Researchers Expose Phone Number Reuse Tactics in Large-Scale Scam Campaigns
Cisco Talos researchers have uncovered that scammers are systematically reusing phone numbers across diverse email campaigns to maintain operational continuity and evade security filters.

Cisco Talos researchers have identified a sophisticated pattern of phone number reuse in scam emails, highlighting a shift in how threat actors maintain operational continuity. By tracking phone numbers as primary indicators of compromise (IOCs), security teams can now better map the infrastructure behind Telephone-Oriented Attack Delivery (TOAD) campaigns, which often rely on real-time voice interaction to deceive victims into disclosing sensitive data or installing malware (Cisco Talos).
The technical mechanism behind these scams leverages the ease of API-driven provisioning, allowing attackers to acquire and rotate through large blocks of Voice over Internet Protocol (VoIP) numbers. These numbers, which adhere to the E.164 international numbering standard, are favored by scammers for their cost-effectiveness and the difficulty they present in tracing back to an origin (Cisco Talos). Between February 26 and March 31, 2026, six of the ten largest campaigns analyzed by Talos relied specifically on this VoIP infrastructure (Cisco Talos).
Attackers maintain their operations by cycling through sequential blocks of numbers and employing strategic "cool-down" periods. According to Cisco Talos, the median lifespan of a phone number used in these scams is approximately 14 days, a duration specifically calculated to evade reputation-based security filters that might otherwise flag the numbers as malicious (Cisco Talos).
To maximize their reach, threat actors frequently recycle the same phone numbers across seemingly unrelated lures. These campaigns use diverse subject lines and various attachment formats, such as HEIC and PDF files, to impersonate multiple brands simultaneously. By shifting the focus from ephemeral email addresses to the underlying phone numbers, researchers can use clustering techniques to connect disparate campaigns that would otherwise appear unrelated (Cisco Talos).
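The clustering idea above, sketched as an added example (not code from Cisco Talos or from the original article): it extracts phone numbers from message bodies, normalises them to E.164, and links messages that share a number. The sample messages, the North American number pattern, and the definition of lifespan as days between first and last sighting are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample messages (not Talos data): (id, received, subject, body)
SAMPLE = [
    ("m1", date(2026, 3, 1), "Invoice from PayService", "Call +1 (808) 555-0142 to dispute."),
    ("m2", date(2026, 3, 9), "Your antivirus renewal", "Support: 1-808-555-0142 or 808.555.0177"),
    ("m3", date(2026, 3, 15), "Order confirmation", "Questions? Dial +1 808 555 0177"),
    ("m4", date(2026, 3, 20), "Subscription notice", "Helpdesk +1 (808) 555-0199"),
]

# Assumption: only North American (NANP) numbers are matched; other regions need their own patterns.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]?)?\(?(\d{3})\)?[\s.\-]?(\d{3})[\s.\-]?(\d{4})(?!\d)")

def extract_e164(text):
    """Return the set of NANP numbers found in text, normalised to E.164 (+1XXXXXXXXXX)."""
    return {"+1" + "".join(m.groups()) for m in PHONE_RE.finditer(text)}

def cluster(messages):
    """Group message ids: two messages land in one cluster if a chain of shared numbers links them."""
    parent = {}

    def find(x):
        # Union-find lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    seen = defaultdict(list)  # number -> dates on which it was observed
    for mid, day, _subject, body in messages:
        for num in extract_e164(body):
            parent[find(mid)] = find(num)  # merge the message with the number's cluster
            seen[num].append(day)
    groups = defaultdict(set)
    for mid, *_ in messages:
        groups[find(mid)].add(mid)
    # Assumed definition: lifespan = days between first and last sighting of a number
    lifespan = {n: (max(d) - min(d)).days for n, d in seen.items()}
    return sorted(sorted(g) for g in groups.values()), lifespan

if __name__ == "__main__":
    print(cluster(SAMPLE))
```

Messages m1 and m3 share no number directly, but both are tied to m2, so all three fall into one cluster despite their different subject lines.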
The VoIP ecosystem facilitates this activity through a tiered structure of wholesalers and retailers. Wholesalers provide the high-volume, API-driven access necessary for attackers to deploy these scams at scale, often sitting between major Tier 1 carriers and smaller service providers (Cisco Talos). This infrastructure allows for high-volume, cost-effective operations that are notoriously difficult for defenders to trace or block effectively.
This research underscores a broader trend in cybercrime where attackers are increasingly diversifying their delivery methods to bypass traditional email security. As TOAD attacks continue to evolve, the ability to cluster campaigns based on phone number reuse provides a vital defensive advantage. Security professionals are encouraged to incorporate phone number intelligence into their threat hunting and defensive postures to better anticipate and mitigate these persistent, multi-channel threats (Cisco Talos).