Toll fraud involves an attacker gaining unauthorised access to a company's systems to make calls or send messages at the company's expense.

Toll Fraud goes by various names such as "Artificially Inflated Traffic", "SMS Cracking", "SMS Pumping" and "API Spamming".

Toll Fraud can be expensive, with businesses potentially facing thousands of dollars in unexpected charges in a very short period.

Beyond the direct financial loss, victims of toll fraud may also experience damage to their reputation, loss of customer trust, and potential legal consequences if their communication systems are used to perpetrate further fraud.

Attack Methods

Common attack methods include guessing or reusing weak passwords, exploiting vulnerabilities in software, and phishing employees for their credentials.

For Cloud-Hosted Voice, Fax and SMS systems such as those offered by TNZ, this involves fraudsters gaining access to your:

  • API keys: an attacker who obtains your API key can send messages through your account from their own tools, at your cost.
  • Dashboard login: an attacker with your username and password can log into TNZ's Dashboard as you and send messages.
  • Web-form: if you have a public web form that sends messages (such as a telephone number verification form), attackers can enter any telephone number, including expensive international numbers, and send messages at your cost.


Detection Methods

Toll Fraud is typically accompanied by:

  1. A sudden spike in usage
  2. Messages sent to unusual countries and geographies
  3. Messages sent to sequential numbers at the same time

Regularly reviewing usage and reports can assist with detecting toll fraud.

In TNZ's Dashboard, select View Messages then Detailed Messages Sent to view a report of messages sent by destination number. Look for large spikes in usage or messages sent to unusual country prefixes.
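The three indicators above can be checked automatically against an export of sent messages. The following is an added example, not TNZ's code and not the format of the Dashboard report: it runs over a constructed "timestamp,destination" log and flags an hourly spike, destinations outside an assumed NZ/AU allow-list, and a run of messages to consecutive numbers sent seconds apart. The sample numbers, the one-hour bucket, the 60-second window and the allow-list are all assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in a simple "timestamp,destination" form. It is NOT the TNZ
# export format; adapt parse_log() to the columns of your own Detailed Messages
# Sent report. Destinations are E.164 (+country code, then subscriber number).
SAMPLE_LOG = """\
2024-05-01T09:00:00,+64211234567
2024-05-01T09:05:00,+61412345678
2024-05-01T11:40:00,+64212345678
2024-05-01T14:10:00,+64213456789
2024-05-02T02:00:00,+2250700000001
2024-05-02T02:00:01,+2250700000002
2024-05-02T02:00:02,+2250700000003
2024-05-02T02:00:03,+2250700000004
2024-05-02T02:00:04,+2250700000005
2024-05-02T02:00:05,+2250700000006
2024-05-02T02:00:06,+64211234567
"""

# Assumption: this business only ever sends to New Zealand (+64) and Australia (+61).
ALLOWED_COUNTRY_CODES = {"64", "61"}


def parse_log(text):
    """Parse 'ISO-timestamp,destination' lines into (datetime, number) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, number = line.split(",")
        records.append((datetime.fromisoformat(ts), number))
    return records


def country_code(number):
    """Longest-prefix match against the allow-list; 'other' if no allowed code matches."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in ALLOWED_COUNTRY_CODES:
            return digits[:length]
    return "other"


def hourly_spikes(records, threshold):
    """Indicator 1: hours in which more than `threshold` messages were sent."""
    per_hour = Counter(ts.replace(minute=0, second=0, microsecond=0) for ts, _ in records)
    return {hour: n for hour, n in sorted(per_hour.items()) if n > threshold}


def unexpected_destinations(records):
    """Indicator 2: destinations whose country code is not on the allow-list."""
    return [number for _, number in records if country_code(number) == "other"]


def sequential_runs(records, window=timedelta(seconds=60), min_run=3):
    """Indicator 3: runs of at least `min_run` messages to consecutive numbers,
    each sent within `window` of the previous one."""
    ordered = sorted(records)
    runs = []
    current = ordered[:1]
    for prev, cur in zip(ordered, ordered[1:]):
        consecutive = int(cur[1].lstrip("+")) - int(prev[1].lstrip("+")) == 1
        if consecutive and cur[0] - prev[0] <= window:
            current.append(cur)
            continue
        if len(current) >= min_run:
            runs.append([number for _, number in current])
        current = [cur]
    if len(current) >= min_run:
        runs.append([number for _, number in current])
    return runs


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("spikes:", hourly_spikes(recs, threshold=5))
    print("unexpected destinations:", unexpected_destinations(recs))
    print("sequential runs:", sequential_runs(recs))
```

On the sample data the 02:00 hour on the second day trips all three indicators at once, which is the typical shape of an SMS pumping run: a burst of messages to consecutive numbers in a country you never send to. In practice, set the spike threshold from your own normal hourly volume rather than a fixed number.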


Prevention Methods

Preventing toll fraud requires employee training and robust technology security policies.

  • Passwords and API Keys: Ensure that all Passwords and API Keys are strong, unique, rotated regularly and stored securely, never in client-side code or public repositories.
  • Patching: Regularly update and patch software tools, particularly those that store Passwords and API Keys.
  • Access Controls: Restrict dashboard access to only those employees who require it.
  • Public App Security: If your application is publicly accessible and allows sending SMS, Voice or Fax messages (such as a telephone number verification tool):
    • Limit the country codes your application can send messages to. For example, if you are only sending to New Zealand and Australia, allow these prefixes only:
      +64
      0064
      64
      0
      +61
      0061
      61
      Note that a bare "0" prefix also matches numbers entered with the "00" international dialling prefix, so normalise the number to international format (+64..., +61...) before checking the country code, and reject anything that does not normalise cleanly.
    • Use CAPTCHA tools to prevent bots completing forms.
  • Employee Training: Educate employees about the risks of phishing and social engineering attacks. Encourage them to report suspicious activities that could indicate a system breach.
  • Usage Reporting: Regularly review usage for abnormalities, particularly large spikes in spend, as Toll Fraud attacks typically target expensive international and premium-rate destinations.
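The country-code restriction above is easy to get wrong if it is implemented as a plain string-prefix test. The following is an added example, not TNZ's code: it normalises a user-entered number into international (+country code) form, accepting the four input forms the page lists, and only then checks the country code against the allow-list. A naive prefix check is included beside it for contrast. The assumptions are that national-format numbers (leading trunk "0") are New Zealand numbers, and that the allow-list is New Zealand and Australia only; the test numbers are constructed.

```python
import re

# Per the page's example: the business only sends to New Zealand and Australia.
ALLOWED_COUNTRY_CODES = ("64", "61")
# Assumption: numbers entered in national format (leading trunk "0", e.g. 021...) are NZ numbers.
HOME_COUNTRY_CODE = "64"
E164_MAX_DIGITS = 15  # E.164 numbers carry at most 15 digits


def normalise_to_e164(raw):
    """Turn a user-entered number into '+<country code><subscriber number>', or return
    None if the input cannot be interpreted unambiguously. The accepted input forms are
    the page's prefixes: '+64...', '0064...' (international dialling prefix), '64...'
    (bare country code) and '0...' (national format)."""
    s = re.sub(r"[\s().-]", "", raw)           # drop spaces, brackets, dots, dashes
    if not re.fullmatch(r"\+?\d+", s):
        return None                             # letters, empty string, stray '+' etc.
    if s.startswith("+"):
        digits = s[1:]
    elif s.startswith("00"):
        digits = s[2:]                          # 00 <country code> <number>
    elif s.startswith("0"):
        digits = HOME_COUNTRY_CODE + s[1:]      # trunk 0 becomes the home country code
    else:
        digits = s                              # bare country code, e.g. 64..., 61...
    if not 5 <= len(digits) <= E164_MAX_DIGITS:  # lower bound is an assumption
        return None
    return "+" + digits


def destination_allowed(raw):
    """True only if the number normalises cleanly AND its country code is on the allow-list."""
    e164 = normalise_to_e164(raw)
    return e164 is not None and e164[1:].startswith(ALLOWED_COUNTRY_CODES)


def naive_prefix_check(raw):
    """The weak version, shown for contrast: a string-prefix test straight against the
    page's list. The bare '0' entry also matches '00<any country code>', so an
    international number dialled with the 00 prefix slips through."""
    s = re.sub(r"[\s().-]", "", raw)
    return s.startswith(("+64", "0064", "64", "0", "+61", "0061", "61"))


if __name__ == "__main__":
    for number in ["+64 21 123 4567", "021-123-4567", "0061 412 345 678",
                   "00 1 212 555 1234", "+44 20 7946 0000", "not a number"]:
        print(f"{number!r:22} e164={normalise_to_e164(number)!s:15} "
              f"allowed={destination_allowed(number)} naive={naive_prefix_check(number)}")
```

Run the normalised number through the check server-side, on every request, and pass the normalised form (not the raw input) to the send call, so the number that was checked is the number that is dialled.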