• Home
  • Hosted Voice

Identify a Ghost Call

Written by Mira Beltre

Updated at August 22nd, 2025

Contact Us

  • The Essentials
    FAQs Forms OIT Learning Academy
  • Announcements
    Carrier Events mFax Events Platform Events Release Notes
  • Billing Administration
    Datagate OneBill
  • Faxing
    mFax - Analog mFax - Digital Native Fax
  • Hardware & Software
    Manual Configuration Provisioning NDP Axis Cisco Fanvil Grandstream Polycom Snom Yealink Mobile Applications Desktop Applications Mobile-X SNAPbuilder TeamMate Connector UC Integrator
  • Hosted Voice
    Auto Attendants Branding Call Queues Call Routing CDRs Conferencing E-911 Features Fraud Integrations Inventory / Phone Numbers Local & Toll Free Porting Onboarding Recommendations SNAP.HD SIP Trunking SMS / MMS Users Voicemail Caller ID
  • Troubleshooting
    VoIPmonitor Firewalls PBX
  • Ray's Stuff
+ More

Table of Contents

Scope How to Prevent Ghost Calls Change the SIP Listening Port Block SIP Traffic at the Firewall Disable Direct IP Calls

Scope

Intended Audience: All End Users

This document explains how ghost calls occur, how to identify them, and how to prevent them.

 

Ever received a call with no one on the line—and nothing in your call history?

These are known as Ghost Calls.

Ghost calls typically occur when a partner or client becomes a victim of SPIT (Spam over Internet Telephony). In the VoIP landscape, SPIT is a common nuisance. Cybercriminals attempting toll fraud use SIP dialers to scan random IP addresses, sending SIP INVITE requests to detect active devices. When they find one, they often try to access the phone's web interface and set up call forwarding to high-cost destinations.

By default, many SIP phones automatically respond to any SIP INVITE they receive. This not only reveals the device’s presence to attackers but also triggers unwanted phone rings—leading to the “ghost call” experience.

The rise of scanning tools like SIP Vicious has made these incidents more frequent. Some of these ghost calls even display suspicious caller IDs like "SIPVicious" or other unusual patterns. An example is given below:

To determine whether your system is being targeted, check your PBX call logs. If the calls don’t appear there, it’s a strong indicator that SIP scanning is the cause.

How to Prevent Ghost Calls

Change the SIP Listening Port

Most SIP scanners focus on port 5060—the default for SIP traffic. Changing the phone's SIP listening port (usually via override settings) can reduce the likelihood of being targeted. Note: This won’t be effective if the scanner sweeps all ports.

  • Yealink: sip.listen_port="(port)"
  • Grandstream: p40="port"


Block SIP Traffic at the Firewall

Configure firewall rules to block all inbound SIP packets, except those from trusted SIP server IPs -IP Addresses & Ports. This is one of the most reliable ways to protect against unsolicited traffic. 

Disable Direct IP Calls

Some phones offer the option to disable direct IP calls, allowing only calls from the device’s registered SIP server. This greatly reduces exposure to external SIP probes. Sample override settings are provided below if needed.

  • Polycom: 

    voIpProt.SIP.requestValidation.1.method="source" 
    voIpProt.SIP.requestValidation.1.request="INVITE"
     
  • Yealink V73 Firmware and Below

    features.direct_ip_call_enable="0"
    account.1.sip_trust_ctrl="1"
     
  • Yealink V80 Firmware Plus

    features.direct_ip_call_enable="0"
    sip.trust_ctrl="1"

Note: Devices that are properly provisioned will already have these settings.

 

ghost call detect

Was this article helpful?

Yes
No
Give feedback about this article

Related Articles

  • Getting Started Guide
  • Extension Numbering & Reserved Number Space
  • PBX Transfer Checklist
  • Interoperability Testing Checklist
  • 10 Digit Dialing

Knowledge Base Software powered by Helpjuice

Expand