Lesson 3.1

Text and Phone Scams

8 minutes

In April 2023, Jennifer DeStefano answered a phone call and heard her daughter’s voice, sobbing and terrified. A man took the phone and demanded ransom, saying her daughter had been kidnapped. The voice was perfect — it was unmistakably her daughter. Except her daughter was safe, hundreds of miles away, and had never made the call. The “voice” was an AI clone, created from just a few seconds of audio scraped from social media.

Phishing has moved well beyond email. Text messages and phone calls now carry some of the most effective — and most personal — attacks. And with AI voice cloning, the line between real and fake has nearly disappeared.

Text message scams (smishing)

The Federal Trade Commission reports $470 million lost to text message scams in 2024 — five times higher than 2020. The share of text scam reports involving actual money lost climbed from 5% to 11% in that same period. Text scams are growing fast and getting more effective.

The Smishing Triad

One reason for the surge: organized crime has industrialized text scams. A Chinese eCrime group known as the Smishing Triad has been operating since 2023, targeting 121 countries across six continents. They’ve registered over 194,000 malicious domains and send more than 100,000 SMS messages per day.

Their key innovation: using iMessage and RCS (Rich Communication Services) instead of traditional SMS. Carriers can filter traditional text messages, but iMessage and RCS are internet-based messaging protocols — they bypass carrier spam filters entirely. The messages arrive looking like any other iMessage conversation.

The Triad operates as a Phishing-as-a-Service business through Telegram, with what they describe as “300+ front desk staff worldwide.” It’s a franchise operation for fraud.

The toll scam epidemic

Since March 2024, the FBI’s IC3 has received over 60,000 complaints about fake unpaid toll messages. Nearly 90,000 phishing domains have been registered specifically for toll scams, active in at least 8 US states. The messages follow a simple pattern: “You have an unpaid toll. Pay now to avoid additional fees.” The link goes to a lookalike domain — poybyphone.com instead of paybyphone.com, for example.

Parking meter scams have hit Austin, Texas (29 compromised stations), Redondo Beach, California (150 meters with fake QR stickers), Fort Lauderdale, Florida (7 locations), and Houston, Texas (multiple locations).

Common text message lures

  • Package delivery: USPS is the most impersonated brand in text scams, with 28,045 phishing domains registered using USPS branding
  • Bank fraud alerts: “Suspicious activity detected on your account”
  • Toll violations: “Unpaid toll — pay within 24 hours to avoid penalties”
  • Government notices: IRS, Social Security, DMV notifications

How to spot and handle them

  • The link goes to a domain that isn’t the real company — use the skills from Module 1
  • The message comes from a regular phone number, not the company’s official short code
  • There’s urgency pressure: “act now or face consequences”
  • Never click links in unexpected text messages. Go directly to the carrier, bank, or agency website or app yourself

Phone call scams (vishing) and AI voice cloning

Phone scams have existed for decades. What’s changed is that AI has made them nearly undetectable.

How voice cloning works

Current AI voice cloning technology needs as little as 5 to 10 seconds of recorded speech to create a convincing replica. A 2025 Cambridge University study found that AI can now replicate up to 95% of subtle vocal characteristics — up from 78% in 2023. The improvement is rapid and continuing.

Source audio is everywhere: social media videos, voicemail greetings, YouTube uploads, conference talks, podcast appearances, even brief clips from company “about us” pages. If your voice exists anywhere online, it can be cloned.

Real cases

The attacks are no longer hypothetical:

  • Arup, February 2024: $25.6 million lost via a video call where every face and voice was AI-generated deepfake
  • Singapore multinational, March 2025: $499,000 lost via Zoom call with all-deepfake attendees
  • WPP CEO, 2024: Deepfake impersonation attempt using CEO’s voice and likeness on a Teams call — detected before financial loss because the target verified
  • Regina, Canada: A grandparent lost $7,000 after receiving a call from their “grandchild’s” cloned voice claiming to need bail money

The scale

Vishing attacks surged 442% in 2025. An estimated 52.5 billion robocalls were placed in 2025 — roughly 2.5 billion per month. And deepfake-enabled vishing surged 1,600% in Q1 2025 compared to Q4 2024. The technology is getting cheaper and the attacks are scaling fast.

Caller ID spoofing

The number that appears on your phone when it rings can be faked. The SIP protocol — the technology underlying most modern phone calls — has a “From” header that is not authenticated by default. Any VoIP system allows manual configuration of the caller ID display.

The STIR/SHAKEN framework was designed to address this, but adoption has been slow — only 44% as of September 2025. That means more than half of phone networks still can’t verify whether the caller ID is genuine.

A call displaying your bank’s real phone number, your boss’s cell phone, or your company’s main line could be from anyone.

The “stay on the line” trap

Attackers often ask you to stay on the phone while you take action: “Stay on the line while you process the transfer.” This is deliberate. As long as you’re on the phone with them, you can’t call the real person to verify. The moment someone asks you NOT to hang up is the moment you should hang up.

Can you tell? An audio exercise

Hearing is believing — or so we think. Listen to these audio clips and try to determine: is this a real human voice, or AI-generated?

Try it yourself: Listen to this audio clip. Is it a real human voice, or AI-generated?

Reveal answer

This is AI-generated. The voice has subtle robotic qualities and unnatural cadence. It lacks natural emotional inflection — the tone stays consistently flat. Notice the absence of natural breathing sounds and micro-variations you'd hear in real speech. Now imagine hearing this voice claiming to be your boss, your bank, or your child.

Try another: Real human or AI-generated?

Reveal answer

This is also AI-generated. Modern voice synthesis has become remarkably convincing. If you struggled to tell the difference in a calm exercise like this, imagine trying to make that judgment during an unexpected phone call claiming your child is in danger, or your CFO needs an urgent wire transfer.

The point of this exercise isn’t to train your ear — it’s to convince you that your ear can’t be trusted. You cannot reliably tell the difference between a real voice and a cloned one. Which means the defense can never be “I’d be able to tell.” The defense is always procedural: hang up and call back.

The Rule: Hang up and call back. You can't trust incoming calls or texts.