March 8, 2023

How To Protect Your Business From Toll Fraud

Security & Compliance

Business fraud can take many forms. Learn what toll fraud is and how you can protect your business with Cledara.

Nikesh Ashar

The best product teams go out of their way to keep their users’ accounts safe. But, what if those security mechanisms backfire, costing your company thousands of dollars? Your use of phone authentication could leave you vulnerable to toll fraud. 

However, there are ways to prevent this type of business fraud.

In today’s blog post, we’ll discuss:

  • What toll fraud and SMS pumping are
  • How toll fraud works
  • 5 best practices to protect your business from toll fraud

Let’s get started!

Two-Factor Authentication Business Fraud**

When it comes to phone verification or two-factor authentication (2FA), we often see two types of attacks:

  • Toll fraud
  • SMS pumping

Both attacks inflate your app’s traffic with the goal of making money. However, it’s worth mentioning that it doesn’t imply stealing information. 

Let’s see what it’s all about.

What Is Toll Fraud?

Toll fraud is a form of telecommunications fraud that involves the unauthorized use of a company's phone system to make long-distance calls. While it may seem innocuous at first sight, it can lead to significant financial losses. In fact, according to the Communications Fraud Control Association (CFCA), toll fraud caused $6.69 billion in losses in 2021.

In simple words, toll fraud happens when someone has access to your phone system and they artificially generate high-volume calls to premium international numbers (i.e. high-cost numbers). As a result, you get a costly telephone bill, and fraudsters take a cut of the revenue generated from these calls.

Fraudsters accomplish this by finding deployments of two-factor authentication (2FA) with access to telecommunications networks. In many cases, toll fraud goes undetected until the malicious activity scales and becomes financially significant.

Even large communication platforms, such as Twilio have failed to safeguard companies from toll fraud. Especially, considering how sophisticated these attacks tend to be. 

What Is SMS Pumping?

Did you know that fraudsters can exploit your 2FA text messages? Similarly to toll fraud, scammers can force your platform to send thousands of SMS to various mobile phone numbers owned by a particular mobile network operator (MNO). This is usually referred to as “SMS pumping”. 

Often, the term “toll fraud” is used as an umbrella term that includes both fraudulent phone calls and SMS pumping. That’s how we’ll use the term throughout this article.

How Does Toll Fraud Work?**

There are two scenarios where these types of fraud occur:

  • There is a revenue-sharing agreement between the MNO and the fraudsters that make the MNO complicit in the scheme
  • Fraudsters exploit MNOs without their knowledge

The second scenario involves smaller MNOs getting paid by larger MNOs for subscribers and traffic, so scammers can create fake companies and promise large traffic volumes. An MNO may be unconcerned with the source of the traffic and support the fraud.

Toll fraud can affect any company with a voice application. In most cases, it occurs through:

  • Voice verification code spamming
  • SMS verification code spamming

Let’s explore each one.

Voice Verification Code Spamming

Some companies offer a 2FA phone call option, in case users have trouble receiving text messages. These systems usually allow international calls, and scammers can take advantage of this. Fraudsters often exploit voice verification features and launch automated attacks.

Through abusive account creation and complex automation, fraudsters can request up to thousands of verification phone calls. The result? An uncommonly high phone bill for your company and thousands of dollars for the attackers. 

SMS Verification Code Spamming

Fraudsters can request thousands of fake verification text messages from your platform. Nevertheless, this scheme is not very lucrative unless the phone numbers come from long-distance locations where SMS messages are highly-priced. 

To carry out these schemes, the perpetrators will need to create accounts on your platform. So, you’ll be particularly vulnerable if you offer a free trial or plan.

How Does Toll Fraud Take Place?

Here’s how toll fraud works, step-by-step:

  1. Scammers get access to virtual phone numbers, allowing them to place outbound calls.
  2. In order to find holes in the network, fraudsters place short-duration calls to test numbers, which are provided by international premium rate resellers.
  3. Upon reaching a test number, the scammer purchases an International Premium rate number from the reseller.
  4. Once an attacker purchases a number, they arrange for it to receive dozens of concurrent calls. Including your 2FA phone calls.
  5. Fraudsters are paid by mobile networks in accordance with a revenue-sharing arrangement.

Now you know how toll fraud occurs. So, let’s take a look at how you can prevent it from affecting your business.

5 Best Practices to Prevent Toll Fraud** 

All in all, your best defense against toll fraud is to implement a combination of security measures to limit a scammer’s access to your calling & messaging capabilities. Fraudsters monetize these attacks in multiple ways, but you can prevent the most common schemes through a handful of strategies.

We recommend:

  • Adopting SaaS management software
  • Implementing robust bot detention
  • Setting international calling restrictions
  • Implementing rate limits
  • Reviewing your call logs regularly

Let’s take a closer look.

