Smart Speaker Scam UK

Spot the three dominant smart-speaker scam patterns in 2026 — voice-search routed to scammer support numbers, compromised third-party skills, and verbal-purchase fraud at parties / Airbnb — and how to lock voice assistants down.

Last reviewed: 13 May 2026 · ScamSupport research

How smart speakers became a 2026 scam vector

UK households now contain over 30 million smart speakers (Amazon Echo / Alexa, Google Nest / Home, Apple HomePod / Siri), used daily for voice search, smart-home control, alarms, music, and increasingly verbal shopping. Each of these capabilities is a small surface for abuse. Three dominant patterns have emerged for UK consumers:

None of these is the highest-loss category in UK scam reporting, but the trajectory is upward and the household-level controls are simple and underused. This page covers the patterns, the device-specific lock-downs, and what to do if you spot a fraudulent verbal purchase.

Three smart-speaker scam variants currently in circulation

Variant 1 — Voice-search routed to scammer customer-support number

How it presents: A user asks Alexa / Google Home / Siri for a customer-support number: “Alexa, what’s the Amazon customer service number?”, “Hey Google, find the BT helpline”, “Siri, call PayPal support”. The voice assistant returns a number sourced from web search. Scammers SEO-poison fake support pages to appear in the top results — when read out by the voice assistant, the user calls the scam number and lands in a tech-support-scam script (see our Microsoft tech-support guide).

Red flags:

  • Voice-assistant-returned support numbers are not verified. Alexa / Google Home / Siri read out numbers from web search results. They have no special verification step that flags scam numbers.
  • The number doesn’t match the company’s real published number. Real customer-support numbers are listed on the company’s own website (e.g. amazon.co.uk/contact, bt.com/contact). Cross-check before calling.
  • The script that follows is the standard tech-support scam: request to install remote-access tools, request for Amazon gift cards, request to log into online banking. Identical to Microsoft tech-support and Apple-call scams.
  • The voice assistant typically reads the number without context. “Amazon customer service is 0800-XXX-XXXX.” The user trusts the device, not realising the device just read out a top-ranked search result.

Variant 2 — Compromised third-party skill / action

How it presents: An installed Alexa skill, Google Home action, or Apple Shortcut from a third-party developer becomes a fraud vector. Either: (a) the developer was malicious from the start and the skill captures voice queries it shouldn’t (e.g. a “daily horoscope” skill listens for banking-related queries and reports them), (b) the developer was compromised and an update introduced malicious behaviour, or (c) a typosquatted skill name (“Halifax Help” vs the real “Halifax Banking”) is activated by mistake.

Red flags:

  • Skills / actions you don’t recognise installed on your device. Check installed skills in the Alexa app (Skills & Games > Your Skills) or Google Home app (Settings > Voice & Speech > Services). Disable anything you don’t actively use.
  • Skills requesting permissions beyond their stated function. A horoscope skill doesn’t need location permission or device-control permission. Review skill permissions periodically.
  • Bank-impersonation skills. Some scam skills mimic real bank names. Real UK banks (Barclays, NatWest, HSBC, Lloyds) have official Alexa skills published by the verified bank account. Check the developer name before enabling any bank-related skill.
  • Voice-recorded data is sent to the skill developer. Once a skill is activated, parts of the voice interaction can be sent to the developer for processing. Sensitive data shouldn’t be spoken to unverified third-party skills.
  • Periodic audit of installed skills: uninstall anything you haven’t used in 3+ months. The attack surface scales with installed-skill count.

Variant 3 — Verbal-purchase fraud at parties / Airbnb / shared housing

How it presents: A household has voice purchasing enabled on Alexa (or Google Assistant). A guest / visitor / Airbnb stay / party-goer speaks “Alexa, order £500 of [item]” aloud near the device. The order is placed against the household’s linked Amazon account, charged to the household’s default card. Variants: prank orders by friends, deliberate fraud orders by short-term renters, accidental orders by children.

