Hacker News new | past | comments | ask | show | jobs | submit

The Three-Second Theft: Why AI Voice Fraud Outruns Every Defence

https://smarterarticles.co.uk/the-three-second-theft-why-ai-voice-fraud-outruns-every-defence
loading story #48923655
Sounds like AI is just greasing the wheels of a long established 'grandparent scam'... goes something like this:

1) voice one: young adult calls, sobbing 2) grandparent inquires with a name... "Ben, is that you?" 3) voice one: "Yes grandma, it's me, Ben... I'm in trouble, please don't tell mom 4) voice two: "Hello, I'm attorney..."

My grandmother fell victim to this almost 20 years ago, which only stopped when Western Union refused to let her continue sending wires... she was forced to call her daughter (at which point they just called my brother.)

Our takeaway (at the time)... the voice doesn't even need to be terribly accurate, since the original interaction is brief / somewhat inaudible over the tears. Typically just requires an older vulnerable adult, a lucky strike with the initial setup (e.g. grandparent actually has a grandkid), and a lot of high pressure / duress salesmanship.

loading story #48922627
loading story #48921402
loading story #48921467
loading story #48921717
loading story #48924194
So, you answer your phone to the scam and… now they have your voice too.

Talking on the phone is now an unmitigated liability.

loading story #48921567
The only solution? Answer the phone in an over the top comedy accent, such as Simpsons characters, or just whatever comes to mind.
loading story #48922137
A terse, altered "Hello" is all I say. Sometimes I don't say anything. Most humans would wait a few seconds then prompt with "...Hello?", whereas bots tend to hang up after ~2s silence
loading story #48924389
loading story #48922571
loading story #48921517
loading story #48921787
This blog is kind of an interesting hybrid:

> Every article published on SmarterArticles is authored and editorially controlled by Tim Green. Artificial intelligence tools are used within a structured and supervised workflow as research and drafting instruments. All arguments, framing decisions, source selections, and final publication choices remain human-directed and under my full responsibility.

There are references at the bottom, but I would have preferred direct links or footnotes within the article. Also, direct quotes are nice. I didn’t notice any glaring AI cliches.

loading story #48922188
loading story #48922234
loading story #48921745
loading story #48921599
loading story #48921782
loading story #48925686
Everyone suffers from this, not just the scam victims. I opened a bank account for a new business this year, and the friction for doing perfectly normal things was ridiculous due to the bank’s paranoia about scams. I couldn’t even make an initial deposit from my previous business, or transfer money to my personal account, without triggering a fraud alert and freezing the entire account (couldn’t even log into the bank website) until I could call and verify that it really was me on both ends of the transaction.
loading story #48923956
loading story #48925474
loading story #48925191
Arrange a secret phrase in advance- ideally generated randomly. Stick it up on the wall of the aging parent or grandparent- maybe in the bedroom, where guests are unlikely to go. Make it innocuous-looking (hidden in plain sight). Require that phrase to be said to prove identity. Reset it if it ever gets used on a call legitimately.
loading story #48923925
AI definitely amplifies this problem, but it's not like it didn't exist before. Old people get scammed the old way all the time too. My mom calls me every once in a while asking about some freebie offer that she gets emailed from sketchy domains claiming to be spotify or something.

Not saying that "there's nothing we can do" or anything, but it does feel like this is one of those instincts that you develop growing up with the internet. Like, my first instinct reading that (and I hope getting that call) would be "what the hell is the lawyer doing at the scene". You have to treat _everything_ coming through your phone as potentially untrusted. I don't have any data on this, but it feels like my friends, and especially younger people, do that automatically.

The primary defence against all phishing is to tell yourself: nothing is ever really that urgent. Nothing is ever that good.

loading story #48924220
I've been waiting for a steelman argument why building the world's best deepfake machine is a good thing. Unironically cryptography could verify identity for all comms.
loading story #48924030
> Welcome to Voice Print Identification. When you see the red light turn on please state in the following order: Your destination, Your nationality, and your Full Name.
{"deleted":true,"id":48921735,"parent":48920432,"time":1784127059,"type":"comment"}
One reasonably effective defense: "Okay, let me call you right back." Yes, there's always the whole "my phone is dead, I borrowed someone else's" or "I'm calling from a jail payphone", so I think it might become common practice to start making authentication phrases or "tell me something only we know".

