Cisco Talos: VoIP Number Reuse Exposes Scam Call Centers

Cisco Talos reported that between Feb. 26 and March 31, 2026 it identified 1,652 unique phone numbers used in scam email campaigns. Six of the ten largest campaigns in that period relied on VoIP infrastructure. The report finds that attackers provision large blocks of VoIP numbers through programmable APIs and rotate sequential numbers to sustain high-volume operations.

Talos found a median phone number lifespan of about 14 days in the sample. Most numbers were active for two to six days, a few remained in use for nearly a month, and attackers sometimes pause numbers for several days before reusing them to evade reputation filters.

The research shows Voice over Internet Protocol lines dominated the dataset, but attackers also used cellular and landline numbers. Cellular lines are harder and costlier to provision because they typically require physical SIM cards and stricter verification. Landlines appear in campaigns to suggest local legitimacy. Talos notes many VoIP numbers follow the E.164 international numbering plan and that attackers often buy Direct Inward Dialing (DID) blocks so they can rotate through adjacent numbers when specific lines are blocked.

Talos measured reuse patterns across campaigns that impersonated brands including PayPal, Geek Squad, McAfee and Norton LifeLock. Of the 1,652 numbers, 57 (about 3.4%) were reused on consecutive days, with the longest consecutive reuse lasting four days. A larger group of 108 numbers (about 6.5%) remained active for more than one day.

The report documents repeated tactics that mix lures and hide links between campaigns. The same phone number appeared in different subject lines, in multiple attachment formats such as PDFs and HEIC images, and across campaigns impersonating different brands. Talos recorded one number used in 117 scam emails in a single day and many adjacent numbers in a block deployed across multiple brand lures.

Talos describes telephone-oriented attack delivery, or TOAD, as a method where attackers move victims from email to live phone conversations to obtain account credentials, payment details or to social-engineer the installation of malicious software. The company recommends treating phone numbers as indicators of compromise and implementing real-time reputation monitoring across email, messaging and telephony channels.

The report calls for centralized databases that flag high-risk numbers to help correlate campaigns and for closer information sharing between telecommunications carriers and VoIP providers. Talos also advises using machine learning and natural language processing in email defenses to detect social-engineering elements common to these scams, such as subscription renewals, billing invoices, account-security alerts, order confirmations and technical support notices that prompt recipients to call, click, reply or open attachments.