Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Critical Cursor RCE: CVE-2024-XXXXX lets Git repos auto-execute code
July 15, 2026
Home/Threats/Scammers Evade Call Blocking with VoIP Numbers and Windows Reuse
Threats

Scammers Evade Call Blocking with VoIP Numbers and Windows Reuse

Key Takeaways Scammers are increasingly using Voice over Internet Protocol (VoIP) numbers in phone-based attacks, known as Telephone-Oriented Attack Delivery (TOAD). These VoIP numbers are rapidly...

Sarah simpson
Sarah simpson
May 7, 2026 4 Min Read
70 0

Key Takeaways

  • Scammers are increasingly using Voice over Internet Protocol (VoIP) numbers in phone-based attacks, known as Telephone-Oriented Attack Delivery (TOAD).
  • These VoIP numbers are rapidly provisioned and discarded, often within a median lifespan of 14 days, to evade detection by reputation systems.
  • Attackers embed these numbers in emails across various lure types and file formats, impersonating major brands like PayPal and McAfee.
  • Cisco Talos research highlights the need for security teams to focus on phone numbers as primary indicators of compromise and enhance real-time reputation monitoring and cross-provider collaboration.

Phone-based scams are undergoing a significant transformation, with threat actors adopting sophisticated methods to circumvent established security measures. A recent analysis by Cisco Talos reveals a growing reliance on Voice over Internet Protocol (VoIP) numbers, which attackers frequently abandon before detection systems can effectively flag them. This strategic shift leaves both individual users and cybersecurity defenses struggling to keep pace.

Table Of Content

  • Key Takeaways
  • Scammers Exploit VoIP for Evasion
  • Recycling Lures to Maintain Covert Operations
  • What You Should Do

These fraudulent campaigns typically originate via email, where perpetrators embed contact numbers directly within subject lines, message bodies, and even attached files. The primary objective is to entice recipients into initiating a call to a deceptive number, subsequently extracting sensitive personal or financial information. Engaging victims in a live conversation allows scammers to employ manipulative tactics far more effectively than static links or attachments alone.

Cisco Talos researchers identified this pivot towards phone-centric attack delivery, termed Telephone-Oriented Attack Delivery (TOAD), as a dominant strategy in contemporary email-borne threats. Their investigation, conducted between late February and late March 2025, concluded that the most extensive scam operations leveraged VoIP infrastructure for scalable, low-cost execution.

Scammers Exploit VoIP for Evasion

The allure of VoIP for scam operations stems from the ease with which numbers can be acquired and disposed of en masse. Threat actors utilize API-driven provisioning from a limited number of providers to rapidly generate hundreds of numbers. These numbers are then used for a short period and discarded before reputation systems can register them as malicious. The study observed a median lifespan of approximately 14 days for these scam-associated phone numbers.

The structure of an example VoIP phone number (Source - Cisco Talos)
The structure of an example VoIP phone number (Source – Cisco Talos)

The ramifications extend beyond individual victims. Organized scam call centers are orchestrating campaigns that masquerade as reputable brands such as PayPal, Geek Squad, McAfee, and Norton LifeLock, all while funneling victims to the same centralized fraudulent operations. This infrastructure is deliberately designed to resist traceability, seamlessly integrating into global legitimate telecommunications networks.

Scammers do not randomly select phone numbers. Instead, they strategically acquire large, sequential blocks of numbers, frequently by purchasing Direct Inward Dialing (DID) blocks from providers. When a number is flagged, they simply transition to the next in the sequence, a method known as sequential number grouping, ensuring uninterrupted operation.

Cisco Talos reported that six of the ten largest campaigns analyzed during the study period were entirely dependent on VoIP infrastructure. Sinch was identified as the most frequently exploited Communications-Platform-as-a-Service (CPaaS) provider, which offers programmable APIs for voice and messaging. These platforms, built for automation and high call volumes, are attractive and widely abused tools for large-scale scam operations.

The patterns of number reuse are equally deliberate. Out of 1,962 distinct phone numbers examined, 68 were observed being reused across multiple consecutive days. Scammers often implement a “cool-down” period, temporarily deactivating a number for several days before reintroducing it into a new campaign. This timing is calculated to outlast the update cycles of third-party reputation services, which can take days to disseminate new intelligence.

Recycling Lures to Maintain Covert Operations

A notable tactic documented by Cisco Talos involves the recycling of the same phone number across disparate lure types. A single number might appear in emails purporting to be an order confirmation, a subscription renewal notice, and a financial alert within a brief timeframe. This intentional diversification of lure types helps attackers evade pattern-based detection by automated filters.

Two scam emails with different attachment file types that contain the same phone number while impersonating the same brand (Source - Cisco Talos)
Two scam emails with different attachment file types that contain the same phone number while impersonating the same brand (Source – Cisco Talos)

In one specific campaign, the identical phone number was embedded within both HEIC and PDF attachment formats, illustrating how attackers avoid over-reliance on a single delivery method. HEIC files, commonly associated with iPhone photos, were utilized to bypass conventional file-type detection while preserving high image quality. Talos confirmed observing campaigns with even broader attachment varieties, underscoring the adaptability of these threat actors.

What You Should Do

  • Prioritize Phone Numbers as IoCs: Shift focus from solely filtering email senders to treating embedded phone numbers as primary indicators of compromise (IoCs).
  • Implement Clustering Techniques: Utilize clustering analysis to link seemingly unrelated scam campaigns that share common phone infrastructure.
  • Enhance Real-time Reputation Monitoring: Deploy and maintain robust real-time reputation monitoring across all communication channels, not just email.
  • Foster Cross-Provider Collaboration: Encourage active collaboration and intelligence sharing between cybersecurity teams and telecommunications providers to counter organized scam networks effectively.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Palo Alto Networks Patches Critical PAN-OS Zero-Day RCE, Exploited Since April

Next Post

UAT-8302 Threat Group Steals Government Data With Custom Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
FaceTime Call Impersonation Fraud Hijacks Bank Accounts
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us