Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process

Summary

Cybercriminals have industrialized vishing and fraud operations into sophisticated "Caller-as-a-Service" ecosystems that mirror legitimate call centers, complete with hierarchical roles, performance oversight, and specialized compensation. These networks recruit native English speakers with OPSEC knowledge, train them on scripted social engineering tactics, and supervise real-time execution via screen sharing to maximize conversion rates and prevent leakage. The U.S. elderly lost $3.4B to fraud in 2023, with vishing attacks rising 449% in 2025 and averaging $3,690 per scam call.

Full text

Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process Sponsored by Flare April 22, 2026 10:01 AM 0 Fraudulent phone calls have become a daily reality for millions of people worldwide. From fake law enforcement officials to bank representatives and impersonated tech support agents, victims are increasingly targeted through direct, real-time conversations designed to create urgency accompanied by high psychological pressure to extract sensitive information or money theft. Reports show that this type of cybercrime significantly impacts society both financially and emotionally. According to the FBI, US elderly citizens (60+) lost $3.4B in 2023. Another report shows that vishing increased by 449% in 2025 and the average loss per scam call is $3,690. In this article, we shine a light on what can be described as “Caller-as-a-Service”, which is an under-explored yet rapidly evolving facet of modern cybercrime. We examine how, much like legitimate sales organizations, threat actors have adopted structured, business-like operating models, complete with specialization, scalability, and performance-driven execution. These ecosystems are no longer ad hoc. They are composed of distinct roles and functions, with different actors focusing on specific stages of the attack lifecycle: from infrastructure and tooling to social engineering execution. We explore how these networks operate, including their recruitment strategies, defined roles and responsibilities, and even tailored compensation models—all of which closely mirror legitimate market dynamics. The result is a highly organized, service-driven economy that professionalizes fraud at scale, lowering the barrier to entry while increasing both efficiency and impact. A Structured Organized Market The scam call ecosystem has become highly professionalized and segmented, mirroring legitimate business operations. Distinct roles now exist across the value chain, including malware developers, distributors, phishing kit builders, infrastructure operators, log sellers, data analysts, victim list traders, and finally, scam callers who execute the attacks. This division of labor allows each participant to specialize. For callers, who are solely focused on interacting with victims, the emphasis shifts toward recruitment quality and operational professionalism rather than technical capability. As a result, the barrier to entry is significantly lowered. Individuals no longer need to develop malware or manage infrastructure, and they can focus on refining communication skills, persuasion techniques, and social engineering tactics. A job posting in one of the underground forums Recruitment posts reflect this specialization. They typically outline clear requirements such as native English proficiency, familiarity with operational security (OPSEC), and prior fraud experience. Notably, some roles require participants to remain on screen share during live calls. This requirement is particularly revealing. It indicates that operators are not simply outsourcing tasks, but actively supervising performance in real time. This introduces a level of quality control and operational oversight more commonly associated with legitimate call centers than with traditional cybercrime. Such supervision serves multiple purposes: ensuring adherence to scripts, improving conversion rates, and preventing internal fraud or data leakage. Ultimately, this layered and controlled model highlights how modern fraud operations are managed with the same logic, structure, and efficiency as legitimate businesses. Caller-as-a-Service runs on stolen data. See what's exposed. Structured fraud operations rely on leaked credentials and victim lists sourced from underground markets. Flare monitors thousands of dark web forums, Telegram channels, and marketplaces, so your team can detect exposed data before it fuels the next scam campaign. Keep up with threat actors for free. Underground Recruitment Tactics When legitimate companies want to attract potential employees, they illustrate strong financial backbone, customer testimonials, and even satisfied employees pictures. In the underground, a screenshot of a high balance of the company’s cryptocurrency wallet is enough. A balance of approximately $475,000 serves as a recruitment aid designed to attract recruitments. Such “proof-of-profit” visuals are commonly used in underground communities to establish credibility and demonstrate potential earnings. Whether authentic or fabricated, their purpose is to reduce skepticism and encourage participation. This tactic reflects broader trends in cybercriminal ecosystems, where reputation and perceived success play a significant role in recruitment and collaboration. Screenshot from a post by one of the recruiters Scam Callers Compensation Models Flare’s analysis indicates that various compensation models exist including fixed payments, success-based payments and a hybrid approach that combines both fixed payments and success-based payments. In one model, callers receive a percentage of extracted funds, with higher percentages awarded for larger payouts. In another model, operators offer a fixed payment of $1,000 per successful call, supplemented by an additional percentage. A fixed weekly payment of $1,500Flare link to post, sign up for the free trial to access if you aren’t already a customer Conversations between threat actors provide insights about the compensation model. One operator explains that successful social engineering does not always translate into immediate monetization, thus the compensation is also delayed or conditioned. This distinction is important. It indicates that the fraud process extends beyond the initial call, involving additional steps to convert access or information into financial gain. As a result, operators compensate callers for successful engagement while retaining control over downstream monetization processes. Participants don't simply accept terms. They ask questions, compare offers, and weigh compensation before committing. It's a dynamic indistinguishable from any legitimate job market. Scam Callers Job Requirements, Roles and Responsibilities Much like job postings on LinkedIn, underground operators craft well-defined and highly targeted recruitment ads. These postings are far from generic, and they clearly outline the required traits, responsibilities, and experience for each role, reflecting a level of maturity typically associated with legitimate organizations. For scam callers, the emphasis goes beyond technical capability. Candidates are expected to demonstrate strong soft skills, including clear communication, emotional intelligence, and advanced psychological manipulation techniques. At their core, these roles revolve around the ability to build trust, create urgency, and persuade victims into actions that lead to financial loss or account compromise. A well-polished recruitment adFlare link to post, sign up for the free trial to access if you aren’t already a customer A notable pattern is the preference for native English speakers, indicating deliberate targeting of specific geographic regions. This highlights the importance placed on cultural alignment and linguistic fluency to maximize success rates. Looking for English speaking candidatesFlare link to post, sign up for the free trial to access if you aren’t already a customer When combined with real-time supervision and performance feedback, these operations resemble structured sales floors, where social engineering is not only executed, but continuously refined and optimized for higher conversion. Looking for experienced candidatesFlare link to post, sign up for the free trial to access if you aren’t already a customer Shift Toward Industrialized Social Engineering The convergence of recruitment, supervision, structured incentives, and modular workflows reflects a broader shift toward industrialized fraud operations. This model mirrors developments seen in ra

Indicators of Compromise

• malware — Caller-as-a-Service

Entities