The future of phone scams: bots that sound like your loved ones

Every fifth unknown call in the US is spam. Despite a meager success rate, millions fall victim to fraudsters due to the sheer volume of attempts. Now, scammers have a dangerous new innovation that will make them even more productive and convincing.

If you want to protect yourself against scammers, it’s important to understand how they operate. Check Cybernews’ guide on how to set up your phone’s defenses against scam calls.

Jonathan Nelson is a Director of Product Management and Data at Hiya, the company behind the anti-spam solution protecting more than 400 million users worldwide.

Having worked for almost ten years in the scam-fighting industry, Nelson has seen how voice scammers evolved into well-organized, established companies with large call centers and clear KPIs.

Phone spam has been a growing problem despite strides to contain it. In the third quarter, Hiya alone registered 6.55 billion spam calls worldwide. In the US, 22% of unidentified calls were suspected spam calls.

It’s worse elsewhere. The global average for spam calls is 24.3%, and some countries, such as Chile, Indonesia, or Argentina, have rates higher than 50%.

Brazilians receive an average of 26 spam calls per month, most of them being banking scams. For Americans, the spam call number is 11 per month.

“Scamming is pretty big business. There are literally billions of dollars in it. So, a lot of the scamming activity that goes on now is organized like a business. They are, generally, established companies. They have call center offices, maybe not fancy ones, but they still have employees. And what we’ll often find is the same call center might be running some sort of tax scam one week, and do customer support for a legitimate company the next week. For the agents, it’s just a different script,” Nelson explained in an interview with Cybernews.


Scammer KPIs

Call centers for criminal scams usually reside outside the US. Sometimes, the same infrastructure is used for both legal and illegal calls. Their agents have certain quotas they have to meet to get their paychecks.

“The main thing really that guides all of this is just profit. These businesses have bottom lines. They have key performance indicators that they're trying to meet,” Nelson explained.

He personally saw only two paths along which this industry evolved: scammers either found new ways to increase revenues and profit, or reduced operating costs.

“They can increase their profit if they get more takers, more victims, more people fall for it,” Nelson said.

And criminals are keen to experiment with their narratives, targeting, and scripts. Scammers often react to big news and seasonal events to improve their lure. And even the tones they use when speaking undergo A/B testing.

How do researchers know about this? They run “honeypots,” which are basically collections of phone numbers that serve no purpose other than to wait until someone calls, either by mistake or in an attempt to scam.

“We're able to capture the audio of that experience. I've heard the exact same prerecorded call, but one version has silence in the background, and the other version has the sound of a call center in the background. But the talk track was precisely identical,” Nelson said.


The other big shift now is towards efficiency. People are very expensive when compared to robocalls, as one operator can scam only one victim at a time. So, criminals began to innovate.

“They use what's known as sort of interactive voice response (IVR) systems, which you may recognize from calls to customer support, and you know you're talking to a robot,” Nelson explains. “But they started building versions of those with a large range of pre-recorded messages so that they could try and pass it off as a human. It would actually say something like, ‘How are you doing today?’ And then, based on how you responded, it might go down one or different paths.”

Money flows are ensured in a few different ways. The most direct one is to convince victims to make a transfer or give remote control of their devices and lure them into sharing their bank account information. Some “sloppy” fraudsters try to persuade victims into buying gift cards as a way “to settle a debt.”

Another profitable activity, which may be legal or illegal, is “lead generation,” which helps interested parties find potential customers or victims.

“Illegal lead generation is where they just simply cold call out of the blue. Often, they will make false claims, say you've won a trip, and collect your information. And then they'll make money by selling your information to travel agencies or vacation packages.”

“Churn and burn”

Nelson shared how scammers adapt to security innovations in detecting and blocking their calls.

Using voice-over-IP (VoIP) technology, scammers spoof domestic phone numbers.

“The trouble is that there is a tremendous amount of flexibility in the telephony industry. With VoIP, it’s very simple to create these calls. It’s very simple to get phone numbers. And you’re not just getting one phone number and using that. These days, they’re used to what we call ‘churn and burn.’ They take a number, they just churn through phone calls really fast until they got caught, and then they just burn the number, give up on it, move on to the next one,” Nelson said.

He explains that Hiya analytics or other service providers can easily detect a number used for spam. Therefore, criminals have to be “much more subtle.” Fraudsters jumped to short-term phone number leasing and frequent rotation, where criminals won’t use the same number for more than a couple of phone calls – possibly even just one.

