{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/geek-squad/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Geek Squad"],"_cs_severities":["medium"],"_cs_tags":["email","phishing","voip","scam"],"_cs_type":"advisory","_cs_vendors":["Cisco","Virtue","Twilio","Bandwidth","AT\u0026T","Verizon","RingCentral","Sinch","NUSO","Best Buy","McAfee","Norton LifeLock","PayPal"],"content_html":"\u003cp\u003eTalos has started collecting intelligence around phone numbers within emails as an additional indicator of compromise. Their analysis of scam campaigns between February 26 and March 31, 2026, reveals the prevalence of phone number reuse, especially with VoIP numbers due to their ease of acquisition and difficulty of tracing. Attackers use VoIP providers, particularly CPaaS platforms like Sinch, for rapid, API-driven number provisioning. They rotate through sequential blocks of phone numbers with a median lifespan of 14 days to evade reputation-based security filters. This allows them to maintain operational continuity and project a consistent brand presence. 
Attackers also recycle phone numbers across diverse lures, including varied subject lines and different attachment formats like HEIC and PDF, to impersonate multiple brands simultaneously, like PayPal, Geek Squad, McAfee and Norton LifeLock.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial email sent to victim with a lure impersonating a known brand (e.g., PayPal, Geek Squad).\u003c/li\u003e\n\u003cli\u003eThe email contains a phone number, often a VoIP number, directing the recipient to call.\u003c/li\u003e\n\u003cli\u003eVictim calls the provided phone number.\u003c/li\u003e\n\u003cli\u003eAttacker, posing as customer service or technical support, engages the victim in a real-time conversation.\u003c/li\u003e\n\u003cli\u003eAttacker manipulates the victim into disclosing sensitive information (e.g., financial details, personal data).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker persuades the victim to install malicious software under the guise of legitimate software updates or security tools.\u003c/li\u003e\n\u003cli\u003eIf malware is installed, attacker gains remote access or control over the victim\u0026rsquo;s device.\u003c/li\u003e\n\u003cli\u003eAttacker uses stolen information for financial gain or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eScam campaigns utilizing phone numbers in emails can lead to significant financial losses and data breaches for victims. The abuse of VoIP services enables attackers to operate cost-effectively and at scale. While the exact number of victims is not specified, the report highlights the widespread use of this tactic and the potential for substantial impact across various sectors, targeting brands like PayPal, Geek Squad (Best Buy), McAfee, and Norton LifeLock. 
If the attack succeeds, victims may experience identity theft, financial fraud, and compromise of their devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor email traffic for the presence of phone numbers, particularly those associated with VoIP providers like Sinch, using the IOCs provided.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect suspicious email patterns and phone number usage.\u003c/li\u003e\n\u003cli\u003eBlock known malicious phone numbers identified in scam campaigns at the telecom provider level.\u003c/li\u003e\n\u003cli\u003eEducate users about Telephone-Oriented Attack Delivery (TOAD) and the risks associated with calling phone numbers provided in unsolicited emails.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T10:01:45Z","date_published":"2026-05-06T10:01:45Z","id":"/briefs/2026-05-phone-number-scams/","summary":"Talos has begun tracking phone numbers in emails as indicators of compromise, revealing insights into their reuse in scam campaigns where attackers use API-driven VoIP services for cost-effective operations, rotating phone number blocks to evade security filters, and maximizing reach by recycling numbers across diverse lures.","title":"Phone Number Reuse in Scam Email Campaigns","url":"https://feed.craftedsignal.io/briefs/2026-05-phone-number-scams/"}],"language":"en","title":"CraftedSignal Threat Feed — Geek Squad","version":"https://jsonfeed.org/version/1.1"}