Preventing AI-Enabled Fraud and Robocalls in Digital Communications: Infrastructure-Level Spam Control Using Capability-Validated Inbound Descriptors (CVID)

Preventing AI-Enabled Fraud and Robocalls in Digital Communications:
Infrastructure-Level Spam Control Using Capability-Validated Inbound Descriptors (CVID)

Modern digital communication infrastructure—including telephony, email, and messaging systems—is built on a structural assumption: contact identifiers such as telephone numbers, email addresses, messaging handles, and device identifiers are treated as persistently reachable endpoints.

Once such identifiers become known or exposed, any external party possessing the identifier can attempt to initiate communication with the associated user.

While this design enabled the global interoperability of communication networks, it also creates a structural vulnerability that underlies many modern forms of digital abuse and fraud.

This architectural model enables a wide range of abuse scenarios, including:

• spam and robocalls
• phishing and social-engineering attacks
• identifier harvesting by data brokers
• persistent fraud targeting
• automated mass outreach campaigns
• large-scale surveillance or profiling datasets

A central practical problem is that most digital fraud begins with the acquisition of real user identifiers, particularly:

• telephone numbers
• email addresses
• messaging identifiers
• device IDs

These identifiers are frequently obtained through:

• data breaches
• illegal data brokerage markets
• scraping of public services or websites
• application data leakage
• secondary sharing across digital platforms

Once these identifiers enter circulation, they often remain permanently reusable attack vectors, enabling repeated targeting over long periods of time.

In many fraud scenarios, the initial event is not the scam itself but the exposure of the identifier. After an identifier is obtained, it can be used for:

• phishing campaigns
• impersonation attempts
• harassment or spam
• account takeover attempts
• automated fraud targeting at scale

As long as raw identifiers remain widely exposed across digital systems, these abuse pathways remain structurally difficult to prevent.

Five Years Ago vs Today: The AI Fraud Acceleration

Approximately five years ago, large-scale telephony scams and spam campaigns generally required substantial human infrastructure, including:

• large call-center operations
• human operators conducting scripted calls
• prerecorded robocall messages
• manual targeting of victims

The operational cost of these scams was relatively high, and scaling required large organized operations.

Today, the situation has changed dramatically.

Recent advances in artificial intelligence allow malicious actors to deploy highly automated fraud systems capable of conducting massive outreach campaigns with minimal human involvement.

Modern AI tools can now:

• generate realistic human-like voice calls
• conduct interactive conversations using AI voice agents
• automatically personalize phishing messages
• analyze harvested datasets to identify high-probability victims
• operate continuously without human operators

A scam operation that previously required hundreds of human callers can now be conducted by a small group—or even a single individual—using automated AI infrastructure.

Reduced Human Requirements for Large-Scale Fraud

A particularly concerning development is that AI has dramatically reduced the human resources required to run large-scale scams.

Historically, telephone fraud required:

• physical call centers
• teams of operators
• manual victim interaction
• expensive infrastructure

Today, AI-driven voice systems can conduct thousands of simultaneous calls, generating conversational responses dynamically.

Illustrative Example

Consider a scenario in which a malicious actor obtains one million phone numbers from an illegal data broker.

Using modern AI tools, the attacker can deploy an automated system that:

• generates human-like voice calls
• conducts live conversational interactions
• dynamically adapts responses using AI models
• runs 24 hours a day without human intervention

In this scenario, a single automated system can place tens of thousands of calls simultaneously, drastically increasing the scale and efficiency of fraud operations.

The economic barrier to fraud is therefore rapidly collapsing, while the potential scale of attacks continues to grow.

The Root Structural Problem

Most current anti-spam and anti-fraud mechanisms are reactive.

These include:

• spam filtering systems
• caller authentication frameworks
• number blocking tools
• platform moderation policies
• user reporting mechanisms

While useful, these tools typically operate after identifiers have already been exposed and communication attempts have already begun.

They address symptoms rather than root causes.

The fundamental vulnerability remains the same:

raw user identifiers are widely exposed and reusable across digital systems.

As long as identifiers circulate freely, malicious actors can repeatedly exploit them.

Capability-Validated Inbound Descriptor (CVID)

The Capability-Validated Inbound Descriptor (CVID) architecture proposes a different approach.

Instead of treating contact identifiers as open communication endpoints, CVID restructures inbound communication around capability-based authorization.

Under this model:

• telephone numbers
• email addresses
• messaging identifiers

are not directly exposed as routable communication targets.

Instead, inbound communication requires a validated capability descriptor.

This capability:

• is time-limited
• is purpose-bound
• may include quota limits
• can be revoked or expired

Without such a capability, inbound communication attempts cannot reach the recipient system.

This model shifts communication control from open reachability to capability-validated access.

Identifier Virtualization

CVID architectures also support identifier virtualization.

Under identifier virtualization:

• raw identifiers remain inside trusted identity management layers
• operational systems interact only through temporary virtual identifiers

This prevents the widespread distribution of:

• phone numbers
• email addresses
• messaging IDs
• device identifiers

By limiting exposure of these identifiers, the system significantly reduces the ability of data brokers, scraping systems, and fraud operators to harvest user identifiers at scale.

Structural Fraud Prevention for the AI Era

As artificial intelligence dramatically increases the scale, realism, and automation of fraud operations, traditional reactive defenses may become increasingly insufficient.

Architectural approaches that limit identifier exposure and control inbound communication at the infrastructure level may provide stronger protection.

In simple terms, a fundamental security principle emerges:

The most effective way to prevent large-scale spam and fraud is to avoid exposing raw identifiers in the first place.

By shifting communication systems toward capability-validated inbound communication models, future 5G and 6G communication infrastructures may be able to reduce spam, robocalls, and automated fraud at the architectural level rather than attempting to mitigate abuse after it occurs.

Prevention Rather Than Post-Hoc Mitigation

A related technical proposal addressing these risks has also been submitted through the European Commission’s Have Your Say consultation on the “Fighting Online Fraud Action Plan”. The submission emphasizes that effective fraud mitigation should focus on preventive infrastructure design rather than purely post-hoc enforcement mechanisms. Current policy approaches often concentrate on detecting fraud after communication attempts or financial transactions have already occurred. However, recent consultations highlight that online fraud—particularly scams enabled by automation and artificial intelligence—is rapidly expanding and increasingly industrialised, requiring stronger preventive measures. 

The proposal therefore suggests that communication infrastructure itself should incorporate preventive controls, such as the Capability-Validated Inbound Descriptor (CVID) model described in this research note. By preventing unauthorized parties from reaching users through exposed raw identifiers in the first place, such approaches aim to reduce the opportunity for large-scale automated fraud before it occurs, rather than attempting to mitigate damage after scams have already begun.

Reference submission:
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16313-Fighting-online-fraud-action-plan/F33379775_en