Cisco Talos: VoIP number blocks fuel large-scale scam email campaigns

Cisco Talos found attackers buy VoIP number blocks, rotate sequential digits and reuse numbers across brands to run large scam email campaigns. Median number lifespan: 14 days.

Cisco Talos collected phone numbers embedded in scam emails between Feb. 26 and March 31, 2026, and analyzed reuse patterns and infrastructure. The team logged 1,652 unique numbers tied to campaigns impersonating PayPal, Geek Squad, McAfee and Norton LifeLock.

The analysis found VoIP numbers were used most often. Six of the 10 largest campaigns in the sample relied primarily on VoIP infrastructure. Talos identified Sinch, a communications platform provider, as the most frequently abused vendor in the window; larger carriers such as Verizon and NUSO appeared much less often.

Attackers commonly buy Direct Inward Dialing blocks, ranges of sequential numbers that differ only in the last digits, then rotate through those numbers when individual lines are flagged. Talos observed examples where numbers from the same block were used across several days and across different brand lures. In one case, a single number appeared in 117 scam emails in a single day.

Researchers noted several tactics used to avoid detection. Scammers take advantage of API-driven provisioning offered by programmable voice platforms to obtain large volumes of numbers quickly and at low cost. They also pause use of a number for several days before reusing it, a practice Talos described as a cooldown period, and rotate through sequential blocks when carriers or reputation services block specific lines.

Phone number reuse was common but usually short. About 3.4% of numbers were used on consecutive days, with the longest continuous reuse lasting four days. Roughly 6.5% of numbers were active for more than one day. Most numbers had lifespans of two to six days; the median lifespan across the study window was about 14 days. A small number of instances showed infrastructure active for nearly a month. Lifespan varied by impersonated brand: PayPal-themed campaigns tended to use more persistent numbers than Norton LifeLock impersonations.

Talos documented cross-brand recycling of numbers. The same number appeared under different subject lines, in different email body content, and in attachments in multiple formats, including PDF, JPEG and HEIC. In several examples, emails claiming to be from different brands directed victims to the same call center number.

The dataset included a mix of line types. While VoIP was dominant, scammers also used cellular and landline numbers. Cellular lines were less common because they require physical SIMs and stricter verification, making them costlier to provision at scale. Landlines were used to convey a local presence or legitimacy by matching area codes.

The report explains basic VoIP numbering and the roles of wholesalers and retailers in the supply chain. Wholesalers sell large volumes of numbers to smaller providers; CPaaS platforms offer programmable APIs that enable automation and high-volume provisioning. Those platform features were cited as factors in their frequent appearance in the dataset.

Talos expanded its threat intelligence to include phone numbers as indicators of compromise and provided the dataset and examples to illustrate patterns of reuse, lifespan and block-level clustering observed during the study period.
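Defenders who extract phone numbers from their own mail flow can test for the same block-level clustering, cross-brand reuse and lifespan patterns. The sketch below is an added example, not Talos code; the sample sightings, the two-digit block suffix, the three-number threshold and the inclusive lifespan definition are all assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample sightings (not Talos data): (date seen, brand lure, number as written).
# Numbers use the 555-01XX range reserved for fictional use.
SIGHTINGS = [
    (date(2026, 3, 2), "PayPal", "+1 (202) 555-0141"),
    (date(2026, 3, 2), "Geek Squad", "1-202-555-0142"),
    (date(2026, 3, 3), "PayPal", "202.555.0143"),
    (date(2026, 3, 9), "McAfee", "+1 202 555 0141"),          # reuse after a gap, new brand
    (date(2026, 3, 4), "Norton LifeLock", "(303) 555-0199"),  # unrelated single line
]

def normalize(raw):
    """Reduce a US/Canada number in any common notation to 11 digits, or None."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return digits if len(digits) == 11 and digits[0] == "1" else None

def number_stats(sightings):
    """Per number: brands seen, days seen, and lifespan in days (inclusive, assumed)."""
    stats = defaultdict(lambda: {"brands": set(), "days": set()})
    for day, brand, raw in sightings:
        num = normalize(raw)
        if num:
            stats[num]["brands"].add(brand)
            stats[num]["days"].add(day)
    for s in stats.values():
        s["lifespan_days"] = (max(s["days"]) - min(s["days"])).days + 1
    return dict(stats)

def suspicious_blocks(sightings, suffix_len=2, min_numbers=3):
    """Group numbers that differ only in the last suffix_len digits; keep dense groups."""
    blocks = defaultdict(lambda: {"numbers": set(), "brands": set()})
    for num, s in number_stats(sightings).items():
        block = blocks[num[:-suffix_len]]
        block["numbers"].add(num)
        block["brands"] |= s["brands"]
    return {p: b for p, b in blocks.items() if len(b["numbers"]) >= min_numbers}

if __name__ == "__main__":
    for prefix, b in suspicious_blocks(SIGHTINGS).items():
        print(f"{prefix}xx: {len(b['numbers'])} numbers, brands={sorted(b['brands'])}")
```

A block that surfaces here is a candidate for prefix-level blocking or scoring, so that rotating to the next sequential number does not reset detection.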
