annual audit and regular penetration tests.
SLAs and uptime guarantees
A good VoIP provider will offer a Service Level Agreement (SLA) committed to a certain level of uptime. Even a small period of downtime can negatively impact the security of your communications (in addition to your brand reputation) by requiring you to use less secure methods to cover vital calls.
You should expect an uptime guarantee of 99.9%, which is the industry standard, and feel confident that your chosen provider has the capacity and professionalism to resolve issues as swiftly as possible.
In addition to guaranteeing 99.9% uptime for Enterprise plan customers, Dialpad also uses geo-located redundancy and a unique dual cloud architecture to ensure that customers never need to worry about backup solutions.
Levels of encryption and other security measures employed
As we’ve covered at length, encryption is a core concern, so you should certainly ask about the encryption protocols a VoIP provider uses—as well as any other security measures it takes that might sway your decision.
In addition to SRTP and TLS encryption, look for the services mentioned while covering risks: Intrusion Detection Systems, Quality of Service protocols, configurable firewalls, caller ID authentication, and multi-factor authentication.
As you might expect, Dialpad offers enterprise-grade security measures across the board, with industry-leading features such as PII Redaction, a service that uses machine learning to detect and redact personal data in call transcripts so prying eyes can’t view sensitive information.

Features for user-level security
Maintaining user-level security is essential for preventing attackers from gaining ground-level access and undermining all other VoIP security services. Being able to control access based on user roles is a powerful addition that allows you to limit how many users are authorised to perform sensitive tasks.
Alongside these features, look for single sign-on (SSO) paired with multi-factor authentication. This combination will allow your employees to quickly access your new VoIP platform while making it extremely difficult for attackers to get in.
Dialpad has everything you need here, offering granular user access controls so you can easily manage all your users and take drastic security measures when necessary—such as forcing all users to log back in if a security breach is suspected.
VoIP security best practices: What else can you do to protect your data?
In addition to choosing a secure VoIP provider, you can take several internal actions to enhance your VoIP system's security. After all, even the best provider can’t protect you if you don’t follow basic cybersecurity practices.
Here are some broader cybersecurity best practices you can follow to safeguard your communications further:
Update software and systems regularly
An issue with having many software systems that interact is that it only takes one weak link to compromise the chain. If an attacker gains access to one system, they may be able to use it to gain access to connected systems.
Where possible, you should set up automatic updates to ensure that identified vulnerabilities are patched out as soon as possible. And when you can’t update systems automatically, you should have processes in place to ensure those responsible for the systems regularly check for updates.
If you use any non-SaaS software systems, you should also look to migrate to their newest versions when they become available. It can be a pain to deal with interface changes, but clinging to old versions isn’t tenable in the long run since they soon stop being updated.
Delete inactive user accounts
An inactive user account poses a major security risk. If an attacker can somehow acquire the login information for an inactive account, they may be able to use it for quite a while without anyone noticing.
Establish a process to ensure that user accounts are deleted promptly when their users leave your company or need new accounts due to moving roles. It’s also sensible to periodically review your lineup of user accounts to confirm that no inactive accounts have slipped through the cracks.
Set up remote device management
Given the popularity of remote working, businesses have generally relaxed their stances on device management, allowing employees to access work accounts using their laptops, tablets, and smartphones.
This is good for the employees—but bad for security. Business-provided devices can be effectively secured with apps and system settings being remotely locked, but that isn’t the case for personal devices. And if the latter are stolen, they can allow valuable account access to get into the wrong hands.
In addition to managing your user accounts, you should set up Remote Device Management (RDM) tools to monitor all devices with access to your VoIP system. If a device is lost or compromised, you can remotely wipe it. And if that means disallowing access from personal devices, that’s a small price to pay for security.
Insist on strong passwords and/or 2FA
All your security efforts will mean little if your employees use passwords similar to “password123” or “1234”. It sounds ridiculous, but it’s not unheard of for professionals to make terrible password-related decisions.
Thankfully, you can avoid that possibility by enforcing strong password policies that require users to choose complex, limited-time passwords that can’t easily be guessed or discovered through brute-force techniques.
And if you throw in multi-factor authentication that adds a second form of verification to every login attempt—perhaps a text message, an email to another account, or a prompt in a mobile app—that will increase security even further.
Consider additional security features and policies
There are countless ways to shore up cybersecurity, and how far you should take this depends on how seriously you take it, how much effort you’re ready to commit, and how many resources you’re willing to invest along the way.
We mentioned Virtual Private Networks earlier, for instance, as being useful for adding further encryption—you could pay for an enterprise-grade VPN. Another useful feature is Ai-enhanced audio fencing, as you can deploy it to prevent background conversations from being overheard in calls.
As for additional policies, you need to think about what would help your employees—and, if anything, what might hinder them. It’s a bad idea to create too many processes, for example, as it’ll lead to overload. But if you can find the time to work on an internal knowledge base covering best practices for VoIP systems, it should prove quite valuable in the long run.
Choose a communications platform with built-in VoIP security
Want to make secure business phone calls over the internet at scale? If so, you need the best enterprise VoIP platform you can find.
Dialpad Connect, for example, has everything you need to operate with confidence that your calls are kept confidential. Enterprise-grade encryption, an exceptional uptime guarantee, in-depth user controls, leading security certifications—it’s all included in the Enterprise plan.
Sign up for a free Dialpad trial today and find out how it can take your business communications to the next level.
Worried about the security of your online calls?
Dialpad Connect is the solution for you, providing a secure and robust communication platform with built-in encryption and advanced security features. Book a demo with our team to see how Ai Voice keeps conversations protected, or take a self-guided interactive tour to find out for yourself!