Cybercriminals are increasingly utilizing Voice over Internet Protocol (VoIP) numbers to navigate around security measures, posing significant challenges for protection mechanisms. These numbers, often temporary, are employed before detection systems can recognize and block them, exposing individuals to potential scams.
Emerging Threat: VoIP-Based Scams
These fraudulent schemes typically begin with emails, where scammers embed contact numbers within the message content, titles, or attachments. The primary aim is to persuade recipients to call these numbers, leading to the extraction of sensitive personal or financial information. This live interaction allows scammers to exploit victims more effectively than traditional phishing techniques do.
Research conducted by Cisco Talos highlights a significant shift towards telephone-oriented attack delivery (TOAD) as a preferred strategy in current email threats. Their study, spanning from late February to late March 2025, revealed that prominent scam operations heavily rely on VoIP technology for large-scale, cost-effective execution.
VoIP Numbers: A Scammer’s Weapon
VoIP numbers are appealing to attackers due to their easy acquisition and disposal. With API-driven services from select providers, scammers can swiftly generate and discard hundreds of numbers, often eluding reputation systems. The median lifespan of these numbers during the study was approximately 14 days.
Beyond individual victims, organized call centers orchestrate campaigns impersonating well-known brands such as PayPal and McAfee, using these VoIP infrastructures. This setup is intentionally designed to blend into legitimate telecom networks, making detection and tracing difficult.
Scammers strategically acquire large blocks of numbers, often through Direct Inward Dialing (DID) purchases. When a number is flagged, they simply switch to the next in the sequence, ensuring uninterrupted operations.
Strategic Reuse and Adaptation
Cisco Talos identified that six out of ten major campaigns during their study period depended solely on VoIP infrastructure. Sinch, a communications-platform-as-a-service (CPaaS) provider, emerged as the most frequently exploited provider due to its programmable API capabilities that support high call volumes, making it ideal for large-scale scams.
The reuse of phone numbers is meticulously planned. Of the 1,962 numbers analyzed, 68 were utilized on multiple consecutive days, often with a cool-down period before reactivation. This strategy is crafted to outpace third-party reputation services, which require time to update and disseminate new intelligence.
In addition, scammers recycle numbers across different lures. A single number may appear in emails as an order confirmation, a subscription renewal, or a financial alert, avoiding detection by varying the context.
Security experts recommend moving beyond traditional email sender filtering, which is less effective as attackers cycle through temporary domains. Treating phone numbers as key indicators of compromise and applying clustering methods to link related campaigns is advised. Enhanced real-time reputation monitoring and collaboration among telecom providers are crucial steps in combating these organized scam networks.
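As an added illustration of the recommendation above (not code from Cisco Talos or the original article), the following Python sketch treats phone numbers as indicators: it normalizes numbers found in email text, links messages that share a number across different lures and senders, and groups numerically adjacent numbers that may belong to one purchased DID block. The sample messages, the "lure" labels (assumed to come from an upstream classifier), the function names and the gap threshold of 10 are all constructed assumptions.

```python
import re
from collections import defaultdict

# Loose North American number matcher: optional +1, then 3-3-4 digits with common separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.\-]?)?\(?(\d{3})\)?[\s.\-]?(\d{3})[\s.\-]?(\d{4})(?!\d)")

# Constructed sample messages; the "lure" label is assumed to come from an upstream classifier.
SAMPLE_EMAILS = [
    {"sender": "billing@shop-a.example", "day": "2025-03-01", "lure": "order_confirmation", "subject": "Order confirmed", "body": "Call +1 (808) 555-0142 to cancel."},
    {"sender": "noreply@renew-b.example", "day": "2025-03-02", "lure": "subscription_renewal", "subject": "Renewal notice 808.555.0142", "body": "Your plan renews today."},
    {"sender": "alerts@pay-c.example", "day": "2025-03-05", "lure": "financial_alert", "subject": "Unusual charge", "body": "Dispute it at 808-555-0145."},
    {"sender": "help@store-d.example", "day": "2025-03-05", "lure": "order_confirmation", "subject": "Receipt", "body": "Support line: 212 555 0199"},
]

def extract_numbers(text):
    """Return the set of normalized 10-digit numbers found in text."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}

def build_index(emails):
    """Map each number to the lures, days and senders it was seen with."""
    index = defaultdict(lambda: {"lures": set(), "days": set(), "senders": set()})
    for mail in emails:
        for num in extract_numbers(mail["subject"] + "\n" + mail["body"]):
            entry = index[num]
            entry["lures"].add(mail["lure"])
            entry["days"].add(mail["day"])
            entry["senders"].add(mail["sender"])
    return index

def reused_across_lures(index):
    """Numbers that appear under more than one lure theme."""
    return sorted(n for n, e in index.items() if len(e["lures"]) > 1)

def cluster_blocks(numbers, max_gap=10):
    """Group numbers that sit within max_gap of a neighbour (possible shared DID block)."""
    clusters, current = [], []
    for num in sorted(numbers, key=int):
        if current and int(num) - int(current[-1]) > max_gap:
            clusters.append(current)
            current = []
        current.append(num)
    if current:
        clusters.append(current)
    return clusters

if __name__ == "__main__":
    idx = build_index(SAMPLE_EMAILS)
    print(reused_across_lures(idx))
    print(cluster_blocks(idx))
```

Because the index is keyed on the number rather than the sender, the first two sample messages are linked even though their sender domains and lure themes differ.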
