AWS Contact Center

Deter spam callers using Amazon Connect

Contact centers often receive illegitimate phone calls where the caller is pretending to be someone else by using an existing customer’s phone number. While you might simply fail a check on a web site because you don’t have the right credentials, contact center agents are trained to be polite even when something seems amiss, so they can become a target for social engineering, especially when the contact center uses the automatic number identification (ANI) to identify the customer and look up customer data. Beyond the obvious pain this causes the real customer, it can also tie up agents, which can lead to increased wait times and potential loss of revenue.

This post describes a workflow to detect and deter such calls using Amazon Connect and other AWS services. The solution requires the caller to match a randomly generated three digit code to avoid automated spam calls.

Solution overview

The sequence consists of the following steps:

  1. Caller calls for customer service.
  2. Call is sent to an Amazon Connect IVR by the carrier Public Switch Telecom Network (PSTN).
  3. Amazon Connect IVR invokes an AWS Lambda function, the Lambda function returns a 4 digit random number.
  4. Amazon Connect plays back the random number to the caller and requests them to enter this number on their phone keypad.
  5. If number entry is successful, Amazon Connect workflow can continue with steps specific to your business, if number entry is not successful, the call is politely disconnected.

The flow is shown in the following diagram.

Deploying the Solution

Most of this sample configuration can be deployed into your account using AWS CloudFormation using a template. The CloudFormation template will create a new stack consisting of an AWS Identity and Access Management (IAM) role, IAM Policy, a sample contact flow and a Lambda Function. The remaining configuration is done in Amazon Connect and the Amazon Connect Console.

The high-level steps to configure are:

  1. Download the resource pack for this solution
  2. Deploy the CloudFormation template
  3. Assign a phone number to the sample contact flow
  4. Place phone call and validate


For this walk-through, you should have the following prerequisites:

  1. An AWS account
  2. An Amazon Connect instance
  3. Basic understanding of AWS CloudFormation, Amazon Connect, and AWS Lambda

Step-by-step Instructions

These instructions assume a general working knowledge of Amazon Connect and AWS CloudFormation. For details on how to perform basic administration tasks with either, please refer to:

  1. Amazon Connect Administration Guide
  2. AWS CloudFormation User Guide

Deploy the CloudFormation Template

  1. Login to the AWS Management Console and open the AWS CloudFormation Console
  2. Choose the Create Stack drop-down option to create a stack and pick With new resources (standard) – make sure that you have the console open to the same region as your Amazon Connect instance. See Choosing a Region in the Getting Started Guide
  3. Obtain the ARN for your Amazon Connect instance which will be used as an input to the CloudFormation template
  4. Under ‘Prerequisite- prepare template‘ Select Template is ready
  5. Under ‘Specify template‘ select Amazon S3 URL and enter this URL and click Next
  6. Enter a name for the template, and provide the ARN of your Amazon Connect instance (collected from Step 3) in the Parameters field. Click ‘Next’, select the defaults in the ‘Configure Stack Options’, click ‘Next’, review all the options and check the acknowledgement and click ‘Create Stack’
  7. Review the configuration. At the bottom of the page, select the checkbox to acknowledge that IAM resources may be created
  8. Choose Create stack. This will launch the CloudFormation template and create the resources needed. Creation should only take a couple minutes.
  9. Once the stack is created, the status will change to CREATE_COMPLETE

Assign a phone number to the Sample Contact Flow

  1. Log in to your contact center using your access URL
  2. Acquire a new phone number
  3. The CloudFormation template creates a sample contact flow named ‘<Template Name>-FLOWDETERSPAMS’ where ‘TemplateName’ is the name of the CloudFormation template provided earlier
  4. Assign the phone number acquired in Step 2 to this contact flow
  5. Note the phone number – you will use the phone number to validate the functionality

Validate the Solution

  1. Non Spam call: Dial the phone number that you configured in Amazon Connect
    1. IVR Playback: Thank you for calling, please use your phone keypad to enter 7665 to continue
    2. Customer enters ‘7665’
    3. IVR Playback: Thank you. In real world, this call would proceed as normal. Thank you for calling, goodbye.
  2. Spam Call: Dial the phone number that you configured in Amazon Connect
    1. IVR Playback: Please enter 7634
    2. Customer enters ‘2323’
    3. IVR Playback: Thank you your entry did not match. In real world, this would be treated as a spam call. Thank you for calling, goodbye.

Adapt to Your Use Case

This configuration can easily be adapted to your use cases. The contact flow can be used as the authentication flow in a larger business specific workflow.

Cleaning up

To avoid incurring future charges, disconnect the contact flow from the phone number that you used and delete the CloudFormation template. If you claimed a new phone number, you should also release it. Deleting the CloudFormation template deletes the Lambda function, the IAM resources and the sample contact flow used in this sample.


The blog post demonstrates a way to thwart spam callers. Additional reporting can be added to demonstrate the number of calls identified as spam and disconnected – which could be built in future blog posts.