Phone spamEstafas

Ping calls and flash calls: when a number rings you and hangs up to slip you a code

Flash calls and ping calls hang up instantly, but they're not after you calling back: they abuse your number to verify codes or generate traffic.

N
By Equipo NoCall
NoCall Editorial
31 May 20269 min read
Ping calls and flash calls: when a number rings you and hangs up to slip you a code
#flash calls#llamadas ping#OTP#verificación#fraude telefónico#seguridad

You get a call from an odd number. It rings once, sometimes not even that, and hangs up before you manage to answer. No message, no voice, nothing at all. If you think it's like wangiri, not quite: many of these calls don't want you to call anything back. They want your number, a code, or simply to generate traffic. Here's how they work.

This mechanism is known as a flash call or a ping call. And although on the outside it looks like any old missed call, on the inside it follows a very different logic from the one you already know from other phone scams.

What is a flash call and why does it hang up on its own?

A flash call is a call designed not to be answered. It starts, rings for a second or two and cuts off automatically. Whoever launches it doesn't want to talk to you. In fact, they don't even want you to pick up.

The key is the number that shows up on your screen. In the legitimate use of this technology, that number (or its last few digits) is itself the verification code. Instead of sending you an SMS with a six-digit OTP, an app asks you to confirm "the last four digits of the number that just called you". The system cross-checks the data and verifies that the phone is yours. All in seconds, without you having to copy anything.

So far, nothing shady: many large platforms use flash calls as a cheap alternative to SMS for verifying accounts. The problem is when that very same mechanism is used without your consent, against you, or at a third party's expense.

How is this different from wangiri?

This is the most common point of confusion, and it's worth clearing up because the defence is different.

Wangiri (we cover it in depth in our guide to calls that hang up instantly) is after getting you curious so you call back. The number is usually international or premium-rate, and the scammer's business lies in you dialling back so that the return call costs you money. You're the one who pays. The bait is your curiosity.

The flash call and the ping call work the other way round:

WangiriFlash call / ping
What it wants you to doCall backDo NOTHING (or read the number)
Who paysYou, by ringing back a pricey numberWhoever originates the call, or a client billed for "verifications"
Where the money isIn your return callIn the traffic generated, or in slipping through/abusing codes
The number on screenIt's the lure to make you dialSometimes it IS the code itself
If you ignore itIt costs you nothing (the defence is not to call back)It costs you nothing, but your number may be in use without your permission

In short: if the golden rule of wangiri is "don't call back", with flash calls and pings the rule is "you don't need to do anything, but understand what's being cooked up with your number".

What is this mechanism used for abusively?

Here's the interesting part. The same technology serves several purposes, and not all of them involve scamming you directly. Often you're a cog, not the final victim.

1. Verifying accounts without your permission. If someone has your number and tries to create or validate an account on a service that verifies by flash call, your phone gets the flash call. You haven't asked for anything. It's the equivalent, in call form, of receiving an SMS with a code you didn't request: a sign that someone is using your number to register or authenticate somewhere.

2. Traffic fraud (verification pumping). Companies that verify users pay for every verification call or SMS sent. There's a type of fraud, known as artificial inflation of traffic, in which waves of fake "verifications" are generated towards real numbers so that the company paying for that service ends up footing a huge bill for inflated traffic. You receive pointless pings because your number has been used as a destination to inflate someone else's bill.

3. Checking that a number is active. A call that rings and hangs up confirms there's a working line and a person who reacts behind it. For someone building target lists, a number that "answers" is worth more than a dead one. Then come smishing, vishing or aggressive sales calls.

4. A precursor to other scams. Once it's confirmed that your number is live and yours, it can enter more dangerous circuits. The most serious is SIM duplication or SIM swapping, where the attacker needs to have your number well pinned down before attempting to take over your line and intercept your real codes.

What if the ping is trying to get me to dictate a code?

There's a mixed, more manipulative variant worth knowing about, because it combines the flash call with classic social engineering.

