Threats Without Borders - Issue 293
Cybercrime Investigation Newsletter, week ending June 28, 2026
I was recently asked what is the best bang-for-the-buck policy the government could implement to curtail cybercrime.
Without hesitation, and so quickly it took me by surprise, I said: “Eliminate voice over IP phone calling.” I followed up, well, not eliminate, because legitimate businesses are too reliant on the technology, but we can certainly regulate the hell out of it!
Voice over IP telephony (VoIP) is a primary delivery mechanism for fraud. Banking scams. IRS impersonation. Grandparent scams. Tech support fraud. Romance scams that end in wire transfers. Many of these schemes begin with a phone call, and that call originates from a foreign criminal infrastructure that routes through American telecom networks with almost no friction.
And it’s not just the overt scam attempts; it’s the non-stop stress of dealing with the calls. Many older adults aren’t getting 5 calls per day; they’re getting 5 calls per hour… every hour.
We already regulate who can move money. We regulate who can sell securities, who can dispense drugs, and who can sell firearms. We have an entire army working in the name of anti-money laundering. Yet, we do not meaningfully regulate who can provision thousands of American phone numbers and point them at elderly citizens in Kansas.
When a fraud call reaches an American consumer, nobody in the telecom chain faces meaningful consequences. The upstream carrier made money, the reseller made money, and the number provisioner made money. But the victim lost money, and none of the commercial businesses that facilitated it are ever held accountable.
Let’s make upstream carriers jointly liable for the volume of fraud originating on their infrastructure when they cannot demonstrate they performed adequate due diligence on their customers. This is not a novel concept. It is how banking regulators treat financial institutions under the Bank Secrecy Act. The bank didn’t launder the money, but the bank faces consequences if it can’t show it tried to prevent it. Telecoms should work the same way.
A criminal call center in Southeast Asia can acquire thousands of U.S. area code numbers through layered resellers with essentially no identity verification that would survive scrutiny. This is a regulatory gap, not a technical limitation.
Mandate KYC standards for bulk number provisioning that mirror what we already require for financial accounts. If you want to provision more than the defined threshold, you verify who you are, where you operate, and what you’re using them for. If you’re a legitimate business, this is a minor compliance cost, but if you’re a fraud operation, this is a huge obstacle.
Well, we have STIR/SHAKEN, right? Most STIR/SHAKEN enforcement focuses on domestic origination, but most fraudulent calls don’t originate domestically. They come in through international gateways, where authentication requirements are weaker and oversight is thinner.
How about we treat inbound international VoIP traffic as its own regulatory category? Require carriers to label it as such at the point of delivery so consumers know that the call claiming to be from their local bank actually originated overseas. And impose strict accountability on the gateway carriers who accept that traffic. If you’re the bridge between a foreign VoIP network and the American phone system, you bear responsibility for what crosses that bridge.
The bad guys are operating in a space where the cost of access is minimal and the cost of getting caught is effectively zero. Let’s change the economics, shift the liability upstream, and require the telecom industry to know its customers the way every bank in America is required to know its account holders.
Cue the telecom meltdown in 3..2..1...
I’m not suggesting we require telecoms to solve this complex technical problem. VoIP providers just need to know who their customers are and take responsibility for the traffic on their network. Every other regulated industry in America does exactly that.
Criminal doorbells
One of the most common things I hear from small business owners is: "I'm not a target. I don't have anything worth stealing." Do you have an email account or website? I ask. That's enough. They'll use those resources to attack others who do have financial resources.
And as this new report from the Digital Citizens Alliance and risk3sixty shows, they'll be just as happy with access to your Internet connection as with access to your bank account. The report highlights how vulnerable IoT devices such as doorbells, security cameras, and other smart home technology can be hijacked to route criminal traffic and help attackers hide their true location.
Even if you don't have money to steal, turning your home Internet connection into a proxy server is a win for the bad guys.
The News
And now we have Sandwich Bots. Named after an infamous pedophile, no less. What the hell is a sandwich bot? The JaredfromSubway.eth sandwich-attack bot lost at least $7.5 million in a reverse honeypot exploit. The attacker tricked the bot into granting approvals for token spending and stole its assets. https://www.chainalysis.com/blog/sandwich-attack-jaredfromsubway-hack/
A task force comprising private technology companies and international law enforcement executed a major operation to dismantle the infrastructure of three “cybercrime as a service” malware operations, SocGholish, Amadey, and StealC, which are critical components of the cyberattack supply chain. The effort seized 326 servers and 142 domains, disrupting the highways criminals use to deploy ransomware, commit financial fraud, and compromise critical infrastructure. https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/
Google is implementing hand-gesture verification to ensure you’re not a bot. But testing shows it can be beaten by using stock images of hands. https://www.neowin.net/news/googles-new-hand-wave-recaptcha-can-be-bypassed-with-a-stock-photo/
A recent study shows that US adults now spend an average of $111 per month, totaling $1,332 annually, on services such as streaming platforms like YouTube, Netflix, Hulu, and Prime. The authors point out the problem of “subscription creep,” where Americans waste about $21 each month ($252 annually) on unused subscriptions, an increase from the previous year. Millennials spend the most, at $125 per month. https://www.cnet.com/tech/services-and-software/subscription-survey-2026/
The best thing I read this week…
“AI, this cutting-edge technology, actually makes the oldest skills more valuable than ever. Reading. Thinking. Knowing things. Empathy. Having taste. Understanding context. Detecting lies or nonsense.” - Ryan Holiday.
https://ryanholiday.net/39-or-so-lessons-on-the-way-to-39/
DFIR
SANS instructor Ovie Carroll agrees with me (Issue 290) that AI agents will provide cover for cybercriminals, or as he puts it, a defense of “Some Artificial Intelligence Did It”. https://ovie.coffee/f/ai-did-it-why-digital-investigative-analysts-must-not-outsource
Cool Jobs
Manager of Cybersecurity Operations, Dutch Bros Coffee. https://careers.dutchbros.com/us/en/job/DUTDBCUSREQ18645EXTERNALENUS/Manager-Cybersecurity-Operations
Director of Field Loss Prevention, Dick's Sporting Goods. https://dickssportinggoods.wd1.myworkdayjobs.com/DSG/job/Remote---US/Director-of-Field-Loss-Prevention_202609785
Senior Investigations Partner, QVC. https://qvc.wd5.myworkdayjobs.com/QRG/job/Pennsylvania-Remote/Senior-Investigations-Partner_R82560
Cool Tools
Carrier look-up service. https://www.freecarrierlookup.com/
Irrelevant
Clearly inspired by Lenderman, Darius Foroux emphasizes the importance of personal branding, particularly in the era of AI. https://dariusforoux.com/why-your-personal-brand-is-your-most-valuable-asset-in-the-ai-era/?
Sign Off
I’m never quite sure how to refer to Pennsylvania in general. It’s not exactly part of the Northeast, and it’s not really Mid-Atlantic, which is why it’s called the “Keystone State.” However you refer to it, one thing to agree on: it’s HOT here. And I know many of you are experiencing the same. Stay cool!
Happy 250th America! Let’s do it for 250 more.
See you all next week.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.
