A new open-source tool called ScamBuster is taking an unconventional approach to email phishing defense: rather than simply blocking scam messages, it fights back. The AI-driven system autonomously responds to phishing emails in character — adopting believable victim personas to engage attackers in extended conversations, gathering intelligence on their methods while occupying their time with fake leads that go nowhere.
The project, described as an "AI-powered scam engagement system," is designed to operate at scale, allowing organizations and law enforcement agencies to monitor active phishing operations from the inside.
How ScamBuster Works
At its core, ScamBuster is a large language model (LLM) pipeline wired to an email handling system. When it receives a suspicious message — flagged either by existing spam filters or manually routed from a honeypot address — it follows a multi-step process:
-
Threat classification: The system analyzes the inbound message to determine whether it is a phishing attempt, advance-fee fraud, credential-harvesting scheme, or another category of scam.
-
Persona generation: ScamBuster creates or retrieves a pre-configured victim persona appropriate to the scam type. For a business email compromise attempt targeting an accounts payable team, it might adopt the role of a distracted financial assistant. For a romance scam, an elderly persona fitting the attacker's apparent targeting profile.
-
Engagement loop: The AI engages in natural conversation with the attacker, expressing interest in the scheme, asking plausible questions that slow the attacker's progress, and feeding false information — fake names, addresses, and "payment details" that waste the criminal's time and resources.
-
Intelligence collection: Throughout the engagement, ScamBuster logs all attacker communications, including infrastructure details (email headers, domains, phone numbers, payment accounts requested), language patterns, and the specific fraud script being used.
-
Reporting: Collected data is structured into reports suitable for sharing with law enforcement, anti-fraud databases, or internal security teams.
The Strategic Value: Flipping the Economics of Phishing
Phishing operates on a numbers game. Attackers send millions of messages because the cost per email is near zero — they only need a tiny conversion rate to profit. ScamBuster disrupts this economics by raising the cost on the attacker's side: every fake victim that ScamBuster plays out is time an attacker spends that could have been spent targeting a real victim.
At scale, if even a fraction of phishing attempts are intercepted and engaged by AI systems like ScamBuster, the economics shift measurably. Attackers must spend more time per conversion, their infrastructure gets documented and reported more rapidly, and the fraud scripts and payment methods they use are exposed before they can be widely deployed.
This is sometimes called "scambaiting" in the security community — a practice with a long history among individual enthusiasts who manually engage scammers to waste their time. ScamBuster automates and professionalizes the approach, making it viable for organizations rather than requiring hours of individual effort.
Intelligence Gathering at Scale
Beyond disruption, intelligence collection is ScamBuster's potentially most valuable contribution for law enforcement and threat intelligence teams.
Each engagement generates structured data:
- Email infrastructure: Return-path addresses, originating mail servers, spoofed sender domains.
- Phone numbers and messaging accounts: Many phishing operations escalate to WhatsApp, Telegram, or voice calls — ScamBuster captures these identifiers.
- Payment account details: Advance-fee and BEC scams request wire transfers or cryptocurrency. Wallet addresses and bank account numbers collected by ScamBuster can be cross-referenced with existing fraud databases.
- Script analysis: The specific language, urgency tactics, and social engineering approaches used reveal information about the attacker group's methods and potentially their origin.
Aggregated across many engagements, this data can reveal patterns that link separate scam campaigns to common infrastructure or operator groups — the kind of operational picture that is difficult to build from passive monitoring alone.
Open Source Design
ScamBuster is designed as an open-source system, reflecting a philosophy that effective anti-fraud tooling should be accessible to organizations, nonprofits, and law enforcement agencies without large vendor budgets. The architecture is modular:
- LLM backend: The system is designed to work with multiple AI providers, allowing deployers to use locally hosted models or cloud-based APIs depending on their privacy requirements and budget.
- Email integration: Standard IMAP/SMTP interfaces allow it to connect to honeypot inboxes or redirect suspicious mail from existing infrastructure.
- Intelligence export: Built-in support for exporting collected data in formats compatible with threat intelligence sharing platforms and law enforcement reporting templates.
The project's availability on open-source platforms means the security community can audit its logic, contribute improvements, and adapt it to specific regional fraud patterns — a significant advantage over closed commercial alternatives.
Limitations and Considerations
ScamBuster is not without caveats:
Attacker adaptation: Sophisticated phishing operations are increasingly using AI detection — systems that probe whether they are engaging with a human or a bot. ScamBuster's effectiveness will depend on how convincingly its personas hold up under scrutiny, and this is likely to become an arms race.
Legal landscape: "Engaging" with a scammer by feeding them false information occupies ambiguous legal territory in some jurisdictions. Organizations deploying ScamBuster should seek legal guidance on whether their engagement activities cross any lines related to fraud, computer misuse, or electronic communications laws in their relevant jurisdictions.
Resource considerations: Maintaining extended multi-turn conversations at scale requires LLM inference capacity. For high-volume environments, this may represent a meaningful compute cost — though still far less expensive than the damage a successful phishing attack causes.
False positive risk: If ScamBuster engages legitimate (non-malicious) emails that are misclassified as phishing, the resulting conversation could cause reputational or operational issues. Careful tuning of the initial classification layer is essential.
Reception and Outlook
The security community's response to ScamBuster has been largely positive, with researchers noting that active defense tools that impose costs on attackers represent a necessary complement to purely passive defenses. Traditional anti-phishing approaches — filtering, user training, MFA — reduce how often attacks succeed but do nothing to make running phishing campaigns more expensive for the operators.
Tools like ScamBuster, if deployed at sufficient scale and integrated with law enforcement reporting pipelines, could contribute meaningfully to that cost imposition — not eliminating phishing, but making the economics less favorable for the criminals running these operations.
For organizations dealing with high volumes of targeted phishing (particularly BEC attempts against finance teams or executive impersonation campaigns), ScamBuster represents a novel and potentially high-value addition to the defensive toolkit — one that turns attackers' own communication channels into intelligence collection opportunities.