Service Disruption or “Denial of Service” (DoS) — DoS attacks are generally the most simple and thus most common type of attack faced by data networks. For VoIP, the attack would simply bombard the call processing/managing application with an inordinate amount of simultaneous requests that it cannot process, causing the application to essentially shut down and deny service to authorized and intended users. Calls in process would be abruptly terminated and any attempt to originate a call would be unsuccessful.
Primary risks of successful denial of service attacks include loss of revenue due to lost sales call volume, negative customer experience resulting from lost support calls and productivity lost as communications with remote offices drop off.
Toll Fraud/Service Theft — Toll fraud or service theft will likely be the most common attack or exploit that will be seen, at least in the early stages of VoIP deployment. The attack would simply take the form of an unauthorized user gaining access to the VoIP network by mimicking an authorized user or seizing control of an IP Phone and initiating outbound long distance calls. This is one of the most common forms or fraud or “hacking” in the PSTN environment, particularly for expensive, international toll calls.
Risks include increased expenses and decreased productivity as billing issues must be investigated and resolved.
Eavesdropping — VoIP services measurement and troubleshooting software make eavesdropping on a packetized voice call possible. Hackers can take the data and convert it into a WAV audio file.
Lost revenue, and disclosure and compliance issues are among the risks of successful VoIP eavesdropping.
Phishing — “Phishing,” an attempt to obtain information from someone by posing as a legitimate party, is becoming more and more prominent over e-mail, but the same tactics can be used over VoIP if an unauthorized user begins calling individuals in the organization and initiating requests sensitive information using a legitimate name and phone extension.
For example, someone receives a call from an extension in human resources wanting to make sure records are up-to-date and asks to verify their name, Social Security number and date of birth. Once obtained, this information is a simple launching pad for identity theft. This exercise could also be used to obtain sensitive customer information as well.
Primary business risks include legal exposure from the release of employee and/or customer information.