AI scams on your phone: The new fake messages and calls, and how to protect yourself
Phone scams are no longer the sloppy messages full of spelling mistakes that we spotted right away. With artificial intelligence, scammers can write convincing SMS messages, impersonate banks, couriers, public services and even our own relatives. The most dangerous part, however, is that they can now copy voices, create fake video calls and pressure you into taking an action within a few seconds. This is the new world of AI scams — and every one of us needs to know how it works.

Article contents
- Why phone scams have become so dangerous
- What has changed with artificial intelligence
- Fake SMS and messages: the new generation of smishing
- Deepfake voices and fake calls
- Banking scams and one-time passwords
- The signs that should stop you immediately
- How to protect yourself step by step
- What to do if you clicked a link or gave out your details
- Frequently asked questions
Why phone scams have become so dangerous
The mobile phone has become the centre of our digital life, and I don't think anyone would disagree with that. It is where we receive messages from banks, verification codes, courier notifications, updates from public services, Viber, WhatsApp, email, push notifications and social media. This is exactly what scammers take advantage of: the phone is always right beside us, we glance at it in a hurry, and we often react without thinking.
In the past, a fake message — the kind we have all received at some point — was relatively easy to recognise as suspicious. It had odd wording, poor translation, or vague content that made no sense. Today, with the arrival of artificial intelligence, this is changing. Using AI tools, a scammer can write a message in correct Greek, make it look urgent with proper phrasing, or copy the style of a bank and adjust the text so that it seems more genuine.
The result is that the average user is not at risk because they are "naive" — they are at risk because scams have become more convincing, faster and more personalised to each person's "tastes" and preferences. The scammer no longer needs to know much about you. They can use data leaks or public information from social media and, with automated tools and AI technology, create a message that looks just real enough to make you click the link or, at any rate, respond to it.
In Greece we often see scams that impersonate banks, ELTA or couriers, gov.gr, e-EFKA, AADE, tax refunds, supposed fines, supposed account deactivation or fake payments. The same pattern exists internationally: the user receives a message asking them to click a link and is taken to a fake page that looks real. There they are asked for card details, e-banking passwords, an OTP (a 6-digit one-time code), ID details or other personal data.
AI has improved at writing and keeps improving and adapting to whatever style the scammer wants.
The message usually pressures you to act right now, with words like "expires", "is being blocked", "will be lost".
Scams can now make use of details from leaks or social media.
What has changed with artificial intelligence

Artificial intelligence did not create scams — scams have always existed. What AI did was give scammers speed, quality and scale. They can produce thousands of different messages in many languages, with fewer mistakes and better psychological targeting.
An AI tool can take a simple scenario — for example, "send a message saying there is a problem with a parcel" — and turn it into dozens of versions: more formal, more anxiety-inducing, friendlier, more bank-like, shorter for SMS, more detailed for email, more convincing for Viber. This means the attacks are no longer just mass attacks. They can be mass attacks and at the same time target many different profiles of people all over the world, in different languages, simultaneously!
The big change, however, is deepfake voices and fake calls. With a small audio sample from social media, videos, stories or public posts, a voice can be created that resembles a familiar person. This opens the door to scams of the type "I'm your son, I've had an accident", "I'm from the bank, we need to secure your account", "I'm your employer, make this payment immediately" — not from a person but from a computer whose voice sounds like a person.
This is the core of social engineering. The scammer is not necessarily trying to "attack" the bank or our phone directly. They are trying to make us open the door for them ourselves. Through various tactics such as: getting us to click a link, to give a code to approve an urgent transaction, to tell them the OTP (an instant 6-digit code from the bank), or even to install a remote-access app or transfer money "for safekeeping" to somewhere they point us to. That is why modern scams don't always look like scams — they look like ordinary communication
The 4 basic techniques used today
| Technique | How it appears on your phone | What the scammer wants |
|---|---|---|
| Smishing | SMS or message with a link from a supposed bank, courier, gov.gr, AADE, e-EFKA. | To make you click a link and give out details or passwords. |
| Vishing | A phone call from a supposed bank employee, technical support or public service. | To make you reveal passwords, an OTP, or approve a transaction. |
| AI voice cloning | A voice that sounds like a relative, friend, colleague or boss. | To make you send money or do something urgent without checking. |
| Deepfake video call | A fake video call or a synthetic image/face that looks real. | To gain trust and bypass any doubts. |
Fake SMS and messages: the new generation of smishing

Smishing is the name for deception (phishing) carried out through SMS or messages on your phone. It can arrive as a plain SMS, as a Viber message, as WhatsApp, as RCS, or even as a notification that appears to belong to a well-known service. The classic scenario is simple: you receive a message informing you that there is a problem, a pending matter or an opportunity. To resolve it, you have to click a link.
