Scammers Evade Call Blocking with VoIP Numbers and Windows Reuse
Key Takeaways Scammers are increasingly using Voice over Internet Protocol (VoIP) numbers in phone-based attacks, known as Telephone-Oriented Attack Delivery (TOAD). These VoIP numbers are rapidly...
Key Takeaways
- Scammers are increasingly using Voice over Internet Protocol (VoIP) numbers in phone-based attacks, known as Telephone-Oriented Attack Delivery (TOAD).
- These VoIP numbers are rapidly provisioned and discarded, often within a median lifespan of 14 days, to evade detection by reputation systems.
- Attackers embed these numbers in emails across various lure types and file formats, impersonating major brands like PayPal and McAfee.
- Cisco Talos research highlights the need for security teams to focus on phone numbers as primary indicators of compromise and enhance real-time reputation monitoring and cross-provider collaboration.
Phone-based scams are undergoing a significant transformation, with threat actors adopting sophisticated methods to circumvent established security measures. A recent analysis by Cisco Talos reveals a growing reliance on Voice over Internet Protocol (VoIP) numbers, which attackers frequently abandon before detection systems can effectively flag them. This strategic shift leaves both individual users and cybersecurity defenses struggling to keep pace.
Table Of Content
These fraudulent campaigns typically originate via email, where perpetrators embed contact numbers directly within subject lines, message bodies, and even attached files. The primary objective is to entice recipients into initiating a call to a deceptive number, subsequently extracting sensitive personal or financial information. Engaging victims in a live conversation allows scammers to employ manipulative tactics far more effectively than static links or attachments alone.
Cisco Talos researchers identified this pivot towards phone-centric attack delivery, termed Telephone-Oriented Attack Delivery (TOAD), as a dominant strategy in contemporary email-borne threats. Their investigation, conducted between late February and late March 2025, concluded that the most extensive scam operations leveraged VoIP infrastructure for scalable, low-cost execution.
Scammers Exploit VoIP for Evasion
The allure of VoIP for scam operations stems from the ease with which numbers can be acquired and disposed of en masse. Threat actors utilize API-driven provisioning from a limited number of providers to rapidly generate hundreds of numbers. These numbers are then used for a short period and discarded before reputation systems can register them as malicious. The study observed a median lifespan of approximately 14 days for these scam-associated phone numbers.

The ramifications extend beyond individual victims. Organized scam call centers are orchestrating campaigns that masquerade as reputable brands such as PayPal, Geek Squad, McAfee, and Norton LifeLock, all while funneling victims to the same centralized fraudulent operations. This infrastructure is deliberately designed to resist traceability, seamlessly integrating into global legitimate telecommunications networks.
Scammers do not randomly select phone numbers. Instead, they strategically acquire large, sequential blocks of numbers, frequently by purchasing Direct Inward Dialing (DID) blocks from providers. When a number is flagged, they simply transition to the next in the sequence, a method known as sequential number grouping, ensuring uninterrupted operation.
Cisco Talos reported that six of the ten largest campaigns analyzed during the study period were entirely dependent on VoIP infrastructure. Sinch was identified as the most frequently exploited Communications-Platform-as-a-Service (CPaaS) provider, which offers programmable APIs for voice and messaging. These platforms, built for automation and high call volumes, are attractive and widely abused tools for large-scale scam operations.
The patterns of number reuse are equally deliberate. Out of 1,962 distinct phone numbers examined, 68 were observed being reused across multiple consecutive days. Scammers often implement a “cool-down” period, temporarily deactivating a number for several days before reintroducing it into a new campaign. This timing is calculated to outlast the update cycles of third-party reputation services, which can take days to disseminate new intelligence.
Recycling Lures to Maintain Covert Operations
A notable tactic documented by Cisco Talos involves the recycling of the same phone number across disparate lure types. A single number might appear in emails purporting to be an order confirmation, a subscription renewal notice, and a financial alert within a brief timeframe. This intentional diversification of lure types helps attackers evade pattern-based detection by automated filters.

In one specific campaign, the identical phone number was embedded within both HEIC and PDF attachment formats, illustrating how attackers avoid over-reliance on a single delivery method. HEIC files, commonly associated with iPhone photos, were utilized to bypass conventional file-type detection while preserving high image quality. Talos confirmed observing campaigns with even broader attachment varieties, underscoring the adaptability of these threat actors.
What You Should Do
- Prioritize Phone Numbers as IoCs: Shift focus from solely filtering email senders to treating embedded phone numbers as primary indicators of compromise (IoCs).
- Implement Clustering Techniques: Utilize clustering analysis to link seemingly unrelated scam campaigns that share common phone infrastructure.
- Enhance Real-time Reputation Monitoring: Deploy and maintain robust real-time reputation monitoring across all communication channels, not just email.
- Foster Cross-Provider Collaboration: Encourage active collaboration and intelligence sharing between cybersecurity teams and telecommunications providers to counter organized scam networks effectively.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.