Vercon Research
Executive briefs, incident analyses, and field notes on synthetic callers, AI-agent abuse, and the resilience of modern contact centers.
The Recent Disclosed Voice-Cloning Attack on a US Senator's Office
The disclosure that a cloned voice was used in an attempted social engineering attack against a US Senator's staff is being treated, correctly, as a national security story. It is also a preview of what every executive office, board chair, and high-trust intermediary should expect to face within the next year..
A Reading List on AI Communications Security
A Reading List on AI Communications Security is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
What to Tell Your Board About AI Voice Risk
The conversation about what to tell your board about ai voice risk tends to start in the wrong place. It starts with technology, when it should start with workflow.
Why Webform Intake Is the Most Neglected Channel
When organizations first encounter why webform intake is the most neglected channel, the instinct is to treat it as an edge case. That instinct has not aged well.
Chat Widget Abuse and the New Front Door
The reason chat widget abuse and the new front door keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
Email Spoofing Has Not Stopped Being a Problem
A practical way to think about email spoofing has not stopped being a problem is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
The Quiet Threat of SMS Pumping in Customer Workflows
The Quiet Threat of SMS Pumping in Customer Workflows is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
A Framework for Categorizing Communications Threats
The conversation about a framework for categorizing communications threats tends to start in the wrong place. It starts with technology, when it should start with workflow.
When AI Agent Logs Become Discovery Evidence
When organizations first encounter when ai agent logs become discovery evidence, the instinct is to treat it as an edge case. That instinct has not aged well.
What the Recent Change Healthcare Aftermath Taught About Communications Recovery
The Change Healthcare disruption is now far enough in the rearview to assess what worked and what did not in the communications response. The clinical and financial impact has been documented at length.
What an Executive Communications Risk Brief Should Contain
The reason what an executive communications risk brief should contain keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
Conversational Prompt Exploitation in Practice
A practical way to think about conversational prompt exploitation in practice is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
Why You Should Stress-Test Your AI Agent Quarterly
Why You Should Stress-Test Your AI Agent Quarterly is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
The Underdiscussed Risk of AI Agent Memory Across Calls
The conversation about the underdiscussed risk of ai agent memory across calls tends to start in the wrong place. It starts with technology, when it should start with workflow.
How Restoration Companies Can Harden Their First Notice of Loss
When organizations first encounter how restoration companies can harden their first notice of loss, the instinct is to treat it as an edge case. That instinct has not aged well.
Disaster Surge Plans That Account for AI Channel Failure
The reason disaster surge plans that account for ai channel failure keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
A Practical Approach to Verified Identity Manipulation Defense
A practical way to think about a practical approach to verified identity manipulation defense is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
What Insurance Carriers Should Ask Their AI Vendors
What Insurance Carriers Should Ask Their AI Vendors is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
The Limits of Voice Biometrics in 2026
The conversation about the limits of voice biometrics in 2026 tends to start in the wrong place. It starts with technology, when it should start with workflow.
Why Multi-Location Brands Need Centralized Intake Security
When organizations first encounter why multi-location brands need centralized intake security, the instinct is to treat it as an edge case. That instinct has not aged well.
The Recent Wave of Vishing Attacks on Help Desks Has Not Slowed
The pattern of help-desk intrusions that gained attention with the MGM and Caesars incidents in 2023 has not slowed. Multiple reported breaches in the last month began the same way: a phone call to internal IT support, a plausible story about being locked out, and a password reset granted on the strength of information that turned out to be public..
The IVR as an Untrusted Boundary
The reason the ivr as an untrusted boundary keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
How Surge-Aware Routing Reduces Fraud Exposure
A practical way to think about how surge-aware routing reduces fraud exposure is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
The Case for a Dedicated Communications SOC Function
The Case for a Dedicated Communications SOC Function is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
Tabletop Exercises for AI-Era Communications Incidents
The conversation about tabletop exercises for ai-era communications incidents tends to start in the wrong place. It starts with technology, when it should start with workflow.
What Happens When Your Chatbot Becomes a Witness
When organizations first encounter what happens when your chatbot becomes a witness, the instinct is to treat it as an edge case. That instinct has not aged well.
A Vendor Risk Checklist for AI Voice Providers
The reason a vendor risk checklist for ai voice providers keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
The Quiet Erosion of Trust in Inbound Phone Channels
A practical way to think about the quiet erosion of trust in inbound phone channels is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
What an AI Agent Pen Test Should Actually Cover
What an AI Agent Pen Test Should Actually Cover is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
The Recent Ransomware Disclosure at a Major Retailer Was a Communications Test
The ransomware-driven disruption at a major retailer earlier this month produced the usual coverage about closed stores and supply chain delays. The communications dimension is worth a closer look..