Red flags:

  • Voice purchasing is on by default in many Alexa setups. Households may not realise this is enabled. Check Alexa app > More > Settings > Account Settings > Voice Purchasing.
  • No voice-print verification by default. Standard Alexa voice purchasing accepts any voice, not just the account-owner’s. Anyone in the room can trigger a purchase.
  • Children can trigger expensive purchases. Highly-publicised cases include kids ordering £100+ toys by asking Alexa, or pets / TV adverts triggering purchases by repeating the wake word.
  • Airbnb / holiday rentals. Hosts who leave smart speakers active for guests are exposed to verbal-purchase fraud by short-term renters. Either disable voice purchasing on guest-area devices, or disconnect them entirely from the host’s shopping account.
  • Disable voice purchasing entirely if unused. Most households don’t actually use the feature. Setting it to off (or requiring a 4-digit PIN) eliminates the entire variant.

How to lock down each smart-speaker platform

Amazon Alexa

  1. Disable voice purchasing (Alexa app > More > Settings > Account Settings > Voice Purchasing > toggle OFF). Or set a 4-digit confirmation PIN required before each purchase.
  2. Enable Voice Profile recognition so only registered voices can make purchases (Alexa app > More > Settings > Your Profile & Family > Voice ID).
  3. Review installed skills regularly (Alexa app > More > Skills & Games > Your Skills). Disable unused or unfamiliar skills. Check permissions on remaining skills.
  4. Disable always-listening on shared / public-facing rooms. Press the mute button physically on the Echo device when guests are over.
  5. Set up household purchasing PIN (Alexa app > Settings > Voice Purchasing > PIN). Recommended even if you keep voice purchasing enabled.

Google Home / Nest

  1. Disable verbal payments if not used (Google Home app > Settings > Payments). Without this enabled, payment-requiring purchases cannot complete via voice.
  2. Voice Match ensures only enrolled voices get account-tied responses (Google Home app > Account Settings > Voice Match). Without it, anyone’s voice triggers actions tied to the primary account.
  3. Audit installed Actions (Google Home app > Settings > Voice & Speech > Services). Remove unfamiliar entries.
  4. Per-device microphone mute via the physical switch on Nest devices when guests are present.

Apple HomePod / Siri

  1. Disable “Listen for Hey Siri” if not needed (Settings on iPhone > Siri & Search > Listen for “Hey Siri” > toggle OFF). HomePod requires this to be enabled but you can disable on bedroom devices.
  2. Recognise My Voice ensures HomePod responds to personal-data queries only for your voice (Home app > HomePod settings > Recognise My Voice).
  3. Disable Personal Requests on shared devices (Home app > HomePod settings > Personal Requests > OFF). Without this, anyone could ask Siri to read your texts / set reminders / etc. via the household HomePod.
  4. Apple Pay via Siri requires Touch ID / Face ID on a paired device. Verbal-only purchases without device confirmation aren’t possible — Apple’s design choice limits this variant on HomePod.

If you’ve been a victim of a smart-speaker scam

  1. Fraudulent verbal purchase (Variant 3): open the Amazon / Google Shopping account, find the unauthorised order in order history, cancel it if still cancellable. For delivered orders: file a return / dispute via the platform’s normal flow. Amazon’s “I didn’t place this order” refund flow typically refunds within 48 hours.
  2. Tech-support scam triggered by voice-search number (Variant 1): follow our Microsoft tech-support scam recovery flow — the script is identical regardless of which support brand was impersonated.
  3. Compromised skill or data exfiltration (Variant 2): uninstall the suspect skill, change passwords on any accounts whose details may have been spoken near the device. Audit recent Amazon / Google Home order history for unauthorised activity.
  4. If banking credentials were spoken aloud near a compromised skill: change banking passwords immediately. Notify your bank.
  5. Report Alexa-related fraud to Amazon at amazon.co.uk/gp/help/customer/contact-us. Report Google Home fraud at support.google.com/googlehome. Report Apple HomePod / Siri-related issues at support.apple.com.
  6. For substantial losses: report to Report Fraud on 0300 123 2040.
  7. Use the PSR Claim Wizard for bank transfers / Chargeback Generator for card payments as the standard recovery routes.

Related scam guides

Use the Scam Message Scanner →