It looks like an invoice, but it is not an invoice. It looks like the scam occurs when the invoice is sent, but the scam hinges upon the victim calling the real US phone number on the fake invoice. This US phone number is then forwarded to a scam center in a foreign country, where the scammer will pretend to represent a legitimate business like HP or Citibank. These are the scams that the US comms industry does not want the public to know about, because they reveal the extent to which know-your-customer (KYC) controls have been neutralized by the corrupt businesses which provide American phone numbers to criminals. For all the talk of raising consumer awareness, the US comms sector wants the public to remain unaware of the reasons criminals keep obtaining control of the phone numbers they supply. Thankfully, deep research by the Demurrage scamhunter collective, in collaboration with the AVAHS victim advocacy group, has revealed how these crimes depend on the intransigence of US comms providers including RingCentral and Bandwidth.
The story begins with a reminder that the American comms industry and its regulators keep wanting to misdirect the public’s gaze away from the most severe flaws in their anti-scam policies by continuing to concentrate on robocalls despite the need to tackle the inadequate KYC that enables callback frauds.
…it should be noted that this report, along with the previous two reports, does not involve robocalls. While Demurrage understands that robocalls are a problem heavily focused on by governing bodies such as the FCC and FTC, the cases presented involve the use of DIDs (VoIP numbers) such as toll-free and non-toll-free numbers, as well as prepaid SIM residential numbers, being used to commit tech support fraud.
In this type of fraud, scammers set up campaigns with the goal of making the consumer call them. While scammers may call victims back, they do so manually rather than using bots or machines to initiate automated robocalls.
Robocall laws and tactics used to combat them have no effect on tech support fraud…
The story continues with a series of invoices made to look like they come from well-known businesses like HP and Canon for services like printer IT support or network firewall management.
The following series of scam invoices used by this call center were sent to Demurrage by anonymous sources along with victim advocate groups, such as AVAHS. All of the numbers that appear within these invoices traced back to RingCentral.
RingCentral is an American cloud communications provider. During February 2026, the AVAHS victim advocacy group spoke with numerous victims and found the stories pointed to a scam call center enabled by RingCentral’s negligence.
AVAHS concluded that they had spoken to 157 victims from the beginning of February to the 18th and that 75% were victims of these printer support scammers, or possibly even higher…
AVAHS also concluded that this same call center was running insurance-type scams but had moved to printer support scams…
More concerning still, AVAHS shared the scammers’ intake data on these scams, which they received anonymously, and the results were very concerning. Once again, RingCentral has done little to nothing about the numbers and traffic that were reported to them.
RingCentral is a wholesale customer of Bandwidth. Demurrage reported phone numbers to Bandwidth that had been used by scammers which had been obtained through RingCentral. The response from Bandwidth clarified that they do not have a relationship with the end-user that originated the call, so they forwarded the complaint to their customer, RingCentral. Bandwidth suggested it was ‘typical’ for their wholesale customers to respond to such complaints within 48 hours.
The last half of that response is key and is where the problems begin with Bandwidth, as it is not uncommon for many wholesalers to ignore the 48-hour period that Bandwidth supposedly claims is the allotted time for their customers to respond.
The US comms industry has a code of silence which precludes any serious examination of which businesses are failing to protect the public from scams. Wholesale providers like Bandwidth have little incentive to police the failings of a significant customer like RingCentral. In turn, RingCentral has little incentive to police the crooked number resellers who are the go-betweens that obtain phone numbers on behalf of criminals.
Though many telecoms claim to have “robust KYC policies,” scammers have already defeated these checks through the use of intermediaries referred to as “marks” by the Demurrage team…
Demurrage defines a “mark” as a complicit wholesaler who exploits telecom reseller programs by selling pre-verified VoIP accounts directly to scammers operating out of illegal call centers in India and elsewhere.
As is the norm for so much telecoms fraud, these crooked businesses find their clients through social media.
These wholesalers typically operate through Facebook, Telegram, and WhatsApp groups, charging a premium because the buyer is not required to submit any personal information for KYC verification.
The key to the US industry’s failure is that they apply insufficient effort to rooting out these crooks. It costs money to employ diligent staff who reduce fraud, and reducing fraud also means reducing revenues. Although Bandwidth referred to 48 hours being the ‘typical’ time required to deal with a scam complaint, Demurrage’s experience was quite different.
…it took five days for RingCentral to respond.
That is five more days of victims being scammed while a business drags its feet. But the eventual response just showed how readily RingCentral and Bandwidth dismiss their responsibility to the public.
Demurrage then proceeded to call the number back, and the scammer once again answered the phone, claiming to be “support” and did so for days afterward, effectively proving that RingCentral took no action whatsoever. More telling still, this also proves that Bandwidth does not actually read the responses that their wholesalers send to them, as Bandwidth marked this case as “solved” and closed the ticket, despite RingCentral taking no action and not notifying Bandwidth of any actions that may have been taken.
The specific number in this incident was eventually removed from service, 12 days after it was reported. Why would it take 12 days to withdraw a phone number that forwards to a scam call center in a foreign country that is pretending to be a legitimate business? And which includes the phone number on scam invoices? You already know the reasons why. The only people who claim not to know are the US comms providers involved, and the regulators that are covering up their inadequacy. Furthermore, once it has been demonstrated that a reseller is enabling crime, you might think that the supply of numbers through that reseller would come to an end. The repeated nature of Demurrage’s investigations into callback frauds involving US phone numbers shows how little effort is going into prohibiting business with the ‘marks’.
The US comms industry maintains a code of silence but it is worth mentioning that Demurrage does not consider all comms providers to be equally bad. Their new report heaps praise on Lumen, treating them as an example for others to follow.
Where Bandwidth fails to step in and take direct action against the “marks” and wholesalers on its network, Lumen takes a different approach and has consistently proven to be the most effective telecom regarding eliminating fraud from its network when cases are submitted.
In fact, Lumen’s track record has been so consistent that Demurrage has only ever encountered two cases where Lumen did not adequately respond in the six years that Demurrage has been active as a unit.
Excuses will be made for the US industry’s KYC failures. Based on Demurrage’s experience, I expect it will not be long before US comms providers are blaming AI for their inadequacies.
Some telecoms require video confirmation, but “marks” have also defeated this by supplying that evidence themselves through the use of AI-generated videos or by paying complicit individuals to submit evidence for the scammers. “Marks” create the accounts, allow them to age for a few weeks, and then sell them to scammers for use in tech support fraud.
The US comms industry is currently preoccupied with demands for international cooperation to tackle fraud. This ignores a key reason for their incompetence: the lack of cooperation between US companies and their regulators. Crooked resellers would soon become evident if data about US numbers involved in callback scams was effectively pooled. A simple comparison would reveal which businesses are involved in the supply of these numbers, and which businesses are delaying their removal from service. The detailed narrative supplied by Demurrage shows how some US comms providers prefer to be credulous about the minimal information shared by their business partners instead of working with regulators to raise industry standards for the collective good.
The new report from Demurrage, entitled “RingCentral: A Third Review of Recurrent Negligence and Broader Challenges in the VoIP Sector” is another masterpiece of investigation supported by thorough documentation. You can read the report below, or click here to download it.