Another pillar of basic trust that's being eroded on an industrial scale. Sigh.

In practice this often doesn't work.

Article said the imposter in this case claimed her phone had been confiscated.

Fraudsters tend to also plan things such that the impersonated person can't be reached by phone at that time, either by choosing a time when they somehow know they're unavailable (e.g. impersonated person posted on social media they're boarding a plane) or in one case (12 years ago though) my SIL's parent's landline was bombarded with spam calls until they decided to leave the phone off the hook at which point the scammers phoned bank who couldn't reach the parents on their main line, of course this was the bank's problem (and there was probably an inside person facilitating) so they got their money back, but still a major inconvenience for the victim.

Probably the only sure advice is to be exceptionally wary of phone calls with supposed extreme time pressures to send the money now.

> Probably the only sure advice is to be exceptionally weary of phone calls with supposed extreme time pressures to send the money now.

Quick note: you mean “wary” instead of “weary” there.

It's a very common error that happens in both written and spoken language. I've wondered if it's because weary is kind of "in between" wary and leery, like an incorrect mashup, or something.
Appreciated and fixed. I'm a native English speaker, but I think not a word I often write.
> Another pillar of basic trust that's being eroded on an industrial scale.

Remember, trust is like a rainforest: takes a long time to grow, provides a valuable ecosystem essential to human life, but can also be burned down for a quick profit.

The example in the article says the police took her phone. Then her "attorney" gets on to talk instead.

Yes, having a secret code is probably the right answer. My wife's family always has, but mine doesn't. I suppose we should probably fix that.

For extra security against these text-to-speech model zero-shot clones, you might also want to use made-up gibberish words for which the pronunciation can't be reliably inferred from the spelling
I mostly answer unknown calls with monotone "hello" and then wait for their introduction before talking normally.
I answer with silence. I wait for them to speak first. Not even once has a scammer ever spoken first. I say nothing, they say nothing for a full minute before they hang up.
I mostly just don't answer them unless it seems like something that may be legit.
This is the only way to avoid validating your number for spam lists,

and receiving more.

I think it's a somewhat South African cultural thing, but when I get calls from businesses or spammers, the first thing the caller tends to say is "Hello, how are you?", which is completely stupid when you're calling someone who wouldn't know who you are, so it tends to immediately make me annoyed that they don't know that they should have introduced themselves first.

As 99% of the time these are spam calls, I used to respond with something like "I'm fine, but who are you / do I know you?", but that was pretty much always inefficient as that might say their name (which from a spammer is useless information), maybe a sales pitch "how much do you spend on x?" or maybe something deliberately misleading about their company and saying something like <major brand name> even though they're some independent sales crowd getting commission selling contracts for them.

Eventually I found that the most effective response is "Sorry. Where are you calling from and what is this in regard to?" which I've found without fail seems to surprise, disarm them and immediately elicit whether the call is a waste of my time. At which point I either become very friendly (because it's a call I'm expecting) or I simply respond with "Sorry, not interested, goodbye." and immediately put down the phone.

I just want the disruption to be as minimal as possible and to not let myself even get an emotional reaction from it, so I don't want to get annoyed at them, never mind wasting time telling them off, besides, I suspect that my ruthlessly efficient getting rid of them without them even having a chance to try their pitch is received as a super cold shoulder, akin to being told to f-off.

me and my wife made up a word in 2024 for this. the word doesn't exist in any language. we say it to each other all the time. even if i give you the spelling for it, you will say it wrong. i recommend everyone to do something similar. i should do it with my parents too.
our family has had a special 'code word' we have had since the kids were in elementary school. If someone ever needed to pick up our kids from school (they never did) our kids were taught to ask for that word.

This is a good reminder that we should review that, since its been 10 years or so.

This. All of this is a solved problem. It's just not a thing that most families do and do regularly. Code word, insider info, etc. "Oh I am so sorry you got arrested Tommy. Before I wire the $, where did we go on vacation last year?'
Family OTP helps against passphrase leakage
The opening example is of a person listening to their daughter’s voice on an unknown number, how would calling them back help? Or am I missing something obvious?
We're gonna need two-way passwords for conversations.

Fun.