The Underrated Risk of Voicebot Outbound Campaigns
The conversation about the underrated risk of voicebot outbound campaigns tends to start in the wrong place. It starts with technology, when it should start with workflow.
The Recent Ferrari Deepfake Attempt and the Discipline of the Skeptical Question
The reported attempt to impersonate Ferrari's CEO using a cloned voice is notable not because it succeeded, which it did not, but because of how it was caught. The executive on the receiving end asked the caller a question only the real CEO could answer, the impersonator stalled, and the call was terminated..
Voice Cloning Has Crossed an Affordability Threshold
When organizations first encounter voice cloning has crossed an affordability threshold, the instinct is to treat it as an edge case. That instinct has not aged well.
Designing Fallback-to-Human in AI-First Workflows
The reason designing fallback-to-human in ai-first workflows keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
The Compliance Case for AI Intake Logging
A practical way to think about the compliance case for ai intake logging is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
Why Contact Center QA Programs Miss Fraud Indicators
Why Contact Center QA Programs Miss Fraud Indicators is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
Cross-Channel Pivots: How One Email Becomes a Voice Attack
The conversation about cross-channel pivots: how one email becomes a voice attack tends to start in the wrong place. It starts with technology, when it should start with workflow.
When AI Agents Promise Things They Cannot Deliver
When organizations first encounter when ai agents promise things they cannot deliver, the instinct is to treat it as an edge case. That instinct has not aged well.
The Difference Between AI Safety and AI Security in Customer Channels
The reason the difference between ai safety and ai security in customer channels keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
What a Modern Communications Threat Model Looks Like
A practical way to think about what a modern communications threat model looks like is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
The Financial Services Wire-Verification Conversation
The Financial Services Wire-Verification Conversation is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
How Home Services Companies Get Targeted by Lead Fraud
The conversation about how home services companies get targeted by lead fraud tends to start in the wrong place. It starts with technology, when it should start with workflow.
What the Snowflake-Linked Customer Breaches Say About Vendor Communications Risk
The string of breaches traced back to Snowflake-customer credential compromises last year is settling into a clear lesson about vendor communications risk. The breaches themselves were not, technically, Snowflake's fault.
Legal Intake Lines Are an Underestimated Attack Surface
When organizations first encounter legal intake lines are an underestimated attack surface, the instinct is to treat it as an edge case. That instinct has not aged well.
Healthcare Intake and the New Class of AI Risks
The reason healthcare intake and the new class of ai risks keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
The Insurance Industry's Quiet Vishing Problem
A practical way to think about the insurance industry's quiet vishing problem is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
Designing Escalation Paths That Survive Surge Events
Designing Escalation Paths That Survive Surge Events is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
Why Verified Caller Frameworks Still Leave Gaps
The conversation about why verified caller frameworks still leave gaps tends to start in the wrong place. It starts with technology, when it should start with workflow.
The Quiet Risk of Voicemail-to-Text in Intake Workflows
When organizations first encounter the quiet risk of voicemail-to-text in intake workflows, the instinct is to treat it as an edge case. That instinct has not aged well.
How to Prepare Contact Centers for AI-Era Abuse
The reason how to prepare contact centers for ai-era abuse keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
AI Impersonation Across Phone, Email, and Chat
A practical way to think about ai impersonation across phone, email, and chat is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
Lessons From the Recent Wave of AI-Generated Voice Scams Targeting Families
The wave of AI voice-cloning scams targeting families, in which a cloned voice of a child or grandchild calls claiming to be in trouble and asking for money, has been treated as a consumer-protection story. It is also a preview of what enterprise contact centers will face at scale..
Why Traditional Cybersecurity Misses Voice Risk
Why Traditional Cybersecurity Misses Voice Risk is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
Intake Fraud in Restoration and Emergency Services
The conversation about intake fraud in restoration and emergency services tends to start in the wrong place. It starts with technology, when it should start with workflow.
Securing Franchise Communication Networks
When organizations first encounter securing franchise communication networks, the instinct is to treat it as an edge case. That instinct has not aged well.
