AWS Contact Center

How to protect against spam calls for click-to-dial

Amazon Connect customers can configure click-to-dial functionality on their website using the StartOutboundVoiceContact API. This enables agents to reach out to callers located in a much wider global area, without requiring Amazon Connect customers to provision numbers in several regions. This provides a frictionless experience where customers provide a phone number and Amazon Connect initiates an outbound call, connecting the caller to an agent.

If you are building a voice application to utilize the click-to-dial functionality, you could be a target of toll fraud. On occasion, bad actors take advantage of click to dial functionality to initiate multiple callbacks, in order to game the system for personal gain, or to create a denial of service attack. This is disruptive to contact center operations due to the agent time spent handling these calls, taking them away from serving your callers. Additionally, the telephony charges for these spam calls can be burdensome.

This blog post provides measures you can take with Amazon Connect to protect against spam callers, while providing your valid customers a desirable click-to-dial experience. Key Topics:

  • Spam callers – what’s the draw?
  • Recommended criteria to offer click-to-dial
  • Best practices for setting up click-to-dial

Spam callers – what’s the draw?

International revenue sharing fraud (IRSF), domestic toll fraud, and traffic pumping are types of toll fraud where spammers generate a high volume of calls to international numbers or numbers that have high charges. Also, reputable service providers can end up getting billed high access charges by intermediary carriers that facilitate or allow the spammers to generate high call volumes to phone numbers owned by the intermediary carriers.

A common way for bad actors to exploit high-cost traffic pumping is to acquire phone numbers from a local exchange company and use various methods to generate high volumes of calls. As these phone numbers are high cost, the carrier supporting the initial call has to pay high rates to the end carrier, the end carrier then shares the profit with the spammer. Another method is to attempt running scripts against click-to-dial functionality on your website to request calls to international or higher cost rural domestic destinations. When these requests are fulfilled, agents are connected to a bot or recorded message, generating revenue for the spammer.

Recommended criteria for click-to-dial

Protecting against spam and fraud attempts starts with the planning of your website and is outside the scope of this blogpost. One key recommendation is offering click-to-dial only for authenticated users. If you choose to extend the click-to-dial functionality to all your website visitors, you should consider deflecting the callback requests to a chat channel instead for unauthenticated users.

Best practices for setting up click-to-dial

Restrict countries for outbound calling
Customers should limit the outbound countries that their agents or Amazon Connect can call to only the ones required to do business. By default, Amazon Connect restricts the countries that can be called based on the region. Additionally, certain prefixes are not allowed by default. Customers should be cognizant of the potential for toll fraud if you need to expand the list of countries that are allowed for outbound calling and review the Amazon Connect pricing page for outbound calling to any countries they are considering allowing.

Build and use a deny list
Customers should keep track of the IP addresses and click-to-dial requests along with the phone numbers the callbacks are being requested to. Customers can use Amazon DynamoDB or their preferred database to store and continually update this information as click-to-dial requests are received. Customers should then either mark which of these requests were spammer requests or build a separate list of spam call requests. The deny list should include the countries or specific prefixes that are experiencing spam calls. Customers should then check against the deny list before placing outbound calls. Additionally, customers should keep a count of these requests by IP address and phone number as some spammers try to hop between different IP addresses and phone numbers, but will reuse both in different combinations repeatedly as they are trying to earn money via toll-fraud to a specific carrier or carriers. There is a sample rate limiter project available on the Amazon Connect Snippets github repo.

Limit the number of click-to-dial requests
Only allow one outstanding callback request per phone number. This can be managed by keeping callback requests in a database similar to above and only submitting the callback requests if there is not currently a callback request in the queue. Once the callback is made, clear the number from the database. This helps with scenarios where a spammer is attempting to run scripts against your environment to flood it with callback requests. See Preventing duplicate callback requests in Amazon Connect for a sample solution.

Prevent click-to-dial requests based on risk
If a customer is connecting to your website from anonymous IP addresses including VPN, Tor nodes, proxies, or data centers you should hide the callback request option and prevent them from submitting callback requests. AWS Web Application Firewall offers managed rules protecting against these types of requests. WAF also provides the ability to allow traffic requests from IP addresses only in specific countries.  Also, if spammers are flooding your system with invalid phone numbers, using VoIP phone numbers, or numbers from providers that aren’t more typical in the countries you’re calling back you can prevent those callbacks. Amazon Pinpoint provides a phone number validation API that enables you to detect whether the number is valid, and what kind of provider the number is on like mobile or VOIP. It also provides information on what country the number is from, which can also help you make decisions on how to handle callback requests. Finally, If the country of origin for the IP address is different than the destination phone number, you may want to redirect those requests to either call in or use chat.

Require users to authenticate and have valid accounts to request callbacks
If you have user accounts for your services, only allow callback requests for authenticated users.

Offer a different channel instead of voice
In cases where spam is suspected based on all the information above, steer the requester to another channel, block the request. Additionally, it is important that you act like the request was successful but give no hint that you have confirmed the request to be spam. This will ensure that the spammer is not tipped off on your mitigation efforts and surveillance, which could spur the spammer to find alternate access points or methods of attack.

Monitor and iterate
Customers should set up alerts and monitoring for multiple click-to-dial requests. Ongoing reviews of emerging click-to-dial patterns would catch potential spam calls before they become an issue. Learnings from these reviews should then be incorporated into deny lists in an iterative manner.

Getting Help

Should you have any questions or need guidance on any of the topics covered here, we are here to help. You can reach us via the AWS Support Center. For AWS customers with Enterprise Support, engage your Technical Account Manager (TAM) to help with any support-related items and to help escalate any urgent issues.


Although no solution is perfect, customers can implement the measures above to dramatically reduce fraudulent attempts against their click-to-dial solutions. Taking this defense-in-depth approach enables you to provide great service to your customers, guard against unwarranted charges, while keeping spam click-to-call requests out of Amazon Connect.