Use SaaS Management Software

With a robust SaaS management software platform, you can have a virtual card to pay for your customer engagement platform, setting a hard limit on your phone spending. So, if toll fraud does happen, it will quickly hit your card limit, which will prevent fraudsters from making further attempts.

Implement Robust Bot Detection

Toll fraud is only profitable when done at scale. So attackers will create tons of user accounts. And they'll probably do it automatically. So, to become less vulnerable to toll fraud, you can:

  • Strengthen your implementation of CAPTCHAs 
  • Request users to verify their email before activating 2FA

Although these small changes in your UX may introduce some friction for legitimate users, they can help deter automated, at-scale attacks.

Set International Calling Restrictions

This type of fraud can be prevented by limiting certain users' access to international numbers. For example, some companies only enable international calling for a limited number of countries. For the rest of the world, you can offer other 2FA methods, such as:

  • Email verification
  • 2FA tools

Implement Rate Limits

A good way to prevent this type of fraud is by limiting fraudsters’ ability to generate a large volume of traffic in a short period of time.

For instance, you can limit:

  • SMS or calls per second/minute/day
  • Call duration
  • Concurrent calls

In fact, you can set rate limits by:

  • User
  • IP
  • Device identifier

Although rate limits may not completely prevent fraud, they can hinder your attackers’ plan so much that they decide your app’s not worth exploiting.

Review Your Call Logs Regularly

By regularly reviewing your call logs, you can detect any suspicious activity and take action before it becomes a problem. This will also give you an overview of the types of calls you’re currently making. That way, you can better understand how your resources are being used and identify potentially malicious activity.

Protect Yourself from Business Fraud With Cledara**

There’s no doubt that toll fraud can have a significant impact on your finances. Fraudsters can make multiple unauthorized phone calls through sophisticated techniques, leaving you with a large, unexpected, and wrongful expense.

To protect yourself from toll fraud, it's important to take preventative measures, such as using Cledara.

Cledara is a SaaS management platform that allows you to:

  • Set individual virtual cards for each of your software subscriptions
  • Set an expense limit for each of your virtual cards
  • Get a centralized view of all your subscriptions
  • Identify unnecessary software and unsubscribe with one click
  • Prevent shadow IT
  • Get 2% cash back on your subscriptions
  • And more

Curious? Book a demo and try Cledara today.



The software management solution for finance teams.

Learn more

Subscribe to our newsletter

Receive the latest insights in your inbox

Nikesh Ashar

I currently look after Quality Assurance and IT at Cledara. Having built a robust QA process and now a team, we work with Product and Engineering to make sure that our software is robust and well tested.

Share this post

Subscribe to our newsletter and stay informed on the latest SaaS insights

Explore more

Explore more

9 Shadow IT Risks (And How to Avoid Them)

There’s no point triple locking your door if you leave a window wide open. Here’s 9 eye-watering shadow IT risks to beware of—and how to mitigate them.
Read more

IT Governance Framework: A Guide for Enterprise Companies

IT governance is a formal way to integrate an IT strategy into an organization's business strategy. In this post, we’ll cover everything you need to know about it.
Read more

Process Documentation for Startups: How To Get Started + Best Tools

Documenting processes can help you optimize your workflow and reduce the growing pains of scaling your startup. Here's how to get started.
Read more

Password Management Tips for SOC 2 Compliance

The right tools will help your company pass through a SOC 2 audit with ease.
Read more

EBA Guidelines on Outsourcing Arrangements: Everything You Need to Know

Learn how to easily navigate around the latest compliance requirements by the EBA for outsourcing arrangements.
Read more

Why SaaS Management Will Help You Achieve the ISO 27001 Certification

How a proactive approach to understanding and controlling your software subscriptions can ease your road to ISO 27001 compliance
Read more

UK Companies to Comply with EBA Guidelines for Outsourcing Arrangements amid Brexit and COVID pandemic

We dug into the latest public statements by PRA and FCA on the EBA Guidelines and give you actionable advice on how to tackle their latest updates.
Read more

2020 GDPR Fines on the Rise

How one chat bot cost Ticketmaster more than a million pounds and what you can do to avoid the same fate.
Read more

SaaSOps: Your IT Team's Latest Security Challenge

COVID has accelerated migration to the cloud. And has also exposed the security of your IT structure like never before. We give you seven tips for IT professionals to tackle these new challenges.
Read more

New EBA Outsourcing Guidelines: What SaaS is Considered Critical or Important?

We dig into the jargon behind the regulation to help you understand what needs to be done with your SaaS
Read more

The Way Fintech Startups Buy SaaS is About to Change Forever

New Outsourcing Guidelines from UK and European financial regulators set new requirements for the way regulated fintech startups and other financial services companies buy and manage their SaaS.
Read more

GDPR Fines and Lessons for Startups

GDPR fines are getting larger and more frequent. An average fine is now more than $500,000, making a GDPR fine equivalent to a whole seed round!
Read more