The Complete Guide to Spam Calls in 2026

In July 2025, Sharon Brightwell of Dover, Florida picked up a call from a sobbing woman who said she'd been in a car wreck. The voice was her daughter's. A man came on the line, identified himself as a lawyer, and asked for $15,000 in cash for bail. Brightwell sent the money. Her daughter hadn't been in any accident. The voice was a clone, built from public social media audio in seconds.

What spam call traffic actually looks like in 2026

US consumers received 52.5 billion robocalls in 2025, an average of about 4.4 billion a month, per the YouMail Robocall Index. That's almost flat year over year, which sounds like good news until you look at the legal-versus-scam mix: scam and telemarketing calls climbed from 2.14 billion a month in 2024 to 2.56 billion through September 2025. The category responsible for most of the harm is still growing.

Reporting trails the volume badly. The FTC received 2.6 million Do Not Call complaints in fiscal 2025, and robocalls were the majority of them. Against 52.5 billion calls in the same window, that's roughly one report per 20,000 calls. Most people have stopped flagging them.

Enforcement is happening, and it's lagging. Since the Do Not Call Registry was created in 2003, the FTC has filed 173 lawsuits against 570 companies and 449 individuals and collected nearly $400 million, the lifetime total over two decades. In a more aggressive single action, in August 2025, the FCC effectively shut down 1,388 phone companies it said were routing illegal traffic. Both numbers are real, and both are dwarfed by 4.4 billion calls a month. Most of the traffic originates outside US jurisdiction and routes through carrier chains that make prosecution slow and expensive. Sending a million calls costs pennies. Prosecuting a case takes months.

The calls themselves break into a handful of shapes:

Robocalls. Automated dialers playing recorded messages, or IVRs routing through menus. Some are legal: political messages, doctor's office appointment reminders. Most that reach consumer phones are not.

Live scam calls. Humans running scripts from overseas call centers. IRS impersonation, fake Microsoft tech support, the grandparent scam, romance scams that move from a dating app to your phone. A live caller can improvise and apply pressure, which is what makes the category dangerous.

AI voice scams. Microsoft's VALL-E research showed that three seconds of audio is enough to produce a clone family members can't reliably distinguish from the real person. The category barely existed in 2022. The Brightwell case is one of dozens reported in 2025 alone.

Neighbor spoofing. Caller ID faked to match your area code and local exchange. The point is to trade on familiarity. In 2026, a local prefix on an unknown number tells you nothing.

Silent-hangup calls. You answer, the caller hears you say hello, the call drops. The hello is the point of the call: confirmation that the line is alive, sold on to other operations as a validated lead.

Across all of these categories, the underlying numbers rotate constantly. Commercial spam operations cycle through thousands of fresh numbers a month, specifically because that's how database-based defenses get beaten.

Why the defenses people already run don't catch this

Most phones today have some combination of carrier-level spam filtering, an OS label (Samsung Smart Call, Google Caller ID & Spam), and a third-party app (Hiya, Robokiller, Truecaller). They work the same way underneath: match the incoming number against a database of known spam. The model fails in two documented directions.

Fresh numbers slip through. Robokiller's own support documentation concedes that "new or spoofed numbers may bypass filters temporarily." Temporarily here means the days or weeks of user reports a new number needs before it gets labeled.

You aren't being protected from the active campaign, only from last month's.

Legitimate callers get blocked. Robokiller maintains a public Blocklist Exception request form because the blocks are wrong often enough to warrant a dedicated intake. The reviews are concrete: one Trustpilot reviewer reported their sister, doctor, and father's hospice nurse all being blocked; another cancelled service after the app repeatedly blocked their doctor's office. Hiya publishes a support article titled "Help! My Numbers are Being Flagged as Spam, but My Calls are Legitimate," which exists because legitimate small businesses regularly land on user-reported spam lists. One Truecaller user reported publicly that across six to nine months the app flagged exactly two calls as spam, and both were legitimate. One was Verizon Sales returning the user's own inquiry.

