Scams Don't Exploit Ignorance. They Exploit Being Human.
Last week, I traveled to St. Paul, Minnesota to give a talk about scams at SecretCon.
It is hard to get up on stage and tell people that the oft-repeated security advice, some of which I've been sharing for over a decade, does not protect them against scams, but that's exactly what I did. It was not that long ago that I realized some of the advice I had been giving to people who wanted to prevent scams won't actually protect them from scams. But the alternative is to hand people tools that won't work, creating false confidence.
I see people do this all the time. They don't like surveillance capitalism and some of the poor privacy practices held by large corporations, so they switch to small, independent companies. Some of these tools are great. Some of them have really bad UX and are difficult to use. The tradeoff can be worthwhile if there's a real benefit, but often I wonder whether there really is one.
You can move from a company with invasive privacy practices to one with a beautifully written privacy policy and still end up less protected if that company cannot secure your data. It turns out that attackers don't care about your privacy.
There are absolutely small organizations doing excellent work here, and I deeply respect them. I also deeply respect organizations that offer affordable security audits and assist with incident response. But if security controls aren't in place, the privacy policies start to feel a little theoretical. Some of us love playing with independent tools, and some people really struggle here. It has become harder for me to tell people that the move is for them and all of their friends and family members and colleagues to leave tools that are usable and familiar for ones that are harder to navigate when there's no guarantee the switch materially protects them from the threats they actually face.
Scams, of course, can circumvent security controls. Freezing your credit won't stop you from authorizing a transaction to a scammer. The same false-confidence trap is at work: the move that feels safer isn't always the one that protects you.
Scams are endemic. This is not a secret. I have gotten scam education emails from almost every organization I've done business with. In 2025, Americans reported losing a record 15.9 billion dollars to fraud. The year before, it was twelve and a half billion. The year before that, ten. The line only goes one way. Every year awareness campaigns get bigger, security tooling improves, more people adopt "best practices," and still the losses continue to rise.
I do think education helps. Most people have stories about the scam they avoided because they paused for a moment, searched a suspicious link, or contacted someone through another channel. Those interventions matter. But it is also very easy to hear stories about people being scammed and assume they were uniquely careless or gullible (I say after listening to the Unicorn Girl podcast).
The thing is that scams don't exploit ignorance. They exploit being human. And once you take that seriously, you stop asking how someone could possibly fall for a scam and start asking who built the infrastructure that makes scams this easy to run, this scalable, and this profitable.
During the talk, I shared stories about times I was scammed or almost scammed myself. I'm in good company alongside industry luminaries like Cory Doctorow and Troy Hunt. This is proof that spending years working in cybersecurity education does not magically exempt you from being manipulated under the right circumstances.
In my talk I spoke about how we need to stop blaming those targeted for being human, for having a moment of unearned trust. Understanding how scams work might help you in the moment, but it won't stop the next billion scam ads from running. It won't shut down scam compounds in Myanmar. And it won't regulate the tools capable of cloning your loved one's voice for $5 a month.
What You Can Actually Do
No matter how much I emphasize the systemic nature of scams, I get asked to share practical prevention advice, which is understandable. People want something concrete they can do. So yes: use credit cards when possible. Have a family code word. Slow down around urgency. Learn about the different scam families and the manipulation techniques scammers, and others, use.
But honestly, one of the biggest things I recommend is sleep, which seems wildly underrated right now. Every day I see some new hustle-culture post insisting people should work constantly, sacrifice weekends, optimize every waking hour. There are definitely times when I've given up my evenings and weekends because I had to finish projects. I'm doing this right now! But I can't imagine adopting this as a regular practice. It just feels too good to sleep and to be well-rested.
When you start to sleep enough consistently, and surround yourself with really good people both personally and professionally, you establish a baseline of what safety feels like. Pressure feels wrong faster. Whether it comes from a scammer, an ad, a manager, or a friend, your nervous system notices when somebody is trying to manipulate you into acting against your own interests.
But if your baseline is chronic exhaustion, stress, isolation, and toxicity, scam tactics may not stand out from everyday life. Urgency stops feeling unusual. Pressure stops feeling suspicious. That makes manipulation harder to identify.
This is not about blaming tired or overworked people for being targeted. It is just true that people function better when they are rested, supported, and psychologically safe. Also, as a bonus, you can bike longer, lift heavier, and generally feel more alive.
The Real Fixes Are Structural
Still, we should be honest about the limits of individual strategies. A family code word will not stop platforms from running billions of dollars of fraudulent ads. Sleeping enough will not dismantle transnational criminal networks or shut down physical scam compounds. The real solutions here are structural.
I want to see platforms held financially accountable for the scam ads they profit from. I want real advertiser verification tied to legal identities and locations. I want victims to have meaningful recovery pathways on instant-payment rails. The U.K. now requires banks to reimburse most authorized-payment fraud. The U.S. does not.
I increasingly think part of the answer will involve building better systems and tools that help people navigate trust online in ways that don't rely entirely on individual vigilance and perfect decision-making. There are some genuinely interesting ideas emerging here that make verification and fraud detection much more usable. I plan to write more about that in the future.
But ultimately, the people who should answer for this are the scammers running these operations, the platforms profiting from them, and the regulators allowing it to continue. Not the people being targeted.