The usual themes used in such cases are very specific: "your parcel could not be delivered", "a customs payment is pending", "your account will be blocked", "you are entitled to a tax refund", "there is a fine", "confirmation of your details is required", "a suspicious transaction was detected". Messages of this kind are designed to cause us anxiety or a sense of haste.
The dangerous part is that the link in the message can look almost normal. It may have a name that resembles a bank or a public service but with a small change — an extra letter, a hyphen, an odd ending. On a phone screen, where space is limited, these differences are even harder to spot.
AI-generated messages make smishing more dangerous because they remove the old warning signs. They can be written with correct grammar, use an official tone, and adapt to local details. For example, a message in Greece may mention gov.gr, EFKA, AADE, a bank, a courier or a fine, because these are scenarios that sound familiar to the Greek user.
An example of a dangerous pattern
A common pattern starts with a small threat: "Your account will be restricted". Then it offers a simple solution: "Click here to confirm". Next it leads to a fake page that looks like the real one. There it asks for login details, card, PIN or a one-time code. If the user provides them, the scammer can immediately try to log into the account or complete a transaction.
This is why we must never treat the OTP — (One-Time Password) the single random security code that is generated for one-time use in a transaction — as a simple "confirmation number". The OTP is a key. If we give it to a third party, it is like giving them the ability to complete an action in our name. No bank, public service or serious company needs you to tell it the one-time code over the phone or by message.
Don't trust the link — trust the process
If the message says there is a problem with a bank, a parcel or a public service, don't click the link. Open the official app yourself, or type the address of the service yourself, and check from there whether there really is a problem — don't let panic take over when you read the malicious message.
Deepfake voices and fake calls: when the scammer "sounds" real

Moving on: phone scams are not a new phenomenon. What is changing today is that the scammer no longer needs to sound like a random stranger. With artificial intelligence tools, they can create or alter a voice so that it resembles someone we know — a company employee, a boss, or even a relative. This makes the scam far more dangerous because it doesn't strike only at our logic — it strikes at our trust as well.
The most common scenario — there has been a flood of such cases in the news — is the "urgent need". You receive a call from a number you don't know, or even from a number that looks familiar. The voice sounds like a child, a parent, a friend or a colleague, and tells you that there has been an accident, that a phone was lost, that money is needed immediately, that there is a police or medical problem. The aim is to stop you from thinking before you react.
In other cases the call comes from a supposed bank. The scammer says that a suspicious transaction was detected, that you need to "secure" the account, that they will help you cancel the charge, or that you need to confirm a code you have just received. If you panic and follow the instructions, you may give them exactly what they need: access, a confirmation code, or approval of a transaction.
How do they get someone's voice?
There doesn't always need to be a large file or a professional recording. Many people upload videos, stories, reels, TikTok, YouTube shorts or professional videos every day, where their voice can be heard. Even small samples can help voice-cloning tools create a convincing imitation. The more public audio there is online, the easier the scam scenario becomes.
This doesn't mean, of course, that we should stop talking with someone we don't know. It does mean, however, that we must understand that a voice alone is no longer absolute proof of identity. Just as we don't blindly trust an email because it carries a familiar name, we should not blindly trust a call just because it "sounds" like a familiar person.
Banking scams: the big trick with OTP, e-banking and "account security"

Banking scams are among the most dangerous because the scammer is not simply after personal details — they are after direct access to our money. The scenario usually begins with a message or a call. They may tell us that a suspicious transaction occurred, that we need to confirm our details, that our account is at risk, or that we need to transfer our money to a "safe account".
