Two scam emails
While security teams have spent years perfecting the art of spotting malicious URLs and suspicious sender domains, threat actors have found an effective way to bypass the digital gatekeepers: they're picking up the phone. A recent intelligence report from Cisco Talos reveals a significant shift toward Telephone-Oriented Attack Delivery (TOAD), where the “anchor” of the scam is no longer a link, but a phone number.
Scammers are increasingly moving communication away from the easily tracked medium of email into real-time voice conversations. By doing so, they can manipulate victims with much higher efficiency. As the report highlights:
“Telephone-oriented attack delivery (TOAD) continues to be a prevalent tactic in modern email threats”.
These attacks typically start with a lure, such as an “urgent” invoice from PayPal or a “subscription renewal” for Norton LifeLock, that provides a “support” number for the victim to call.
The backbone of these operations is Voice over Internet Protocol (VoIP). Unlike traditional landlines, VoIP numbers are easy to provision in massive quantities through automated APIs.
Key findings regarding line types include:
- VoIP Dominance: Approximately 55% of detected scam campaigns rely on VoIP infrastructure.
- Ease of Access: Attackers prefer VoIP because of the “ease of API-driven provisioning,” which allows for high-volume, cost-effective operations that remain difficult to trace.
- Provider Abuse: Sinch was identified as the most commonly abused provider in the studied window, while Verizon and NUSO were among the least abused.
Most of these numbers follow the E.164 international standard, which limits numbers to 15 digits and includes an international prefix, country code, area code, and subscriber number.
Scammers don’t keep their numbers active forever. To stay ahead of reputation-based security filters, they treat phone numbers as disposable assets.
If a specific number gets flagged, the actor simply moves to the next one in the block. In one extreme instance, a single number (+1 804-713-4598) was used in 117 scam emails in just one day.
These campaigns “maximize their reach by recycling the same phone numbers across diverse, seemingly unrelated lures”.
Researchers found that a single phone number might be used to impersonate PayPal and Norton LifeLock simultaneously, directing victims to the same central call center. To bypass traditional file-based detection, scammers are also experimenting with diverse attachment formats, including PDFs and even HEIC (iPhone/iPad photo) files.
The ephemeral nature of email addresses makes them poor indicators of compromise. However, phone numbers are the actual “anchors” of the operation. By shifting focus to these numbers, defenders can use clustering techniques to map connections between what look like completely different campaigns.
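The clustering idea above, as an added illustration that is not code from the Talos report: the number in each lure is extracted, normalized to E.164, and used as the pivot that ties lures for different brands together. The sample emails are constructed; the callback number is the one quoted in this article, and the +44 number is an unrelated placeholder.

```python
import re
from collections import defaultdict

# Constructed sample lures (not from the Talos report). The callback number is the
# one quoted in the article, written three different ways; the +44 number is an
# unrelated placeholder.
SAMPLE_EMAILS = [
    {"id": 1, "brand": "PayPal", "body": "Invoice of $499.99 due. Questions? Call +1 804-713-4598 now."},
    {"id": 2, "brand": "Norton LifeLock", "body": "Renewed. To cancel contact support at (804) 713-4598."},
    {"id": 3, "brand": "PayPal", "body": "Auto-renewal charged. Call 1 804 713 4598 within 24h."},
    {"id": 4, "brand": "Norton LifeLock", "body": "Refund pending, dial +44 20 7946 0958 to confirm."},
]

# Loose match for anything that looks like a phone number in free text.
PHONE_RE = re.compile(r"\+?\(?\d[\d\s().-]{6,}\d")

def to_e164(raw, default_cc="1"):
    """Normalize a matched string to E.164 ('+' followed by at most 15 digits).
    Numbers without '+' are assumed to be in the default country (US here);
    anything with an implausible length is rejected rather than guessed."""
    digits = re.sub(r"\D", "", raw)
    if not raw.lstrip().startswith("+"):
        if len(digits) == 10:
            digits = default_cc + digits
        elif not (len(digits) == 11 and digits.startswith(default_cc)):
            return None
    if not 8 <= len(digits) <= 15:
        return None
    return "+" + digits

def cluster_by_phone(emails):
    """Group emails by every normalized callback number found in their bodies."""
    clusters = defaultdict(list)
    for email in emails:
        for match in PHONE_RE.finditer(email["body"]):
            number = to_e164(match.group())
            if number:
                clusters[number].append(email)
    return clusters

def cross_brand_numbers(emails):
    """Numbers reused across lures impersonating different brands: the pivots
    that tie seemingly unrelated campaigns to a single call center."""
    result = {}
    for number, group in cluster_by_phone(emails).items():
        brands = sorted({e["brand"] for e in group})
        if len(brands) > 1:
            result[number] = brands
    return result
```

Running `cross_brand_numbers(SAMPLE_EMAILS)` links the PayPal and Norton LifeLock lures through the shared number, while the single-brand +44 number drops out.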