It works like this: the attacker is already trying to get into one of your accounts (email, messaging, banking) and triggers the sending of a real verification code to your phone. Right afterwards, they call you posing as technical support, your bank, or the platform itself. In a hurry and with a believable tone, they ask you to "confirm the code you just received to validate your identity".

That code validates nothing for them: it's the key to your account, and by dictating it you're opening the door for them. It's the same script as vishing impersonating your bank, wrapped in the urgency of a code that has just arrived.

The rule here is categorical: a verification code is a secret that only you enter, in the official app or website. No legitimate party will ever ask you for it over the phone. Never. Not your bank, not the tax authority, not a platform, not a "technician".

How do I recognise a flash call or a ping call?

It's not always easy, because by design they leave little trace. But there are recurring patterns:

  • Minimal duration. It rings for one or two tones, sometimes not even showing up as a full missed call.
  • Unknown number, often long, international, or with an odd sequence of digits.
  • Repetition in waves. It's not a one-off call: you get several in a row or at intervals.
  • It coincides with something. Right afterwards you try to log into an account, or you receive a code by SMS you didn't request, or you get a "support" call.
  • No message, no reason. Nobody leaves a message, nobody calls back to talk.

If you recognise the pattern, the most important thing is what you shouldn't do: don't call back, don't read out any digit to anyone, don't enter codes wherever a stranger tells you to.

What do I do if I get these calls?

Here's an action guide ordered by priority, according to what you're experiencing:

SituationWhat to do
I only get isolated pings, nothing elseIgnore them and block the number. Don't call back.
I get pings + an SMS with a code I didn't requestSomeone is trying to use your number. Don't give the code to anyone. Check the account of the service involved and change its password.
I'm called "from support/the bank" asking me for a codeHang up. It's fraud. Verify by calling the known official channel yourself.
I get constant waves from several numbersBlock, enable filters on your phone and from your carrier, and consider reporting it.
I suddenly lose coverage and stop receiving SMSPossible SIM swapping alert. Contact your carrier and your bank right now.

About blocking: your own phone already comes with tools. You've got the detailed steps in our guides to how to block spam calls on iPhone and blocking on Android by manufacturer. For a general overview of filters and lists, head over to the guides centre.

And an important note about codes: if at any point you did dictate one or share data, don't just sit there. Follow the post-incident action plan to protect your accounts and regain control and alert the affected services as soon as possible.

Why is it so hard to stop?

For the same reason that caller ID spoofing is hard: the phone system trusts the presented number by default, and there's no simple way to tell from your mobile whether a one-second call is a legitimate verification or an abuse.

What's more, much of this traffic is automated and low-cost. Whoever launches it doesn't need to talk to you or convince you of anything: it's enough for your number to exist and react. That makes it cheap to produce and profitable at scale, just as happens with fraudulent call centres from the inside.

The good news is that a flash call, on its own, doesn't steal your money or empty your account. The real danger appears when it's combined with social engineering (getting you to dictate a code) or with the theft of your line. If you break those two links (don't dictate codes to anyone, watch for signs of SIM swapping), the ping stays a nuisance, not a fraud.

The golden rule, in three sentences

So it sticks with you:

  1. A call that hangs up on its own demands no response. Don't call back (that's the wangiri trick) and don't read out digits to anyone.
  2. A verification code is never shared over the phone. Only you enter it, in the official app or website. Whoever asks you for it is scamming you.
  3. If your number receives verifications you didn't request, someone is using it. Check your accounts and strengthen passwords and your second factor.

Every number that behaves this way leaves a trail, and the more people who identify it, the sooner the pattern is detected. At NoCall we collect and analyse these behaviours from the community's reports; you can check our methodology and see which numbers, prefixes and carriers accumulate the most warnings in the spam number directory, the most reported prefixes and the current trends.

If you've received one of these flash calls, report it. You help the next person who gets it already know what it's about.

Received a suspicious call?

Look up the number in NoCall before sharing data, calling back, or clicking any link.

Search a phone number or a company name (ESB, Vodafone and Three...) to check if it has been reported as spam.