That last phrase is one of the most suspicious of all. No bank will ask us to transfer our money to another account in order to protect it. No bank will ask us for our full e-banking password, our card PIN, or the one-time code we have just received on our phone. If someone asks us for such details, they are certainly not protecting us — they are most likely trying to manipulate us.
The OTP, that is, the one-time code the bank sends us, is one of the most frequent points of attack. Many of us think it is a simple confirmation number. In reality this code can approve a login, the addition of a device, a change of details or a transaction. If we give it to a scammer, they can complete an action that appears as though it was done by us.
How a typical banking scam is set up
Usually the first step is a fake message or a call that creates fear. "A suspicious transaction was detected." "Your account will be locked." "Confirmation is required." The second step is to lead you to a fake page or to keep you on the line with the scammer. The third step is for you to type in details or say a code. The fourth is for the real damage to be done: logging into the account, transferring money, charging the card or changing details.
With AI this scenario becomes more convincing. The message can be well written, the voice can sound calm and professional. The scammer usually has ready answers to objections. We may hear phrases like "don't worry, this is the safe procedure" or "if you hang up we won't be able to stop the transaction". This is pressure they are trying to put on us, not assistance.
The remote-access trick

Another dangerous scenario is when they ask you to install a remote-access app, supposedly to help you. They may present themselves as technical support, a bank, an accountant or a security company. If you give them access to your screen, they can see what you are doing, guide you into opening e-banking, or obtain personal information they shouldn't have.
Remote access is a useful tool when it is used by someone we genuinely trust. But when a stranger asks for it through an unsolicited call, it is extremely dangerous — especially if the call is related to a bank, a refund, a supposed virus on the device, or "account security".
| What they tell you | What it may mean | What you should do |
|---|---|---|
| "Tell me the code you received" | They want the OTP for a login or transaction. | End the communication. We never give out an OTP. |
| "Transfer the money to a safe account" | They are trying to make you send the money yourself. | Don't make any transfer. Call the bank from an official number. |
| "Install this app for a check" | They may be asking for remote access. | Don't install anything from a stranger. |
| "Don't hang up, it's urgent" | They are pressuring you so you won't think. | Hang up. A real bank doesn't threaten you like this. |
| "Click the link to cancel the transaction" | It may be a phishing page. | Open the bank's official app yourself. |
The signs that should stop us immediately

Let's sum up all the signs that hide a scam, so that we can recognise and avoid most modern scams even if the message is well written and convincing and the voice sounds real.
The first sign is time pressure. The scammer wants to make us act before we think rationally. With phrases like "You have 10 minutes", "The account is being blocked", "The transaction is being completed now", "If you don't do it immediately, you will lose the money". These phrases are designed to bypass our judgement and reasoning.
The second sign that it is a scam is the request for secret details. Passwords, PINs, OTPs, card details, e-banking credentials, ID numbers and personal data are never given out just because someone asked for them by message or phone.
The third sign is bypassing the normal procedure. If a bank, service or company has an app, an official website and known communication channels, there is no reason for it to ask us to enter through a strange link, or to suggest to us that this is the only solution — something like that is highly suspicious.
| Dangerous | Example | Correct reaction |
|---|---|---|
| Urgent tone | "If you don't act now, you lose access" | You stop and check through an official channel. |
| Request for an OTP | "Tell me the six-digit code" | You never tell it. You end the communication. |
| Strange link | A domain that looks like a bank but isn't exactly the same. | You don't click. You type the official address yourself. |
| Remote access | "Download an app so we can help you" | You don't install apps from an unknown call. |
| Secrecy | "Don't tell anyone, it's a security procedure" | Suspicious. Legitimate procedures aren't based on secrecy. |
| Change of IBAN or payment | "Send the money to a new account" | Confirmation through a second, independent channel. |
The 30-second rule
If you receive a message or call that stresses you out, don't reply immediately. Take 30 seconds. Read the message again. Look at the link. Think about whether the procedure makes sense. Ask yourself: "Why is it asking me for this? Why now? Why through this channel?".