How to Audit an AI Voice Agent Before Deployment
The reason how to audit an ai voice agent before deployment keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
The Executive Case for Communications Resilience
A practical way to think about the executive case for communications resilience is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
Social Engineering Against Virtual Agents
Social Engineering Against Virtual Agents is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
Prompt Injection Risks in Customer Intake
The conversation about prompt injection risks in customer intake tends to start in the wrong place. It starts with technology, when it should start with workflow.
How AI Receptionists Can Be Manipulated
When organizations first encounter how ai receptionists can be manipulated, the instinct is to treat it as an edge case. That instinct has not aged well.
The Hong Kong Deepfake Wire Transfer and What It Changes
The Hong Kong case in which a finance employee transferred roughly $25 million after a video conference populated entirely by deepfake participants has been treated as a curiosity. It should be treated as a turning point.
Building a Communications Security Program
The reason building a communications security program keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
Why Omnichannel Fraud Is Hard to Detect
A practical way to think about why omnichannel fraud is hard to detect is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
Synthetic Identity Attacks in Service Businesses
Synthetic Identity Attacks in Service Businesses is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
The Problem With Trusting Caller ID
The conversation about the problem with trusting caller id tends to start in the wrong place. It starts with technology, when it should start with workflow.
AI Agent Red Teaming for Voice and Chat Systems
When organizations first encounter ai agent red teaming for voice and chat systems, the instinct is to treat it as an edge case. That instinct has not aged well.
Contact Center Resilience During Disaster Surge Events
The reason contact center resilience during disaster surge events keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
How Fraudsters Exploit Emergency Intake Workflows
A practical way to think about how fraudsters exploit emergency intake workflows is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
Human-AI Handoff Failure in Customer Service
Human-AI Handoff Failure in Customer Service is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
Why SMS, Email, Chat, and Voice Must Be Secured Together
The conversation about why sms, email, chat, and voice must be secured together tends to start in the wrong place. It starts with technology, when it should start with workflow.
Deepfake Callers and the Future of Identity Verification
When organizations first encounter deepfake callers and the future of identity verification, the instinct is to treat it as an edge case. That instinct has not aged well.
Voice Denial of Service: The Next Contact Center Threat
The reason voice denial of service: the next contact center threat keeps showing up on executive risk registers is that it sits at the intersection of three things organizations are not yet good at: AI governance, contact center operations, and identity verification. Each of those is a discipline of its own.
The T-Mobile SIM Swap Settlement and the SMS Trust Problem
The settlement T-Mobile reached over its handling of SIM-swap fraud is a useful occasion to revisit a question that the security industry keeps deferring: how much trust should any system place in an SMS message or a phone number?.
The Hidden Risk of AI-Only Customer Intake
A practical way to think about the hidden risk of ai-only customer intake is to ask what your contact center looks like to a sophisticated attacker on a Tuesday morning. The attacker is not trying every door.
How Contact Centers Become Attack Surfaces
How Contact Centers Become Attack Surfaces is one of those topics that is easier to describe than to defend against. The description fits in a paragraph.
Why AI Voice Agents Create a New Security Perimeter
The conversation about why ai voice agents create a new security perimeter tends to start in the wrong place. It starts with technology, when it should start with workflow.
What Is Synthetic Caller Injection?
When organizations first encounter what is synthetic caller injection?, the instinct is to treat it as an edge case. That instinct has not aged well.
What the Internet Archive Breach Tells Us About Communications Trust
When attackers compromised the Internet Archive earlier this month and replaced its front page with a taunt, most analysis focused on the credential exposure. The communications side of the incident is just as important.
The MGM and Caesars Vishing Playbook, One Year Later
It has been about a year since social engineers walked into MGM and Caesars through the help desk, using nothing more sophisticated than a convincing phone call. The intrusions cost hundreds of millions of dollars and reshaped how casino operators think about identity verification on internal support channels..
What the CrowdStrike Outage Revealed About Communications Surge Capacity
The CrowdStrike update that took down millions of Windows machines on July 19 produced a second-order effect that is still being underestimated: every affected organization's contact center received its annual call volume in a single morning. Airlines, hospitals, banks, and retailers all hit the same wall at roughly the same hour..
The Ascension Health Outage Was a Communications Continuity Failure
The Ascension incident this month has been covered primarily as a clinical-systems event, with attention on diverted ambulances and paper charting. Less attention has gone to what happened to the communications layer.
Air Canada and the New Liability of Hallucinated AI Intake
The Civil Resolution Tribunal ruling against Air Canada this week is being read narrowly as a consumer-protection decision. It deserves a wider reading.
82 entries · archive runs from Feb 2024 to Mar 2026.