“They’ll lease 100,000 phone lines for a day, then create their calls, and then just release those lines and get another batch of lines. So, they're constantly moving.”

Now, a third of reported spam calls in the US are from phone numbers that were observed doing something illicit on the very same day, and there are millions each month.

Three big topics scammers want to talk about

The less novel aspect is what scammers tell their victims. Here, old becomes new again. To appear credible, schemes usually revolve around personal finance (debts, loans), health (insurance, programs, treatments), and law enforcement. Of course, other types of scams exist, such as technical support.

“We haven’t seen any really big creative shifts – only very short term. The scammers are kind of always chasing whatever’s hot in the news. It's all just social engineering. They’re trying to tell a convincing story to get as many people as possible to actually believe it,” Nelson said.

He noticed that scammer tactics travel around the globe: first, many scams are tried in the US, and depending on their success, the experiments drift to other English-speaking markets, such as Canada, the UK, and Australia. Then Europeans get a taste. Again, it depends on the profitability of the market with the lowest costs.

Nelson also has some ideas as to why some markets may be more susceptible to scam calls than others, as shown by Hiya’s statistics.

“Brazil, I think, has one of the worst spam problems in the world. Probably the quick answer is it's partially cultural, and it's partially federal, and I think the federal actually plays a pretty big role. It’s a matter of how many protections are in place on calling behavior. Is cold calling illegal?” he opined. “In the US, you can't just simply cold call anyone. You need consent. In some places, they don't have that protection, so you get a lot more telemarketing and phone scams.”

Nelson noted that carriers in Brazil themselves may be responsible for a large percentage of spam calls, advertising services, or sales.

Even in the US, there are debates on how much power carriers should have to fight back, whether they should be allowed to block suspicious calls, and how they would pick which calls to allow through.

“Now there’s a push within the industry for KYC, or ‘know your customer.’ Someone is allowing these calls onto the network. Someone’s actually connecting them to the telephony network and letting them ring your cell phone,” Nelson noted.

Telecom providers need to be involved to detect scams in the call routing process earlier. Nelson hopes that providers being aware of the calls they allow through could make real ground against fraudsters.

“They can try and hide across many different phone numbers, they can do all the short-term leasing, but there’s still just one customer for someone out there. It’s much more expensive to change your business than it is to change your phone number.”

The future may be gloomy with AI calls

Generative AI is already being used for deception. Hiya’s researchers indicate that scammers with voice-cloning technology can try to convince victims that a child, grandchild, or other loved one is in trouble and needs immediate financial assistance or ransom to be paid for their release.

Also, soon, conversations like this may become a reality: “Hello, can you hear me?” – “Yes” – “Thank you for your purchase.”

These are the “yes” scams, where callers just ask a simple question, and instinctively, the recipient says “yes.”

That “yes,” recorded and edited later, can be used to authorize a major purchase. In August, Better Business Bureau issued a scam alert about the “Can you hear me?” scam.

The next big wave of spam calls, Nelson believes, will be based on large language models, enabling scammers to generate audio in real time without pre-recordings, adjusting scripts on the fly.

“This will probably be one of the fastest shifts in this industry that has ever happened because it is so simple, it’s so straightforward to use generative AI for this. So far, the only cases we have seen are some voice impersonation attacks,” Nelson said.

Until now, spear phishing attacks targeting specific persons required bad actors to collect some personal information about their victims, such as checking their social media. Nelson fears that unique campaigns will become quite common with little effort.

“They're just sort of dabbling in the water right now, starting with spear-phishing ideas. But even the mainstream industry is looking at using generative AI and generated voices for customer support call centers to give us a much better regular call experience. So these scammers will probably be first to do it,” Nelson warned.

Scammers are known to use information from cybersecurity breaches and leaks, allowing them to tailor a story, including personal data.

Methods to protect yourself remain the same

While scammers invent new methods and develop new lures, it still boils down to their ultimate goal – stealing identity and money or generating leads.

“The way that we protect ourselves largely isn't changing. If you don’t have some layer of protection from your carrier, find an app, get something that can give you some insights before you answer the call. And the only call that can be trusted is the one that you created. The scammers can spoof the call that they created. They can’t spoof the call that you make. So, you know, be very cautious about inbound calls. When in doubt, just hang up, and then you call whoever you need to speak with. Don't call them back,” Nelson advised.

Reporting spam calls in the apps or services you use helps providers protect other users.

“Services like ours are desperate for that data. It's very helpful for us to hear firsthand what actually happened on that call,” Nelson assured.