Telecommunications fraud costs the global industry $32.7 billion annually, according to the Communications Fraud Control Association (CFCA). In 2023, this figure reached $38.95 billion, representing 2.5% of total sector revenue. For IT directors managing call centers or sales teams, the choice and configuration of SIP trunks are critical to the company's phone reputation.
A poorly secured SIP trunk doesn't just expose the business to fraud — it can lead to number spoofing, cascading spam reports, and ultimately the blacklisting of your lines. This technical guide gives you the keys to mastering this critical infrastructure.
What is SIP trunking and why does it impact your reputation?
SIP (Session Initiation Protocol) trunking is the virtual connection that links your internal phone system (IP PBX) to the public telephone network via the Internet. It replaces legacy physical T1/E1 lines with digital channels running over your IP connection.
Unlike an analog line, a SIP trunk exposes your telephony infrastructure to the Internet. This means:
- Your SIP headers are visible — caller ID information can be intercepted or forged if the trunk is not secured.
- Reputation is shared — if your SIP provider shares number ranges between clients, another user's behavior can affect your reputation.
- Attacks are automated — bots constantly scan SIP ports (5060/5061) looking for vulnerable trunks.
The 5 pillars of a SIP trunk that protects your reputation
1. Session Border Controller (SBC): your voice firewall
The SBC is the firewall equivalent for your telephony. Positioned at the border between your internal network and the SIP trunk, it performs several critical functions:
- SIP packet inspection — detection of malformed or suspicious requests.
- Topology hiding — your internal IP addresses remain invisible from outside.
- Toll fraud prevention — restricting authorized call destinations and detecting abnormal activity spikes.
- DoS attack protection — filtering massive SIP traffic designed to overwhelm your infrastructure.
Without an SBC, your IP PBX is directly exposed to the Internet. This is the most common and dangerous mistake for your phone reputation.
2. TLS + SRTP encryption: end-to-end confidentiality
The SIP protocol transmits data in clear text by default. To secure your communications:
- TLS (Transport Layer Security) encrypts SIP signaling — session information (who calls whom, when, duration) is protected.
- SRTP (Secure Real-time Transport Protocol) encrypts the audio stream — conversations cannot be intercepted.
Always require TLS 1.2 minimum (ideally 1.3) support from your SIP provider. If your carrier doesn't offer SRTP encryption, switch providers.
3. Authentication and access control
Authentication best practices for your SIP trunk:
- Digest authentication with complex credentials (minimum 16 characters, quarterly rotation).
- IP source filtering — only authorize your SIP provider's IP addresses on ports 5060/5061.
- Access Control Lists (ACL) on your SBC to restrict authorized address ranges.
- Concurrent call limiting per trunk to immediately detect any fraudulent activity.
4. Real-time monitoring and alerts
A SIP trunk without monitoring is like flying blind. IT directors must implement:
- Unusual destination alerts — a spike in calls to premium-rate or international numbers often signals compromise.
- Call volume monitoring — compare actual traffic against normal patterns.
- SIP response code tracking — high rates of 403 (Forbidden) or 407 (Authentication Required) indicate intrusion attempts.
- Reputation dashboards — integrate a tool like the HUHU API to track the spam status of your outbound numbers in real time.
5. STIR/SHAKEN: caller identity authentication
The STIR/SHAKEN protocol (Secure Telephony Identity Revisited / Signature-based Handling of Asserted information using toKENs) is the standard for call authentication. Developed in the United States and progressively adopted in Europe, it enables:
- Caller identity certification — each call is digitally signed by the originating carrier.
- Attestation levels — A (full attestation), B (partial attestation), or C (gateway, unverifiable identity).
- Spoofing detection — a call whose signature doesn't match the declared carrier is immediately flagged.
In France, ARCEP is working on progressive STIR/SHAKEN implementation. IT directors should ensure their SIP provider supports this protocol or has clear deployment plans, as it will become a key factor in phone reputation.
Choosing your SIP trunk provider: reputation criteria
Your SIP provider choice directly impacts your reputation. Here are the criteria to evaluate:
Dedicated vs shared numbers
Choose dedicated numbers (DID). With shared or pooled numbers, you potentially inherit the poor reputation of other users in the same pool. It's the same issue as recycled numbers inheriting bad reputation.
