By Maksym Misichenko · CNBC ·
What AI agents think about this news
The panel agrees that AI-driven voice cloning poses a significant risk to current phone-based authentication methods, leading to a shift in capital towards 'Identity-as-a-Service' and hardware-based authentication. However, there's no consensus on the timeline or the extent to which this will impact telcos and other industries.
Risk: The total collapse of phone-based authentication and the shift to FIDO2-compliant hardware keys and biometric app-gating.
Opportunity: The growing demand for real-time fraud detection and identity verification tech, creating a $100B+ market opportunity.
This analysis is generated by the StockScreener pipeline — four leading LLMs (Claude, GPT, Gemini, Grok) receive identical prompts with built-in anti-hallucination guards. Read methodology →
Kris Sampson was working from home in Missoula, Montana, when her phone lit up with a call that appeared to come from her adult daughter.
Sampson says the caller ID showed her name and photo, and the familiar ringtone sounded. But when she answered, she heard what sounded like her daughter crying.
"It was her voice, I know her scared cry," Sampson tells CNBC Make It. "I thought maybe she'd been in a car wreck."
Moments later, a man came on the line, Sampson says. He spoke calmly at first, using her first name and asking if she was her daughter's mother.
Then his tone shifted. Sampson says he began shouting, making threats and demanding money, warning her not to contact the police or try to reach her daughter.
Sampson says she had seen a news story about similar kidnapping scams, in which callers impersonate family members in distress and demand money. But her daughter's voice sounded so real, she says, she didn't want to risk being wrong. Then she heard her daughter say "mom," which she says made it harder to believe it was a scam.
"It was the most afraid I've ever experienced in my life," Sampson says.
It was the most afraid I've ever experienced in my life.Kris Sampson
Sampson says she told the caller that she would send money, but kept asking to speak to her daughter as the caller grew more aggressive. The caller demanded money through PayPal, she says, but never specified an amount.
Her sister, who was with her at the time, called 911 while the caller periodically hung up and called back, Sampson says. Sampson used those gaps to try to reach family members and her daughter's workplace in Helena, Montana, about two hours away.
When she couldn't reach her daughter directly, she says her panic intensified. But about 15 to 20 minutes after the first call, Sampson's daughter was located at her workplace after briefly stepping away from her desk. Shortly after, the calls stopped and did not resume. The caller was never identified, Sampson says.
In the weeks that followed, Sampson says the experience left her shaken. She became more cautious at home, double-checking locks and paying closer attention to her surroundings. She also changed her phone settings.
"I don't ever want to hear that ringtone again," she says.
Sampson says detectives told her there was little police could do because the calls were difficult to trace. While police in Missoula did not discuss Sampson's situation specifically, they say they have received reports of similar scams involving callers impersonating family members and demanding money.
"What has evolved in recent years is the level of sophistication," says Officer Whitney Bennett, a spokesperson for the Missoula Police Department.
Imposter scams were the most reported type of fraud complaint last year, according to the Federal Trade Commission. Cases jumped about 19% to roughly 1 million in 2025, while losses have climbed to more than $3.5 billion.
As scammers adopt tools that can mimic voices and carry out conversations in real time, even picking up the phone carries new risks.
Voice-based scams are changing how people use the phone, says Ian Bednowitz, general manager of identity and privacy at LifeLock, an identity theft protection company.
For decades, hearing a familiar voice or seeing a known number was often enough to signal trust. That assumption is breaking down as scammers gain access to tools that can mimic voices and spoof caller IDs, Bednowitz says.
"You shouldn't be really answering your phone," especially if it's an unknown or unexpected call, he says. This includes calls that appear to come from banks or the Internal Revenue Service. The IRS typically initiates contact through mail and generally will not call to demand immediate payment or threaten arrest, according to the agency.
Even calls that appear to come from someone you know can be spoofed. In most cases, scammers don't need much to make a call feel real. When they're impersonating someone you know, even limited information can be enough.
Short clips pulled from social media, voicemails or other recordings can be used to generate a synthetic version of someone's voice, says Bednowitz. That audio is then paired with spoofed caller ID and personal details — names, workplaces, family relationships — to create a call that feels immediate and specific.
Voice-cloning tools can now work with very short audio samples — sometimes as little as three seconds — says Michael Bruemmer, vice president of global data breach and consumer protection at Experian.
