Sign in

AI & Bot Phone Threat Intelligence

Last updated on 
AI & Bot Phone Threat Intelligence

The rapid commoditisation of AI voice synthesis and automated telephony has fundamentally changed the social-engineering threat environment. What once required a skilled human caller can now be executed at scale with minimal cost, perfect accent mimicry, real-time script adjustment, and zero fatigue. This wiki is a reference for employees, security teams, and anyone who regularly gives or receives phone calls.

⚠️ Why This Matters Right Now
  • AI voice cloning tools can replicate a voice from as little as 3 seconds of audio.
  • Automated dialler platforms can execute thousands of personalised calls simultaneously.
  • Large Language Models allow bots to hold convincing, dynamic two-way conversations.
  • Caller ID spoofing makes any number — including your employer or bank — displayable.
  • Social media, data breaches, and LinkedIn profiles give attackers rich personal context to exploit.

Types of AI & Bot Phone Attacks

Vishing (Voice Phishing)

A caller — human, scripted bot, or fully autonomous AI agent — impersonates a trusted entity to extract credentials, financial information, or personal data.

Attack VariantHow It Works
Bank / financial impersonationCaller claims your account has been compromised and requests OTPs, card numbers, or banking credentials "to verify your identity."
Government / tax authorityCaller threatens legal action or arrest unless a payment is made immediately via gift cards, wire transfer, or cryptocurrency.
IT helpdesk impersonationCaller claims to be internal IT or a software vendor and asks you to install remote-access software or reveal login credentials.
CEO / executive fraud (vishing BEC)AI voice clone of a known executive calls a finance employee requesting an urgent wire transfer or confidential data.
Healthcare / insuranceCaller claims to be from your provider and needs to "confirm" your date of birth, national ID, or insurance number.
Package delivery / courierCaller states a parcel is held and a small fee or identity confirmation is required to release it.

AI-Powered Discovery Calls

The attacker's goal is to build a detailed intelligence profile on a target organisation — mapping employee roles, vendors, internal processes, and security posture. This intelligence is then used to craft highly targeted follow-up attacks.

  • Mapping the org chart: "Can you tell me who handles IT purchasing here?"
  • Identifying vendors and software: "Are you still using [specific platform] for your payroll?"
  • Probing security posture: "What's the process if I forget my access badge?"
  • Harvesting schedule data: "Is the CFO available this week, or are they travelling?"
  • Validating email formats: "Is the email format firstname.lastname@company.com?"
🔍 Discovery Calls Are Slow and Subtle
  • A discovery bot may spread calls over days or weeks to avoid triggering thresholds.
  • Questions are framed as routine sales, survey, or recruitment enquiries.
  • The caller may be perfectly polite and never ask for anything "sensitive" on the first call.
  • Multiple calls to different employees are cross-correlated to build a complete picture.
  • An AI can maintain a consistent cover story across hundreds of calls without inconsistency.

Automated Robocall Scams

Pre-recorded or dynamically generated audio combined with the ability to navigate phone trees and automated attendants using DTMF. Rarely engage in complex dialogue but operate at enormous scale.

  • Extended warranty / insurance renewal calls
  • Prize / lottery winner notifications requiring personal information to claim
  • Debt collection intimidation (fake collectors fishing for payment or PII)
  • Survey calls harvesting demographic and behavioural data
  • Verification code harvesting: "Press 1 to confirm your identity"
  • Silent / hang-up calls: no audio at all, followed by a disconnect after a few seconds. These are number-validation probes — the bot is confirming your line is active and answered by a human before adding you to a targeted call list.

Hybrid Human-AI Calls

A human operator supported by an AI system in real time. The AI listens, suggests responses, surfaces background dossiers on the target, and flags when to escalate or disengage. From the target's perspective this is indistinguishable from a normal human call.

Red Flags — What to Be Suspicious About

Voice & Audio

  • Slight robotic cadence or unnatural rhythm — pauses that don't follow conversational flow.
  • Overly perfect pronunciation with no hesitation, filler words ("uh", "um"), or breath sounds.
  • Audio artefacts: subtle clicks, digital distortion, or a faint sterile background.
  • Inconsistent background noise — sounds that loop or abruptly change.
  • Emotional tone that doesn't match the content (e.g., calmly discussing an "emergency").
  • Voice sounds familiar but slightly "off" — could be a cloned voice of a known person.
  • Unusually fast speech with perfect recall of names, dates, and account numbers.

