95% of the fraud I have seen has been from blank SIP passwords. Double-check this. Never let the password be your extension.
A great thing you can do to prevent unwanted traffic is to block your dialplan. If you don't ever dial international, block it. Block '0' operator access. Block 900 numbers, etc., etc.
Also make sure users don't use easy voicemail PIN numbers...
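
Added example (not part of the original post): a small Python audit for the password and voicemail PIN checks mentioned above. It assumes an Asterisk-style `sip.conf` and `voicemail.conf` layout, which the post does not name; the sample data, function names and the "easy PIN" rules are constructed for illustration.

```python
import re

# Constructed sample, Asterisk sip.conf style (assumed format, not from the post).
SAMPLE_SIP_CONF = """\
[general]
[100]
secret=100
[101]
secret=
[102]
secret=t7#Lq9vX2mRp
[103]
host=dynamic
"""

# Constructed sample, Asterisk voicemail.conf style: mailbox => PIN,name
SAMPLE_VOICEMAIL_CONF = """\
[default]
100 => 1234,Alice
101 => 101,Bob
102 => 8305,Carol
"""

def audit_sip(text):
    """Map extension -> problem when the secret is blank, missing or the extension."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        section = re.fullmatch(r"\[([^\]]+)\].*", line)
        if section:
            current = section.group(1)
            if current != "general":                 # [general] is not a peer
                peers[current] = ""
        elif current in peers and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "secret":
                peers[current] = value
    return {ext: "blank or missing secret" if not s else "secret equals extension"
            for ext, s in peers.items() if not s or s == ext}

def audit_voicemail(text):
    """Map mailbox -> problem for short, repeated, sequential or mailbox-number PINs."""
    findings = {}
    for raw in text.splitlines():
        m = re.match(r"\s*(\d+)\s*=>\s*([^,]*)", raw.split(";", 1)[0])
        if m:
            box, pin = m.group(1), m.group(2).strip()
            if (pin == box or len(pin) < 4 or len(set(pin)) == 1
                    or pin in "01234567890" or pin in "09876543210"):
                findings[box] = "easy PIN"
    return findings
```

Run both functions over the live configuration files and treat any non-empty result as something to fix before the PBX is reachable from outside.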