Telephone-based scam campaigns are increasingly relying on short-lived “Voice over Internet Protocol” (VoIP) numbers that are used briefly and discarded before detection systems can identify them, reducing the effectiveness of reputation-based blocking mechanisms.
These campaigns are primarily distributed through email, where attackers embed phone numbers directly into message bodies, subject lines and file attachments. The objective is to convince recipients to call fraudulent numbers and disclose sensitive personal or financial information during live conversations. Unlike links or malicious attachments, live phone interactions allow scammers to manipulate victims more effectively. This technique is commonly referred to as “telephone-oriented attack delivery” (TOAD).
The primary reason VoIP numbers are attractive to cybercriminals is the ease with which they can be obtained in bulk and rapidly abandoned. Through API-driven number provisioning, threat actors acquire hundreds of numbers within a short period, use them temporarily and replace them before reputation systems can flag them. Observations indicate that the average lifespan of these numbers is approximately 14 days.
The campaigns reportedly impersonate well-known brands such as PayPal, Geek Squad, McAfee, and Norton LifeLock. The same phone numbers are repeatedly reused across different fraudulent scenarios, including order confirmations, subscription renewals and financial alerts. This tactic makes it harder for automated filters to identify consistent malicious patterns.
Scammers do not select phone numbers randomly. Instead, they frequently acquire sequential “Direct Inward Dialing” (DID) number blocks from providers. When one number is blocked or identified, operators simply switch to the next number in the sequence. This tactic, known as “sequential number grouping,” enables campaigns to continue operating without interruption.
Researchers also identified campaigns in which the same phone number was embedded in both HEIC and PDF attachments, demonstrating that attackers do not rely on a single delivery method. HEIC files, commonly associated with iPhone images, were specifically used to bypass traditional file-type detection mechanisms while maintaining high image quality.
Security experts emphasize that filtering email senders alone is insufficient against such campaigns. Monitoring phone numbers as indicators of compromise, correlating campaigns that share the same infrastructure, implementing real-time reputation monitoring, and strengthening cooperation between telecommunications providers are considered more effective mitigation measures.
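As an added illustration (not code from the article or the researchers it cites), the sketch below treats phone numbers as indicators: it extracts them from message text, normalizes them, and groups consecutive values into candidate DID blocks shared across brand lures. It assumes North American number formats and already-extracted text; the message fields (`id`, `brand`, `text`) and all sample data are constructed.

```python
import re
from collections import defaultdict

# Constructed sample messages; numbers use the 555-01XX range reserved for fiction.
SAMPLE_EMAILS = [
    {"id": "m1", "brand": "PayPal", "text": "Order confirmed. Call +1 (808) 555-0142 to dispute."},
    {"id": "m2", "brand": "Geek Squad", "text": "Renewal charged. Support: 808.555.0143"},
    {"id": "m3", "brand": "McAfee", "text": "Subscription alert, dial 1-808-555-0144 now"},
    {"id": "m4", "brand": "PayPal", "text": "Invoice attached. Helpdesk 808 555 0142"},
    {"id": "m5", "brand": "Norton LifeLock", "text": "Questions? (212) 555-0199"},
]
# Assumption: NANP numbers only, with optional +1/1 prefix and common separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.\-]*)?\(?(\d{3})\)?[\s.\-]*(\d{3})[\s.\-]*(\d{4})(?!\d)")

def extract_numbers(text):
    """Return numbers found in text, normalised to E.164 (+1XXXXXXXXXX)."""
    return ["+1" + "".join(m.groups()) for m in PHONE_RE.finditer(text)]

def index_numbers(emails):
    """Map each normalised number to the message ids and brands it appeared with."""
    seen = defaultdict(lambda: {"messages": set(), "brands": set()})
    for mail in emails:
        for num in extract_numbers(mail["text"]):
            seen[num]["messages"].add(mail["id"])
            seen[num]["brands"].add(mail["brand"])
    return dict(seen)

def sequential_blocks(numbers, min_len=2):
    """Group numbers into runs of consecutive values (candidate DID blocks)."""
    runs, current = [], []
    for num in sorted(set(numbers), key=lambda n: int(n[1:])):
        if current and int(num[1:]) - int(current[-1][1:]) == 1:
            current.append(num)
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = [num]
    if len(current) >= min_len:
        runs.append(current)
    return runs

def correlate(emails):
    """Report each sequential block with the brands and messages sharing it."""
    idx = index_numbers(emails)
    return [{
        "block": block,
        "brands": sorted(set().union(*(idx[n]["brands"] for n in block))),
        "messages": sorted(set().union(*(idx[n]["messages"] for n in block))),
    } for block in sequential_blocks(idx)]
```

Calling `correlate(SAMPLE_EMAILS)` links the three differently branded lures to one consecutive number range, so the remaining numbers in that range can be watched before they appear in mail.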