Conversational

  • Urgency and pressure: "You must act RIGHT NOW or your account will be closed/frozen/deleted."
  • Threats of legal or criminal consequences to force immediate compliance.
  • Unusual payment requests: gift cards, wire transfers, cryptocurrency, or money orders.
  • Asking you to keep the call confidential or not inform colleagues.
  • Refusal to provide a verifiable call-back number or employee ID.
  • The caller already knows personal details but still asks to "confirm" them — classic pretexting.
  • Resistance to pausing the call: "We can't hold the line, you'll lose your spot."

Caller ID & Technical

  • Number matches a well-known institution but you were not expecting contact from them.
  • Caller ID shows "Potential Spam," "Scam Likely," or a generic geographic label.
  • Number is a sequential variant of a known number (+1 digit, one digit transposed).
  • Call arrives outside normal business hours from a supposedly official source.
  • Voicemail asks you to call back a different number than the one that called.
  • The line goes silent or plays filler audio while "connecting to a representative" — sign of an automated dialler.
  • Silent calls: the line connects, nothing is said, and the caller hangs up after a few seconds. This confirms your number is live. Hang up immediately and do not call back.

Discovery Call Tells

  • Caller claims to be a vendor, recruiter, or consultant but cannot name a specific contact who referred them.
  • Questions feel like an org-chart mapping exercise: roles, reporting lines, team sizes, office locations.
  • Interest in who owns specific systems (email, HR, finance, security tools).
  • Questions about processes and procedures rather than actual products or services.
  • Caller seems unfazed when told you cannot help — they may have already got what they needed.
  • Multiple employees separately report a similar "survey" or "research" call in the same week.

Common Attack Scripts

"Your Account Has Been Compromised"

What the Caller SaysWhat Is Really Happening
"We've detected suspicious activity on your account."Opening hook — creates immediate alarm.
"To protect you, I need to verify your identity first."Reversal: makes you feel they are helping you, not attacking you.
"Can you confirm your account number / SSN / date of birth?"Harvesting credentials under the guise of verification.
"We'll send you a one-time code — please read it back to me."OTP interception to bypass your real bank's 2FA on a live fraudulent login.
"Don't log in yourself — our security team needs to handle this."Preventing you from discovering the fraud in real time.

Internal IT Helpdesk Impersonation

  • "Hi, this is [Name] from the IT security team. We've detected unusual login activity on your account."
  • "I need you to install a small diagnostic tool so we can investigate. Here's the link…"
  • "Can you confirm your current password so we can reset it to something more secure?"
  • "Our records show your MFA is about to expire — I'll walk you through re-enrolling right now."
ℹ️ Key Rule: Legitimate internal IT teams never ask for your password over the phone, and do not cold-call to install software. When in doubt, hang up and call back on the official internal number you independently know is correct.

AI Voice-Cloned Executive Call

Using audio from earnings calls, podcasts, or social media, attackers generate real-time voice clones of senior executives to authorise fraudulent transactions.

  • "Hey, it's [CEO name]. Sorry for calling direct — don't want this going through email."
  • "We're closing a deal today and I need you to wire [amount] to this account immediately."
  • "Our legal team has signed off but it's sensitive — don't mention it to [CFO name] just yet."
  • "I'm about to go into a meeting but text me when it's done."

The request for secrecy isolates the victim, the urgency short-circuits verification protocols, and the out-of-band follow-up (text instead of email) avoids paper trails.

How to Respond

The PAUSE Framework

P
Pause. Stop and slow down. Urgency is a manipulation tactic. No legitimate caller will close your account in 60 seconds.
A
Ask questions. Request the caller's full name, employee ID, and department. Legitimate callers answer easily. Bots and fraudsters stall or escalate.
U
Unmatch the script. Say something unexpected — a wrong name, a wrong detail. AI/bot systems may trip up; human social engineers may pause.
S
Seek verification. Tell the caller you will hang up and call back on a number you independently verify. A legitimate institution will always support this.
E
Escalate internally. Report the call to your security team or manager — especially if workplace or financial data was involved.

Safe Responses

  • "I'm not comfortable providing that information over the phone. I'll call the official number on my statement."
  • "Can you give me your employee ID and I'll call back through the main switchboard to confirm?"
  • "I'm going to check with my IT team before proceeding. Can I have your direct number?"

Things to Avoid

  • Do not confirm personal details "just to verify" — even partial data can be exploited.
  • Do not repeat back one-time codes from SMS or email under any circumstances.
  • Do not stay on the line while the caller "transfers you."
  • Do not download software or click links from an unverified caller.