These 30 seconds are often enough to break the psychological pressure. Scammers rely on an immediate reaction. If you delay, check and confirm, you take away their main weapon.
Stop — Check — Confirm
Don't respond to pressure. Don't click a link out of fear. Don't give out passwords because someone sounds convincing. End the communication and check with an official source.
How to protect yourself step by step from AI phone scams

Protection from the new AI scams is not based on a single tool. It is not enough just to have antivirus, nor is it enough for someone to say "I can spot these things". Modern scams are built to deceive even careful people, especially when there is pressure, fear or haste. That is why what is needed is simple, clear thinking.
The basic rule is: don't react through the channel the stranger used to contact you. If you receive an SMS from a supposed bank, don't click the link. If someone calls you saying they are from the bank, don't continue the procedure on that same call. If you receive a message from a courier, don't open the page from the link. Go yourself to the official app or the official website.
1. Lock our phone properly
The first level of protection is the phone itself. We use a strong screen lock, ideally biometric authentication together with a strong PIN. We naturally avoid easy passcodes like 0000, 1234, birth dates or numbers someone could guess. If someone gains physical access to our phone, they can see SMS messages, email, notifications and confirmation codes.
It is also a good idea to limit the display of sensitive notifications on the lock screen. There is no need for the entire content of an SMS from a bank or app to be visible when our phone is locked.
2. Enable account protection
For email, social media, e-banking and important services, we enable two-factor authentication wherever it is available. Ideally we use an authenticator app instead of SMS when the service supports it. SMS is better than nothing, but it is not the strongest solution, especially in cases of SIM swap or social engineering.
Also check the devices connected to your main accounts. If you see an unknown device or an unknown location, disconnect it and change your password immediately.
3. Never give out an OTP, PIN or passwords
This is perhaps the most important point in the whole article. The OTP (One-Time Password is a unique random security code generated for a single use) is not a simple number. It is an approval. It can allow entry into an account, the addition of a new device, a change of details or the completion of a payment. If someone asks us to tell them the code we received on our phone, the communication must be considered suspicious and dangerous.
4. Always check the link before you click
On a phone it is easier to be fooled because the screen is small and often the full address is not visible. A fake domain can look very much like the real one; it may have hyphens, extra words, a different ending or a small change in a single letter.
The best practice is not to click at all on links that ask for details. For couriers, as we have said, we open the official app or website; for a bank, likewise, the official e-banking app; and the same for a public service — we enter through gov.gr by typing the address ourselves.
5. Don't install apps just because a stranger asked you to
If someone calls us and asks us to install an app for a "check", a "refund", "account protection" or "technical support", WE STOP. And we think about this: remote-access apps can be legitimate, but in the hands of a scammer they become very dangerous for our security.
Especially if, during the call, they ask us to open e-banking, enter passwords or approve something, we end the communication immediately.
6. Make sure our phone and apps are always up to date
Updates are not only for new features. They often fix security gaps, which is why we keep Android or iOS up to date, as well as our apps: the browser, banking apps, email and messaging apps — everything.
We also download apps only from the Google Play Store or the Apple App Store. We avoid APK files from unknown websites, especially if they were sent to us by message.
| Protective measure | Why it helps | Priority |
|---|---|---|
| Don't click links from SMS for banks/services | Drastically reduces the risk of phishing. | Very high |
| Don't give out an OTP or PIN | Prevents approval of transactions or third-party logins. | Very high |
| Use of an authenticator app | More secure than simple SMS confirmation. | High |
| A security phrase within the family | Helps against AI voice cloning and fake emergency scams. | High |
| Device and app updates | Close known security gaps. | High |
| Checking connected devices | Detects a possible account breach. | Medium to high |
What to do if you clicked a link or gave out your details
If you did it by mistake, the worst thing you can do is get anxious and wait. Scams work because people panic, feel ashamed, or hope that "nothing happened". But in banking and digital scams, time matters. The faster you react, the more chances you have to limit the damage — immediately close all windows and programs and shut down your computer.
If you just clicked a link
If you clicked a link but didn't enter any details, close the page immediately, along with anything else that opened. Don't download a file, don't install an app, and don't grant permissions. If the page asked you to install something, refuse. Then check your phone for strange apps that were recently installed. Restart your device.
