Scammers Reuse VoIP Numbers to Evade Email Filters

Cisco Talos found scammers using API‑provisioned VoIP numbers in scam emails, rotating sequential blocks and reusing lines with a median lifespan of 14 days to evade reputation filters.

Cisco Talos analyzed scam campaigns from Feb. 26 to March 31, 2026, and identified 1,652 unique phone numbers embedded in impersonation emails. The campaigns targeted brands including PayPal, Geek Squad, McAfee and Norton LifeLock. Six of the ten largest campaigns relied on VoIP infrastructure.

The report describes attackers using programmable VoIP services and communications platform APIs to provision numbers at scale. Talos identified wholesalers that sell number blocks in bulk and retailers that offer finished business-calling services. During the study window, communications-platform-as-a-service (CPaaS) providers were the most commonly abused, while some carriers, including Verizon and NUSO, appeared less targeted.

VoIP numbers were the most common line type because they are quicker and cheaper to obtain than wireless or landline numbers. Wireless lines require physical SIMs and stricter verification. Landlines were sometimes chosen to give messages a local appearance.

Phone number reuse and lifespan varied. About 3.4% of numbers were used on multiple consecutive days, with the longest continuous reuse lasting four days. Roughly 6.5% of numbers were active for more than one day. Many lifespans clustered between two and six days; the median lifespan across the sample was about 14 days, and a few lines remained active for almost a month.

Attackers also used cool-down periods, pausing a number for several days before reintroducing it. Scammers commonly bought Direct Inward Dialing blocks and rotated through sequential numbers so that if one line was blocked they could move to the next. Talos documented cases where a single number appeared in many messages and where one number was used in 117 scam emails in a single day.

The analysis found the same phone numbers used across different subject lines, business contexts and attachment types, including PDFs, JPEGs and HEIC files. Talos recommends real-time reputation monitoring for telephone identifiers, centralized databases to flag high-risk numbers across platforms, and increased information-sharing between telecommunications companies and VoIP providers.
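A defender can look for the two rotation patterns described above, sequential number blocks and reuse after a cool-down, in phone numbers already extracted from quarantined mail. The sketch below is an added example, not code from Talos; the sightings are constructed, and the function names and thresholds (a run of three consecutive numbers, a three-day gap) are assumptions to tune against local data.

```python
from collections import defaultdict
from datetime import date

# Constructed sightings: (E.164 number pulled from an email, date seen). Not real data.
SIGHTINGS = [
    ("+12025550140", date(2026, 3, 2)),
    ("+12025550141", date(2026, 3, 3)),
    ("+12025550142", date(2026, 3, 4)),
    ("+12025550142", date(2026, 3, 5)),
    ("+12025550140", date(2026, 3, 9)),  # reappears after a pause
    ("+13125550199", date(2026, 3, 4)),  # isolated number, single sighting
]

def sequential_blocks(sightings, min_size=3):
    """Group distinct numbers into runs of consecutive values (possible DID blocks)."""
    nums = sorted({int(n.lstrip("+")) for n, _ in sightings})
    blocks, run = [], []
    for n in nums:
        if run and n != run[-1] + 1:
            if len(run) >= min_size:
                blocks.append(run)
            run = []
        run.append(n)
    if len(run) >= min_size:
        blocks.append(run)
    return [["+%d" % n for n in b] for b in blocks]

def cooldown_reuse(sightings, min_gap_days=3):
    """Map each number seen again after a pause to its longest gap in days."""
    days = defaultdict(set)
    for n, d in sightings:
        days[n].add(d)
    flagged = {}
    for n, seen in days.items():
        ordered = sorted(seen)
        gaps = [(b - a).days for a, b in zip(ordered, ordered[1:])]
        if max(gaps, default=0) >= min_gap_days:
            flagged[n] = max(gaps)
    return flagged

def high_risk(sightings):
    """Numbers inside a sequential block, plus any number reintroduced after a pause."""
    risky = {n for block in sequential_blocks(sightings) for n in block}
    return sorted(risky | set(cooldown_reuse(sightings)))
```

Flagging the whole block rather than only the numbers already seen in mail lets a filter score the next number in the sequence before it appears.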