Testing Whether You're Speaking to an AI

  • Ask an open-ended, unexpected question: "What's the weather like where you are?"
  • Introduce a false premise: "I spoke with your colleague Sarah yesterday." See if they confirm it.
  • Go silent for 4–5 seconds. AI systems frequently attempt to fill silence with prompts.
  • Ask the same question twice, phrased differently. Consistent answer = likely AI.
  • Ask them to repeat back something you said five words ago — basic bots often cannot.

Information Never to Share on an Inbound Call

🚫 Personal — Never Share
  • Full Social Insurance Number / Passport number / Driver's licence number
  • Online banking passwords or PINs
  • One-time passcodes (OTPs) received via SMS or authenticator app
  • Full credit or debit card numbers, CVV codes, or expiry dates
  • Mother's maiden name, place of birth, or childhood address (common security question answers)
  • Medical record numbers or provincial health card numbers
🚫 Workplace — Never Share
  • Active login credentials for any work system
  • Internal VPN details, server addresses, or network configurations
  • Names of security tools, vendors, or systems in use
  • Upcoming M&A activity, product launches, or strategic plans
  • Names and contact details of employees in security, finance, or executive roles
  • Physical access procedures: badge types, alarm codes, visitor processes

Organisational Best Practices

Verification Protocols

  • Establish a mandatory call-back policy for any phone request involving financial transfers, credential changes, or access modifications.
  • Create a "code word" or out-of-band verification system for executive-level urgent requests.
  • Require wire transfer authorisations over a defined threshold to be confirmed via at least two separate channels.
  • Enforce a clear policy: no one at your organisation will ever ask for a password over the phone.

Staff Training & Awareness

  • Run regular simulated vishing exercises, especially targeting finance, HR, and IT helpdesk staff.
  • Train staff to recognise emotional manipulation tactics: urgency, fear, flattery, and appeals to authority.
  • Provide clear reporting pathways — employees should never feel embarrassed to report a suspicious call.
  • Share real-world examples internally to make the threat feel concrete rather than abstract.

Technical Controls

  • Restrict public availability of employee direct-dial numbers; use generic reception numbers externally.
  • Audit and limit the organisational information publicly accessible on LinkedIn, the company website, and press releases.

Incident Reporting

  • Log all suspected vishing or discovery calls: timestamp, caller number, conversation content, and what (if anything) was disclosed.
  • Report immediately to your security operations team if credentials, OTPs, or sensitive data were shared.
  • File a report with the Canadian Anti-Fraud Centre (CAFC) at antifraudcentre.ca or 1-888-495-8501.
  • Notify legal and compliance teams if customer or regulated data may have been exposed.

What's Coming — The AI Arms Race

Emerging CapabilityImplication
Real-time multilingual voice cloningAttackers can impersonate individuals in any language without prior audio in that language.
Emotion-adaptive AISystems that detect your emotional state and adjust tactics — more empathetic when you hesitate, more urgent when you comply.
Cross-channel coordinated attacksA vishing call followed immediately by a spoofed email "confirming" the call to reinforce legitimacy across two channels.
AI agents with memoryBots that remember prior interactions and reference them in future calls: "As I mentioned last week…"
Deepfake video callsExtension of voice cloning into live video conferencing — used in at least one documented large-scale fraud case in 2024.
Aggregated OSINT targetingReal-time aggregation of social media, news, and breach data to personalise attacks on the fly during the call itself.

Quick Reference

✅ Safe Steps During Any Suspicious Call
  • Slow down — breathe, do not react to urgency.
  • Ask for name, employee ID, and department.
  • Do not confirm any personal details "to verify."
  • Do not read back OTP codes under any circumstances.
  • Say: "I'll call back on the official number." Then do it.
  • Hang up if the caller refuses or escalates pressure.
  • Report the call to your security team or manager.
🚫 Never Do These on an Inbound Call
  • Never share a password, PIN, or OTP.
  • Never install software at a caller's direction.
  • Never authorise a wire transfer based on a phone call alone.
  • Never confirm internal org details, vendor names, or employee lists.
  • Never trust caller ID alone as proof of identity.

Canadian Resources

  • Canadian Anti-Fraud Centre (CAFC) — antifraudcentre.ca — report fraud and cybercrime; 1-888-495-8501
  • Canadian Centre for Cyber Security (CCCS) — cyber.gc.ca — guidance on social engineering, vishing, and organisational security
  • CRTC — crtc.gc.ca — report unsolicited or harassing calls; oversees Canada's telecom and robocall rules
  • Competition Bureau Canada — competitionbureau.gc.ca — report deceptive telemarketing and fraud schemes
  • Get Cyber Safe (Government of Canada) — getcybersafe.gc.ca — public awareness resources on phishing and social engineering