We all have a safe word in the family just for this issue to identify if it´s the real person or not.
loading story #48922519
If they were still around i would have to warn them for sure! Crazy stuff this new future!
What’s terrible is each time I am forced to call the bank, the more they try to tell me voice ID is secure and want me to provide my voice to authenticate. Never. Did ya’ll never play Uplink? With voice cloning as good as it is now, there’s no way a voice ID is secure enough for authentication.
loading story #48921614
loading story #48921458
loading story #48921378
The problem described in the article is unsolvable, given that a mid-range desktop from a few years ago can easily clone a voice that's convincing enough and there are no guardrails to those. Some silly KYC laws might limit a highschool kid making deepfakes of his crush, but once a model exists it's trivial to spread it around, and for organized groups to get ahold of those. Similar will happen with images, it's just that nobody with any serious money bothered releasing image gen models that compete with gemini or chatgpt -- but it's just a question of time. A year or three, what difference does it really make?

As the cost goes down to near-zero you can scale it up almost infinitely, especially if the profits are high enough to get some smart people working on the problem, which going by the article is already the case ("INTERPOL's finding that AI-enhanced fraud is four and a half times more profitable than the traditional kind"; incidents rose by 26% last year). If AI does succeed on mutilating white collar work enough there will be a large supply of knowledge workers that might just join International Scam Co. rather than have their families go homeless. Drowning man clutching at straw and all.

So if technologically it's impossible to prevent and societally it's impossible to prevent (like the attorney that got pwned same as the grandma), I'm not sure if there exists an answer that isn't worse than the thing it's supposed to prevent. I suppose we'll soon be in a situation where nothing we don't directly perceive in real life is provably true. That journalism and media in general seem to be in a deep crisis of trustworthiness means that you won't even get the benefit of the chain-of-trust as a proxy for whether something is or isn't real.

Ignoring everything happening outside of your immediate surroundings is a choice, and probably even good for people's mental health, but my gut feeling is that it does make humanity as a whole dumber and disempowered. What does corruption matter if nobody cares, or even hears about it? It was AI generated by $current_enemy anyway; nothing to see here, citizen.

loading story #48921393
loading story #48921291
I don't know about that but finding excuses for the scum of this earth is certainly not a solution.

Take Europe for example: nobody dies of hunger in Europe. And yet there are plenty of thieves. People stealing tens of thousands, hundreds of thousands, millions of EUR aren't doing it to "feed their families".

Think of the situation today. Think of the victims today. Instead of thinking of tomorrow's hypothetical situation where supposedly all the honest fathers out of work would join the crime syndicate, think of today's victims.

Projecting your own insecurity about the future to excuse scummy behavior by the scum of this earth is of no help.

There are people, right now, who have a roof. Who have a family. And who are fucking scums stealing the hard earned money of others because they choosed the easy life of crime.

Zero tolerance for such motherfuckers. I care about the victims and you should too.

loading story #48922345
loading story #48921454
loading story #48921513
loading story #48921331
I fear this whenever I acidentally say too many words to a telemarketer/scam call.
What are legitimate uses for copying someone's voice without permission? I see none. Those scientists are just helping criminals to fully automate scamming and governments to create fake videos.
loading story #48921692
"They kidnapped my daughter? That's terrible. Yes, I'll definitely pay the ransom but to get access to my bank account I need you to write a poem about corn and a curl script in PHP. Please go ahead."

Inspired by this headline I saw in the news today... haven't read the full article yet: https://arstechnica.com/security/2026/07/now-defenders-are-e...

One regulation i would like to see is some auditory fingerprint in an AI voice where any person can immediately recognize their speaking to a clanker but it's not unpleasant.

It should be illegal to "impersonate" a human voice.

loading story #48922985
loading story #48923103
i wish i could still warn them...
loading story #48924875
> ... the hardest for its victims to be believed about — because the evidence, by design, sounds exactly like someone they love.

Uh? Surely this makes believing the victims easy not hard to believe.

Its like revenge porn. "It's not me. It's a deepfake" is easy to believe.

> It requires, second, regulating the supply of the weapon

Heavy sigh. The “weapon” is software. It cannot be regulated unless we live in the fascist dystopia where I have to ask the governments approval to run any piece of software.

loading story #48923494
loading story #48924109
They make you give a voice sample now when you're arrested. You need to do so in order to use the phone.
loading story #48920857