Recommended fraud mitigation best practices for Bandwidth customers


Thomas Soroka


Customer Obligations/Disclaimer

Bandwidth provides these Recommended Fraud Mitigation Best Practices (“Fraud Best Practices”) to help its customers reduce fraud by taking measures to protect themselves and the networks connected to Bandwidth. Neither Bandwidth's provision of these Fraud Best Practices nor anything included in these Fraud Best Practices alters any customer's contractual obligation to manage its network and its end users. 


This document is intended to help Bandwidth Customers to reduce their fraud attack surface and help them take measures to protect themselves, including their connections to Bandwidth. This document is not all-inclusive and can’t guarantee that the recommended best practices will stop all fraud. The intent is to provide a framework our customers can use toward the prevention and mitigation of fraudulent events and to lessen the risk associated with all types of telecommunications fraud.

Types of Fraudulent Traffic To Be Concerned About

The term “Fraud” typically relates to the practice of illegally extorting money, personal information, financial information, security credentials etc. The term “fraudulent traffic” also describes a wide range of devious telecommunications behaviors that are used to impersonate and mask identities with the intent to steal or harm.

Bandwidth considers the following types of voice calling and text messaging as fraudulent traffic:

  1. Traffic deemed invalid (per FCC rules)
  2. Traffic sent with intent to steal or harm
  3. Traffic sent with the intent to harm through impersonating or masquerading identities

Bandwidth reserves the right to protect itself and its networks by stopping fraudulent traffic from traversing its networks. Bandwidth’s customers who send traffic that the telecommunications industry, government authorities, and Bandwidth consider to be fraudulent are at risk of having their traffic blocked, either by Bandwidth or by any downstream service provider.

The following specific types of illegal activities also violate Bandwidth’s Acceptable-Use Policies (AUP).

  • Unlawful Robocalls (North America)
  • Domestic Toll Fraud/Traffic Pumping
  • International Toll Fraud/IRSF
  • Toll Free Traffic Pumping (North America)
  • Phishing Scams (IRS, SSA, Vacations, Student Loans etc.)
  • Text messaging SPAM

Unlawful Robocalls (Within North America)

In November 2017, the Federal Communication Commission (FCC) issued a report and order that described a number of specific types of robocalls considered to be unlawful. Further, in May 2019, the FCC released a declaratory ruling that gives service providers leeway to block unlawful robocalls at the network level by default, with the intent of preventing unlawful calls from reaching the general population in the first instance. The types of robocalls the FCC has specifically determined to be unlawful are calls made with:

  • Invalid ANI/FROM telephone numbers (TNs)
  • Unallocated ANI/FROM TNs
  • Blank or alpha-numeric characters in ANI/FROM TNs
  • Telephone numbers on the Do Not Originate (DNO) List(s)

Here are the best practices that customers can follow to prevent the flow of unlawful robocalls from their network toward Bandwidth:


  • Make sure all of your voice calling traffic contains good/valid telephone numbers in the ANI/FROM fields. See the definitions of the various types of ANI/FROM fields below. Ensure that all of your calls toward Bandwidth meet the following “VALID” criteria.
    • VALID: A valid NPA-NXX-XXXX in the NANP
    • UNALLOCATED: A valid NPA-NXX-XXXX in the NANP, but NOT assigned either to a carrier or in the LERG
    • INVALID NUMBER: A complete telephone number (TN) that is NOT VALID, but of the correct format [2-9][0-9][0-9] [2-9][0-9][0-9] [0-9][0-9][0-9][0-9] (i.e. 10 digits in length, 1st and 4th are [2-9] all others are [0-9])
    • INVALID DIGITS: The calling party number is numeric, but doesn’t fit into a category defined above (all 1's, partial entry <10 digits, etc.)
    • 8YY: The calling party number is an 8YY number
    • 911: The calling party number is 911
    • 411: The calling party number is 411
    • N11: The calling party number is any N11 number besides 911 or 411
    • 555: The NXX is 555
    • ALPHA: The calling party number has 'alpha' characters that are random or the word ANONYMOUS in it
    • EMPTY: There’s no calling party number present


  • Make sure that calls from your network or from your customers never have ANI/FROM phone numbers that fall into the UNALLOCATED, INVALID, N11, ALPHA or EMPTY ANI categories. Please be aware that if any of these types of calls leave your network and are sent toward Bandwidth, you run the risk of these calls being BLOCKED by Bandwidth or another downstream service provider.


  • Review your customer use cases and discourage short-duration (<15 seconds) calling. Short duration calls raise flags on most service provider networks and may lead to Call Blocking per the FCC guidelines.


  • If you receive voice traffic that falls into the FCC’s ‘unlawful’ categories, please take measures to detect, mitigate, block, and educate your customers to cease sending these types of calls.
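The category definitions above map directly onto a screening step for outbound calls. The following Python is an added example, not Bandwidth's code: the two NPA-NXX sets are constructed placeholders for real numbering-plan and LERG data, "INVALID" is read as covering both INVALID NUMBER and INVALID DIGITS, and the function names are hypothetical.

```python
import re
from collections import Counter

# 8YY (toll-free) NPAs in service in the NANP.
TOLL_FREE_NPAS = {"800", "833", "844", "855", "866", "877", "888"}

# Constructed sample data. In production, load these sets from your
# numbering-plan and LERG sources; the entries below are made up.
SAMPLE_VALID_NPA_NXX = {("919", "439"), ("515", "200")}
SAMPLE_ALLOCATED_NPA_NXX = {("919", "439")}

# Categories the list above says must never leave your network.
AT_RISK = {"UNALLOCATED", "INVALID NUMBER", "INVALID DIGITS",
           "N11", "ALPHA", "EMPTY"}

# 10 digits, 1st and 4th in [2-9], all others [0-9].
NANP_FORMAT = re.compile(r"[2-9][0-9]{2}[2-9][0-9]{6}")


def classify_ani(raw, valid=SAMPLE_VALID_NPA_NXX,
                 allocated=SAMPLE_ALLOCATED_NPA_NXX):
    """Return the ANI/FROM category for one calling party number."""
    if raw is None:
        return "EMPTY"
    # Drop common separators so "+1 (919) 439-1234" and "9194391234" agree.
    digits = re.sub(r"[\s().+\-]", "", raw)
    if not digits:
        return "EMPTY"
    if not re.fullmatch(r"[0-9]+", digits):
        return "ALPHA"              # random letters or the word ANONYMOUS
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]         # strip the NANP country code
    if digits in ("911", "411"):
        return digits
    if re.fullmatch(r"[2-9]11", digits):
        return "N11"
    if not NANP_FORMAT.fullmatch(digits):
        return "INVALID DIGITS"     # all 1's, partial entry, wrong length
    npa, nxx = digits[:3], digits[3:6]
    if npa in TOLL_FREE_NPAS:
        return "8YY"
    if nxx == "555":
        return "555"
    if (npa, nxx) not in valid:
        return "INVALID NUMBER"     # right shape, not a real NPA-NXX
    if (npa, nxx) not in allocated:
        return "UNALLOCATED"        # real NPA-NXX, not assigned
    return "VALID"


def screen_calls(anis):
    """Return (count per category, ANIs that fall in an at-risk category)."""
    counts, at_risk = Counter(), []
    for ani in anis:
        category = classify_ani(ani)
        counts[category] += 1
        if category in AT_RISK:
            at_risk.append((ani, category))
    return counts, at_risk


if __name__ == "__main__":
    # Constructed sample of ANI values as they might appear in CDRs.
    sample = ["+1 (919) 439-1234", "5152001234", "3122001234",
              "ANONYMOUS", "", "1111111111", "611", "8005551234"]
    counts, at_risk = screen_calls(sample)
    print(dict(counts))
    for ani, category in at_risk:
        print(f"would be at risk of blocking: {ani!r} -> {category}")
```

Categories outside `AT_RISK` that are still not VALID (8YY, 911, 411, 555) are counted but not listed, so they can be reviewed separately.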

Domestic Toll Fraud/Traffic Pumping

Delivering phone calls to all areas of North America doesn’t cost the same for each area. Marketplace dynamics dictate that supporting remote or lightly populated markets is generally more expensive than more densely populated cities.

The intercarrier compensation regime that applies to connected carriers that exchange traffic in the higher cost areas allows for the billing of access charges for calls to and from these more rural destinations. Thus, it’s much more expensive to deliver calls to areas like rural Iowa, as opposed to Des Moines or Cedar Rapids, IA. Bad actors know this and will frequently turn up automated phone-answering systems to generate traffic in these expensive areas. Then, they advertise through social media, websites, texts and emails to generate calls into these automated phone-answering systems.

The fraud schemes that arise in such scenarios are a function of intermediate service providers being billed higher call handling (access) charges, which subsequently contribute to the fraudulent payments to bad actors. Traffic pumping of this sort is typically robotically dialed, lasts over 15-30 minutes and is connected into automated systems that provide little or no value to the caller. Many of these calls complete into systems that return dead-air, barking dogs, ‘press 1 to continue’ loops, chat lines, recorded messages that never end, and in many cases, loud screeching tones.

The most common way for bad actors to exploit high-cost traffic pumping is to acquire phone numbers from the local exchange phone company, stand up fraudulent systems in an unknowing service provider’s colocation or cloud data centers, and then launch campaigns on social media to entice people to dial these recently acquired local numbers by the hundreds and ask them to leave the calls up once connected. A nefarious service provider in the money chain will charge reputable carriers exaggerated access charges and give a portion of these charges to bad actors.

Here are the best practices that customers can follow to prevent the flow of Domestic Toll Fraud/Traffic Pumping from their network toward Bandwidth:


  • Set up detection alarms on your and your customers’ traffic to alert you on numerous, robotically dialed calls made to known high-cost areas of North America. These areas include but aren’t limited to rural Iowa, rural South Dakota, and rural Massachusetts. Look at the NPAs, compare the rates within your typical rate decks, and either convince your customers to stop sending this kind of traffic to you, or block this kind of traffic from traversing your network. Bandwidth may also be monitoring for this type of traffic and typically alerts its customers upon detection.


  • Educate your customers on this type of fraud and encourage them to prevent, detect, and mitigate such fraudulent Domestic Toll Fraud traffic before it reaches your network.

International Toll Fraud/International Revenue Share Fraud (IRSF)

Similar to domestic toll fraud, international toll fraud is perpetrated by bad actors exploiting parts of the world that are extremely expensive to deliver phone calls to. This type of fraud is called International Revenue Share Fraud (IRSF) because oftentimes, nefarious/fraudulent companies acquire expensive international phone numbers and sell them to anyone who’ll pay money for them.

These phone dealers are often referred to as International Premium Rate Number Providers (IPRN), who often buy cheap, low-cost circuit connections to reputable carriers, so they can get paid for calls that terminate on the phone numbers that they have acquired. Bad actors buy expensive international phone numbers from the IPRNs and have their people (lieutenants) robo-dial calls to these phone numbers.

The payment chain begins when the calls are placed from a location in the U.S. The remainder of the money chain includes all intermediate service providers that have to pay their upstream provider partners to handle these international calls. Eventually, the IPRN companies get a ‘cut’ of the charges to complete these calls, because they’re the “holders” of the fraudulent phone numbers in the first place. The diagram below shows the typical money flow and how IRSF can be perpetrated.

Typical Money Flow of IRSF

IRSF Fraud can take on many forms and cost innocent, unknowing victims a lot of money. Many times bad actors “hack” into PBXs, IP-PBXs, Cloud-phone systems and enterprise phone systems, and enable outbound international calling. Once this hack occurs and outbound international calling is fraudulently enabled, the bad actors proceed to dial-out to extremely expensive international phone numbers in countries all over the globe. This, in turn, costs all intermediate service providers, as well as the innocent victim, who'll most likely receive an expensive bill in the next 30 days.

Here are the best practices that customers can follow to prevent the flow of International Toll Fraud/IRSF from their network toward Bandwidth:


  • Consider MANDATING the use of an authorization code, or PIN, that must be used by customers, employees, and end-users before placing international calls.


  • As end-users attempt to make international calls through your network, ensure that their account code, authorization code, or PIN is accurately and securely VERIFIED before they are allowed to make international calls.


  • Determine which countries your platform specifically supports calling to, and then restrict calling to all the remaining countries. Limit international dialing to only authorized customers, employees, and end-users who require it. Restrict all others.


  • Consider blocking the following frequently “Fraudulent” countries in your systems, your network and in your customers’ systems:
    • AC Ascension Islands 247
    • AG Antigua/Barbuda 268
    • AI Anguilla 264
    • AS American Samoa 684
    • BB Barbados 246
    • BM Bermuda 441
    • BS Bahamas 242
    • CD Democratic Republic of the Congo 243
    • CF Central African Republic 236
    • CG Congo 242
    • CZ Czech Republic 240
    • DM Dominica 767
    • DO Dominican Republic 809 829 849
    • GD Grenada 473
    • GQ Equatorial Guinea 240
    • GU Guam 671
    • HT Haiti 509
    • JM Jamaica 876
    • KN St. Kitts & Nevis 869
    • KY Cayman Islands 345
    • LC St. Lucia 758
    • LT Lithuania 370
    • MA Morocco 212
    • MF St Martin 590
    • MP Northern Mariana Islands 670
    • MS Montserrat 664
    • MV Maldives 960
    • PK Pakistan 92
    • PW Palau 680
    • SC Seychelles 248
    • SX Sint Maarten 721
    • TC Turks and Caicos Islands 649
    • TD Chad 235
    • TN Tunisia 216
    • TT Trinidad and Tobago 868
    • UG Uganda 256
    • VC Saint Vincent and the Grenadines 784
    • VG British Virgin Islands 284
    • VI U.S. Virgin Islands 340
    • SL Sierra Leone 232
    • SD Sudan 249
    • LR Liberia 231
    • LV Latvia 371


  • Look for large volumes of SIP 487 response codes in short periods of time on your network. Using something known as “Hyper-duration robocalls”, bad actors typically “probe” networks looking for cracks in the network that will allow completed international calls. During these “hyper-duration” storms, bad actors typically launch large volumes of SIP INVITE messages in a short period of time (thousands of INVITE messages within 5 mins or less), followed very rapidly by SIP HANGUP (487) messages.
  • It’s important to note that call attempts that don’t complete, don’t necessarily equal unsuccessful calls. All rapid-fire attempts/hangups in a short period of time should be considered a red flag for possible fraudulent activities in the near future.
  • When you see more than an average of about 60 SIP 487 messages per hour, look at your traffic for fraudulent activity and calls to fraudulent destinations. If you discover suspicious/fraudulent behaviors, take measures to block/prevent future attempts of these types of international calls from reaching Bandwidth.


  • Ensure that passwords to your company’s network equipment are unique to each unit of equipment, contain random characters, are random in length, and are NOT the passwords that were pre-configured at the time of purchase/installation. These passwords must be changed often and only shared with personnel authorized to make changes to your network equipment. Zero-knowledge password managers are highly recommended.
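The SIP 487 monitoring described in the list above can be implemented as two sliding-window counters. This Python is an added example, not Bandwidth's tooling: grouping by source IP, the 1,000-INVITE reading of "thousands", and the event tuple format are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque


def detect_probe_storms(events, max_487_per_hour=60, invite_burst=1000,
                        burst_window_s=300):
    """Flag sources whose SIP events match the probing pattern.

    events: iterable of (epoch_seconds, source, kind) where kind is
    "INVITE" or a response code such as "487" (Request Terminated).
    Returns {source: {kind: peak count inside the sliding window}} for
    every source that exceeded a limit.
    """
    limits = {"INVITE": (burst_window_s, invite_burst),
              "487": (3600, max_487_per_hour)}
    windows = defaultdict(lambda: {"INVITE": deque(), "487": deque()})
    findings = defaultdict(dict)
    for ts, source, kind in sorted(events):
        if kind not in limits:
            continue                      # other responses are not counted
        span, limit = limits[kind]
        window = windows[source][kind]
        window.append(ts)
        while ts - window[0] >= span:     # expire events outside the window
            window.popleft()
        if len(window) > limit:
            peak = findings[source].get(kind, 0)
            findings[source][kind] = max(peak, len(window))
    return dict(findings)


def build_sample_events():
    """Constructed events for three sources (documentation IP ranges)."""
    events = []
    # Storm: 1,200 INVITEs in four minutes, each answered with a 487.
    for i in range(1200):
        ts = i // 5
        events.append((ts, "198.51.100.7", "INVITE"))
        events.append((ts, "198.51.100.7", "487"))
    # Slow probe: 70 attempts in under an hour, every one ending in 487.
    for i in range(70):
        events.append((i * 50, "203.0.113.20", "INVITE"))
        events.append((i * 50 + 5, "203.0.113.20", "487"))
    # Ordinary traffic: 20 calls over two hours, three ending in 487.
    for i in range(20):
        events.append((i * 360, "192.0.2.15", "INVITE"))
        code = "487" if i % 7 == 0 else "200"
        events.append((i * 360 + 8, "192.0.2.15", code))
    return events


if __name__ == "__main__":
    for source, peaks in detect_probe_storms(build_sample_events()).items():
        print(source, peaks)
```

The slow probe never trips the INVITE burst limit, which is why the hourly 487 count is tracked separately from the five-minute burst.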

Toll-Free Traffic Pumping (Within North America)

In North America, businesses, individuals, and non-profits often buy the right to use a toll-free (8XX) telephone number to allow legitimate customers to call them free of charge. They instead agree to pay their long-distance service provider to receive these “wanted” incoming calls. Unfortunately, bad actors have found ways to exploit the intercarrier compensation regime that applies to these toll-free phone numbers and use robotically dialed fraudulent calls with the intent to harm legitimate businesses, individuals, or non-profits by making them pay inflated charges for unwanted/illegitimate toll-free inbound calls.

Here are the best practices that customers can follow to prevent the flow of toll-free Traffic Pumping from their network toward Bandwidth:


  • When acquiring toll-free (TF) phone numbers from Bandwidth, put them in an “aging” database and don’t place them into service until you need to assign them to your customer(s). If these TF phone numbers aren’t in service, they can’t and “should not” receive fraudulent/unwanted inbound calls from bad actors.


  • When holding/aging TF phone numbers from Bandwidth, monitor inbound call attempts to this TF phone number as a way of verifying if a TF number is "clean" while it’s out of service. If you receive many unwanted/unsolicited inbound calls to this TF phone number while it’s not in service, notify the Bandwidth Fraud Mitigation Team immediately at and alert them of the suspicious traffic.


  • If you need to offer a toll-free phone number for your services, use a pool of toll-free numbers and cycle through them when placing them into use. An example of this use case would be to use a different toll-free number from a pool of numbers for every new conference call, in a conference calling service. This prevents bad actors from focusing on and exploiting a single toll-free number.


  • Alert Bandwidth’s Fraud Mitigation Team and SOMOS of any new Toll-Free Fraudulent calls/events and we’ll engage an industry Toll-Free Fraud Traceback Group that will conduct tracebacks to discover the source(s) and provide information directly to law enforcement.


  • Refrain from advertising TF numbers publicly via websites/email/social media. This type of communication can be seen by bad actors and lead to unwanted inbound traffic to TF phone numbers. This type of toll-free fraud is often seen in instances where TF phone numbers are used and publicly advertised to access conference bridges.


  • If a toll-free phone number must be used to access your services, implement a “pool” of many TF phone numbers and rotate/cycle through it to keep bad actors guessing.

Phishing Scams (IRS, SSA, Vacations, Student Loans etc.)

There are companies out there that have product teams, engineering teams, and even billing teams that exist solely for the purpose of defrauding innocent victims of money, information, and credentials. These companies are involved in some of the most widespread phishing and extortion scams across the world. Some of the more commonly known scams include the IRS scam, the Social Security scam, the computer/PC repair scam, and the student loan and vacation scams. Most of these scams involve victims paying the bad actors with Apple iTunes cards, Bitcoin and various other gift cards whose value is very difficult to track or recoup.

Here are the best practices that customers can follow to prevent the flow of Phishing Scam calls from their network toward Bandwidth:


  • Use data analytics to map customers’ sign-up information with valid/legitimate addresses, credit card accounts, email addresses, and phone numbers. Keep track of suspicious sign-ups and immediately disable/disconnect fraudulent accounts as they become known.


  • If phone numbers are disconnected because they were found to be used in a fraudulent manner to perpetrate a phishing scam, DON’T auto-provision phone numbers to the same account.


  • Sometimes bad actors use “call-forwarding” to evade detection. Oftentimes, they use multiple call forwarding layers to evade detection. If your network or service offering includes a call-forwarding function, be aware of customers who enter large numbers of entries in your call forwarding tables, especially through web page interfaces. Please send all call-forwarding tables/forwarding information that contain Bandwidth phone numbers to


  • Keep an eye out for accounts that use numerous phone numbers across a large geographic area. Please report all accounts, and account information, that have numerous phone numbers across large geographic areas to


  • Monitor for and be aware of end users who cycle through phone numbers at higher than normal rates, volumes, and frequencies. This rapid phone number swapping behavior could indicate that they're trying to avoid detection by carriers, law enforcement, and government agencies. The perpetrators of the IRS and Social Security scam calls will typically swap phone numbers at unusual rates to cover their tracks after initial calls are placed and received.

Text Messaging SPAM

Text messaging is a very convenient mode of simple and fast communication. Messages sent out via public networks to end users are required to comply with all relevant laws and regulations, including but not limited to the Telephone Consumer Protection Act (TCPA).

Unfortunately, bad actors can also leverage these technological capabilities to commit crimes by defrauding, impersonating, and extorting innocent victims. The text messaging industry generally operates in a more lightly regulated environment than voice calling does, so text messaging service providers must be that much more vigilant on fraud prevention and mitigation best practices.

At the outset, it’s important to understand the differences between Person-to-Person text messaging (P2P) and Application-to-Person text messaging (A2P).

Consumer (P2P) Messaging

P2P (Person-to-Person) is defined as two-way messaging. Typically, this is the conventional conversational two-way SMS or MMS messaging between individuals. From CTIA best practices: "Consumer (P2P) messaging is sent by a Consumer to one or more Consumers and is consistent with typical Consumer operation (i.e., message exchanges are consistent with conversational messaging among Consumers)."

Attributes of Typical Consumer Operation

  • Throughput: 15 to 60 messages per minute. A Consumer is typically not able to originate or receive more than about one message per second.
  • Volume: 1,000 per day. Only in unusual cases do Consumers send or receive more than a few hundred messages a day. A Consumer can't typically send or receive messages continuously over a long period of time.
  • Unique Sender: 1 telephone number assigned to or utilized by a single Consumer. A single Consumer typically originates messages from a single telephone number.
  • Unique Recipients: 100 distinct recipients/telephone numbers per message. A Consumer typically sends messages to a limited number of recipients (e.g., 10 unique recipients).
  • Balance: 1:1 ratio of outgoing to incoming messages per telephone number with some latitude in either direction. Consumer messages are typically conversational. An incoming message typically generates a response from the recipient.
  • Repetition: 25 Repetitive Messages. Consumer messages are uniquely originated or chosen at the direction of the Consumer to unique recipients. Typical Consumer behavior is not to send essentially or substantially repetitive messages.
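To see which of your P2P numbers operate outside these attributes, the four numeric limits can be measured per telephone number from message records. This Python is an added example, not part of the CTIA or Bandwidth material: the record fields, function names and sample traffic are constructed, volume is counted on outgoing messages only, and the outgoing-to-incoming ratio is reported without a flag because no numeric latitude is given.

```python
from collections import Counter, deque

# Upper bounds from the attribute list above.
LIMITS = {
    "throughput": 60,           # messages per minute
    "volume": 1000,             # messages per day
    "unique_recipients": 100,   # distinct recipients per message
    "repetition": 25,           # repetitive messages
}


def audit_number(messages):
    """Measure one telephone number's traffic against the P2P attributes.

    messages: list of dicts with keys ts (epoch seconds), direction
    ("out" or "in"), recipients (list of numbers) and body.
    """
    out = sorted((m for m in messages if m["direction"] == "out"),
                 key=lambda m: m["ts"])
    inbound = sum(1 for m in messages if m["direction"] == "in")

    # Peak number of outgoing messages inside any 60-second window.
    window, peak_minute = deque(), 0
    for m in out:
        window.append(m["ts"])
        while m["ts"] - window[0] >= 60:
            window.popleft()
        peak_minute = max(peak_minute, len(window))

    per_day = Counter(m["ts"] // 86400 for m in out)
    # Case and whitespace differences do not make a message unique.
    bodies = Counter(" ".join(m["body"].lower().split()) for m in out)

    observed = {
        "throughput": peak_minute,
        "volume": max(per_day.values(), default=0),
        "unique_recipients": max((len(set(m["recipients"])) for m in out),
                                 default=0),
        "repetition": max(bodies.values(), default=0),
    }
    flags = [name for name, limit in LIMITS.items() if observed[name] > limit]
    ratio = len(out) / inbound if inbound else None
    return {"observed": observed, "out_in_ratio": ratio, "flags": flags}


def sample_consumer():
    """Constructed conversational traffic: 40 sent, 38 received."""
    msgs = [{"ts": 1000 + i * 600, "direction": "out",
             "recipients": ["+15555550111"], "body": f"eta {i} min"}
            for i in range(40)]
    msgs += [{"ts": 1030 + i * 600, "direction": "in",
              "recipients": [], "body": "ok"} for i in range(38)]
    return msgs


def sample_blaster():
    """Constructed bulk traffic: 300 identical messages in one minute."""
    return [{"ts": i // 5, "direction": "out",
             "recipients": [f"+1555555{i:04d}"],
             "body": "You won! Claim at example.test"}
            for i in range(300)]


if __name__ == "__main__":
    print(audit_number(sample_consumer()))
    print(audit_number(sample_blaster()))
```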

Consumer (P2P) Messaging Automation

Some Consumers utilize automation to assist in responding to communications. For example, a Consumer may direct their messaging service to auto-reply to a phone call in order to inform the caller about the Consumer’s status (e.g., “I’m busy” or “Driving now, can’t talk”). Such use of automation to assist Consumers in their composition and sending of messages falls within the attributes of typical Consumer operation. In contrast, the use of automation, in whole or in part, by Non-Consumers to facilitate messaging is not a typical Consumer operation.

Non-Consumer (A2P) Messaging

A2P (Application-to-Person) is one-way SMS to which recipients aren’t expected to reply. Typically this represents high-volume messaging between businesses and individuals. Some common examples are a logistics company sending delivery statuses and notifications, a dentist’s office sending one-way alerts and reminders, or a financial institution sending PIN codes to individuals either using short codes or long codes.

Non-Consumer (A2P) message traffic includes, but isn't limited to, messaging to and from large-to-small businesses, entities, and organizations. For example, Non-Consumer (A2P) messages may include messages sent to multiple Consumers from businesses or their agents, messages exchanged with customer service response centers, service alerts and notifications (e.g., fraud, airline), and machine-to-machine communications. Non-Consumer (A2P) Message Senders may also include financial service providers, schools, medical practices, customer service entities, non-profit organizations, and political campaigns. Specifically, such Message Senders should adhere to the Non-Consumer (A2P) Best Practices, described in the CTIA Messaging Best Practices.

Non-Consumer (A2P) message traffic includes all messaging traffic that is automated, in whole or in part, but isn’t described as Consumer (P2P) messaging automation. If Consumer (P2P) messaging traffic is operating in a manner inconsistent with typical Consumer operation, such traffic may be filtered or subject to a Service Provider’s Unwanted Messaging threat mitigation efforts consistent with a Service Provider’s individual messaging service terms and conditions.

The one SMS/number/second message limits imposed in the guidelines for P2P messaging don’t apply to A2P messaging services. The use of an A2P text messaging service requires formal approval by Bandwidth (and potentially carriers, depending on the use case and the company generating outbound traffic).

The major difference between the current P2P service that Bandwidth offers today on U.S. and Canadian local 10-digit phone numbers, and the A2P Messaging service using toll-free numbers is that A2P formally allows TCPA compliant and opted-in use cases for many application-to-person use cases, such as alerts, PIN codes, requested marketing, and automated high-volume interactions between business/government and consumers.

Unwanted Messages

Protecting consumers from unwanted messages, particularly from high-volume messaging traffic, is a key consensus-based goal among messaging ecosystem stakeholders.

Unwanted Messages (or Unwanted Messaging) may include:

  • Unsolicited bulk commercial messages (i.e., spam)
  • “Phishing” messages intended to access private or confidential information through deception
  • Messages that required an opt-in but didn’t obtain it (or had it revoked)
  • Unwanted content, including other forms of abusive, harmful, malicious, unlawful or otherwise inappropriate messages

We recommend that customers follow best practices for Toll-Free (A2P) messaging and the CTIA messaging principles and best practices, as well as check out the CTIA Short Code Monitoring Handbook. Though this handbook is about text messaging short codes, the same basic principles and rules apply. We also recommend customers follow these additional industry sanctioned Short Code guidelines.

Here are the best practices that customers can follow to prevent the flow of Text Messaging SPAM from their network toward Bandwidth. This type of SPAM traffic runs the risk of being BLOCKED by either Bandwidth or by a downstream provider:


Never send text messaging content that is related to S.H.A.F.T.:

  • Sex
  • Hate
  • Alcohol
  • Firearms
  • Tobacco (including cannabis)

Text messages with content that’s directly or remotely related to these categories will most likely be blocked as SPAM by either Bandwidth and/or one or more Tier 1 Mobile Network/Handset operators in the U.S.



Make sure users explicitly say they want messages from you.

  • The single most important practice is ensuring you have accurate, reliable opt-ins specific to the type of messages you’re sending consumers. Generally, opt-out rates are consistently low when you have obtained reliable and clear consumer opt-in consent. At any time, Bandwidth or other wireless carriers may request evidence of documented opt-in consent for a particular message sent from you (or your customers).



  • These same ‘free-public’ URL shorteners are used by bad actors to evade detection and get their SPAM messages passed through text messaging platforms. Bandwidth encourages you to build custom URL shorteners that relate to your company or product name. They’re still free. If a custom URL shortener is found to be used for fraudulent purposes, Bandwidth can and will block messages containing them.
  • Bandwidth and partnering “downstream” carriers will block text messages that contain these publicly available URL shorteners:


  • Provide opt-out functionality within the text messages sent, so receiving end-users can easily opt-out at their discretion. Failing to have opt-out in the text messages sent may lead to carriers flagging and possibly blocking these messages as SPAM.



Be sure your users can opt out of receiving messages.

  • Consumer opt-in and opt-out functionality is enforced at the network level via the STOP and UNSTOP keywords (Note: this is available on toll-free only). This functionality can’t be disabled for service providers or message senders. Message senders have obligations to process the opted-out consumer phone number, so it’s removed from all distribution lists and logged as “opted out” from SMS communications. This ensures that withdrawal of consumer consent is honored and future messages aren’t attempted.

  • Examples of valid opt-out messages:
    • STOP
    • Stop
    • stop
    • STop
  • For toll-free SMS, there’s no need for you to send an acknowledgment to the consumer. The generic opt-out confirmation message returned to a consumer from your network provider gives instructions on how to opt back into service
    • Example: “NETWORK MSG: You replied with the word STOP which blocks all texts sent from this number. Text back UNSTOP to receive messages again.”



Allowing users to opt back in after opting out at the network level (Note: this is available on toll-free numbers only).

  • A consumer can opt back in at any time to receive messages by texting the keyword “UNSTOP” or "START" to a message sender’s phone number. The keyword is not case sensitive and triggers an opt-in only when sent as a single word, with no punctuation or leading spaces (any trailing spaces are trimmed). If the consumer uses the opt-in keyword within a sentence an opt-in is not triggered.
  • Examples of valid opt-ins:
    • UNSTOP
    • Unstop
    • unstop
    • UNStop
    • START
    • Start
    • start
  • The message returned to a consumer is generic and informs the consumer they can start two-way texting with the message sender’s phone number again.
  • Example: “NETWORK MSG: You have replied UNSTOP and will begin receiving messages again from this number.”
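The opt-out and opt-in rules in the two items above leave the sender with one job: mirror the network's decision in its own distribution lists and keep a record of it. This Python is an added example, not Bandwidth's implementation: the class and function names are hypothetical, the phone numbers are constructed, and applying the single-word matching rule to STOP as well as to UNSTOP/START is an assumption.

```python
from datetime import datetime, timezone

OPT_OUT_KEYWORDS = {"STOP"}
OPT_IN_KEYWORDS = {"UNSTOP", "START"}


def classify_keyword(body):
    """Return "opt_out", "opt_in" or None for one inbound message body.

    The keyword must be the whole message: case is ignored and trailing
    spaces are trimmed, but leading spaces, punctuation or extra words
    mean no keyword is triggered.
    """
    word = body.rstrip(" ").upper()
    if word in OPT_OUT_KEYWORDS:
        return "opt_out"
    if word in OPT_IN_KEYWORDS:
        return "opt_in"
    return None


class ConsentLedger:
    """Sender-side suppression list with a log of consent changes."""

    def __init__(self):
        self.opted_out = set()
        self.audit_log = []   # (UTC timestamp, consumer number, action)

    def handle_inbound(self, consumer, body, now=None):
        action = classify_keyword(body)
        if action is None:
            return None       # ordinary reply, consent unchanged
        if action == "opt_out":
            self.opted_out.add(consumer)
        else:
            self.opted_out.discard(consumer)
        stamp = now or datetime.now(timezone.utc)
        self.audit_log.append((stamp, consumer, action))
        return action

    def deliverable(self, distribution_list):
        """Drop opted-out consumers before a campaign is sent."""
        return [n for n in distribution_list if n not in self.opted_out]


def replay_sample():
    """Run constructed inbound messages through a ledger."""
    ledger = ConsentLedger()
    inbound = [
        ("+15555550101", "STop"),                # valid opt-out
        ("+15555550102", "please stop"),         # sentence: no trigger
        ("+15555550103", "stop  "),              # trailing spaces trimmed
        ("+15555550104", " STOP"),               # leading space: no trigger
        ("+15555550103", "Unstop"),              # opts back in
        ("+15555550101", "START."),              # punctuation: no trigger
    ]
    for consumer, body in inbound:
        ledger.handle_inbound(consumer, body)
    return ledger


if __name__ == "__main__":
    ledger = replay_sample()
    campaign = ["+15555550101", "+15555550102", "+15555550103"]
    print(ledger.deliverable(campaign))
    for entry in ledger.audit_log:
        print(entry)
```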



Don’t spread your campaigns over several numbers.

  • Using a single number for both text and voice calls is not only a best practice but also a better overall user experience. Your customers can call and text the same number. But more importantly, you should avoid spreading messages across many source phone numbers, specifically to dilute reputation metrics and evade filters. This is referred to as “snowshoeing” and can result in your content being blocked. If your messaging use case requires the use of multiple numbers to distribute “similar” or “like” content, please discuss it with your Bandwidth rep (or other carrier rep).



Include your company name in the messages you send.

  • Your application, service, or business name should be included in the content of the body of your message(s).
  • Example: “[Your Business Name]: You have an appointment for Tuesday, 3:00PM. Reply YES to confirm, NO to reschedule. Reply STOP to unsubscribe.”



Any campaign URLs should be from a single, specific domain.

  • Each campaign should be associated with a single web domain owned by you, the customer. Although a full domain is preferred, a URL shortener may be used to deliver custom links.

Good Cyber Hygiene

In today’s telecom environment, the same servers and computing hardware used for websites and databases are also used for IP-PBXs, voicemail systems, call-center platforms and Interactive Voice Response (IVR). These servers typically operate with Windows and/or Linux (CentOS, RHEL) operating systems, which continue to be exploited by hackers and fraudsters every day. For this reason, it’s extremely important to exercise good cyber hygiene (i.e., good cybersecurity best practices) in order to protect your systems from being hacked, breached, or exploited for fraudulent phone calling all over the world.

Customer Premise Equipment (CPE)

The following suggested best practices are drawn from industry-wide sanctioned practices, as well as Bandwidth-approved actions that can help secure your communications systems.

Often referred to as Customer Premise Equipment (CPE), servers and their connection to IP networks and the internet represent your single most vulnerable point of fraudulent entry. It’s critical for you to take all necessary and practical measures to secure these customer-owned systems, so you can reduce your attack surface and slow/prevent the perpetration of telecom fraud.

It’s important to keep in mind that there are no guarantees to preventing all telecom fraud. The criminals who perpetrate telecommunications fraud, in its numerous forms, are always working to circumvent countermeasures and security features that enterprises may deploy.

Implementing some and/or all of the listed suggested best practices to secure your CPE can dramatically reduce your exposure to several types of telecom fraud.

Best Practices for Securing Your CPE

Since most local VoIP systems (PBX, IP PBX, Call Managers), voicemail systems, and enterprise grade Session Border Controllers (SBCs) are built on off-the-shelf computing platforms (i.e., Linux servers), we recommend that you exercise Linux and IP network cybersecurity best practices. Implement a company-wide security plan that includes instituting policies on call restrictions, leveraging call blocking, creating processes around closing customer accounts or unused services, utilizing password best practices, actively managing voicemails, and reporting anomalies. Educate all of your employees on the established security plans.

Here are the best practices you and your employees can follow to secure your CPE:


Back up your systems fully and often

  • In the event a system is compromised, you can restore it from a known “clean” backup. Although you may lose some amount of data, you’ll be able to restore your critical systems.


Review and utilize traffic data

  • By collecting and graphing call logs and Call Detail Records (CDRs) from your VoIP platform, you can see incoming and outgoing calls, and determine whether any of the “graphed” traffic behaviors match or conflict with your business model and service offerings. Monitor and review your long-distance (LD) usage on a regular schedule, or as often as practical.
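One way to make this review repeatable, as an added example (not Bandwidth's code): the script buckets outbound CDRs by hour and flags hours that conflict with an assumed business profile. The CSV column names, business hours, thresholds and the home prefix are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs; the column names are assumptions, not a Bandwidth export format.
SAMPLE_CDRS = """start_time,direction,from,to,duration_sec
2024-03-04T10:05:00,outbound,+19195550100,+19195550123,180
2024-03-04T10:40:00,outbound,+19195550101,+14155550150,240
2024-03-04T14:15:00,outbound,+19195550100,+442079460000,300
2024-03-05T02:01:00,outbound,+19195550102,+99955500001,610
2024-03-05T02:03:00,outbound,+19195550102,+99955500002,598
2024-03-05T02:04:00,outbound,+19195550102,+99955500003,605
2024-03-05T02:06:00,outbound,+19195550102,+99955500004,611
2024-03-05T09:30:00,inbound,+14155550150,+19195550100,60
"""

BUSINESS_HOURS = range(8, 18)   # assumed: 08:00-17:59 local time
MAX_CALLS_PER_HOUR = 3          # assumed baseline for a small site
HOME_PREFIX = "+1"              # assumed: anything else counts as international


def review_cdrs(cdr_csv):
    """Return a list of (hour_bucket, reason) findings for outbound traffic."""
    buckets = defaultdict(lambda: {"calls": 0, "intl": 0, "intl_sec": 0})
    for row in csv.DictReader(io.StringIO(cdr_csv)):
        if row["direction"] != "outbound":
            continue
        start = datetime.fromisoformat(row["start_time"])
        bucket = buckets[start.replace(minute=0, second=0)]
        bucket["calls"] += 1
        if not row["to"].startswith(HOME_PREFIX):
            bucket["intl"] += 1
            bucket["intl_sec"] += int(row["duration_sec"])

    findings = []
    for hour, stats in sorted(buckets.items()):
        if stats["calls"] > MAX_CALLS_PER_HOUR:
            findings.append((hour, f"{stats['calls']} outbound calls in one hour"))
        if stats["intl"] and hour.hour not in BUSINESS_HOURS:
            findings.append((hour, f"{stats['intl']} international calls off-hours, "
                                   f"{stats['intl_sec']} sec"))
    return findings


if __name__ == "__main__":
    for hour, reason in review_cdrs(SAMPLE_CDRS):
        print(hour.isoformat(), reason)
```

Treating every "+1" destination as domestic is a simplification: the prefix also covers non-U.S. numbering areas, so tighten it to the area codes you actually call.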


Secure your Voicemail (VM) Systems

  • Implement strong PIN and VM password policies. Disconnect/disable outbound calling or call-through functionality within the voicemail system.
  • Never allow call forwarding or return call features within a voicemail system. Hackers often exploit voicemail platforms to program fraudulent outbound calling.


PBX management

  • Keep IP-PBX and voice platform operating systems up-to-date.
  • Be sure your systems are updated with the latest releases and security patches. Hackers often exploit outdated and unpatched operating systems. Please remain vigilant about maintaining and enhancing your security.


Consider adding time of day/day of week call handling

  • Turn off/disable outdial features (allow inbound calls and 911 only) during non-business hours. At a minimum, restrict international dialing to core business hours only.


Set up a SIP-based firewall within your IP/PBX systems

  • A SIP-based firewall can inspect voice and data packets as they pass through your network, and only allow what’s authorized between your platform and your service provider. Firewalls can also alert you when various thresholds or unauthorized access attempts occur.
  • Monitor SIP traffic and automatically block suspicious IP addresses that are SIP scanning the equipment for access.
  • Monitor and alert on all registration events into your PBX, IP PBX, and Call Manager, including failed attempts. Blacklist foreign IPs you don’t recognize/do business with.
  • Utilize strong Access Control Lists designed to allow for secure communications while preventing unauthorized access.


Disable DISA (Direct Inward System Access)

  • Prevent external callers from accessing internal PBX features by disabling DISA.
  • Delete unassigned voice mailboxes and associated DISA codes.
  • Consider two-factor authentication for any remote access and/or administrative users.


Disable ALL IP ports not currently in use

  • On Linux based IP-PBX systems and ancillary platforms, like voicemail systems, disable all IP ports that aren’t being used or needed. Hackers look for unused IP ports that can be exploited to gain unauthorized access. Pay special attention to IP ports 5060 and 5080 on IP-PBXs, like Asterisk, Mitel, Polycom, Cisco, and Avaya.


Utilize enterprise-grade Session Border Controllers (SBCs)

  • Enterprise-grade SBCs will provide an added layer of security, which is especially important if you use Unified Communications (UC) services, like video conferencing. Hackers will quite often ping the IP address of an IP-PBX. However, with an SBC in place, they’ll get a response from the SBC, not the IP-PBX, and won’t gain access or visibility into your IP-PBX. Hackers almost always seek the path of least resistance. If they encounter an IP address that’s protected, they’ll move on to IP addresses that aren’t.
  • Enterprise-grade SBCs also provide additional layers of protection by allowing operator-configured rules to be executed based on authorized calling patterns and services offered. Enterprises can configure SBC rules for geographic restrictions, number of calls per hour, time of day and days of the week. This can be very effective in preventing robocalls, toll fraud, international fraud, and suspicious calling behaviors during nights or weekends when employees aren’t typically in the office.
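The rule types described above (time of day and day of week, geographic restrictions, calls per hour, with 911 always permitted) can be sketched as a single decision function. This is an added example, not code from Bandwidth or any SBC vendor; the class name, business hours, allowed prefixes and limits are assumptions, and the call attempts are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

BUSINESS_DAYS = range(0, 5)                 # assumed: Monday-Friday
BUSINESS_HOURS = range(8, 18)               # assumed: 08:00-17:59 local time
ALLOWED_COUNTRY_PREFIXES = ("+1", "+44")    # assumed: where this business calls
MAX_CALLS_PER_HOUR = 3                      # assumed per-extension limit
EMERGENCY_NUMBERS = ("911",)


class OutboundPolicy:
    """Decide whether an outbound call attempt is allowed (hypothetical rule set)."""

    def __init__(self):
        self._recent = {}  # extension -> deque of timestamps of allowed calls

    def check(self, extension, dialed, now):
        if dialed in EMERGENCY_NUMBERS:
            return True, "emergency call always allowed"
        in_hours = now.weekday() in BUSINESS_DAYS and now.hour in BUSINESS_HOURS
        if not in_hours:
            return False, "outdial disabled outside business hours"
        if not dialed.startswith(ALLOWED_COUNTRY_PREFIXES):
            return False, "destination outside allowed geography"
        window = self._recent.setdefault(extension, deque())
        while window and now - window[0] >= timedelta(hours=1):
            window.popleft()  # drop calls older than the one-hour window
        if len(window) >= MAX_CALLS_PER_HOUR:
            return False, "calls-per-hour limit reached"
        window.append(now)
        return True, "allowed"


def demo():
    """Run constructed call attempts through the policy and return the reasons."""
    policy = OutboundPolicy()
    monday_10am = datetime(2024, 3, 4, 10, 0)
    attempts = [
        ("100", "+19195550123", monday_10am),
        ("100", "+99955500001", monday_10am + timedelta(minutes=1)),
        ("100", "+19195550124", monday_10am + timedelta(minutes=2)),
        ("100", "+19195550125", monday_10am + timedelta(minutes=3)),
        ("100", "+19195550126", monday_10am + timedelta(minutes=4)),
        ("100", "+19195550127", monday_10am + timedelta(minutes=61)),
        ("100", "+442079460000", datetime(2024, 3, 9, 23, 0)),  # Saturday night
        ("100", "911", datetime(2024, 3, 9, 23, 5)),
    ]
    return [policy.check(*attempt)[1] for attempt in attempts]
```

The emergency check runs first so that no later rule can block a 911 call.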

User Management Tips for Securing Your Users (UAs, Handsets, Remote Users)


Improve security through rate limiting login attempts

  • Never allow unlimited login attempts.
  • Enable system lock-out functionality on all voice-processing and voicemail systems that only allow a finite number of attempts, typically three, to enter a password before being locked out.
  • Consider using multi-factor authentication for enhanced security.


Monitor for and block account scanners

  • Look for unauthorized user agents (UAs) like “User-Agent: friendly-scanner” or UAs that are free and/or don’t match your authorized user’s systems. In a VoIP network environment, numerous unauthorized registration attempts should be a significant red flag that your network and systems are being probed/scanned for vulnerabilities.
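A detection sketch for this check, as an added example (not Bandwidth's code): it reads the User-Agent header from SIP REGISTER requests and counts failed registrations per source IP. The authorized UA prefix, the threshold, the event tuple layout and all sample messages are assumptions constructed for illustration.

```python
from collections import Counter

DENYLISTED_UAS = ("friendly-scanner",)        # named on this page
AUTHORIZED_UA_PREFIXES = ("ExamplePhone/",)   # assumed: your approved handset firmware
MAX_FAILED_REGISTRATIONS = 3                  # assumed threshold per source IP

def register(user, ua, authed=False):
    """Build a constructed SIP REGISTER request for the sample data."""
    auth = f'Authorization: Digest username="{user}", response="0"\r\n' if authed else ""
    return ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            f"From: <sip:{user}@pbx.example.com>;tag=1\r\n"
            f"user-agent: {ua}\r\n"  # SIP header names are case-insensitive
            f"{auth}\r\n")


# Constructed events: (source IP, final response code, raw request).
SAMPLE_EVENTS = (
    [("198.51.100.20", 401, register("100", "ExamplePhone/2.1")),
     ("198.51.100.20", 200, register("100", "ExamplePhone/2.1", authed=True)),
     ("203.0.113.7", 401, register("100", "friendly-scanner"))]
    + [("203.0.113.9", 401, register(str(ext), "ExamplePhone/2.1", authed=True))
       for ext in range(100, 104)]
)


def headers(raw):
    """Map lower-cased header names to values for one SIP message."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    pairs = (line.split(":", 1) for line in head if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}


def find_scanners(events):
    """Return {source_ip: set_of_reasons} for registration traffic to block or review."""
    findings, failures = {}, Counter()
    for src, status, raw in events:
        hdrs = headers(raw)
        ua = hdrs.get("user-agent", "")
        if any(bad in ua.lower() for bad in DENYLISTED_UAS):
            findings.setdefault(src, set()).add("denylisted user agent")
        elif not ua.startswith(AUTHORIZED_UA_PREFIXES):
            findings.setdefault(src, set()).add("unauthorized user agent")
        # A 401 to a request without credentials is the normal digest challenge.
        if status == 403 or (status == 401 and "authorization" in hdrs):
            failures[src] += 1
    for src, count in failures.items():
        if count > MAX_FAILED_REGISTRATIONS:
            findings.setdefault(src, set()).add("repeated failed registrations")
    return findings
```

The failure counter catches a source that copies an authorized User-Agent string, which the header check alone would miss.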


Block/filter traffic from suspicious IP addresses

  • You should filter, block or blacklist suspicious IP addresses (especially in high-risk countries), as they’re identified, so no traffic is allowed to enter your network from them.


Monitor for and disable or remove fake accounts and account sign-ups

  • Look for random email addresses (i.e., or addresses and ZIP codes that don’t align. It’s not recommended to solely rely on third-party platforms or application stores to validate your new account sign-ups.
  • If you already use third-party platforms or application stores for account validations and sign-ups, please reach out to your Bandwidth Support Team confirming their current practices leverage security features that will monitor and alert you to fraudulent activities.


Install security software applications on all of your voice processing systems

  • Most security products can flag and reduce the rate of incorrect authentication attempts. They can check for login and VoIP/SIP registration errors and stop brute force attacks against root passwords, injections of malicious traffic, and registration attempts of unauthorized peers with suspicious credentials.

General Best Practices for Working with Bandwidth


Develop a Fraud-Contact distribution email address list. This will allow Bandwidth to contact more than one person at your company about fraudulent events or behaviors. You’ll need to manage the distro list, as your staff changes.


Update all “fraud” contacts every 6 months within your account and reach out to your Bandwidth Support Team to alert them that you made edits/changes.


Any/All Fraud-Contact distribution email address lists provided to Bandwidth must reach people that are on-duty or on-call, in a way that allows Bandwidth to communicate with someone regarding fraud events 24 hours a day, 7 days a week, 365 days a year (24X7X365).


Any/All Fraud-Contact distribution phone number lists provided to Bandwidth must reach people that are on-duty or on-call, in a way that allows Bandwidth to communicate with someone regarding fraud events 24 hours a day, 7 days a week, 365 days a year (24X7X365).


Any/All Fraud-Contact distribution lists provided to Bandwidth must reach people that are technically capable of mitigating fraudulent events on your network.


Any/All Fraud-Contact distribution lists provided to Bandwidth must reach people that are authorized to make network decisions, such as blocking fraudulent traffic, disabling fraudulent international calling, and/or accepting “Fraud” charges, as spelled out in your Bandwidth Master Service Agreement - Contract.


If you need to reach the Bandwidth Fraud Mitigation Team, you can contact us in any of the following ways:

  • Email:
    • [Note: this will auto-open a ticket with Fraud Mitigation Team]
  • Phone Customer Support: 855-864-7776
  • Phone Bandwidth Corporate: 888-969-5009, Press 3, Press 1, Press 1

Recommended Fraud Mitigation Best Practices FAQ

We’re building internal fraud policies for fraud mitigation. Can Bandwidth provide area codes for known high-cost areas in North America?

Unfortunately, Bandwidth can’t provide a list of high-cost areas in North America for several reasons:

  1. The cost to deliver traffic to various parts of the U.S. changes every day. Therefore, what may be considered “high-cost” today, may not be high-cost tomorrow.
  2. Federal regulations require carriers to deliver valid traffic to every part of the U.S, and specifically to rural calling areas. Although Bandwidth periodically detects fraudulent traffic to various NPA-NXXs in the U.S., that doesn’t mean that the whole NPA-NXX is fraudulent or that all calls to “high cost” areas are fraudulent. Bandwidth can’t provide you with legal advice, so it’s incumbent upon you to seek your own legal guidance and develop your own specific fraud mitigation policies and traffic blocking rules in keeping with such guidance.

How did [this fraudulent event] happen?

Generally speaking, Bandwidth doesn’t have visibility to the end points in your network. Therefore, we can’t definitively say how fraudulent traffic was generated. However, there are several common methods used to “hack” into vulnerable systems and services, which are outlined in our Recommended Fraud Mitigation Best Practices. While this list of methods isn’t exhaustive, it does indicate several ways in which toll fraud can be attempted against your network. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly.

How do I stop fraudulent traffic coming from my network from reaching Bandwidth?

The first step is to secure your systems. Take all practical measures to prevent unauthorized external and internal access to your systems, by managing your system passwords and changing them often. Limit who can access your systems, and implement as many of the Recommended Fraud Mitigation Best Practices as possible. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly.

Please keep in mind that Bandwidth monitors for, detects, and mitigates fraudulent traffic to protect its own networks and its customers. Per your contractual obligations with Bandwidth, you’re responsible for managing your traffic, detecting fraudulent activity, and stopping it on your networks, before it reaches Bandwidth.

Can Bandwidth protect me from all fraudulent traffic?

Unfortunately not. Since Bandwidth doesn’t manage your customers’ communications, nor has a direct visibility into your affected customers’ networks, equipment, and systems, Bandwidth isn’t in a position to stop fraudulent traffic that may emanate from your network through compromised systems and end-users. Please keep in mind that Bandwidth monitors for, detects, and mitigates fraudulent traffic to protect its own networks and customers. Per your contractual obligations with Bandwidth, you’re responsible for managing your traffic, detecting fraudulent activity, and stopping it on your networks, before it reaches Bandwidth. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly.

How did Bandwidth let [this fraudulent event] happen?

Bandwidth monitors for, detects, and mitigates fraudulent traffic to protect its own networks and its customers. Per your contractual obligations with Bandwidth, you’re responsible for managing your traffic, detecting fraudulent activity, and stopping it on your networks, before it reaches Bandwidth. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly. We also ask that you cooperate with us, so we can help identify instances of fraud and be able to better assist you with your fraud prevention objectives in the future.

Bandwidth alerts its customers of suspicious traffic behaviors as a courtesy, in order to allow you time to secure any vulnerabilities, block fraudulent traffic, and mitigate possible hacks or unauthorized access to your, or your customers' systems.

Can Bandwidth secure my customers?

No. Since Bandwidth doesn’t manage your customers’ communications, nor has a direct visibility into your affected customers’ networks, equipment, and systems, Bandwidth isn’t in a position to stop fraudulent traffic that may emanate from your network through compromised systems and end-users. Please keep in mind that Bandwidth monitors for, detects, and mitigates fraudulent traffic to protect its own networks and its customers. Per your contractual obligations with Bandwidth, you’re responsible for managing your traffic, detecting fraudulent activity, and stopping it on your networks, before it reaches Bandwidth. We ask that you work with your network staff, your network equipment vendors, and your customers to review your network security and secure all of your systems accordingly.
