Insights into the clustering and reuse of phone numbers in scam emails

Source: Cisco Talos Blog

Author: Omid Mirzaei

URL: https://blog.talosintelligence.com/insights-into-the-clustering-and-reuse-of-phone-numbers-in-scam-emails/

## ONE SENTENCE SUMMARY:

Talos analyzes scam-email phone-number IOCs, revealing VoIP-driven reuse, rotation, and clustering, and proposes defenses that expose call-center infrastructure across brands and lures.

## MAIN POINTS:

1. Cisco Talos now tracks phone numbers in emails as additional IOCs.
2. TOAD scams move victims from email to phone calls for coercion and malware delivery.
3. VoIP dominates these campaigns because provider APIs enable cheap, scalable, hard-to-trace number provisioning.
4. Providers split into wholesalers, retailers, CPaaS and UCaaS; CPaaS is the most abused category.
5. Sinch appeared to be the most commonly abused provider; Verizon and NUSO were the least abused in the study.
6. The analysis found 1,652 unique numbers; 57 of them were reused on consecutive days.
7. Typical reuse spans two days; the maximum observed consecutive reuse lasted four days.
8. Cool-down gaps between uses extend operational continuity; the median number lifespan measured about 14 days.
9. Recycling numbers across brands, subjects and attachment formats (PDF, HEIC, JPEG) increases reach and bypasses filters.
10. Sequential DID blocks and clustering by shared numbers reveal organized call-center infrastructure.

## TAKEAWAYS:

1. Shift investigations toward phone-number intelligence to anchor and connect otherwise ephemeral campaigns.
2. Build block-level correlation to surface sequential DID allocation patterns and shared scam infrastructure.
3. Coordinate with CPaaS/VoIP providers to disrupt the API-driven provisioning pipelines attackers rely on.
4. Tune detections for rotation and cool-down behavior instead of relying solely on sender reputation.
5. Combine NLP-driven email analysis with attachment-format inspection to catch diverse TOAD lures.
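The reuse, lifespan, sequential-DID and shared-number clustering measurements in main points 6 to 10 (and takeaways 2 and 4) can be reproduced over a feed of phone-number sightings. The following is an added example, not Talos code: it runs on a constructed sample of (date, impersonated brand, callback number) records with placeholder numbers, and the function and field names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date
# Constructed sample (date seen, brand impersonated, callback number); placeholder numbers, not real IOCs.
SIGHTINGS = [
    (date(2024, 3, 1), "PayPal", "+15550100123"),
    (date(2024, 3, 2), "PayPal", "+15550100123"),
    (date(2024, 3, 3), "Norton", "+15550100123"),
    (date(2024, 3, 1), "Geek Squad", "+15550100124"),
    (date(2024, 3, 15), "McAfee", "+15550100124"),
    (date(2024, 3, 9), "Amazon", "+15559990001"),
]

def by_number(sightings):
    seen = defaultdict(set)                     # number -> {(day, brand)}
    for day, brand, num in sightings:
        seen[num].add((day, brand))
    return seen
def longest_run(days):
    """Longest run of consecutive calendar days on which a number was seen."""
    days, best, run = sorted(days), 1, 1
    for prev, cur in zip(days, days[1:]):
        run = run + 1 if (cur - prev).days == 1 else 1
        best = max(best, run)
    return best
def number_stats(sightings):
    """Per number: lifespan (first to last sighting), consecutive-day reuse, brands."""
    stats = {}
    for num, seen in by_number(sightings).items():
        days = {d for d, _ in seen}
        stats[num] = {"lifespan_days": (max(days) - min(days)).days + 1,
                      "max_consecutive_days": longest_run(days),
                      "brands": sorted({b for _, b in seen})}
    return stats
def sequential_blocks(numbers):
    """Group numbers with contiguous digits, a sign of block-allocated DIDs."""
    nums = sorted(int(n.lstrip("+")) for n in numbers)
    blocks = [[nums[0]]]
    for prev, cur in zip(nums, nums[1:]):
        if cur - prev != 1:
            blocks.append([])
        blocks[-1].append(cur)
    return [["+%d" % n for n in b] for b in blocks if len(b) > 1]
def brand_clusters(sightings):
    """Merge brands transitively: brands sharing any number form one cluster."""
    clusters = []
    for seen in by_number(sightings).values():
        group = {b for _, b in seen}
        group = group.union(*[c for c in clusters if c & group])   # absorb touching clusters
        clusters = [c for c in clusters if not c & group] + [group]
    return sorted(sorted(c) for c in clusters)
```

A number with a long lifespan but a short consecutive run (here +15550100124) is the cool-down pattern from point 8, which reputation-only detection tends to miss.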