"US elderly citizens (60+) lost $3.4B in 2023," the FBI reports — a stark marker of how profitable and persistent phone-based fraud has become.
A Structured Organized Market
Fraudulent phone calls are no longer the work of lone operators improvising scripts. According to the reporting, the scam economy now resembles a segmented business: malware developers, distributors, phishing-kit builders, infrastructure operators, log sellers, data analysts, victim-list traders and scam callers each occupy a defined place in the value chain. That division of labor lets participants specialize — callers need not write malware or run infrastructure; they focus on persuasion, psychology and conversation.
The result is a lower barrier to entry and a more efficient, scalable operation. The reporting describes this evolution as a shift toward an industrialized social-engineering model that mirrors ransomware-as-a-service and initial-access brokerage in its emphasis on specialization and measured, performance-driven execution.
Underground Recruitment Tactics and Proof-of-Profit
Underground recruitment mirrors legitimate hiring practices, the source says, but with criminal hallmarks. Operators post targeted ads that outline experience and soft skills — native English proficiency, familiarity with operational security (OPSEC) and prior fraud experience. Some roles even require recruits to remain on screen share during live calls, a practice used to supervise and validate performance in real time.
Recruiters in these communities use simple credibility signals to attract applicants. A screenshot of a cryptocurrency wallet balance of approximately $475,000 is cited as a common "proof-of-profit" visual intended to reduce skepticism and lure candidates. Whether authentic or fabricated, such imagery plays the same role as corporate testimonials in legitimate hiring: establishing perceived financial strength and opportunity.
Compensation Models and Downstream Monetization
Compensation is deliberately structured. Flare’s analysis shows three primary models: fixed payments, success-based payments, and hybrids. One advertised fixed model pays $1,000 per successful call; others give callers a percentage of funds extracted, with larger payouts earning higher splits. Conversations among threat actors reveal additional nuance: success on a call does not always translate to immediate payment, because converting access or information into money often involves further steps. As a result, operators may delay or condition payout, retaining control of downstream monetization.
Participants in the underground do not passively accept offers. The source reports that candidates ask questions, compare offers and negotiate terms — dynamics indistinguishable from ordinary labor markets in form if not in legality.
Operational Supervision: Screen Share, Scripts, and Quality Control
Requiring live screen share and continuous supervision signals a move toward call-center discipline. Supervisors enforce scripts, provide feedback to improve conversion rates, and guard against internal fraud or data leakage. That supervision elevates social engineering into a repeatable, optimizable operation: calls become measurable outputs rather than one-off scams.
Because these operations rely on exposed credentials and victim lists sourced from underground markets, quality control is essential to turn stolen data into usable outcomes. The decentralized architecture — different actors owning data, infrastructure and monetization channels — also makes disruption of single callers less effective.
What this means for technologists, defenders, and end users
- Technologists and security teams: The reporting recommends prioritizing stronger identity verification mechanisms and behavioral-anomaly detection to spot real-time social-engineering activity that standard controls miss. Monitoring upstream leak sources can blunt campaigns before they reach victims.
- Defenders and enterprises: Because operations rely on compromised data, the source suggests proactive responses such as resetting credentials and alerting users when stolen lists or credentials are detected. Flare is cited as providing early visibility into recruitment activity, leaked data and victim lists across dark web forums, Telegram channels and marketplaces.
- End users and the general public: Fraudulent calls are rarely random, the report warns. Be alert to calls that create urgency, request sensitive information or pressure immediate action. Never share passwords, verification codes or financial details over the phone; hang up and contact the organization through official channels. Enabling multi-factor authentication (MFA) is also recommended to reduce the impact of compromised credentials.
The portrait that emerges is of an ecosystem that professionalizes persuasion: recruitment, compensation, supervision and modular workflows turn a human voice into a repeatable attack vector. With vishing reported to have increased by 449% in 2025 and an average loss per scam call of $3,690, the human element — and the markets that supply it with stolen data and operational support — are now the central battlefield.
For organizations and individuals alike, the implication is clear: technical controls matter, but so does upstream visibility and user education. Tools and services that monitor underground markets for leaked credentials, victim lists and recruitment signals can give defenders precious time to reset credentials and warn potential victims before a campaign matures. As the scam economy adopts the structures of legitimate business, defenses must match that organization with targeted verification, anomaly detection and proactive intervention.




