Interesting!
First off - do you know for certain that this gent being transferred to IT is doing anything your company believes criminal? I don't think you have established that..

However for the fun of it....

I can think of several things this gent is trying to do...
Hack the voicemail to listen to private messages, enter DTMF tones during transfer to attempt getting an outside line to make additional calls, or maybe an internal arrangement with someone to do the same without all the hacking. (the voicemail - depending on it's intelligence - may be able to be programmed to allow access to outside lines).
Anybody hear of a feature called voicemail callback? Someone leaves you a voicemail and it will call you to alert you of the voicemail left. With minor mod's it could just be made to make a call not a callback. Some voicemail systems today can be programmed for voicemail to email notification. Similar notification but via email - not callback. What would you do with this? Either way the key to tracing this out starts with the "IT" telephone number and account you're transferring him to - you would need to look at the programming on the switch and voicemail system. Maybe the vulnerability (if he is exploiting a vulnerability) doesn't exist in your system but in the carrier provided connection between Dallas and NYC? If asked your phone company can identify the caller relatively easily (at least the calling country and number) and take steps to block them.
Again, Interesting....