Savi’s app aims to protect consumers from realistic AI scams like kidnappers demanding ransom
Digital Frontier EditorialJuly 7, 20265 min read
Key Takeaways
AI has collapsed the cost of sophisticated social engineering, putting nation-state attack tools in the hands of street-level scammers
The Coughlin brothers watched their mother nearly pay ransom for a fake kidnapping — voice-cloned from three seconds of social media audio
Savi Security launches its consumer app Tuesday with $7 million in seed funding, betting that enterprise-grade detection can be productized for phones
No regulatory framework exists to penalize platforms hosting cloned voices or spoofed caller IDs at scale
The scammer knew which Walmart. He knew the daughter's voice. He knew the mother's number. Two years ago, Patrick Coughlin's mom answered a call from her own daughter's caller ID — and heard her daughter scream.
Five minutes later, the family confirmed the daughter was safe at work. The kidnapping never happened. The voice was synthetic. The caller ID was spoofed. The Walmart location came from a public Facebook check-in.
Coughlin was senior vice president of security products at Cisco. He had spent his career defending governments and Fortune 500 companies against exactly this caliber of intrusion. Now it had arrived on his mother's iPhone.
That is the story the cybersecurity industry doesn't want to tell: the asymmetric economics have flipped. Three seconds of audio. A few dollars of cloud compute. A teenager in a basement can now execute attacks that required nation-state resources five years ago.
Savi Security, the startup Coughlin founded with his brother Ryan, launches its app Tuesday on iOS and Android. Seven million dollars in seed funding led by Acrew Capital. The pitch: bring enterprise-grade threat detection to the consumer device.
It is a necessary bet. It is also an insufficient one.
The democratization of deception
Voice cloning services advertise openly. ElevenLabs, PlayHT, Respeecher — legitimate tools for creators, repurposed for fraud. Caller ID spoofing remains trivial; the FCC's STIR/SHAKEN framework covers only a fraction of call paths. Data brokers sell movement patterns, family relationships, employment history for pennies per record.
The kidnapping scam that targeted the Coughlin family required research. Today, that research is automated. Large language models scrape social media, correlate data broker files, generate personalized scripts in milliseconds. The marginal cost approaches zero.
This is not a vulnerability. This is a business model.
Cybercrime follows ROI. When enterprises hardened their defenses — multi-factor authentication, zero-trust architectures, dedicated SOC teams — attackers moved downmarket. Consumers have no SOC. They have no zero-trust architecture. They have a phone number, an email address, and a growing archive of biometric data scattered across platforms that refuse to secure it.
What an app can and cannot fix
Savi's approach is pragmatic. The app analyzes incoming communications — calls, texts, emails — for anomaly patterns. Voice print verification. Caller ID reputation. Linguistic markers of social engineering. Contextual risk scoring based on the user's actual contacts and habits.
If your "bank" texts from a short code that hasn't been used in six months, Savi flags it. If your "daughter" calls from a VoIP gateway in a country she's never visited, Savi flags it. The processing happens on-device where possible; the cloud component handles heavier model inference.
This is smart engineering. It raises the attacker's cost. It forces them to burn fresh infrastructure, fresh voice models, fresh research per target.
But an app cannot fix the supply chain. It cannot stop data brokers from selling your mother's Walmart visits. It cannot force carriers to authenticate caller ID end-to-end. It cannot compel Meta or TikTok to watermark or restrict voice clips uploaded to their platforms.
Savi treats symptoms. The disease is structural.
The regulatory vacuum
Congress has held hearings. The FCC has issued fines. The FTC has published guidance. None of it has produced a liability framework that makes platforms financially responsible for the misuse of biometric data they host.
Post a fifteen-second Reel narrating your vacation? Your voice is now in the training set. No consent mechanism exists. No opt-out functions. The platforms argue Section 230 immunity; the courts have not ruled on whether synthetic media generation constitutes "content" or "tooling."
Until that changes, every consumer defense is rear-guard action.
The uncomfortable truth about consumer security
Enterprise security works because organizations accept friction. They mandate hardware keys. They tolerate false positives. They pay six-figure salaries to analysts who investigate alerts at 3 AM.
Consumers will not tolerate friction. They will disable protections that block legitimate calls. They will ignore warnings that interrupt their flow. They will choose convenience over security every time — until the kidnapping call arrives.
Savi knows this. The brothers built consumer products at Apple and Spotify. They understand that security must be invisible until it screams.
But invisibility requires trust. Trust requires transparency about false positive rates, data handling, model limitations. The launch announcement offers none of that. Marketing pages promise "AI-powered protection" — the same phrase used by every snake-oil vendor in the App Store.
A necessary product in a broken market
Download the app. It costs nothing yet; monetization comes later. The onboarding flow takes three minutes. The threat model is real.
But do not mistake a consumer app for a solution. The kidnapping scam worked because the entire trust infrastructure — caller ID, voice recognition, location privacy — has been hollowed out by companies that profit from its erosion.
Savi puts a finger in the dike. The water keeps rising.
The Coughlin brothers deserve credit for building something. The industry deserves scrutiny for making it necessary.