If you entered passwords
Change the password immediately from the official app or official website. If you use the same password elsewhere, change it there too. Check the connected devices, disconnect unknown connections, and enable or refresh two-factor authentication.
If you gave out card or e-banking details
Contact your bank immediately using the official number found on the card, in the app or on the official website. Ask for a check, for the card to be blocked where necessary, and for suspicious transactions to be cancelled. Don't use a phone number that was sent to you by SMS or email.
If you gave out an OTP
Assume that the scammer may have completed, or may be trying to complete, an action. Log into the bank's official app immediately, check transactions, cards, limits, devices and notifications. Contact the bank without delay.
If you installed a remote-access app
Disconnect the phone from the internet, remove the app, change your passwords from another secure device, and inform the bank if you opened e-banking while the app was active. If you are not sure what was installed, ask a technician for help.
| What happened | Immediate action | Afterwards |
|---|---|---|
| You clicked a link | Close the page, don't download anything. | Check for new apps or strange notifications. |
| You entered a password | Change the password from the official site/app. | Disconnect unknown devices. |
| You gave out card details | Call the bank from an official number. | Ask for the card to be blocked/replaced if needed. |
| You gave out an OTP | Inform the bank immediately. | Check transactions, devices and limits. |
| You installed a suspicious app | Turn off the internet and remove it. | Change passwords from a secure device. |
The takeaway: AI makes scams more convincing, not invincible
Artificial intelligence has changed the level of digital scams. Fake messages are written better, calls sound more real, and deepfake techniques make image and voice less reliable as proof of identity. This, however, does not mean we are defenceless.
The best defence is not to rely on first impressions. A message may look correct. A voice may sound familiar. A page may look official. But the right question is not "does it look real?". The right question is: "does it follow the normal and safe procedure?"
If something/someone asks for money, passwords, an OTP, access to your device or immediate action, stop. Don't respond in a panic. End the call. Don't click the link. Log into the official app yourself. Call the official number. Ask someone you trust.
Frequently asked questions about AI phone scams
Can someone really copy my relative's voice with AI?
Yes, it is technically possible. If a voice sample is available from a video, social media or another public source, voice-cloning tools can create a convincing imitation. That is why a voice should no longer be considered absolute proof of identity.
What do I do if someone calls me saying they are from the bank?
Don't give out any details and don't say any passwords. Hang up and call the bank yourself using the official number found on the card, in the app or on the official website.
Is it safe to click links from courier SMS messages?
Better not to, especially if the message asks for a payment, card details or a login. Open the courier's official page yourself or use the official app.
What is smishing?
It is phishing through SMS or messages on your phone. The scammer sends a fake message that looks like it comes from a bank, courier, public service or well-known company, aiming to make you click a link and give out details.
What is vishing?
It is a scam carried out through a phone call. The scammer pretends to be a bank employee, a technician, a public official or another trusted person, aiming to extract passwords, an OTP or money.
Can I give my OTP to a bank employee?
No. We never give the OTP to anyone. If someone asks for it, the communication is suspicious.
If I clicked a link but didn't enter any details, am I at risk?
The risk is lower, but not zero. Close the page, don't download anything, don't grant permissions, and check whether any strange app was installed.
What is the simplest rule for protection?
When there is pressure, money or passwords involved, stop. Don't respond through the message or the call. Confirm through the official app, official website or a known number.
Sources and useful links
| Source | What it covers |
|---|---|
| FBI — Annual Internet Crime Report | Data on the most common categories of cybercrime complaints, such as phishing/spoofing, extortion and personal data breaches. |
| FTC — AI voice cloning scams | A warning about scammers who use AI to copy relatives' voices in fake emergency scams. |
| ENISA — Threat Landscape | An explanation of basic social engineering techniques, such as phishing, smishing, vishing, spear-phishing and scareware. |
| European Payments Council — Payment Threats and Fraud Trends | An overview of payment threats, social engineering, fraud enablers and current scam trends. |
| CyberAlert — Cybercrime Division | A Greek source of information and reports on electronic crime incidents. |