Provider security capabilities
| Criterion | Minimum acceptable | Recommended |
|---|---|---|
| Signaling encryption | TLS 1.2 | TLS 1.3 |
| Media encryption | SRTP | SRTP + ZRTP |
| Access control | IP whitelisting | IP + mutual certificates |
| Anti-fraud | Manual alerts | Auto-detection + cutoff |
| STIR/SHAKEN | Published roadmap | Implemented with A attestation |
| Managed SBC | Optional | Included in offering |
Major providers in France
Tier 1 operators like Orange Business and Bouygues Telecom Business offer SIP trunks with high security levels and control over their core network. Cloud players like OVHcloud Telecom provide flexible solutions with Carrier SIP Trunk packages for high volumes (up to 100 channels per trunk). Specialists like Ringover or Keyyo target SMBs with turnkey solutions.
The decisive criterion remains the quality of assigned number ranges: a carrier that aggressively recycles numbers or pools them exposes its clients to inherited reputation problems.
Recommended architecture for IT directors
Here is the recommended architecture to protect a call center's phone reputation:
┌─────────────┐ ┌─────────┐ ┌──────────────┐ ┌─────────────┐
│ Agents │────▶│ IPBX │────▶│ SBC │────▶│ SIP Trunk │
│ (stations) │ │ │ │ (TLS+SRTP) │ │ (carrier) │
└─────────────┘ └─────────┘ └──────────────┘ └─────────────┘
│ │ │
▼ ▼ ▼
┌─────────┐ ┌──────────────┐ ┌──────────────┐
│Internal │ │ SIP Logs │ │ HUHU API │
│Monitoring│ │ (analysis) │ │ (reputation) │
└─────────┘ └──────────────┘ └──────────────┘
Key points:
- SBC is mandatory between IP PBX and SIP trunk — never expose directly.
- SIP logs must be retained and analyzed for anomaly detection.
- Reputation verification API should be integrated before calling campaigns to check each outbound number's status.
- Monitoring triggers automatic alerts for abnormal behavior (call spikes, suspicious destinations, high rejection rates).
Mistakes that ruin your reputation from the SIP trunk
IT directors frequently make these mistakes that directly impact number reputation:
- No SBC — an IP PBX directly exposed to the Internet gets compromised within hours. Fraudulent bots make calls from your numbers, which end up blacklisted.
- Unprotected default SIP ports — ports 5060 (SIP) and 5061 (SIPS) are constantly scanned. Without IP filtering, it's an open door.
- Weak trunk credentials — simple passwords on SIP authentication enable brute force attacks.
- No concurrent call limits — without caps, a compromise can generate thousands of fraudulent calls in minutes.
- Ignoring shared numbers — accepting a number pool without checking their reputation history.
Each of these mistakes can turn your numbers into "spam" in the eyes of carriers and anti-spam apps. Cloud telephony (Teams, Zoom) amplifies this risk as these platforms rely on shared reputation databases.
Technical checklist: secure your SIP trunk in 10 points
- ☐ Deploy an SBC between IP PBX and SIP trunk.
- ☐ Enable TLS 1.2+ on SIP signaling.
- ☐ Enable SRTP on all media streams.
- ☐ IP source filtering on trunk connections.
- ☐ Configure complex credentials (16+ characters) with quarterly rotation.
- ☐ Cap concurrent calls per trunk and destination.
- ☐ Block premium-rate destinations not needed for business.
- ☐ Set up real-time alerts for traffic anomalies.
- ☐ Check number reputation before each campaign via a dedicated API.
- ☐ Require STIR/SHAKEN support from your SIP provider.
FAQ
What is a SIP trunk and how does it differ from a traditional phone line?
A SIP trunk is a virtual connection linking your phone system (IP PBX) to the public network via the Internet. Unlike analog or ISDN lines using dedicated physical cables, SIP trunks transmit voice as data packets over your IP connection. They offer more flexibility (channels on demand) and lower costs but require specific security measures since they're exposed to the Internet.
How do I know if my SIP trunk is properly secured?
Check these three essentials: 1) An SBC (Session Border Controller) is installed between your IP PBX and the trunk, 2) TLS encryption is active on SIP signaling (port 5061 rather than 5060), 3) SRTP encryption is enabled on audio streams. If any of these elements is missing, your infrastructure is vulnerable.
Can my SIP provider affect my number reputation?
Yes, significantly. If your provider pools number ranges across multiple clients, another user's spam behavior can degrade your own number reputation. Prioritize dedicated numbers (DID) and ask your provider to check reputation history before assignment.
Is STIR/SHAKEN mandatory in France?
As of March 2026, STIR/SHAKEN is not yet mandatory in France, but ARCEP is actively working on its deployment. In the United States, it has been mandatory since 2021 for large carriers. French IT directors should get ahead by choosing a SIP provider that already supports it or has a clear roadmap.
