PBX Hacking
Unauthorised access to a business phone system (Private Branch Exchange) to place large volumes of fraudulent calls at the company's expense, typically to premium-rate or international revenue-share numbers, so that the attacker collects a share of the call charges (International Revenue Share Fraud, IRSF).
Also known as: PBX fraud, VoIP PBX compromise, business phone system hack, DISA fraud
Last reviewed: 10 June 2026
Private Branch Exchange (PBX) systems are the internal telephone switchboards used by businesses. When a PBX is connected to the internet for VoIP functionality, its SIP registration and administrative interfaces are found by automated scanners that then try default or weak passwords for extensions, trunks and admin accounts; older systems offering Direct Inward System Access (DISA) are attacked the same way, by guessing the PIN that gives an outside caller internal dial tone. Once inside, attackers add call-forwarding rules, register their own SIP devices against a compromised extension, or use the system as a platform to dial thousands of calls per hour to premium-rate or international revenue-share numbers.
PBX fraud losses can reach tens or even hundreds of thousands of dollars in a single weekend. Attackers prefer to operate over holidays and weekends when they are least likely to be detected. By Monday morning, the company has accumulated an enormous international call bill, much of which they may be legally obligated to pay under carrier contracts. Small businesses are disproportionately targeted because they often lack the monitoring tools and security expertise of larger enterprises.
Mitigation includes changing default PBX, extension and voicemail credentials and using long, random SIP passwords; disabling international dialling and DISA unless required, and restricting them to the extensions that need them; setting per-period spend alerts and hard limits so that a burst of calls is cut off automatically rather than discovered on Monday; restricting SIP connections to known IP addresses and placing a firewall or session border controller in front of the PBX; and reviewing call detail records for out-of-hours international traffic. Businesses that discover PBX fraud should contact their carrier immediately: many carriers have fraud teams that can block the suspicious destinations from that point on, but calls that have already completed are usually still billed, so the earlier the traffic is stopped the smaller the loss.
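As an added example, not code from this entry or from any PBX vendor: a small Python detector that applies the spend-alert and hard-limit rules above to call detail records (CDRs), together with the out-of-hours international and burst patterns described earlier. The CDR layout (timestamp, extension, dialled number, seconds, cost), the thresholds, the business hours and the sample records are all constructed assumptions; every PBX has its own CDR format, so `parse_cdrs()` is the part to adapt.

```python
"""Toll-fraud detection over PBX call detail records (CDRs).

Added example for this entry; not code from any PBX vendor. The CDR layout
(timestamp,extension,dialled number,seconds,cost) and all thresholds are
assumptions. Timestamps are taken to be the business's local time.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Policy (assumed values; tune to the business) ---------------------------
HOME_COUNTRY_CODE = "+1"          # numbers outside this prefix count as international
PREMIUM_PREFIXES = ("+1900",)     # NANP premium-rate area code 900
BUSINESS_DAYS = range(0, 5)       # Monday..Friday, as datetime.weekday() numbers them
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59 local
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 5                   # international calls per extension per window
SPEND_WINDOW = timedelta(hours=24)
SPEND_ALERT_USD = 50.0            # notify the administrator
SPEND_BLOCK_USD = 80.0            # hard limit: block outbound for the extension

# Constructed sample CDRs: a normal Friday, then a Saturday 02:00 burst from
# extension 104 to an arbitrary international number range. Friday 5 June 2026.
SAMPLE_CDRS = """\
2026-06-05T15:05:30,103,+19005550199,600,9.99     # domestic premium-rate, in hours
2026-06-05T16:40:12,101,+14155550123,95,0.04      # domestic, benign
2026-06-05T17:02:48,104,+14155550999,310,0.11     # domestic, benign
2026-06-05T17:30:05,102,+442079460123,420,0.35    # international but in business hours
2026-06-06T02:11:03,104,+8821000000001,1810,14.60 # Saturday 02:11: the fraud starts
2026-06-06T02:12:40,104,+8821000000002,1795,14.50
2026-06-06T02:13:55,104,+8821000000003,1802,14.55
2026-06-06T02:15:10,104,+8821000000004,1788,14.45
2026-06-06T02:16:22,104,+8821000000005,1811,14.62
2026-06-06T02:17:48,104,+8821000000006,1790,14.48
"""


@dataclass
class Alert:
    kind: str
    extension: str
    when: datetime
    detail: str


def parse_cdrs(text):
    """Parse the assumed CSV layout into dicts; '#' comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, ext, number, seconds, cost = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "ext": ext,
                        "number": number, "seconds": int(seconds), "cost": float(cost)})
    return records


def is_off_hours(ts):
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS


def is_international(number):
    return number.startswith("+") and not number.startswith(HOME_COUNTRY_CODE)


def is_premium_rate(number):
    return number.startswith(PREMIUM_PREFIXES)


def detect_fraud(records):
    """Return alerts, one per (kind, extension), in the order they are first triggered."""
    alerts, seen = [], set()
    intl_times = defaultdict(deque)   # ext -> timestamps of international calls in BURST_WINDOW
    spend = defaultdict(deque)        # ext -> (timestamp, cost) pairs within SPEND_WINDOW

    def alert(kind, rec, detail):
        if (kind, rec["ext"]) not in seen:
            seen.add((kind, rec["ext"]))
            alerts.append(Alert(kind, rec["ext"], rec["ts"], detail))

    for rec in sorted(records, key=lambda r: r["ts"]):
        ts, ext, number = rec["ts"], rec["ext"], rec["number"]
        if is_premium_rate(number):
            alert("premium_rate", rec, f"call to {number}")
        if is_international(number):
            if is_off_hours(ts):
                alert("off_hours_international", rec, f"call to {number} at {ts:%a %H:%M}")
            window = intl_times[ext]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:      # drop calls older than the window
                window.popleft()
            if len(window) >= BURST_COUNT:
                alert("burst", rec, f"{len(window)} international calls within {BURST_WINDOW}")
        hist = spend[ext]
        hist.append((ts, rec["cost"]))
        while ts - hist[0][0] > SPEND_WINDOW:
            hist.popleft()
        total = sum(cost for _, cost in hist)
        if total > SPEND_BLOCK_USD:
            alert("hard_limit", rec, f"${total:.2f} in {SPEND_WINDOW}: block outbound for ext {ext}")
        elif total > SPEND_ALERT_USD:
            alert("spend_alert", rec, f"${total:.2f} in {SPEND_WINDOW}")
    return alerts


if __name__ == "__main__":
    for a in detect_fraud(parse_cdrs(SAMPLE_CDRS)):
        print(f"{a.when:%Y-%m-%d %H:%M} ext {a.extension}: {a.kind} ({a.detail})")
```

On the sample data the detector reports, in order: the premium-rate call from extension 103, then for extension 104 the first off-hours international call at 02:11, the spend alert after the fourth call, the burst once five international calls fall inside ten minutes, and the hard limit after the sixth call. Extension 102's international call during business hours produces nothing, which is the point of combining destination with time of day rather than alerting on every international number. The hard-limit alert is where a real deployment would call the PBX's API to disable outbound dialling for that extension; the `elif` ordering means an extension that crosses both thresholds in one call is reported once, as a block.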