Utilizing VOIP for Fraud


My phone rings from an unfamiliar number and per the usual, the caller ID identifies it as spam. Expecting another cold call from a foreign "business service," I pick up anyway.
Part curiosity, part boredom.

Yet surprisingly, I'm greeted with:

"Hi Dear, we are calling from Affirm.

We've detected an unusual login attempt from your account ending in [Last 4 of Phone #]

If this was not you, please 'Press 1'

Okay, now I'm genuinely curious. I press 1.

To cancel this request, your identity needs to be verified.

We have sent a 6-digit verification code to your phone number.

Please enter the code to continue..."

And as expected, I promptly receive a text message with a 6-digit code... from Affirm.
Wait, how did they do that?


How the Attack Works

This scam is deceptively simple. Let's walk through each step of how it was executed and discuss why the method is so effective.

  1. The attacker calls you and impersonates a known brand/company (in this case, Affirm).
     By using an automated voice, VOIP infrastructure (in this case, Twilio), and a touch of personal information, the call hooks your curiosity.
  2. When you press 1, the attacker sends a login request to Affirm.
     They've entered your phone number via an event trigger in the VOIP platform and initiated a login request, which triggers a real MFA code from Affirm.
  3. You receive a legitimate text message from Affirm.
     Because the timing lines up with the call, it appears authentic, as if it's just another step in the verification process.
  4. You enter the code via your keypad, unknowingly handing it over to the attacker.
     They immediately enter it via another event trigger, completing the login. They now have access to your account and your payment information.

You've now been compromised.

This doesn't require any malware, phishing pages, or compromised websites. It simply relies on social engineering, real (legitimate) infrastructure, and your trust in familiar brands.

It's a brilliant method that's low cost, easy to deploy, and difficult to detect, because every step is performed through legitimate channels. From the service's side, all that is visible is a user logging in and verifying themselves with their MFA code.


Final Thoughts

This type of scam is prolific and a direct abuse of your trust.

Attackers don’t need to break in when they can trick you into opening the door. But it's on you to recognize these attempts and react accordingly.

Stay sharp. Question urgency. And as always:

Thank you for reading,
~Michaelion