They did previously mostly use phone contact as I understand it but using multiple numbers which appeared to originate from multiple origins. I don't know how they do this but apparently it can be done. More recently I think the contact was mostly via them posing as others via email and facebook messaging. In the more recent events I think there was also some contact was via his phone as he mentioned the need to change his number to prevent the same happening again. Screening incoming calls is a good idea if it can be done might be one of the ways of reducing the risk, but as the facebook attack shows they have multiple vectors via which they can approach an established target.