"If someone starts abusing your telephone system, you are potentially on the hook for a lot of money," Digium's Todd said.

Liberty Bank First Vice President Jill Hitchman believes that the scammers who targeted her bank probably hit between 30 and 35 businesses and were making between 20,000 and 30,000 phone calls per day. "I don't think these companies realize they're probably going to be getting charges," Hitchman said. "The bigger issue is, how are these phone systems being accessed and why can't we stop it?"

Only a few Liberty customers fell for the scam, Hitchman said, but the attackers knew what they were doing. First they would sign up for AOL accounts, to test that the card numbers worked. Because AOL offers free trial memberships, these charges do not show up for months. By that time, the scammers have put the information on fake ATM cards and emptied the bank accounts.

Businesses could prevent a lot of these attacks by changing the port they use for Session Initiation Protocol (SIP) connections on their VoIP systems, by blocking connections after a certain number of failures, and by simply using better passwords on their voice systems, security experts say.

The problem is that for most small and medium-sized businesses, security is just not a priority. "People care way more about whether their conference calls are going to have decent phone quality," said Rodney Thayer, chief technology officer with VoIP security company Secorix.