At the same time, the scale of these scams has changed. Bednowitz says fraud is becoming "industrialized," with organized networks running coordinated operations across borders. Many are based in Asia and Africa, he says, and operate like businesses, with workers handling calls, scripts and outreach at scale. In some cases, those workers may themselves be victims, recruited under false pretenses and forced to carry out scams, he says.
More than 75% of cybercrime now stems from scams and social engineering tactics like these, according to Bednowitz's testimony before a House Financial Services subcommittee in September 2025.
Those scams are also growing quickly. Losses to social media scams alone have increased eightfold since 2020, reaching about $2.1 billion in 2025, according to the Federal Trade Commission.
That number might continue to grow, too. In a 2025 study from Rutgers University, researcher Sanket Badhe built an AI system capable of carrying out scam phone calls end to end, operating autonomously. "There were no humans involved in the interaction loop," he says.
Cost, performance and latency still limit how widely large language model technology can be deployed in scams, he says. But "as the performance of smaller, faster models continues to improve, this will become an imminent threat."
The first step in avoiding a scam is often not answering the call at all.
"I call it JDA — just don't answer the phone," says Experian's Bruemmer.
If a caller claims to be a family member in distress, you can hang up and try to reach them through another number, a workplace or a trusted contact. Bruemmer also suggests choosing a code word or asking questions only a family member would know, which can help you quickly confirm whether a situation is real.
Even with those safeguards, some personal information may already be available. "Keep your social media presence down," Bruemmer says. Avoid posting "any pictures, any public speaking engagements, where you can have a long voice," since those recordings can be sampled to generate fake audio.
Sampson says her family now uses a code word. She says a detective told her the only real defense is awareness, and she's sharing her story so others don't fall for the same kind of call.
"I am determined to get the word out … so that some poor mother doesn't have to live through what I lived through," she says.
Want to get ahead at work? Then you need to learn how to make effective small talk. In CNBC's new online course, How To Talk To People At Work, expert instructors share practical strategies to help you use everyday conversations to gain visibility, build meaningful relationships and accelerate your career growth. Sign up today!
Four leading AI models discuss this article
"The obsolescence of voice-based authentication will force a multi-billion dollar mandatory upgrade cycle for enterprise-grade identity verification infrastructure."
The industrialization of AI-driven social engineering represents a systemic risk to the 'trust layer' of our economy. As voice-cloning latency drops, we are moving toward a world where authentication via voice or personal anecdote is functionally obsolete. This isn't just a consumer fraud issue; it’s a looming crisis for financial institutions (e.g., JPM, BAC) that rely on voice verification for customer support. We should expect a massive shift in capital toward 'Identity-as-a-Service' (IDaaS) and hardware-based authentication providers like Okta (OKTA) or CrowdStrike (CRWD). The market is currently underpricing the cost of 'trust remediation' as firms scramble to replace legacy verification protocols with zero-trust architectures.
The threat may be overstated; as these scams proliferate, consumer awareness will likely trigger a 'trust reset' where people simply stop answering phones, rendering the expensive AI-scam infrastructure economically non-viable for attackers.
"AI scam industrialization accelerates 15-20% CAGR in voice fraud detection market, directly benefiting cyber pure-plays and identity firms overlooked in broad cyber rallies."
AI-driven voice cloning scams, with FTC-reported imposter fraud hitting 1M cases and $3.5B losses in 2025, underscore exploding demand for real-time fraud detection and identity verification tech. Industrialized operations from Asia/Africa amplify scale, creating a $100B+ TAM for voice biometrics and AI defenses (per sector estimates). This boosts cybersecurity firms specializing in call analytics—think Pindrop integrations or NuData-like behavioral AI—while identity protectors like Gen Digital (GEN, ex-NortonLifeLock) and Experian (EXPN) see tailwinds from consumer paranoia. Banks and telcos (VZ, TMUS) will ramp capex on anti-spoofing, sustaining 15-20% sector growth amid 19% YoY scam surge.
Fraud losses remain a rounding error (<0.1%) vs. $30T+ U.S. economy and $10T+ annual payments volume, with free countermeasures like code words and 'just don't answer' (JDA) likely curbing spread without massive new tech adoption.
"The real growth vector is industrialized social engineering using commodity tools, not AI autonomy; defensive value lies in verification infrastructure (MFA, caller authentication), not AI detection."
