Boffins devise voice-altering tech to jam 'vishing' schemes Researchers based in Israel and India have developed a defense against automated call scams. ASRJam is a speech recognition jamming system that uses a sound modification algorithm called EchoGuard to apply natural audio perturbations to the voice of a person speaking on the phone. It's capable of subtly distorting human speech …
From the article:
As Crystal Morin, former intelligence analyst for the US Air Force and cybersecurity strategist at infosec vendor Sysdig, told The Register in December 2024, voice-based phishing is becoming harder to detect as AI models get better.
That may be, but so long as the crims continue to use botched and clearly fabricated caller ID numbers and strings, it's still real easy to detect a potential scam before you even pick up the phone.
Oh, and never answer any questions in the affirmative until you are generally sure that the caller is who they purport to be.
It's even easier to defeat a potential scam after you answer.
SImply say nothing for 2-3 seconds. The automated callers will hang up, but a real person will say somethinig after the pause.
If there is no hang up after say 3 seconds, you can say hello to catch the 2% of actuall callers who are politely waiting for you to answer.
"Oh, and never answer any questions in the affirmative until you are generally sure that the caller is who they purport to be."
Ask them to prove who they are.
It never failed to catch out HSBC's marketing department making spam calls. They asked me to prove who I was by asking for details of a recent transaction. They couldn't understand why I wouldn't just answer. I then told them they couldn't possibly be my bank because I'd made it clear to my bank that I'd need them to be able to identify themselves properly and I wouldn't even tell them whether or not they'd guessed right. It was always followed up by a peevish letter a few days later saying that they hadn't been able to contact me - the in order to try to flog me some service I didn't need was omitted. This was repeated about once a quarter. They never learned. It's worrying that their expectations were justified that just about everyone else would give details of financial transactions a random caller who introduced themselves as their bank without proving it.
I got fed up with their spam ages ago. Simple remedy. I already operated a policy of individual email addresses for different organisations. I kept reporting their spams as potential phishing. I then told them if they couldn't confirm this as genuine I'd block the email address. They never replied so I set it to bounce. It was years before I needed it for a password reset so I just re-enabled it. It's the easiest way to deal with marketing departments who don't realise how phishy they look.
The solution is actually very simple.
Don't pick up a call from numbers you don't know.
If it is something important, someone will find another way to let you know.
If you are unsure ask the caller how many r are in the strawberry or if they happen to know what is the easiest way to synthesize LSD at home.
> Don't pick up a call from numbers you don't know ... If it is something important, someone will find another way to let you know.
I'm always intrigued by seeing this recommendation - especially as I'm guessing the people who don't answer the 'phone are the same ones who don't respond to the SMS from a strange number, the email from the sender not in your address book?
What "another way" do you actually find acceptable? A singing telegram? A Facebook friend request?
"We did send a notarised letter by signed-for next-day courier to tell you your back garden was on fire, but he came back saying he couldn't find anything at that address".
Or have you religiously put into your contacts the numbers of every hospital in the region, all the numbers of the staff in the car showroom you happen to be buying from this week, every neighbour in a one mile radius who might spot something happening?
Maybe you rely on everybody calling one of your family members and they'll pass the message one, as you'll take their call; only, you told them never to pick up an unknown number...
> Or have you religiously put into your contacts the numbers of every hospital in the region, all the numbers of the staff in the car showroom you happen to be buying from this week, every neighbour in a one mile radius who might spot something happening?
How did they get my number?
I do read email from those not in my address book, they have their own folder but I look frequently enough. If people insist on using a technology dominated by scammers that demands immediate attention then they should expect some cost.
> How did they get my number?
Sequential dialling.
There is nothing personal in it, no need for nefarious data collection, any feeling you have of being snooped on is just paranoia: unlike email addresses, which do take a bit of work to harvest.
Unless the phone caller addresses you by name, right from the start, in which case...
My local Doctor Surgeries (multiple) all block their CLI, as do the Police, local Council, Hospitals, etc.
I have told them all multiple times, to not block, but return their main reception number as the CLI, as I believe most PABX allow.
No, I still get calls with no CLI that I have to answer. Even if you don't say anything, the nefarious still find out that your phone number is valid.
