Proactive detection of voice phishing networks using call log analysis and machine learning



Detailed structure of voice phishing criminal organizations

Call center (TM/order house)

Within the voice phishing criminal network, there exists a central entity commonly referred to as a “call center,” “telemarketer (TM),” or “order house.” These entities serve as the operational core of the crime, where perpetrators directly contact victims via telephone and employ various deceptive tactics to defraud them. These call center actors can be regarded as the masterminds of voice phishing operations.

The deceptive methods used to trick victims over the phone can be categorized into four major types:

  • Loan refinance type: Victims are deceived into believing they can receive low-interest loans if they first repay their existing loans.

  • Investigation impersonation type: Victims are falsely informed that their bank account or phone number has been used in a crime and are urged to cooperate with an investigation to prove their innocence.

  • Threat type: Involves coercion through methods such as “body cam phishing” to exploit victims’ vulnerabilities and extract funds.

  • Other types: Include impersonation of buyers, compensation for leaked personal information, romance scams, and fraud on second-hand trading platforms.

These call centers often collaborate with various specialized criminal subgroups to maximize their success rate, increase illicit profits, and evade law enforcement detection. Key collaborating groups include:

  • Illegal personal information trade organizations: Illegally collect and trade personal data to help identify potential victims.

  • Caller ID spoofing organizations: Manipulate outgoing phone numbers to appear as if they are from trusted financial institutions or government agencies, thereby gaining the victim’s trust.

  • Malicious app development and distribution organizations: Install malware on victims’ smartphones to steal personal information or remotely control the device.

  • Money laundering organizations: Clean the criminal proceeds by routing them through complex channels to hinder traceability.

These call centers operate by outsourcing each of these functions to the aforementioned groups, collectively executing the complete voice phishing scheme.

Illegal personal information trade organizations

To successfully carry out voice phishing crimes, perpetrators require access to victims’ personal information, such as phone numbers, financial status, occupation, and age. This information enables criminal organizations to analyze the psychological and economic characteristics of potential victims and design tailored scam scenarios accordingly. For instance, individuals with heavy debt burdens are more susceptible to “loan refinancing” scams, while university students with limited social experience may be more vulnerable to tactics involving impersonation of law enforcement agencies.

Illegal personal information trade organizations play a pivotal role by collecting such sensitive data through illicit means, including hacking into financial institution servers and corporate websites. These groups then sell the acquired personal information to voice phishing call center organizations.

Once obtained, the call centers utilize the information to identify suitable targets and select the most effective deception strategies, thereby enhancing the efficiency and precision of their criminal operations.

Caller ID spoofing organizations

Due to widespread public awareness campaigns by investigative and financial institutions, victims have become increasingly cautious and tend to avoid answering international or internet-based calls. In response, caller ID spoofing organizations manipulate phone numbers using various illegal techniques. These include installing unauthorized signal repeaters (relay devices) within the country or utilizing remote call tools such as TeamViewer to disguise the origin of calls.

These organizations are tasked with converting international or VoIP-based phone numbers into domestic mobile numbers, thereby deceiving recipients into believing the calls originate from within Korea. This manipulation is particularly effective against the elderly and individuals unfamiliar with modern information technology, as they often rely on caller ID as a key indicator of the caller’s identity. By exploiting this psychological vulnerability, voice phishing perpetrators are able to conduct their crimes with increased precision and sophistication.

Malicious app development and distribution organizations

Malicious app development and distribution organizations are responsible for creating applications used in voice phishing crimes and disseminating them through SMS, messenger links, or other digital channels. These apps are often disguised as legitimate applications, such as those of financial institutions, or mimic ordinary utility apps to deceive victims into installing them without suspicion.

Once installed, these malicious apps are designed to give perpetrators extensive control over the victim’s device. The use of such apps has become a core tactic in recent voice phishing schemes. If a victim clicks on a link sent by the phishing call center and installs the app, several dangerous functions are triggered: call logs and contact information may be manipulated, personal data such as contact lists and photo albums can be leaked, and even the victim’s real-time location may be exposed. This results in the complete compromise of the victim’s mobile device.

Through remote control of the infected phone, the call center can delay the moment the victim realizes the fraud, thereby increasing the total monetary damage per incident. This sophisticated method significantly enhances the effectiveness of voice phishing crimes.

Criminal proceeds laundering organizations

Known as “laundering houses,” these criminal organizations play a central role in concealing and laundering the proceeds of voice phishing crimes to evade law enforcement tracking. Their primary function is to provide means for receiving illicit funds obtained from victims.

They secure bank accounts used for withdrawing stolen funds by exploiting individuals in financial distress. These accounts are obtained through various methods, including coercing people into opening new accounts and selling them, purchasing pre-existing accounts, or deceiving individuals into handing over their active accounts and banking cards under the pretense of offering low-interest loans. The acquired accounts are then linked with phishing call centers and used as deposit channels for fraudulent proceeds.

After the victim’s money is deposited, the laundering house employs diverse money laundering techniques to safely transfer the funds back to the call center. Major laundering methods include underground remittance (hawala), proxy purchasing, coin mixing, and overseas account transfers. These techniques are specifically intended to evade the account-tracing mechanisms of investigative agencies.

  • Underground remittance involves withdrawing an equivalent amount of foreign currency from a foreign remittance account once funds are deposited in a domestic account. Perpetrators often claim they were merely conducting foreign exchange transactions to avoid legal consequences.

  • Proxy purchasing entails buying gift cards or duty-free goods with the stolen money and then delivering them, thereby obscuring the money trail.

  • Coin mixing is a cryptocurrency technique that blends multiple users’ coins to obscure the origin of specific funds, making it a common tool in illicit laundering schemes.

  • Overseas account transfers are carried out by repeatedly withdrawing cash through ATMs and then remitting the cash to a designated foreign account, thus creating a complex and difficult-to-trace money flow.

These sophisticated laundering processes significantly hinder efforts by law enforcement agencies to trace and recover criminal proceeds.

Detailed stages of voice phishing crime

Bait and advertisement

This stage is closely linked with illegal personal information trading organizations. Based on illegally obtained personal data, perpetrators design customized advertisements tailored to the victim’s name, age, and financial circumstances. For example, if a person has previously applied for a loan, they may receive a text message claiming that their existing loan can be refinanced at a lower interest rate. This type of targeted message simultaneously piques the victim’s interest and builds trust.

Various types of bait messages—such as fake foreign payment approval notifications, bank account registration prompts, or low-interest refinancing offers—are sent via SMS or email to potential victims. The goal is to lure recipients into responding voluntarily. Once a victim responds, their contact information and other personal details are collected and sold to the phishing call centers. This stage essentially serves to recruit targets for the crime and initiate the fraudulent interaction.

Approach

Once a victim responds to an advertisement or message, a fraudulent call center—operated by the voice phishing syndicate—makes contact with the victim. During this process, caller ID spoofing organizations are also involved. Using burner phones or illegal private VoIP converters, these organizations alter the outgoing phone number so that a call originating from an overseas location appears to be from a local financial institution or government agency. This manipulation facilitates initial contact with the victim under a false pretense of credibility.

Deception

After establishing initial trust, the call center operatives send the victim fake documents—disguised as official government notices or financial institution forms—via messenger apps. These documents are used to induce the victim to install a malicious application (malware). At this stage, an app developed by the malicious app production and distribution group is deployed. Once installed, the victim’s phone becomes compromised: incoming and outgoing numbers are altered, and sensitive personal information such as contact lists, photo albums, and real-time location is leaked.

Once the perpetrator has full control over the victim’s smartphone, further deceptive actions are executed. The fraudsters employ psychological pressure and confusion to prevent the victim from realizing the ongoing scam. The primary types of deception tactics include:

  • Debt refinancing scams: luring the victim with offers to consolidate or refinance existing loans at lower interest rates.

  • Impersonation of investigative agencies: claiming the victim’s name or bank accounts have been used in criminal activity and must be verified.

  • Threats and blackmail: using methods such as “body cam phishing” to extort money.

  • Miscellaneous fraud schemes: such as impersonating buyers, compensation for leaked personal information, romance scams, and online marketplace fraud.

Fraudulent transfer

At the final stage, the criminal syndicate extracts money from the victim through various means, including bank transfers, in-person withdrawals, gift card purchases, or cryptocurrency transactions. This is where the money laundering organization becomes involved.

They ensure the stolen funds are spread across multiple accounts—often registered under different names—and laundered to hinder law enforcement tracking. One frequently used tactic is to move funds through a series of domestic accounts before eventually transferring the money overseas. This complex layering process is designed to disguise the illicit origins of the proceeds, making it appear as legitimate income and obstructing official investigations.

Data example

Table 5 shows sample call log data for numbers used by voice phishing organizations. Each call log entry includes the outgoing number (caller), the incoming number (recipient), the start date and time of the call, and the call duration. The logs also include the name of the telecom company (mobile carrier) associated with the outgoing number, as well as the address of the cell tower that was connected during the call. It is important to note that the cell tower address reflects the network’s point of connection, not the caller’s actual physical location.

Table 5 Sample call log of phone numbers used by voice phishing organizations.

Exploratory analysis

Here, we explore the patterns of voice phishing calls by comparing them to the normal users’ calls. For each figure, we add the description of the pattern.

Fig. 5 Distribution of outgoing and incoming call volumes for voice phishing and general numbers.

Figure 5 compares the distribution of outgoing and incoming call volumes between voice phishing phone numbers and general phone numbers. In the case of voice phishing numbers, approximately 82% of total calls are outgoing, clearly indicating a unidirectional communication pattern. This abnormally high outgoing call ratio suggests that call center-based criminal organizations operate by proactively initiating calls to a large number of potential victims. It reflects a structured criminal setup where perpetrators follow pre-written scripts to repeatedly contact victims and execute the fraudulent act.

In contrast, general phone numbers show a more balanced distribution between outgoing and incoming calls. Normal daily communication assumes two-way interaction and does not exhibit an excessive skew toward one direction. This distinction implies that the ratio of outgoing to incoming calls can serve as a significant feature variable for identifying voice phishing numbers.

Fig. 6 Weekly distribution of voice phishing vs. general phone calls.

Figure 6 illustrates the distribution of phone calls by day of the week for voice phishing numbers and general phone numbers. Voice phishing calls exhibit a strong concentration on weekdays (Monday through Friday), with 96% of all calls occurring during this period. Notably, the highest call volumes are observed on Tuesdays, Wednesdays, and Thursdays, while there is a sharp decline in activity on weekends. This pattern suggests that voice phishing organizations primarily operate during weekday business hours, deliberately targeting time frames that align with the working hours of financial institutions or public agencies to gain the victim’s trust.

In contrast, general phone calls show a more even distribution across all days of the week, without excessive concentration on specific days. While call volume tends to be slightly higher on Fridays, overall, both weekdays and weekends maintain a consistent pattern, clearly distinguishable from that of voice phishing calls.

These findings indicate that day-of-week calling patterns can serve as a key feature for detecting voice phishing numbers. In particular, the unusually concentrated weekday call patterns may act as a major clue for identifying illegal activities involving unauthorized private VoIP converters. The results also suggest the potential for designing preventive strategies that block such illegal communication methods based on these temporal patterns.

Fig. 7 Daytime and nighttime call distribution of voice phishing and general phone numbers.

Figure 7 presents the distribution of voice phishing and general phone calls across daytime and nighttime hours. In the case of voice phishing calls, approximately 92.2% occurred during daytime hours, with relatively few calls made at night. This suggests that criminal organizations strategically time their calls to align with the working hours of victims, often impersonating financial or government institutions to increase credibility and the likelihood of response.

On the other hand, general phone calls are more evenly distributed between daytime and nighttime, showing no significant concentration in a specific time window. This pattern reflects normal calling behavior and contrasts sharply with the heavily time-skewed nature of voice phishing activity.

These differences imply that call time patterns can be a key variable for detecting voice phishing. In particular, the abnormal concentration of calls during daytime hours may serve as a crucial signal for early identification and blocking of voice phishing phone numbers.

Fig. 8 Comparison of call duration density distributions between voice phishing and general phone numbers.

Figure 8 visualizes the distribution of call durations for voice phishing and general phone calls using density functions. The density function normalizes the area under each distribution to 1, allowing intuitive comparison of the relative distributional shapes between the two groups regardless of sample size differences. In the graph, the solid line represents voice phishing calls, while the dashed line denotes general calls.

The distribution of voice phishing calls shows a peak density at around 22 s, followed by a steep decline. This indicates that most voice phishing calls terminate within a short time, reflecting a strategy by call center-type criminal organizations to quickly deceive the victim before suspicion arises or the call is disconnected. In fact, approximately 34.0% of all voice phishing calls end within 10 s, and around 55.3% conclude within 30 s.

In contrast, general calls peak at approximately 39 s and tend to have longer durations, suggesting that typical phone calls involve more extended, two-way communication rather than unilateral deception. These findings imply that call duration is a meaningful variable in identifying voice phishing numbers. In particular, repetitive short-duration calls (under 30 s) clearly distinguish voice phishing behavior from normal call patterns and may serve as a strong basis for early detection and blocking of suspected phishing numbers.

Fig. 9 Distribution of the number of unique weekly contacts for voice phishing and general numbers.

Figure 9 compares the number of unique contacts made within a week between voice phishing and general phone numbers. On average, voice phishing numbers contacted 89.6 unique individuals per week, indicating a remarkably high level of outreach. In contrast, general phone numbers contacted an average of 14.8 individuals per week, which is significantly lower. This stark contrast highlights the strategic approach of voice phishing organizations, which attempt to reach as many potential victims as possible within a short time frame. The pattern reflects a call center-style operation, where the same scripted message is used to contact hundreds of unidentified individuals, leading to this abnormally high distribution of contact volume.

On the other hand, general phone usage typically involves communication within a limited social network, such as family and acquaintances, naturally resulting in a smaller number of unique contacts. These findings suggest that the number of unique contacts per week is a powerful discriminative feature in detecting voice phishing numbers. The structural behavior of repeatedly contacting a large and unspecified population in a short time span is a distinct characteristic of phishing operations and can be effectively utilized for early detection and prevention.

Fig. 10 Carrier distribution of voice phishing and general phone numbers.

Figure 10 compares the distribution of mobile network operators for voice phishing numbers and general phone numbers. Voice phishing numbers were most frequently registered with MVNOs (Mobile Virtual Network Operators), followed by KT, LGU+, and SKT. This pattern contrasts sharply with the national subscriber distribution reported by the Ministry of Science and ICT in 2021, which indicated SKT (41%), KT (25%), LGU+ (21%), and MVNO (14%) as the respective market shares.

In contrast, the distribution for general phone numbers closely mirrors government statistics, with SKT as the most common carrier, followed by KT, LGU+, and MVNO. This discrepancy indicates a clear preference by voice phishing organizations for MVNO services, which are less commonly used by general consumers. MVNO lines are cheaper, have more flexible subscription requirements, and are often used as a means to evade traceability. These characteristics make them particularly attractive for criminal activities such as voice phishing.

These findings suggest that carrier information serves as a key classification criterion in detecting voice phishing numbers. Moreover, they highlight the necessity of developing proactive monitoring and control systems specifically targeting MVNO lines.
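The features compared in Figs. 5 to 10 can be derived per phone number directly from call-log rows. The following is an added example, not code from the paper: the row layout, the function name `extract_features`, the 09:00 to 18:00 daytime window, and averaging unique contacts over active ISO weeks are assumptions, and the log rows are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed call-log rows (not data from the paper), using the fields the
# page lists for Table 5: caller, recipient, start time, duration in seconds,
# and the carrier of the outgoing (caller) number.
SAMPLE_LOG = [
    ("010-0000-0001", "010-1000-0001", "2024-03-05 10:02:11", 8, "MVNO"),
    ("010-0000-0001", "010-1000-0002", "2024-03-05 10:04:40", 22, "MVNO"),
    ("010-0000-0001", "010-1000-0003", "2024-03-06 14:15:02", 25, "MVNO"),
    ("010-0000-0001", "010-1000-0004", "2024-03-07 11:30:45", 310, "MVNO"),
    ("010-1000-0002", "010-0000-0001", "2024-03-07 16:48:09", 41, "KT"),
    ("010-2000-0001", "010-3000-0001", "2024-03-04 19:20:00", 95, "SKT"),
    ("010-3000-0001", "010-2000-0001", "2024-03-09 13:05:30", 240, "KT"),
    ("010-2000-0001", "010-3000-0002", "2024-03-10 21:10:12", 39, "SKT"),
    ("010-3000-0002", "010-2000-0001", "2024-03-13 12:00:00", 15, "LGU+"),
]

DAY_START_HOUR, DAY_END_HOUR = 9, 18  # assumption: the page gives no cut-off
SHORT_CALL_SECONDS = 30               # "under 30 s" in the duration analysis


def extract_features(records, number):
    """Per-number features from the exploratory analysis; None if no calls."""
    outgoing = weekday = daytime = short = total = 0
    weekly_peers = defaultdict(set)   # (ISO year, ISO week) -> distinct peers
    carrier = None                    # known only from the number's own outgoing calls
    for caller, recipient, start, duration, caller_carrier in records:
        if number not in (caller, recipient):
            continue
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        total += 1
        if caller == number:
            outgoing += 1
            carrier = caller_carrier  # the log's carrier field describes the caller
            peer = recipient
        else:
            peer = caller
        weekday += ts.weekday() < 5                        # Monday..Friday
        daytime += DAY_START_HOUR <= ts.hour < DAY_END_HOUR
        short += duration < SHORT_CALL_SECONDS
        weekly_peers[tuple(ts.isocalendar())[:2]].add(peer)
    if total == 0:
        return None
    # Average distinct counterparties over the weeks in which the number was active.
    per_week = sum(len(p) for p in weekly_peers.values()) / len(weekly_peers)
    return {
        "outgoing_ratio": round(outgoing / total, 3),
        "weekday_ratio": round(weekday / total, 3),
        "daytime_ratio": round(daytime / total, 3),
        "short_call_ratio": round(short / total, 3),
        "unique_contacts_per_week": round(per_week, 3),
        "carrier": carrier,
    }


if __name__ == "__main__":
    for n in ("010-0000-0001", "010-2000-0001"):
        print(n, extract_features(SAMPLE_LOG, n))
```

A number that only receives calls gets `carrier` set to `None`, because the carrier field in the log belongs to the outgoing number.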

Visualization of coefficient distributions in model

Fig. 11 Distribution of coefficients in logistic regression model. This visualization is provided in the appendix to supplement the regression results presented in Table 4 of the main text.

The graph above visualizes the distribution of each variable’s coefficient in the final logistic regression model (Model 8), based on 1000 bootstrap replications. Each plot illustrates the density and central tendency of the regression coefficients, allowing for an intuitive assessment of whether the coefficients are stably estimated in a statistically significant direction (positive or negative) (Fig. 11).

For example, the coefficients for variables such as ‘MVNO’, ‘LGU+’, ‘Daytime call ratio’, and ‘Day of the week score’ exhibit clearly defined central values and approximately normal distributions in a specific direction. This supports their role as key predictors in identifying voice phishing phone numbers.

Interaction model results

Table 6 Comparison between the main-effects and interaction logistic regression models based on 1000 bootstrap samples. Values are reported as mean ± standard deviation.

The results indicate that the interaction model shows a slightly improved log-likelihood compared to the main-effects model. However, the reduction in AIC is marginal (\(\Delta\)AIC \(\approx\) 0.74), and the likelihood ratio test is not statistically significant (\(p > 0.05\)). These findings suggest that the inclusion of interaction terms does not substantially improve model performance (Table 6).

Model validation and generalization analysis

Table 7 5-Fold cross-validation performance (mean ± SD).

Fig. 12 Learning curves for the evaluated models. From left to right, the panels correspond to Random Forest, Gradient Boosting, and MLP. The convergence between training and validation performance indicates stable generalization and absence of overfitting.

To further evaluate the robustness and generalization performance of the proposed models, we conducted stratified five-fold cross-validation. The dataset was divided into five folds while preserving the class distribution, and each fold was used as a validation set once.

Table 7 summarizes the average performance and standard deviation across the folds for each model. The results show consistently high performance with low variance, indicating stable generalization.

In addition, learning curve analysis was performed to examine how model performance evolves as the size of the training data increases. As shown in Fig. 12, both training and validation scores converge as the number of training samples increases, suggesting that the models do not suffer from overfitting.

Sensitivity analysis under class imbalance

Table 8 Performance comparison under varying class imbalance ratios (mean ± SD over 1000 bootstrap samples).

The class ratio indicates the proportion of normal phone numbers to voice phishing phone numbers. A ratio of 100:1 reflects a highly imbalanced scenario that closely resembles real-world conditions. The results demonstrate that Random Forest maintains stable performance across all imbalance levels, while Gradient Boosting shows moderate degradation. In contrast, the performance of the MLP model deteriorates significantly under severe imbalance, particularly in terms of precision and F1-score (Table 8).

Sampling and evaluation procedure for machine learning models

Algorithm I1: Bootstrap-based sampling and evaluation procedure

Input:

  • Voice phishing dataset (YF)

  • Non-criminal dataset (NF)

  • Class ratio \(r \in \{1:1, 10:1, 100:1\}\)

  • Number of iterations \(B = 1000\)

Procedure:

  1. For each iteration \(b = 1, 2, \ldots, B\):

    (a) Randomly sample voice phishing phone numbers from YF such that the ratio between voice phishing and normal samples equals \(r\) (sampling without replacement)

    (b) Assign label 1 to voice phishing samples and label 0 to NF

    (c) Combine sampled YF and NF to construct dataset \(D_b\)

    (d) Shuffle dataset \(D_b\)

    (e) Split \(D_b\) into training (70%) and validation (30%) sets using stratified sampling

    (f) Apply preprocessing (standardization and encoding)

    (g) Train machine learning models and evaluate performance metrics

Output:

This procedure ensures reproducibility and robustness of the machine learning experiments under varying class imbalance conditions.
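The procedure above, written out as an added example that is not the authors' code. The feature vectors are constructed, the function names are hypothetical, and a nearest-centroid classifier scored by F1 stands in for the paper's models in step (g). Standardization is fitted on the training split only, so validation statistics do not leak into training.

```python
import random
from statistics import mean, pstdev


def stratified_split(rows, train_frac, rng):
    """Step (e): split (features, label) rows, keeping the class ratio on both sides."""
    train, valid = [], []
    for label in (0, 1):
        group = [r for r in rows if r[1] == label]
        rng.shuffle(group)
        cut = round(len(group) * train_frac)
        if len(group) > 1:  # keep at least one sample of the class on each side
            cut = min(max(cut, 1), len(group) - 1)
        train += group[:cut]
        valid += group[cut:]
    return train, valid


def standardize(train, valid):
    """Step (f): z-score each feature using training-set statistics only."""
    cols = list(zip(*(x for x, _ in train)))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]  # constant column: leave unscaled

    def scale(rows):
        return [([(v - m) / s for v, m, s in zip(x, mu, sd)], y) for x, y in rows]
    return scale(train), scale(valid)


def bootstrap_datasets(yf, nf, ratio, iterations, seed=0):
    """Steps (a)-(f): yield one (train, valid) pair per iteration b = 1..B."""
    rng = random.Random(seed)
    n_yf = len(nf) // ratio  # ratio = normal numbers per voice phishing number
    if not 2 <= n_yf <= len(yf):
        raise ValueError("need between 2 and len(yf) voice phishing samples")
    for _ in range(iterations):
        sampled = rng.sample(yf, n_yf)                           # (a) no replacement
        rows = [(x, 1) for x in sampled] + [(x, 0) for x in nf]  # (b), (c)
        rng.shuffle(rows)                                        # (d)
        yield standardize(*stratified_split(rows, 0.7, rng))     # (e), (f)


def centroid_f1(train, valid):
    """Step (g) stand-in: nearest-centroid classifier, scored by F1."""
    cent = {lab: [mean(c) for c in zip(*(x for x, y in train if y == lab))]
            for lab in (0, 1)}

    def dist(a, b):
        return sum((p - q) ** 2 for p, q in zip(a, b))
    tp = fp = fn = 0
    for x, y in valid:
        pred = int(dist(x, cent[1]) < dist(x, cent[0]))
        tp += pred == 1 and y == 1
        fp += pred == 1 and y == 0
        fn += pred == 0 and y == 1
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0


def evaluate(yf, nf, ratio, iterations=1000, seed=0):
    """Mean and SD of the validation F1 over all bootstrap iterations."""
    scores = [centroid_f1(tr, va)
              for tr, va in bootstrap_datasets(yf, nf, ratio, iterations, seed)]
    return mean(scores), pstdev(scores)


# Constructed feature vectors: [outgoing ratio, unique weekly contacts].
YF = [[0.80 + 0.0005 * i, 80 + 0.1 * i] for i in range(200)]
NF = [[0.50 + 0.0005 * i, 10 + i % 10] for i in range(200)]

if __name__ == "__main__":
    for r in (1, 10, 100):
        print(f"{r}:1", evaluate(YF, NF, r, iterations=50))
```

At 100:1 with 200 normal numbers only two voice phishing samples are drawn per iteration, one for training and one for validation, which is why per-iteration metrics at that ratio are coarse and the mean ± SD over many iterations is the quantity to report.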


