AWS Contact Center

Deter spam callers using Amazon Connect

Contact centers often receive illegitimate phone calls where the caller is pretending to be someone else by using an existing customer’s phone number.  While you might simply fail a check on a web site because you don’t have the right credentials, contact center agents are trained to be polite even when something seems amiss, so they can become a target for social engineering, especially when the contact center uses the automatic number identification (ANI) to identify the customer and look up customer data.  Beyond the obvious pain this causes the real customer, it can also tie up agents, which can lead to increased wait times and potential loss of revenue.

This post describes a workflow to detect and deter such calls using Amazon Connect and other AWS services. To filter out automated spam calls, the solution requires the caller to enter a randomly generated three-digit code that is played back to them.

Solution overview

The sequence consists of the following steps:

  1. Caller calls for customer service
  2. Call is sent to an Amazon Connect IVR by the carrier over the public switched telephone network (PSTN)
  3. Amazon Connect IVR invokes a Lambda function (Function #1), and passes the customer's phone number (ANI) as input.
    1. The Lambda function queries a DynamoDB table with that ANI and retrieves the customer’s name, if it exists.
    2. The Lambda function also returns a 3 digit random number.
  4. Amazon Connect plays back the random number to the caller and requests them to enter this number on their phone keypad.
  5. If number entry is successful, Amazon Connect greets the caller by their name (if it was returned) and the workflow can continue or transfer to an agent. If number entry is not successful, the call is politely disconnected.
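
As an added illustration of step 3 (this is not the code shipped in the resource pack), a Python handler for Function #1 could look like the following. The table name and the `KnownCaller` and `Challenge` response keys are assumptions; `phone-number` and `FirstName` are the attribute names used in the validation section.

```python
import re
import secrets

TABLE_NAME = "CustomerTable"   # assumption: placeholder, use the table your stack created
KEY_ATTR = "phone-number"      # attribute names as used in the validation section
NAME_ATTR = "FirstName"
E164 = re.compile(r"\+[1-9]\d{1,14}")

# Constructed sample of an Amazon Connect invocation event, trimmed to the fields used.
SAMPLE_EVENT = {"Details": {"ContactData": {"CustomerEndpoint": {
    "Address": "+14085550100", "Type": "TELEPHONE_NUMBER"}}, "Parameters": {}}}


def extract_ani(event):
    """Return the caller's number in E.164 form, or None if withheld or malformed."""
    endpoint = event.get("Details", {}).get("ContactData", {}).get("CustomerEndpoint") or {}
    ani = endpoint.get("Address") or ""
    return ani if E164.fullmatch(ani) else None


def new_challenge():
    """Three-digit code from the OS CSPRNG; 100-999 so it is never read out as a shorter number."""
    return str(100 + secrets.randbelow(900))


def build_response(event, lookup):
    """lookup(ani) -> first name or None. Returns a flat map of strings for the contact flow."""
    ani = extract_ani(event)
    first_name = lookup(ani) if ani else None   # never query with an unvalidated ANI
    return {
        "FirstName": first_name or "",
        "KnownCaller": "true" if first_name else "false",
        "Challenge": new_challenge(),            # generated for every call, known or not
    }


def dynamodb_lookup(ani):
    import boto3  # imported lazily so the logic above can be exercised without AWS access
    table = boto3.resource("dynamodb").Table(TABLE_NAME)
    item = table.get_item(Key={KEY_ATTR: ani}).get("Item")
    return item.get(NAME_ATTR) if item else None


def lambda_handler(event, context):
    return build_response(event, dynamodb_lookup)
```

The contact flow reads the returned keys as external attributes: it plays `Challenge`, compares it with the caller's keypad input, and uses `FirstName` in the greeting only when it is non-empty.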

The flow is shown in the diagram below.


Deploying the Solution

Most of this sample configuration can be deployed into your account using an AWS CloudFormation template. The CloudFormation template will create a new stack consisting of an AWS Identity and Access Management (IAM) role, an IAM policy, a DynamoDB table, and a Lambda function. The remaining configuration is done in Amazon Connect and the Amazon Connect console.

The high-level steps to configure are:

  1. Download the resource pack for this solution
  2. Deploy the CloudFormation template
  3. Provide Amazon Connect access to the newly created Lambda functions
  4. Import & modify Amazon Connect contact flows
  5. Configure a phone number
  6. Validate


For this walk-through, you should have the following prerequisites:

  1. An AWS account
  2. An Amazon Connect instance
  3. Basic understanding of AWS CloudFormation, Amazon Connect, Amazon DynamoDB, and AWS Lambda

Step-by-step Instructions

These instructions assume a general working knowledge of Amazon Connect and AWS CloudFormation. For details on how to perform basic administration tasks with either, please refer to:

  1. Amazon Connect Administration Guide
  2. AWS CloudFormation User Guide


Deploy the CloudFormation Template

  1. Download the resource pack
  2. Unzip the file to your local machine. This will create a Resources folder, which contains:
    1. CloudFormation template
    2. Amazon Connect contact flow
  3. Log in to the AWS Console and open the AWS CloudFormation Console
  4. Make sure that you have the console open to the same region as your Amazon Connect instance. See Choosing a Region in the Getting Started Guide
  5. In the CloudFormation console, choose Create stack -> With New Resources
  6. On the Create stack screen, leave the Prerequisite set to Template is ready
  7. In the Specify template section, select Upload a template file, then select the Choose file button
  8. Enter a name for the template, click ‘Next’, select the defaults in the ‘Configure Stack Options’, click ‘Next’, review all the options and check the acknowledgement and click ‘Create Stack’
  9. Navigate to the Resources folder that you created in step 2, open the CloudFormation folder inside, and select Cloud Formation Template – Deter Spam Callers.json
  10. Once the template loads, choose Next
  11. Provide a name for the stack, choose Next
  12. Apply any Tags as desired. Leave the rest of the options to their defaults and choose Next.
  13. Review the configuration. At the bottom of the page, select the checkbox to acknowledge that IAM resources may be created.
  14. Choose Create stack. This will launch the CloudFormation template and create the resources needed. Creation should only take a couple minutes.
  15. Once the stack is created, the status will change to CREATE_COMPLETE


Give Amazon Connect Access to the New Lambda Functions

  1. Log in to the AWS Console
  2. Open the Amazon Connect console
  3. Choose the name of the instance from the Instance Alias column.
  4. In the navigation pane, choose Contact flows.
  5. For AWS Lambda, select RetrieveFirstNameFromANI from Function and choose Add Lambda Function. Confirm that the ARN of the function is added under Lambda Functions.

Import the Amazon Connect Contact Flow

  1. Log in to your contact center using your access URL.
  2. In the navigation pane, choose Routing, Contact flows.
  3. Choose Create contact flow. This opens the contact flow designer and creates an inbound contact flow (Type = Contact flow).
  4. Select the down arrow next to the grayed out Save button and choose Import flow (beta)
  5. Choose Select
  6. Navigate to the resources folder and select the “Amazon Connect Contact Flow – Deter Spam Calls” file in the ContactFlows folder, then choose Open
  7. Choose Import
  8. Once the flow imports, edit the third object in the flow, ‘Invoke AWS Lambda function’ by double-clicking the title
  9. Drop down the combo box for ‘Select a function’ and select the Lambda function that was added by the CloudFormation Template
  10. Click on the ‘Set working queue’ and in the properties, update the queue to an existing queue.
  11. Hit ‘Save’ and exit the object.
  12. Publish the contact flow
  13. In the navigation pane, choose Routing, Phone Numbers.
  14. Choose an existing phone number or claim a new one. Refer to the Claim a Phone Number section of the Administrator Guide for more information
  15. For the Contact flow / IVR value, choose the newly imported contact flow.
  16. Note the phone number and select Save.


Validate the Solution

  1. Wait roughly two minutes for the contact flow to publish and the phone number to reassign to the new flow.
  2. Update the DynamoDB table with your phone number in the E.164 format and your first name – for example, phone-number = +14085550100, FirstName = John
  3. Dial the phone number that you configured in Amazon Connect from the phone number +14085551212
    1. IVR Playback: Hello, John. Please enter 565
    2. Customer enters ‘565’
    3. IVR Playback: Please hold for the next available agent.
  4. Change the phone number in DynamoDB to be phone-number = +14085551213 and place a call again.
    1. IVR Playback: Please enter 785
    2. Customer enters ‘785’
    3. IVR Playback: Please hold for the next available agent.
  5. Call from an unknown ANI (for example, +14085551213)
    1. IVR Playback: Please enter 757
    2. Customer enters ‘400’
  6. Call is disconnected


Adapt to Your Use Case

This configuration can easily be adapted to your use cases. The contact flow can be used as the authentication flow in a larger business-specific workflow. The DynamoDB table, or any database table with customer phone numbers, can be used as a source of truth for authentication.

Cleaning up

To avoid incurring future charges, disconnect the contact flow from the phone number that you used. If you claimed a new phone number, you should also release it. The remaining resources can be deleted by deleting the CloudFormation stack, which will remove the Lambda functions, DynamoDB table, and the IAM resources used in this sample.


This blog post demonstrates a way to thwart spam callers. Additional reporting can be added to show the number of calls identified as spam and disconnected, which could be built in future blog posts.