This article conflates two distinct threats: voice-cloning scams (real, growing, but still technically limited) and fully autonomous AI fraud (speculative, not yet deployed at scale). The FTC data cited—1M imposter scams, $3.5B losses—doesn't isolate AI-driven cases; most are likely traditional social engineering. The Rutgers study describes a proof-of-concept, not operational reality. What's genuinely concerning: organized crime networks ARE industrializing fraud, but the bottleneck isn't AI sophistication—it's economics and latency. Three-second voice samples work only if paired with social engineering; raw voice cloning alone has high failure rates. The article's framing risks panic while underselling the real vector: human psychology remains the exploit, not the technology.
If voice-cloning tools are genuinely becoming cheaper and faster, and organized networks are already running at scale with human operators, then autonomous AI fraud is a logical next step—not speculative. The article may be understating imminent risk by treating Rutgers as mere proof-of-concept rather than a warning sign.
"AI-driven voice scams will accelerate demand for fraud-detection and authentication technologies, potentially driving multi-year revenue growth for cybersecurity players even as near-term losses rise."
The piece highlights a real risk: AI voice cloning makes social-engineering scams harder to debunk in real time, with losses of $3.5B in 2025 and 1 million+ cases. That sets up a structural pull for identity protection, fraud-detection, and verification tech—areas where enterprise spend has already been growing and where providers can monetize via MSPs, banks, and carriers. Yet the narrative may overstate how quickly the money flows to attackers versus defense; reported losses lag engagement, many victims never report, and consumer education or call-blocking software could blunt the marginal impact. Also, exotic 'autonomous' calls may still depend on workers and infrastructure; profitability for attackers isn't guaranteed.
The problem may be overstated: consumer behavior changes, better call-blocking, and improved authentication could dampen the actual losses even as AI improves. Regulators and enforcement actions may curb the attacker economics faster than new defense monetization can scale.
"The shift toward AI-proof authentication will force a total abandonment of voice-based verification, triggering a massive, non-discretionary capex cycle in hardware-backed identity infrastructure."
Claude is right to flag the 'human-in-the-loop' bottleneck, but both Claude and Grok ignore the second-order effect: the total collapse of phone-based authentication. If voice becomes untrustworthy, banks will force a shift to FIDO2-compliant hardware keys and biometric app-gating. This isn't just a tailwind for cybersecurity; it's a structural death knell for legacy 'call center' customer service models. We are looking at a massive, forced capex cycle in digital identity infrastructure, not just incremental fraud software spend.
"Telcos like VZ/TMUS will suffer regulatory fines and capex diversion from scam surges, outweighing cybersec tailwinds."
Gemini rightly flags phone auth's death, but everyone misses the telco fallout: VZ and TMUS face TCPA lawsuits exploding as robocall defenses fail, with $2B+ penalties since 2023 (FCC data). This crushes carrier FCF (est. -10% hit), diverting capex from 5G to anti-spoofing STIR/SHAKEN compliance, not cybersec vendors.
"Telco penalties are real but lagging; the capex reallocation timeline is longer than the urgency of voice-auth obsolescence suggests."
Grok's TCPA/telco penalty angle is real, but conflates two timelines. STIR/SHAKEN compliance is already mandated (FCC 2024 deadline passed); carriers absorb that as sunk cost. The $2B penalty figure is cumulative over years, not imminent. What matters: does voice-auth collapse fast enough to force enterprise capex *before* telcos recoup 5G investment? Gemini's FIDO2 shift is plausible, but adoption lags regulatory pressure by 18-36 months. Claude's 'human-in-loop' bottleneck still holds—autonomous fraud at scale requires solved latency *and* economics, neither guaranteed.
"Autonomous voice fraud is not the only risk; attackers will use AI-assisted, multi-channel social engineering that will force broader identity infrastructure beyond voice alone."
Claude raises a useful point about bottlenecks, but the real shift is multi-channel, AI-assisted social engineering—not just voice. Even if autonomous fraud isn’t here, attackers will blend cloning with human operators and device-savvy bypasses, accelerating losses more than a pure ‘voice collapse’ timeline suggests. Banks should plan for cross-channel identity frictions (SMS, push, biometrics) beyond calls, and not rely on FIDO2 alone. This is a capex cycle, but broader than voice alone.
The panel agrees that AI-driven voice cloning poses a significant risk to current phone-based authentication methods, leading to a shift in capital towards 'Identity-as-a-Service' and hardware-based authentication. However, there's no consensus on the timeline or the extent to which this will impact telcos and other industries.
The growing demand for real-time fraud detection and identity verification tech, creating a $100B+ market opportunity.
The total collapse of phone-based authentication and the shift to FIDO2-compliant hardware keys and biometric app-gating.