Technology rings up vulnerabilities

Internet phone services pack traditional, nontraditional risks

Cyber attacks are lurking around nearly every virtual corner, and the growing use of Internet phone technology could be exposing systems to yet another threat.

As more businesses move their telephone systems off of traditional “land lines” and make calls using Voice Over Internet Protocol technology, the vulnerabilities and risks associated with VoIP should not be overlooked, experts say.

VoIP technology is seen as offering a cost-effective and flexible way for businesses to manage and simplify their communication networks, as it gives the users the ability to place calls over the Internet with the use of a private network.

VoIP users can set up a central facility and then make calls at other locations using simple equipment, including cell phones that can be configured to a company's network. This cuts down on the infrastructure costs associated with traditional phone lines, and expenses related to long-distance calling and other charges.

About 33% of U.S. businesses have adopted VoIP systems, according to Scottsdale, Ariz.-based In-Stat, a technology research and consultant group and unit of Reed Elsevier P.L.C. In-Stat also forecasted that U.S. business use of VoIP could reach 79% in 2013.

While risk managers have addressed many cyber risks, they may be ignoring VoIP-related exposures—at their peril.

“VoIP hacking is not really a risk that's on the radar for risk managers,” said Brad Gow, Philadelphia-based Zurich North America Commercial senior vp of errors and omissions for Zurich's specialties unit. “I wouldn't say it's something they are ignoring, but it's something they're probably not thinking of when they address their network security.”

In a November 2009 white paper on VoIP vulnerabilities, McAfee Labs identified several hacking exposures including eavesdropping and “voice phishing,” in which spoof calls are used to extract financial information from a consumer or business. The Santa Clara, Calif.-based computer security company also said the risks are increasing as VoIP technology proliferates.

In addition, VoIP systems can be vulnerable to denial-of-service attacks in which hackers attempt to make computer networks unavailable. For example, a hacker could force the network to reset, which would obstruct legitimate communication over the network.

Even routine Internet outages can cause big problems.

“If you're using VoIP, you have to be aware that if the Internet goes down, you will lose your data and voice capabilities as well,” said Kevin Kalinich, professional risk solutions co-national managing director for Chicago-based Aon Corp. “There are some pretty nonobvious challenges with a network like this.”

“Some of the risks associated with VoIP are not new and have been around for years,” said Ivan Acre, chief technology officer and co-founder of Boston, Mass.-based Core Security Technologies. “As the increased interest for VoIP emerges as people look for low-cost ways to operate, the risks will emerge as well.”

Alan E. Brill, New York-based senior managing director of technical services for Kroll Inc., a unit of Marsh & McLennan Cos. Inc., said that while there are obvious advantages of a business changing to a VoIP system from standard telephone lines, companies need to weigh the risks and liabilities. For example, technology and software exist that could allow individuals to access sensitive information.

“Risk is evolving at the speed of technology...at the speed of the Internet,” Mr. Brill said. “It's really a situation that the risk officer or the risk manager has to monitor.”

Mr. Brill said an employee could compromise a VoIP system by using their personal account under a service such as Skype, a software application provided by Luxembourg-based Skype Ltd. that allows users to make calls over the Internet.

Mr. Brill and his colleague Brian Lapidus, New York-based chief operating officer of Kroll's fraud services division, said risk managers need to set up a policy stating how programs and the network should be used.

“Skype is just the latest entryway into a network, and your business is the one that can take the hit,” Mr. Lapidus said.

In what is believed to be the first conviction associated with reselling hacked VoIP services, Edwin Pena in February pleaded guilty to one count of conspiracy to commit computer hacking and wire fraud, and one count of wire fraud. Co-defendant Robert Moore was accused of a form of eavesdropping, or a “man-in-the-middle attack” in which a third party intercepts a call between two VoIP servers, prosecutors said.

Bill McGee, marketing manager for San Jose, Calif.-based Cisco Systems Inc., which provides VoIP equipment, said VoIP lines can be encrypted so that anyone listening in on a conversation would not be able to understand the information being transmitted.

Mr. McGee and Randy Birdsall, technology marketing manager for Cisco's voice technology group, also said Cisco is able to supply security software, separate voice lines from data lines and monitor lines for indications that someone is listening or creating a disturbance.

“There is a fear that if you use VoIP you will open up your network and create more holes and vulnerabilities, but that's not necessarily true,” Mr. Birdsall said.

Harry Emerson, VoIP security technology entrepreneur and president of Flanders, N.J.-based Emerson Development L.L.C., said the cost advantages of VoIP can draw attention away from the risks.

“Companies just now it seems are aware of the Internet threats VoIP creates, and those threats need to be addressed on a serious level,” said Mr. Emerson, who retired from 25 years at AT&T and is co-founder of SurferNETWORK, an Internet broadcasting service.