Talos: Track phone numbers in VoIP scams; urge tactile breaks
Cisco Talos urged analysts to take short tactile breaks to reduce fatigue and announced it will track phone numbers as indicators of compromise in API-driven VoIP scam campaigns.
On May 7, Cisco Talos said in its Threat Source newsletter that it will track phone numbers as indicators of compromise in scam emails and urged security analysts to take short tactile breaks to reduce mental fatigue.
Talos reported that organized call centers use programmable VoIP APIs to create large blocks of disposable numbers, rotate through sequential ranges, apply cool-down periods and recycle the same digits across unrelated lures and impersonated brands. The team described these API-driven operations as a primary method for running high-volume scam campaigns.
The researchers explained that phone numbers, rather than ephemeral sender addresses, link otherwise separate messages, documents and calls. Because attackers reuse numbers across formats and brands, tracking those numbers can reveal connections between incidents that appear unrelated when viewed only by sender address.
Talos recommended security teams shift incident investigations to cluster scam content around shared phone numbers and telephony infrastructure. The team advised implementing real-time reputation monitoring for phone numbers and combining phone-number telemetry with email and document analysis so cross-format reuse is visible during triage and threat hunting.
The briefing cited Cisco Secure Email Threat Defense as one example of an AI-driven email defense that can analyze multiple elements of incoming messages. Talos added that a full list of related indicators of compromise is available on its blog.
Talos outlined operational details: attackers acquire or generate VoIP numbers through programmable APIs, scale to high volumes at low cost, automate rotation to avoid reputation checks and reuse exact digits across different lures. The reuse patterns allow analysts to group incidents and attribute activity to the same call center or operator.
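The clustering Talos recommends and the reuse patterns it describes can be sketched in a few functions. This is an added example, not code from Talos or any Cisco product: it extracts phone numbers from message bodies, groups messages by shared number, flags numbers reused across impersonated brands, and finds sequential ranges. The sample messages, brand labels and function names are constructed for illustration, and North American number formats are assumed.

```python
import re
from collections import defaultdict

# Constructed sample data (id, impersonated brand, body); not real indicators.
# Brands are placeholders and 555-01xx numbers are reserved for fictional use.
MESSAGES = [
    ("m1", "BrandA", "Call +1 (202) 555-0143 to dispute this charge."),
    ("m2", "BrandB", "Invoice 20255501431. Support line: 202.555.0143"),
    ("m3", "BrandA", "Renewal desk: 1-202-555-0144"),
    ("m4", "BrandC", "Dial (202) 555 0145 now."),
    ("m5", "BrandB", "Questions? 312-555-0199"),
]

# NANP numbers only (an assumption); the digit lookarounds skip longer digit
# runs such as invoice or order IDs.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")

def extract_numbers(text):
    """Return phone numbers found in text, normalized to +1XXXXXXXXXX."""
    return {"+1" + "".join(m.groups()) for m in PHONE_RE.finditer(text)}

def cluster_by_number(messages):
    """Map each normalized number to the (id, brand) pairs that carry it."""
    clusters = defaultdict(list)
    for msg_id, brand, body in messages:
        for number in extract_numbers(body):
            clusters[number].append((msg_id, brand))
    return dict(clusters)

def cross_brand_numbers(clusters):
    """Numbers reused under more than one impersonated brand."""
    hits = {n: sorted({b for _, b in ms}) for n, ms in clusters.items()}
    return {n: b for n, b in hits.items() if len(b) > 1}

def sequential_runs(numbers, min_len=3):
    """Group numbers into runs of consecutive values (sequential-range use)."""
    runs, run = [], []
    for value in sorted({int(n[1:]) for n in numbers}):
        if run and value != run[-1] + 1:
            if len(run) >= min_len:
                runs.append(run)
            run = []
        run.append(value)
    if len(run) >= min_len:
        runs.append(run)
    return [["+%d" % v for v in r] for r in runs]
```

Messages m1 and m2 carry different brands and number formats, yet land in the same cluster once the number is normalized.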
The newsletter also included a guidance item on analyst well-being. The team encouraged short tactile breaks such as walking without earbuds, knitting, painting miniatures or assembling a mechanical keyboard. Talos wrote that moving briefly to a hands-on activity can refresh attention and help analysts return to technical tasks with clearer thinking.
“Tracking ephemeral sender email addresses is a losing game, but phone numbers are the true operational anchors for these organized scam call centers,” the briefing said, adding that clustering telephony infrastructure can map and dismantle broader malicious operations.
Cisco Talos is the threat intelligence arm of Cisco and regularly publishes research and advisory notes on active campaigns and vulnerabilities.



