Insights into the clustering and reuse of phone numbers in scam emails

Cisco Talos analyzed scam email campaigns (Feb 26–Mar 31, 2026) and found phone numbers—predominantly VoIP—as durable, high-value IOCs: 1,652 unique numbers were observed with a median lifespan of ~14 days, frequent reuse and cool-down tactics, sequential DID block provisioning, and cross-brand recycling. Talos recommends shifting detection from ephemeral sender addresses to phone-number clustering and real-time reputation sharing between security and telecom providers to expose organized call-center infrastructure and mitigate these large-scale social-engineering campaigns.