These failure modes interact badly with the design choice the service makes.

Label-only services (carrier filters, OS-level filters, free Hiya) show "Potential Spam" on the screen but let the phone ring. The label is a hint. Even when the system correctly identifies a scam, the notification still interrupts you, and the decision is still yours.

Block-first services (Robokiller, Truecaller Premium Auto-Block, paid Hiya, carrier "enhanced" protection) silently drop the call when the database says spam. When they're wrong, you get no ring, no voicemail, and no notification at all. Your doctor's new office line calls, the database guesses spam, and you never know the call existed.

AI voice cloning made both failure modes worse at once. Autodialers can now place scripted scam calls at scale that sound like a known person, so the calls that do get through carry higher consequence than they did three years ago. The database model was already losing the rotation race. Now it's losing the rotation race and the credibility race together.

What it looks like when the caller has to identify themselves instead

VoxGuard is an active call screening service. It answers unknown numbers before your phone rings. The app plays a short prompt that includes a phrase you set during installation and asks the caller to repeat the phrase back. Three failed attempts end the call.

That single step does most of the work, because most of the categories above can't pass it. A robocall is a recording; it cannot process incoming audio or respond to a real-time instruction. Bulk live scam operations are paid per connect, so when a call adds an off-script step, a measurable share of operators drop to stay on rate. Silent-hangup dialers never intend to speak, so they fail validation and the number stops being worth selling on. AI voice clones are typically set up to deliver a scripted emotional plea start to finish, not to pause mid-plea and respond to a prompt.

1 An unknown number calls you Saved contacts skip everything and ring through 2 VoxGuard answers first In the network, before your phone gets involved 3 “Please say [your phrase]” Spoken aloud to the caller · three tries ✕ Recordings talk over it and run out of tries ✕ Silent dialers hang up no hello, no lead to sell 4 They say their name and reason In their own voice · recorded and transcribed 5 You decide, from the lock screen Listen · Approve · Decline · two minutes, then voicemail Your phone rings only if you approve, showing the caller's real number
The screening flow, end to end. The caller does the work; you get the result.

A caller who repeats the phrase is asked next to state their name and reason for calling, in their own voice, in five to sixty seconds. The statement is recorded, auto-transcribed, and pushed to your phone as a heads-up notification with the caller's number, the audio, and the transcript. You can Listen, Approve, or Decline from the lock screen. If you take no action within two minutes, the call goes to voicemail.

A transcript pulled from internal testing, verbatim: "I'm calling about your car's extended warranty." You read it, you decline, your phone never rings.

VoxGuard Call Detail screen showing audio waveform and transcript 'I'm calling about your car's extended warranty' with Approve and Decline buttons
The Call Detail screen: audio clip, transcript, two choices.

People you already know skip all of this. Saved contacts ring through normally on every call. Setup includes a one-time carrier forwarding step the app walks you through for your specific carrier.

The phrase is per-user customizable for one specific reason: if every user shared a phrase, a single pre-recorded compliance response would pass every user's screening. Different phrases per user closes that workaround.

The other consequence is the one list-based services struggle with: the calls those services accidentally block don't get blocked here. A doctor on a new office line, a school substitute, a recruiter calling from a number you've never seen: VoxGuard has no list to falsely include them on. They go through the same screening step as anyone else, you hear who they are in their own voice, and you decide.

The honest scope

VoxGuard is Android-only and $4.99/month, with a 7-day free trial cancellable through Google Play. It doesn't keep a spam list, by design. It doesn't read contact names or emails, only phone numbers, and only so the people already in your contacts can ring through without screening. Approved calls aren't recorded; the only audio the app handles is the short statement an unknown caller makes during screening.

A decade ago, "is this number known to be spam?" was the right question for the technology of the time. In 2026, the question with the cleaner answer is whether a real person is on the line, willing to identify themselves. Real callers can do that in a few seconds. Most of what's filling your phone today, by design, can't.

Try VoxGuard →


Sources