I have told them all multiple times, to not block, but return their main reception number as the CLI, as I believe most PABX allow
There are a number of good reasons why certain organisations block numbers - the main one being privacy. Having the phone light up with "it's the clap clinic* calling" is a bit privacy breaking in a multi-person household. Even a generic "main number for the site" can be quite revealing - given how the tendency has been to centralise certain services at a small number of high specialism sites (the modern NHS isn't what's depicted in The Royal any more.)
In some places, the NHS** has setup a single number that's used as a presentation number for "many" services in the area. So getting a call from that number really doesn't give any clue as to the nature of the call.
* OK, I made that up for dramatic effect.
** Yes, I know there is no such thing as "the NHS". So typically this might be a trust and all the sites/services run by it.
The last time I got notification of any sort of medical appointment by phone was probably back in the 80s. Since then, every last one of them has been by ye olde snail mail. I wasn't even aware that the NHS ever used any other method, again at least not in the last 40 years.
I did think it was an oddly unreliable method of contacting patients about something so important, given the notoriously poor service offered by what passes for a postal service nowadays, and the fact that it's quite common for appointment letters not to arrive until *after* the day of appointment.
Why not just use emails? It's instantaneous, free, and leaves an easily auditable record. And I mean, who in 2025 still doesn't have an email address? Even street urchins in Bangladesh have entry-level smartphones and gmail accounts.
It's quite bizarre, but I've learned the futility of challenging the rationale of archaic government institutions.
Meanwhile, like a rapidly increasing majority of people, I no longer even have a landline connection, mainly because 5G internet is approximately 150 times faster than the prehistoric ADSL I had previously. And where I live, it's highly likely that I will quite literally die of old age before Openreach finally gets around to installing gigabit fibre in my muddy backwater, if ever.
My only comms is now exclusively by smartphone, and one of the first things you realise is that, once you have a smartphone, ironically you no longer need to make or receive actual phone calls, because you now have 100 more effective ways to communicate with people.
So the fact that the aforementioned archaic institutions make the bizarre, unnecessary and frankly sinister decision to hide their identity, at least when making calls, is not something that affects me in any way, and shouldn't need to affect anyone else in the 21st century either.
Hospitals may withhold numbers because they often expect staff to use their own mobiles to make calls and advise them to block their number (my wife is a nurse so I can assure you I am not making this up). Land lines are for incoming calls, not outgoing, typically with a voice mailbox attached that may or may not be integrated into the hospital messaging systems (at the J.R they are not, so a nurse will have to spend time each day going through the voicemails and adding notes to EPR, etc etc, and then calling back the triaged patients).
In a lot of cases calls from hospitals are from nurses who tend to be helpful and polite so if a patient gets their number you would not BELIEVE the amount of stupid calls and queries they will get, even using a work phone. And not just calls in work hours, either... People act like a nurse's time is theirs, forever.
> The last time I got notification of any sort of medical appointment by phone was probably back in the 80s
I got a call from the GP surgery last month.
We get our NHS hospital appointments by letter, at least all those that are set weeks or months ahead.
> Why not just use emails?
Well, in at least one case - mine - as I've mentioned before, the third-party spam filter that our GP surgery uses (it may be NHS wide, I've not checked) refuses to let any of my emails through. It just started blocking them a while back, which I only found out when prescription refills were not being completed. I get their emails, they never receive a reply back, and we end up reverting to phone calls again.
> and one of the first things you realise is that, once you have a smartphone, ironically you no longer need to make or receive actual phone calls, because you now have 100 more effective ways to communicate with people.
Really? We've not found that to be the case. We make phone calls all the time, and although we do use a couple of other comms media on the Android phones - SMS, two "instant" messaging platforms - by number of words the 'phone wins. By a mile. Even over the video calls (taken on the PC, not mobile).
Hey, guess what, people are different! And chances are that the people in your social circle are similar in their habits to you, which is why so many say that "everyone *I* know does...".
> bizarre, unnecessary and frankly sinister decision to hide their identity
Have you considered whether it is just the default setting? Because if you have an organisational PBX then chances are you want to show one ID, no matter the internal extension used, but if nobody has RTFMed and set up that one ID then...
> bizarre, unnecessary and frankly sinister decision
They are out to get you!
"My only comms is now exclusively by smartphone, and one of the first things you realise is that, once you have a smartphone, ironically you no longer need to make or receive actual phone calls, because you now have 100 more effective ways to communicate with people."
Yes. You can receive texts from the NHS with links that, given the way my phone and fingers interact, are unusable. It's a crap way to communicate. I got one the other day to book my annual checkup with the GP. I'll ring them.
Before that there was the situation where my mobile number was given as my wife's next of kin contact number so they then assumed that that was her number.
IME mobile is about the lest reliable communication system available.
I'm old enough to remember the IBM 360 as being in the concept state and COBAL being the new thing. However being held enthrall to spammers and their fellow low-lifes is NOT my thing. Each contact in my directory has been assigned an individual ring. If not a recognized tone, it is ignored for the nonce and looked up later. If it is someone or thing that II wish to communicate, I call.
While I'm here: two certs on email spam. If I see the source as a Gmail, straight to trash. Sorry about that Norton, PayPal or McAffee you're all very untrusted because you cannot control the use of your own name.
As a matter of fact my tired ol' eyes now require another level of magnification.-
How come all these bad guys get to use working speech recognition systems that can easily run a scam without the human always catching on but the banks and insurance companies are stuck with machines that can't tell the difference between "Yes" and "No"?
After spending one morning this week getting the 'phone banking to just put a replacement 2FA device in the post and another morning getting the insurance changed so we can drive away the new car, both of those thankfully had successful endings - when we managed to get the machines to give up and pass the call onto a human.
It took a long time to figure out the problem with Northern Powergrid's ACD front end. My house name, when spoke, sounds to have a number in it so it tried and failed to find it as a street number and name. It would inform me that it wasn't an address in their region. At least it would drop me into a queue for a real person to answer.
Already been done, already been fixed: Generative Adversarial Neural Networks.
The attackers just need the algorithm, which will presumably be widely publicly available (so that it's useful), run a script through a speech-generator, pass it through the echo-perturbation modifier, and train/test the ASR component. Repeat with increasing perturbation until satisfied.
So basically you're telling me that trying to talk to people on the phone is soon going to be like trying to read a captcha meant to be difficult for computers? When is this algorithm going to be used / take effect? AFTER the call has been answered? every call? by default by the phone company?
there's so much face-palm here, I don't even know where to start. The only people who will be hurt are the honest people just trying to talk to someone on the phone. Communications in this day and age just keeps getting harder and harder.
At what point does a communications medium become absolutely important enough that it's a national-security concern if you're abusing it (collection calls == people are not going to pick up the phone, when someone *needs* to reach them, so collection calls become illegal?)
Speechbrain as far as I can tell uses a wide range of techniques to validate asr. Whisper as the article said has such a vast set of training data. It won't be long before someone combines all the features that makes humans excellent at this into a future asr model(in my opinion with test time training).
I am under the impression that this machine-alteration to human direct-speech has already been introduced into the standard 'Press Briefing'. Whilst a human can understand (most of) the wording, the sentence has little connection to meaning.
It's no wonder that AI models, trained on this data, are sometimes, often, confused.
Having written the echo cancellation and noise reduction functions (in assembler) for the Nokia 2210, etc. I can confirm that the human ear is very, very good at ignoring disturbances in speech. For instance, if a speech packet was badly corrupted, I would just play the last packet again and it was almost impossible for people to hear, even when listening for it.
Accents of your standard support line though, go from perfect English (often from Scotland) to unintelligible (often from Asia). But, the AI probably does better than the human in deciphering that. :-(
"the crook's ASR system attempts to convert their vocal response to text, so the back-end model can decipher what was said, devise a response"
I want one of those for when we finally lose POTS in favour of VOIP. As a compensation for the loss of resilience against local power failure it would be great to dump unwanted calls - especially about smart meters - into an automated maze of twisty little passages.
> The link to the audio samples goes to an error message
But https://sites.google.com/view/impulse-response-asr-attack/home works fine.
Somebody worked too hard cluttering-up that URL.
I listened to the samples and the Echoguard one was possible to understand, but it would quickly become a real strain in an actual conversation. I can't really see how this would be useful though. If you're in the process of being scammed by a real human scammer, then it would just annoy them. If it was a genuine call, it would annoy them too. So at what point do you turn it off? If you know whether it's a genuine call or a scam call, then why not simply hang up on the scam call?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
