
Inside Caller-as-a-Service: How Scam Rings Recruit Their Workers

Summary

– Fraudsters have adopted structured, business-like operating models for scam calls, with specialized roles like malware developers, data analysts, and callers, lowering the barrier to entry.
– Scam callers are recruited with clear requirements like native English proficiency and prior fraud experience, and are often supervised in real time to ensure quality control and higher success rates.
– Compensation for scam callers includes fixed payments, success-based percentages of stolen funds, or hybrid models, with some payments delayed until the fraud is fully monetized.
– The scam call ecosystem is highly professionalized, mirroring legitimate job markets with recruitment ads, performance feedback, and structured incentives, making fraud more efficient and harder to detect.
– To counter these threats, defenders should use stronger identity verification and behavioral detection, while individuals should avoid sharing sensitive info during unsolicited calls and enable multi-factor authentication.

Fraudulent phone calls have become an inescapable part of modern life, with millions of people facing fake law enforcement agents, bank representatives, or tech support scammers every day. These real-time conversations are engineered to create urgency and exert high psychological pressure, all to extract sensitive information or steal money directly. The scale of this problem is staggering: according to the FBI, U.S. citizens aged 60 and older lost $3.4 billion in 2023 alone. Another report reveals that vishing attacks surged by 449% in 2025, with the average loss per scam call reaching $3,690.

This article explores a rapidly evolving, yet often overlooked, facet of modern cybercrime: Caller-as-a-Service. Much like legitimate sales organizations, threat actors have adopted structured, business-like operating models built on specialization, scalability, and performance-driven execution. These criminal ecosystems are no longer ad hoc operations; they are composed of distinct roles and functions, with different actors handling specific stages of the attack lifecycle, from infrastructure and tooling to the final social engineering execution.

We will examine how these networks operate, including their recruitment strategies, clearly defined roles and responsibilities, and even tailored compensation models. These elements closely mirror legitimate market dynamics, resulting in a highly organized, service-driven economy that professionalizes fraud at scale, lowering the barrier to entry while simultaneously increasing both efficiency and impact.

A Structured, Organized Market

The scam call ecosystem has become highly professionalized and segmented, functioning much like a legitimate business value chain. Distinct roles now exist, including malware developers, phishing kit builders, infrastructure operators, log sellers, data analysts, victim list traders, and finally, the scam callers themselves who execute the attacks. This division of labor allows each participant to specialize. For callers, whose sole focus is interacting with victims, the emphasis shifts toward recruitment quality and operational professionalism rather than technical capability.

As a result, the barrier to entry is significantly lowered. Individuals no longer need to develop malware or manage infrastructure; they can instead focus on refining communication skills, persuasion techniques, and social engineering tactics. Recruitment posts reflect this specialization, typically outlining clear requirements such as native English proficiency, familiarity with operational security (OPSEC), and prior fraud experience. Notably, some roles require participants to remain on screen share during live calls. This requirement is particularly revealing, indicating that operators are not simply outsourcing tasks but actively supervising performance in real time. This introduces a level of quality control and operational oversight more commonly associated with legitimate call centers than with traditional cybercrime.

Such supervision serves multiple purposes: ensuring adherence to scripts, improving conversion rates, and preventing internal fraud or data leakage. Ultimately, this layered and controlled model highlights how modern fraud operations are managed with the same logic, structure, and efficiency as legitimate businesses.

Underground Recruitment Tactics

When legitimate companies want to attract potential employees, they showcase financial strength, customer testimonials, and photos of satisfied workers. In the underground, a screenshot of a high cryptocurrency wallet balance is often enough. A balance of approximately $475,000 serves as a powerful recruitment aid. Such “proof-of-profit” visuals are commonly used in underground communities to establish credibility and demonstrate potential earnings. Whether authentic or fabricated, their purpose is to reduce skepticism and encourage participation. This tactic reflects broader trends in cybercriminal ecosystems, where reputation and perceived success play a significant role in recruitment and collaboration.

Scam Caller Compensation Models

Flare’s analysis reveals several compensation models, including fixed payments, success-based payments, and a hybrid approach that combines both. In one model, callers receive a percentage of extracted funds, with higher percentages awarded for larger payouts. In another, operators offer a fixed payment of $1,000 per successful call, supplemented by an additional percentage. Conversations between threat actors provide further insights. One operator explains that successful social engineering does not always translate into immediate monetization, so compensation is often delayed or conditioned. This distinction is important, as it indicates that the fraud process extends beyond the initial call, involving additional steps to convert access or information into financial gain. As a result, operators compensate callers for successful engagement while retaining control over downstream monetization processes. Participants don’t simply accept terms; they ask questions, compare offers, and weigh compensation before committing. It is a dynamic indistinguishable from any legitimate job market.

Scam Caller Job Requirements, Roles, and Responsibilities

Much like job postings on LinkedIn, underground operators craft well-defined and highly targeted recruitment ads. These postings are far from generic and clearly outline the required traits, responsibilities, and experience for each role, reflecting a level of maturity typically associated with legitimate organizations. For scam callers, the emphasis goes beyond technical capability. Candidates are expected to demonstrate strong soft skills, including clear communication, emotional intelligence, and advanced psychological manipulation techniques. At their core, these roles revolve around the ability to build trust, create urgency, and persuade victims into actions that lead to financial loss or account compromise.

A notable pattern is the preference for native English speakers, indicating deliberate targeting of specific geographic regions. This highlights the importance placed on cultural alignment and linguistic fluency to maximize success rates. When combined with real-time supervision and performance feedback, these operations resemble structured sales floors, where social engineering is not only executed but continuously refined and optimized for higher conversion.

Shift Toward Industrialized Social Engineering

The convergence of recruitment, supervision, structured incentives, and modular workflows reflects a broader shift toward industrialized fraud operations. This model mirrors developments seen in ransomware-as-a-service (RaaS) and initial access brokerage, where specialization and division of labor drive efficiency. However, in this case, the primary attack vector is human interaction, making it both accessible and difficult to detect.

Implications for Defenders and Individuals

These threats reflect a clear shift toward structured, scalable fraud operations, posing growing challenges for both organizations and individuals. The decentralized nature of these ecosystems makes disruption inherently difficult. Removing individual callers has limited impact, as critical components (victim data, operators, and monetization channels) are distributed and resilient. At the same time, the reliance on compromised data sources reinforces a key reality: upstream breaches directly fuel downstream fraud. Compounding this is the increasing level of professionalism. With elements such as real-time supervision, defined workflows, and structured compensation models, these operations are becoming more consistent, efficient, and harder to detect.

To counter this, defenders should prioritize stronger identity verification mechanisms, behavioral anomaly detection, and user awareness focused on real-time social engineering scenarios. For individuals, it is important to understand that fraudulent calls are rarely random; they are often part of coordinated, data-driven campaigns. Be cautious of unsolicited calls that create a sense of urgency, request sensitive or financial information, or pressure you into immediate action. Even if a caller appears credible, never share passwords, verification codes, or financial details over the phone. If something feels off, the safest approach is simple: hang up and contact the organization directly through official channels. Finally, enabling multi-factor authentication (MFA) can significantly reduce the impact of compromised credentials, adding a critical layer of protection against account takeover.

(Source: BleepingComputer)
