Skip to content
Home » Blog » Scam Agent

Scam Agent

  • by

ScamAgent: Researchers Just Built an AI That Can Scam You — And It's Terrifyingly Good

By Tech Brewed | Cybersecurity & Privacy

This isn't a chatbot doing party tricks. This is a research-grade proof-of-concept that blows the doors off what we thought AI-powered fraud could look like. And it arrives at a moment when phone scams are already costing Americans billions of dollars per year, with scammers increasingly using AI technology and AI-powered tools to make scam texts harder to spot and calls harder to doubt.

Let's break down what's happening, why it matters, and what you can do about it — including practical tips to protect your personal information.

ScamAgent is an AI pipeline that combines a large language model (LLM) with advanced text-to-speech (TTS) technology to simulate a complete scam phone call. But unlike a simple chatbot or a single "jailbreak" prompt, ScamAgent operates across multiple turns of conversation — it remembers what was said, plans its next move, and adapts dynamically to how the "victim" responds.

Think of it less like a chatbot and more like an AI con artist that has studied the playbook. In other words, a new class of artificial intelligence scams built on rapid advancement in agentic systems.

The system was tested across five real-world scam scenarios:

  • Medicare insurance fraud — posing as a government health representative
  • Prize and lottery scams — claiming you've won a reward that requires personal info to claim
  • Government impersonation — pretending to be from the IRS, SSA, or law enforcement
  • Job offer fraud — fake employment offers designed to harvest financial data
  • Fake benefit enrollment — pretending to help enroll victims in programs requiring sensitive details and other sensitive information

Each scenario comes with tailored manipulation tactics tuned to that specific scam type, including classic family-emergency schemes and impersonation tactics that mimic friends or trusted family members.

Here's where it gets technically alarming. If you ask GPT-4, Claude 3.7, or LLaMA3-70B directly to generate a scam script, they refuse 84 to 100% of the time. Current safety filters are pretty good at catching single malicious prompts.

ScamAgent sidesteps this entirely.

Instead of one big, harmful request, the system decomposes the malicious goal (say, stealing your Social Security number) into a series of small, seemingly innocent subtasks. Each step looks benign. No single request triggers the safety filter. The system then uses a dedicated deception layer that reframes its instructions as "roleplay," "training simulations," or "fictional scenarios."

The result? Refusal rates dropped from 84–100% down to just 17–32% across all three tested models. That's not a marginal improvement — that's a near-total dismantling of current LLM safety systems through agent-level strategy, and a growing threat for organizations, company executives, and everyday humans alike.

The researchers didn't just generate text — they integrated ScamAgent with advanced TTS systems (including ElevenLabs) capable of producing emotionally tuned, natural-sounding voices. These voices can be configured to sound like a Medicare representative, a federal investigator, or a customer service agent — complete with appropriate tone, pacing, and authority.

That matters because deepfake scam tactics are no longer limited to video links. With voice duplication AI, criminals' increasing use of systems that can clone voices (including deep-fake audio) makes a simple call feel “real.”

And it's fast. Per-turn latency averaged around 6 seconds, putting it within striking distance of real-time deployment with modest optimization.

Human raters were asked to evaluate ScamAgent's dialogues alongside real-world scam call transcripts. The scores were sobering:

Plausibility (out of 5) 3.4 3.6
Persuasiveness (out of 5) 3.6 3.9

Nearly indistinguishable. Especially for someone who isn't expecting to be evaluated, like older adults, who are often targeted by AI-related scams.

Photographer: Shamin Haky | Source: Unsplash

One of the tested scenarios walks ScamAgent through a Medicare verification call. The AI begins with a warm, bureaucratic greeting — identifying itself as a representative calling to verify coverage information. It asks for your name, date of birth, and Medicare ID. Then, methodically, it steers the conversation toward the last four digits of your Social Security number.

Every step sounds routine. Every transition feels natural. The call sounds exactly like the kind of thing your elderly parent or grandparent would trust completely.

In end-to-end testing, ScamAgent completed all scam subtasks — without breaking down — in up to 74% of attempts when using LLaMA3-70B as the underlying model.

The paper makes an important point that the security community needs to internalize: today's AI safety systems are designed for single-turn, text-only interactions. They check each prompt in isolation. They don't track intent across a multi-turn conversation. They don't account for voice channels.

ScamAgent exploits every one of those gaps simultaneously:

  • Multi-turn memory — it tracks what it has already extracted and what it still needs
  • Goal decomposition — it breaks harmful objectives into innocent-looking steps
  • Cross-channel delivery — it moves from text planning to voice execution, evading text-only filters
  • Emotional tuning — it adapts its tone to maintain trust throughout the call

The researchers are calling for a new generation of safety systems — ones that monitor intent across turns, track cumulative behavior, and operate in voice- and multimodal environments. That infrastructure largely doesn't exist yet, and it’s why security teams can’t rely on “single prompt” defenses to stop modern AI-powered tools.

This research is academic, but the techniques are real — and they will not stay academic forever. Here's what you should take away:

For everyday users (consumer advice and quick tips):

  • Be deeply skeptical of any unsolicited call asking for personal or financial information, even if the caller seems calm, official, and knowledgeable.
  • Never share sensitive information (SSNs, bank codes, one-time passcodes) over the phone — and don’t confirm phone numbers or account details just because the caller “already has some of it.”
  • Watch for signs like urgency, threats, “limited-time” pressure, or instructions to move money for a “sale,” “verification,” or “security hold.”
  • Government agencies — SSA, Medicare, IRS — do not initiate contact by phone to verify your personal information. They use the mail.
  • If a call feels off, hang up and call the official number directly using trusted sources (a statement, the back of your card, or a verified website), not the number the caller gives you.
  • Be cautious with spoof emails, unexpected video links, and “follow-up” messages that try to continue the scam across channels.
  • Use call-blocking apps and register with the Do Not Call Registry (though neither is a silver bullet against AI-powered callers).

If you suspect a scam, report it to the Federal Trade Commission (FTC) and, when appropriate, the Federal Communications Commission (FCC). If investing is involved, check investor resources from your brokerage or regulator before sending money.

Photographer: Taylor Grote | Source: Unsplash

For the tech and security community:

  • This paper is a clear signal that LLM safety evaluation needs to evolve from single-turn testing to multi-turn, agent-level assessment.
  • Voice-channel AI abuse is an under-secured threat vector and needs urgent attention from both developers and regulators.
  • Red-teaming AI products should now explicitly include agentic scenarios, not just isolated prompt testing.
  • Monitoring social media profiles for impersonation and applying data-driven decisions to fraud detection will matter more as deepfakes scale.

ScamAgent is a wake-up call — pun absolutely intended. Researchers have demonstrated that today's AI models, combined with widely available TTS tools, can be orchestrated into a system capable of sophisticated, adaptive voice-based fraud at near-human levels of persuasiveness.

The good news is this research was done by people trying to expose the problem, not exploit it. The bad news is that the gap between academic proof-of-concept and criminal deployment is shrinking fast.

The phone is ringing. AI might be on the other end.

Tags: