Beau Friedlander – JoinDeleteMe https://joindeleteme.com Tue, 18 Nov 2025 18:48:40 +0000

The Anti-Money Laundering Paradox: AI versus Outlier Criminality
https://joindeleteme.com/blog/the-anti-money-laundering-paradox-ai-versus-outlier-criminality/
Tue, 18 Nov 2025 17:31:21 +0000

The global financial system moves vast sums of money every second—a blur of capital that includes everything from micro-payments to billions of dollars changing hands electronically. This week on “What the Hack?” we look at the criminals in that blur.

Within the daily torrent of capital moving around the globe, criminals inject and launder illicit funds, relying on the sheer volume and complexity of the system to hide in plain sight. While AI adds exponential capacity to monitor and police this data stream, it relies on established data patterns and that creates a unique (read: critical) problem because criminals succeed through strategic novelty—outlier thinking that AI, by its very nature, cannot yet predict or replicate.

Tracing the Invisible: Financial Data Trails

Modern technology has fundamentally changed the old adage that “money doesn’t know where it came from,” because every financial activity leaves a forensic trail. 

Trillions of dollars zip around the globe annually. In the torrent of currency, a $40 Venmo to settle a bar tab looks like a smaller version of a wire transfer for a real estate deal, which is dwarfed by a billion-dollar shipment of crude oil. But all of these, as well as the dough sent to buy the raw materials to make fentanyl, look the same in the money trucks moving along the global financial highways. It’s all just money till someone stops the truck and runs the driver’s license.

The application of AI slows the blur of finance enough to lift the fingerprints off bad money. Illicit funds can be identified. Even if a cousin’s child’s babysitter is making the payment, it can be identified. The connections are as findable as we are online in the everyday sense of People Search data broker sites and the like, but more accurately, they are exposed by the hyper-dimensional OSINT that maps this ecosystem.

I talked to Jeff Williams, the CISO at Sigma360, about all this. Williams painted a picture that promises a brighter future in the dark world of dirty money and sanctions compliance. Combining transaction data with publicly available information—including device IDs, IP addresses, names of flagged individuals, shell company registrations, and global news mentions—Williams is in the business of mapping criminal networks way beyond any one government list of sanctioned players to bolster KYC and protect clients against laundering campaigns.

The system can see patterns, trace accounts to addresses, devices, IP addresses, names, shell companies, fake merchants. They can map entire webs of relationships, who’s connected to what and how fast the money is moving. This capacity turns the financial system into a battlefield where every transactional event is a potential intelligence source. 

The Nuances of Global Blacklisting

Ironically, the global compliance architecture, enforced by agencies like the U.S. Treasury’s OFAC, demands a level of complexity that AI cannot yet execute without a human keeper running the plays. 

When it comes to integrating the sanctions lists and intelligence from other countries, added to OFAC’s rules, AI is fine. That said: Problem not solved. It would instantly spiral out of control without the agency of an experienced human looking for trouble because criminals are good at outlier thinking and AI sucks at it.

Let’s say OFAC lists an entity that owns 50% or more of a company. That person is somebody who should be sanctioned if the company is sanctioned, but who looks to see if the cousin of that person owns 1% and they own 49%? And that’s saying nothing of aggregate ownership and whole constellations of other data points.

Williams leaned into the position that if you don’t go out and look at those next-level relationships and how things map together and how they graph out, you’re going to miss things.

Strategic obfuscation is the hallmark of criminals. Imagine if the School of Hard Knocks gave out MBAs and Ph.Ds in outlier thinking; now, imagine how hard that would be to police. 

Mind the Gap

Enterprise hates compliance because it requires massive investment, but there’s no guarantee when it comes to exposure to regulatory penalties. You can throw everything you have at a problem and at the end of the day get fined because you didn’t solve for it (though if you can prove you tried your best, you might not have to pay quite as much).

The basic problem with compliance is that we have somehow decided that’s the goal. We treat compliance like a hurdle we have to clear, when it should be the ground underneath our feet. 

Meanwhile there’s an aberration gap. By focusing only on achieving regulatory standards (i.e., detecting known, patterned crimes and threat actors) and trusting tech to do its thing, we leave next-gen, non-patterned criminal threat actors an open field.

The Capacity Ceiling of Algorithmic Security

Since AI is trained on historical patterns, it can only identify deviations that exist, and it’s bad at strategic thinking for the same reason. Aberration from the norm? Does not compute.

My takeaway from the conversation with Jeff Williams is that humans survive another day. The same systems that spot hidden crime can also generate false positives, which is yet another reason a human-in-the-loop model is wise. An experienced, intelligent analyst is still the essential, non-replicable component in the war on creative outlier thinking driving the finances of criminal enterprises globally.

Ethical Responsibility and the AML Future

Technological limits versus criminal innovation is a boring war minus ethical responsibility. Financial gatekeepers wrestle with both technical difficulty and the systemic tendency to choose the optimization of profits over the costly, difficult work of “perfect policing,” or whatever the closest thing to that may be.

So it’s time for a rhetorical question: What ever happened to doing the right thing and having that be reason enough to do it?

When it comes to ensuring and governing legit transactions, computational power alone cannot win the day. The ultimate capacity needed to defeat sophisticated criminal deviation is the cognitive ability and moral will of the human analysts, transforming compliance from a regulatory hurdle into a proactive–Spy vs Spy–commitment to security.

A(I) Blueprint for Modern Cybersecurity
https://joindeleteme.com/blog/ai-blueprint-for-modern-cybersecurity/
Wed, 12 Nov 2025 20:27:42 +0000

Cybersecurity titan Neil Daswani was this week’s guest on “What the Hack?” where we ran the gamut, landing on a critical question: How much harder will cybersecurity be as AI technologies evolve?

Author of Big Breaches and former CISO of LifeLock, Daswani and I started with early days: The click farms where he got his start in the catch-and-kill world of early cyber before leaning into a discussion of the challenges we face today. 

My takeaway? Cybersecurity today succeeds or fails on the correct calibration of the CISO’s paranoia. In the age of AI, where personally identifying information (PII) and the data collected from our digital lives (both publicly available and sold by data brokers of all stripes) is the key to fraud, survival depends on right-sized paranoia. Every moment of attention online is a potential, “mission critical” security breach waiting to happen, which is why the CISO mindset matters.

The wisdom driving this paranoia dates back to Daswani’s early work at Google combating click fraud—in particular an industrial-scale click operation that triggered a Code Yellow emergency. The strategic fix: Make fraud more difficult. The problem: wherever there are humans there is vulnerability. 

For Neil Daswani, the journey from combating click fraud to protecting personal information revealed a chilling reality about our collective vulnerability. The compromise of foundational data, Daswani notes, didn’t stop with the Equifax breach (when half the country’s SSNs were stolen). A subsequent breach at an organization called National Public Data resulted in the theft of every American’s Social Security number.

This PII—your name, phone number, address, and digital fingerprint along with your SSN—is the raw material used by cybercriminals because your Social Security number doesn’t come with multi-factor authentication or password protection (though you can get a PIN code from the IRS). Our PII exists as a fixed, unchangeable dossier used by criminals to create convincing pretexts for fraud.

This terrifying inevitability of data loss is why the identity protection industry has had to evolve. Since prevention is not 100% effective against massive, ongoing data leaks, recovery has become an essential pillar of defense. 

Daswani explains that a significant advancement has been the advent of identity theft insurance. This progression, first championed by LifeLock, includes stolen funds reimbursement insurance, acknowledging that because breaches are inevitable, victims need a guaranteed way to become financially whole again after they have been targeted by crime built on compromised PII.

But back to the kinds of behavior that keep bad things from happening…

AI provides the latest evolution in human vulnerability. Generative AI turbo-charges social engineering, creating virtually flawless phishing messages and hyper-realistic deepfakes as well as workable pretexts and other modes of attack. That makes it increasingly difficult, if not impossible, to discern what is real and what is fake, a factor that drives exploits such as wire fraud and romance scams. Since money and information are often willingly given in these scenarios, traditional defenses fail.

The pragmatic solution for high-value transactions is to remember this: AI can’t shake your hand. 

For any significant financial transaction, the best defense is to meet in person or verify the recipient through a strong, non-digital, and secondary channel. If a voice or face on a screen is asking for money, you must rely on a defense that AI cannot breach.

The rapid, unchecked advancement of AI brings us to the question of systemic security and the need for a regulatory guardrail system for AI. 

Daswani advocates for smart regulation, using the analogy of the German Autobahn. It is the fastest highway in the world because it has well-engineered lanes and user guardrails. Smart regulation, he argues, allows industry to move faster, not slower, by forcing companies to build stable, secure infrastructure from the start.

Ultimately, the blueprint for modern cybersecurity needs to solve for technological guardrails that are missing. AI can exploit that vacuum. Until effective oversight exists, survival depends on the adoption of the CISO worldview, which means accepting the fact that our data is in the wind. 

The way forward is to get busy compromising the raw material of fraud—your publicly exposed PII—thereby neutralizing the threat actor’s primary weapon and establishing a necessary defense perimeter for survival.

The Scarcity Trap: Where Scammer and Scammed Collide
https://joindeleteme.com/blog/the-commonality-of-scarcity-jackals-of-trust-in-the-digital-age/
Tue, 04 Nov 2025 23:17:02 +0000

It’s not just greed: The global fraud machine, fueled by financial need on one side and loneliness on the other, isn’t just about money; it turns on a profound social failure and a devastating paradox, something we explore in depth this week on “What the Hack?”

On the criminal side of the continuum, there is the obvious scarcity of resources—actual money, actual food, actual opportunity. On the victim side, there is often a lack of community, lack of connection, lack of social circle, and lack of support (technical, emotional or both).

Cybercrime emerges here as an inevitable result of fundamental human needs going unmet. The scammer is driven by financial lack, while the scammed is often seeking emotional fulfillment. Scammed and scammer meet in the commonality of scarcity.

This intersection of want—one for material wealth, the other for human contact—is the powerful engine driving a multi-billion-dollar global fraud machine.

We often examine the architecture of this crime phenomenon on “What the Hack?” and this week is a doozy. “Jackals of Trust: A Short History of Cybercrime” features cybercrime expert Gary Warner, Director of Threat Intelligence at DarkTower. We talked about the secret world of Nigerian cybercrime, one dominated not by disorganized thugs, but highly educated professionals who fuse computer science, spiritual ritual, and anti-colonial ideology to pursue a luxury economy built on exploiting loneliness, the explosion of personal information online and vulnerable digital non-natives.

The individuals running the most effective financial frauds are not the products of desperation alone, but the result of a system where education outpaces opportunity. Major West African crime syndicates, known as confraternities, mandate high educational standards. They are often run by graduates of a college program, according to Warner. 

“Many of them have western college degrees from computer science programs,” he told me, “and they often work in organizations that give them unique access and understanding. So, for example, we have members of the confraternities working in banks, working for healthcare companies, working in government agencies…”

This professionalism represents something you’ve heard us talk about on “What the Hack?” It’s the “corporatization of digital theft,” a strategic operation where technical skill is weaponized against global infrastructure. They learn the financial system from the inside, enabling large-scale Business Email Compromise (BEC) and high-end money laundering.

The motivation for these syndicates extends beyond simple greed, rooted in a potent ideological and spiritual framework. These confraternities operate as cultist organizations with formal hierarchies and chief priests. 

This belief system sanctions their criminal actions through ritual. Members engage in what they call a “money blessing,” a ceremony where members of the confraternity bring a sacrifice—which can range from money and alcohol to animals or even humans—to a shaman. This ritual is believed to cause a spiritual blessing to be placed upon their crimes, increasing their success in luring victims.

The spiritual justification is closely tied to a powerful political ideology that views crime against Western entities as a form of justifiable restitution. Drawing on Nigeria’s complex post-colonial history, many members believe they are owed for the theft of natural resources by colonial powers. This ideology provides a powerful, internal rationale: committing crimes against the West is therefore not viewed as theft, but rather as “taking back what has been stolen from us.”

The massive wealth generated underscores the brutal economic imbalance. For a young person in a rural area living on a $2-a-day wage, the criminal’s promise to teach them how to make $4,000 a day is a life-changing proposition for their entire family. The only solution to this cycle, according to Warner, is economic development, as cybercrime blooms where there is high-speed internet, high education, and nonexistent employment.

For those at the top, the wealth rapidly spirals into obscene excess, transforming survival into simple greed:

GARY WARNER: “These guys are moving the kind of wealth where, uh, you have a birthday party and you all go buy Lamborghinis. Or you might give someone a $300,000 watch as an appreciation, or a Rolls Royce. These are extremely wealthy people and it’s all based on crime.”

This lavish spending is directly funded by a wide spectrum of victims who fall on an even broader spectrum of vulnerability. A victim is exploited not because they are financially weak, but because they are lonely. In the commonality of scarcity, the victim’s desperate hunger for human connection directly finances the criminal’s ascent to material excess. This devastating exchange is the true heart of global cybercrime.

Is Home Title Fraud Really a Thing?
https://joindeleteme.com/blog/is-home-title-fraud-really-a-thing/
Tue, 28 Oct 2025 19:14:29 +0000

The most valuable asset for most Americans is their home and that’s probably why it’s the target of scammers looking to profit from easy-to-file paperwork in association with that asset. It’s one of the worst kinds of information fraud out there, and we talked about it on this week’s episode of “What the Hack?”

I call it “information fraud” to differentiate it from the “white collar crime” label, even though that’s how these property snatchers are categorized (alongside identity thieves) by the FBI. Translating stolen personal data into the seizure of physical property through simple ruses like forgery and other administrative trickery requires a special kind of moral turpitude–so in that regard “white-collar crime” fits, but the bar for entry is lower than most white-collar crimes.

I spoke to Del Denney, Director of Business Development at the Land Trust Company, to get a better understanding of this insidious phenomenon, focusing on the systemic vulnerabilities that have rendered your property deed surprisingly exposed and what you can do about it.

The Shocking Efficacy of Administrative Larceny

Home title fraud is alarming because it exploits a fundamental principle of real estate law: the reliance on public documentation. Individuals with a knack for research and criminal syndicates using sophisticated data-mining techniques—often involving bots and AI—identify properties whose owners are listed on the public deed to that property.

The most compelling proof that literally any property can be imperilled would probably be the successful leveraging of Elvis Presley’s legendary estate Graceland. We are all inherently exposed and the criminal’s strategy is simple: file forged paperwork with an overwhelmed county clerk’s office. The system accepts the documentation, forcing the true owner to undertake the months-long, expensive legal maneuvers to prove a crime occurred and undo the damage.

The Anatomy of the Target

These deed and title fraudsters operate on the principle of maximum return for minimum effort. Their methods are efficient, relying on public records to find the easiest mark—a property where ownership is clear and the likelihood of immediate detection is low.

Del Denney explained that the perpetrators will often target vacant land, second homes, or properties owned by elderly individuals who may not be monitoring their mail or the public record actively. This “trawling and trolling” approach means anyone with a publicly recorded name is a potential victim, affecting everything from suburban homes to high-net-worth estates.

“What the Hack?” Episode 223 detailed how perpetrators, ranging from local opportunists to international actors, identify and exploit vulnerable property records.

Reclaiming Legal Obscurity

The central solution proposed by Del Denney is not a technological fix, but a time-tested legal shield: the land trust.

The land trust serves as a legal shield by removing the individual’s name from the public record. The deed is held by a trustee entity, ensuring that public searches hit an intentional, legal informational dead end.

By eliminating the clear association between an individual’s name and their physical asset, the trust immediately deters the casual, automated searches utilized by scammers. It raises the “cost of targeting” the property to a level criminals are unlikely to pay. 

The trust also acts as a legal layer, extending protection beyond theft. When set against the potentially devastating financial costs associated with recovering a stolen title, the annual fee for a land trust service is an affordable premium for peace of mind.

This week’s Tinfoil Swan talks about your findability quotient. The ready availability of your data online is the scammer’s most critical asset.

To be more secure, the goal is to increase the friction and reduce the ammunition for information fraud through a multi-layered approach:

  • Use a land trust to obscure ownership of your real estate.
  • Monitor local real estate markets and credit reports diligently.
  • Consider subscribing to a personal information removal service to scrub PII from the data broker ecosystem–all those people search sites–cutting off the criminals’ supply chain for identity theft.

The conclusion is as ever inexorable: in the context of pervasive information fraud, privacy is not a luxury; it is a fundamental principle of personal security.

Your Phone Isn’t a Crime Scene—Yet: The Forensics of a Digital Life
https://joindeleteme.com/blog/your-phone-isnt-a-crime-scene-yet-the-forensics-of-a-digital-life/
Tue, 21 Oct 2025 19:50:48 +0000

It’s Cybersecurity Awareness Month, and we hear the same advice every year: update your passwords, get a password manager, use two-factor authentication. But the most pervasive threat isn’t SIM-swapping or a brute-force attack; it’s the fact that our phones are haunted by all kinds of trackers and, worse, the agenda of a digital world that runs on your data.

Documenting our every move and action, our service providers have a front row seat to our daily lives. To have any measure of privacy online, there is a lot we can learn from the mistakes criminals make.

My conversation on “What the Hack?” with Heather Barnhart, the Digital Forensics and Incident Response Curriculum Lead at the SANS Institute, was a stark reminder of this. While Heather’s expertise extends to actual crime scenes—from analyzing Osama Bin Laden’s digital media to establishing the digital part of the case against University of Idaho quadruple murderer Bryan Kohberger cobbled together from his phone—Barnhart’s fundamental lesson is applicable to all of us: Private life with a smartphone is an illusion.

The Digital Witness: Not Just for Criminals

Let’s be clear: your phone isn’t a crime scene unless you’re a criminal. But it is a data goldmine for anyone willing to pay to target you because your smartphone records your “pattern of life.” 

Pattern of life data is how the digital giants double dip on your status as customer, how advertisers retarget you across platforms, and, potentially, how social engineers trick you after identifying you online through public-facing people search sites, dark web repositories of breached data and ready-to-exploit data sets.

Consider the Bryan Kohberger case. His mistake wasn’t some complex encryption failure; it was a deviation from his normal pattern, which was typical for a homicidal sociopath (i.e., super predictable). The giveaway in his case: turning off his phone for four hours while the battery fully charged. The absence of data at a critical time became the most damning evidence. 

For the non-criminal, this principle still holds: predictability is a vulnerability. The more your phone’s data confirms a routine, the easier you are to target with marketing or a scam, not to mention the approaches it makes possible for stalking and/or social engineering.

Barnhart’s own experience with a stalker—an early-career harassment that she couldn’t trace because of a burner app—shifted her focus. That experience opened her eyes to the fact that we’re all potential targets.

The Generational Divide and the Vulnerability of Politeness

If digital resilience is a behavioral shift, then the easiest and most powerful change is to recognize where our personal habits fail us.

The primary defense against social engineering is the willingness to say No.

For Parents: The rule is absolute: “Nothing good ever happens after dark” with a child and a device. This rule defeats the primary conditions for sextortion and other online pressures—isolation and late-night vulnerability.

For Older Adults: Disproportionately targeted by AI deep-fake and financial scams, older people may be more culturally conditioned to be polite and deferential. Saying “no” to a stranger, especially one impersonating a representative of a big company like, say, Microsoft, feels rude. But in the digital world, politeness is a vulnerability.

Three Low-Effort Steps to Starve the Witness

The key is to minimize the data trail without becoming a hermit. Heather Barnhart says we need low-effort, high-impact actions to starve the digital witness we all carry around with us in our pockets. Here are three essentials:

  • Log In and Purge: Regularly check your Google Account (or Apple) and delete all old, unused devices that still have access. Every device is an open door to your data.
  • MFA is a Must: Turn on Multi-Factor Authentication (MFA) for every sensitive account. It is the single greatest return on investment for your time.
  • Establish a safe word: Create an AI Deep-Fake safe word with your family. If they call in distress and can’t provide the code, it’s a criminal. This simple hack immediately defeats the most sophisticated voice-cloning threats.

Finally, for your own digital hygiene, embrace a simple act of rebellion: Turn your phone off. Periodically going dark breaks your predictable pattern of life, making you less valuable to data brokers and harder to trace for criminals. You don’t need a forensics expert. You just need to stop doing everything Big Data expects you to do, and maybe float a decoy from time to time.

The Earned Internet? Seth Godin Leads the Way (Again)
https://joindeleteme.com/blog/the-earned-internet-seth-godin-leads-the-way-again/
Wed, 15 Oct 2025 13:25:25 +0000

This week’s episode of “What the Hack?” featuring Seth Godin forced a fundamental re-evaluation of what I thought I knew about our digital lives, specifically the digital noise of spam and intrusive ads. You can listen to the episode wherever you get your podcasts, and I urge you to do it. Godin is so good.

The early Internet promised connection. There was a vision of a vast, open digital commons where information flowed freely, unburdened by gatekeepers. The design of this digital world was utopian. But not everyone saw it that way. A hacked version of that promise started taking shape, not a dystopia exactly, but not awesome either. It turned the connected commons into a common marketplace driven by a new direct-marketing engine: the spam economy.

Maybe there are no “bad players,” per se. But there was a shift from connecting people to connecting people to transactions. Every click, every moment of presence, became data for sale. 

Enter Seth Godin, who tried to make it otherwise. Godin is the patron saint of attention well deserved, inventor of permission marketing, bestselling author, and the Jerry Garcia of good advice who thinks everything is marketing. Good, bad and indifferent–he also believes much of what reaches our inboxes falls under the rubric of a broken promise. And the reason it’s there in the first place is that the people sending it don’t have to pay postage, and they should. That’s how direct marketing worked before the Internet, and Godin argues that’s the way it should have continued to work.

But at its core, Godin’s anti-spam playbook isn’t a marginal business tactic; it’s a demand for the market to honor its contract with consumers: Listen to me, and I’ll say something worth hearing. 

The Digital Attention Tax

Nothing is free online. We pay a digital attention tax—a toll levied every time we encounter an irrelevant ad or an unsolicited piece of marketing slop. (Worth noting: Massachusetts Rep. Jake Auchincloss has floated the idea of an actual attention tax to fund local journalism and literacy programs. That’s not this.) 

The attention tax Godin talked about is not just about wasted time; it’s the cognitive overhead. The spam economy is how platforms monetize our presence because the bar for entry, while not zero, doesn’t include the considerable expense of postage. But whether we’re talking about actual spam email or the participatory spam of doom scrolling or (egad) pop-up ads and retargeting, our attention is not earned; it is stolen. The “slop loop” is the mechanism of this theft, a system built on intrusion, surveillance, and targeting, not opting-in or consent.

And because the internet took the dystopian route to utopia, this tax is now the unavoidable price of entry into the digital space, making everything we do online fundamentally transactional. Our data has become a liability. The constant bombardment lowers the ethical bar for everyone, creating a race to the bottom in which marketers believe that they must be increasingly loud and intrusive just to survive.

Godin’s elegant solution blew my mind: we don’t need to block the noise but rather to demand value in exchange for enduring it. Instead of stealing attention (or buying it), Godin urges us to earn it with a product or story so original and so compelling that we’ll gladly pay the tax of our undivided attention.

The High Cost of Mediocrity

To Godin’s eye, the corruption and the resulting attention tax force a radical truth: mediocrity is not affordable. 

The “digital slop loop” mentioned in the episode notes is the death spiral of non-original, easy-to-replicate marketing that results in more user enervation than sales. The way to win, in a world where the available pool of attention is finite but the volume of noise is infinite, is to play a different game.

Godin argues that to thrive these days, a business must accept a demanding, even punishing assignment: to be original.

Originality is the necessary, high cost of entry. It is the practical difficulty of consistently delivering a product or service so distinct that it cannot be automated, easily copied, or bought cheaply. You earn attention with exceptional quality. Anything less will be ignored in our noisy marketplace. 

From the Podcast: How Social Media Giants “Promote” Fraud
https://joindeleteme.com/blog/nature-abhors-a-support-vacuum-how-social-media-giants-promote-fraud/
Tue, 07 Oct 2025 18:36:44 +0000

We can all agree on this home truth about the Internet: You’re on your own when something goes sideways with your account on social media. But when a corporation like Meta doesn’t offer help to the matrix of users powering their empire, it isn’t just neglectful: It provides a lead generation funnel for scammers.

It’s no secret that social media can be a hostile environment, but for older adults who rely on social media to maintain their personal and professional communities that situation can spell a very real danger–both psychologically and financially.

The $3.4 Billion Cost of the Golden Rule

In 2023, scams targeting individuals aged 60 and older cost victims over $3.4 billion in losses, according to the FBI’s Internet Crime Complaint Center. The average loss was nearly $34,000. These soaring losses are the direct result of a perfect storm: a lucrative target pool meeting a systemic void created by the tech giants.

Tony Bongiovanni is the father of Brianne Smith, my colleague at DeleteMe. He’s an older adult who experienced this reality firsthand, and he told me about it in Episode 220 of our podcast (yes, we really have one) called “What the Hack?”

This story begins when Tony’s Facebook account is disabled and his digital lifeline—a Facebook account with more than 4,000 followers linked to a professional band page—disappears. His reaction: Get help.

He contacted the platform’s official number. An automated message said no human support was available for account issues. “Nobody answers the phone,” Tony told me. Nobody, that is, at Meta. User desperation opens the scammer’s funnel.

When you hit that dead-end, desperation is born, and that desperation is what fuels the entire scam ecosystem.

The Systemic Funnel for Fraud

The moment Tony searched for help, he was already targeted. The “customer support” number that put him in touch with an actual human being came by way of a sponsored Google ad—a fraudulent post served up by the search engine itself because someone paid them to do it. 

This is the “system” at work: No human-assisted support + sponsored search ads = a dragnet for scammers.

The scammers know that when a heavy user like Tony loses his community, his special interest page, and his memories, he will be willing to comply with nearly any request to recover it. This willingness to ignore the risks and trust is precisely what scammers exploit. 

There’s another factor with older adults, which is a corollary of trust, and that’s manners. Both these traits—inherent trust and ingrained politeness—are markers for exploitability. Scammers exploit the fact that most people are too nice to hang up on them. This isn’t biology; it’s social engineering coupled with scammer lead generation created by a general disregard for user safety on the large social platforms. 

The Anatomy of the Costly Transaction

The scammer on the line followed a standard, high-loss imposter blueprint. They asked him to verify himself by downloading a screen-sharing app and uploading photos of his driver’s license. The final step: a series of rapid financial trades. Tony lost nearly $5,000 in minutes.

The Necessary Paranoia

The responsibility for this epidemic falls squarely on the platforms that monetize user data yet refuse to provide a basic safety net. But the solution, as painful as it is, falls to the individual, because the ultimate takeaway from this story is that the golden rule does not exist online.

If you get an unexpected call, text, or pop-up, there’s one rule you follow: No matter who they claim to be, Meta, Amazon, or the FTC, if they ask you to download an app, share your ID, or send money to “protect” an account, you must hang up immediately. 

Be rude. Be paranoid. The financial security of your lifetime savings depends on your ability to reject the instinct to trust.

The Gold Bar Scam and the Secret Weapon Every Family Needs to Fight Fraud
https://joindeleteme.com/blog/the-gold-bar-scam-and-the-secret-weapon-every-family-needs-to-fight-fraud/
Tue, 30 Sep 2025 22:13:05 +0000

One of the most terrifying thoughts in the digital age is realizing that the detailed, digital version of you is out there—ready for criminals to piece together and exploit. And if a scammer opens an account in your name, the system is fundamentally broken: We’re still all living in a threatscape where victims of cybercrime are presumed guilty by “creditors” (new account fraud, account takeover, etc.) until proven innocent.

Tom O’Malley was this week’s guest on What the Hack? because he’s been fighting cybercrime since there was such a thing. Tom is a former federal prosecutor who traded chasing drug cartels for hunting cybercriminals, diving into the deepest swill of scams—from ham-fisted fraudsters to the bizarrely effective “gold bar scam.” In “3 Ways to Not Lose Everything,” Tom shares the practical, hard-won defense strategies he developed after his data was breached in one of the worst breaches ever.

Tom’s journey started with a breaking story on the news: his own top-secret clearance personnel file was stolen in the massive Office of Personnel Management hack of 2015. The OPM serves as the U.S. federal government’s human resources department. The 2015 breach compromised the sensitive personal and background investigation records of approximately 21.5 million people, including current, former, and prospective federal employees, contractors, their spouses, and family members. Those records included information like SSNs, fingerprints, and detailed security clearance forms.

Because of Tom’s work with organized crime and drug enforcement, his file contained incredibly sensitive, personal data. The government’s solution at the time: offering free credit monitoring for a few years. Tom was underwhelmed.

Relying solely on credit monitoring is, he said, “like having a burglar alarm in your house and not locking the doors and then you just get alerted the fact that stuff has been taken from your house and you may never get it back. You need to lock it.” Credit monitoring, in essence, is a notification system; it tells you after a new account has been opened in your name. It doesn’t prevent the crime from happening in the first place.

This fundamental flaw is what drove Tom to action. He knew better tools existed to protect himself, and he wanted to make them widely accessible. That was the impetus behind Frozen Pie, a website that provided direct links to the credit bureau pages where individuals could freeze their credit for free, thus bypassing the expensive upsells for monitoring services. A credit freeze, unlike monitoring, is a proactive lock on your financial identity, preventing new lines of credit from being opened in your name. It’s the most powerful defense against new account identity theft.

In the new economy of fraud, the first step to almost any scam is the scammer making contact. To fight sophisticated schemes like the Gold Bar Scam—where criminals panic victims into buying gold bars for “government” couriers—the core advice is simple: Don’t answer the phone if it’s not someone in your contact list.

If a call is truly important, they’ll leave a voicemail. The same goes for unexpected texts: Never click a link you weren’t expecting or reply to messages asking to “unsubscribe” or “delete,” as this only confirms your number is active. Government agencies and banks do not make the kind of urgent requests scammers employ. Breaking the initial connection is key to defending against fraud.

The threat of losing generational wealth impacts entire families, and as AI makes imposter scams more convincing, from voice clones to deepfake calls, a multi-layered, family-wide defense is critical.

The ultimate advice, especially for protecting vulnerable family members, is for every family to establish a safe word.

Imagine a scammer uses AI to clone a family member’s voice, calling with an urgent plea for money. Instead of an immediate, instinctual response to help, the only defense needed is: “What’s the safe word?” If the caller doesn’t know it, it’s a scam. 

Final Thoughts: Lock Down Your Life

You can dramatically reduce your “attack surface” by constantly thinking about security. Establish clear communication protocols with the people closest to you, and lock down your digital life with a credit freeze and a family safe word. It’s not just about protecting your assets; it’s about preserving your peace of mind and generational well-being.

A quick favor: What the Hack? was nominated for a Signal Award in the Thought Leadership category! Help us win by voting. (You are required to enter an email address. Privacy Pro Tip: Use DeleteMe email masking if you don’t want to share your real email address.)

The Good, the Bad and the Brokered
https://joindeleteme.com/blog/the-good-the-bad-and-the-brokered/
Wed, 24 Sep 2025 21:12:24 +0000

“People have lost their lives because their data is available to their abuser.” This stark statement from Identity Theft Resource Center CEO Eva Casey-Velasquez cuts through the sanitized frames we’re used to seeing about “online privacy” and gets to the real issue when it comes to public-facing personal data online: It jeopardizes personal safety.

While professional athletes and high-profile judges go to considerable lengths to have their personal information scrubbed from the internet, most people are exposed to some extent, and the frass from our digital lives—our clicks, our purchases, our locations—fuels an industry many people don’t even know exists: namely, the data broker business.

Velasquez joined me this week to peel back the various considerations that are top-of-mind for her when it comes to online data, big data, and our data (she’s careful to make distinctions), revealing a complex ecosystem where we can be helped by one company while another collects, packages, and sells our most intimate digital details to the highest bidder. 

The conversation on this week’s episode went beyond the typical warnings about hackers and scams to explore the uncomfortable truth that not all data brokers are equal.

The Wild West of Our Personal Data

The firms that traffic in our information come in many forms, but collectively, they’ve built a multi-billion-dollar industry on a simple premise: use everything we do online, from our loyalty card swipes to our search history and even our physical location, as grist for their marketing mills. 

All this data is collected by companies that aren’t exactly household names. Stitched together in various ways for a variety of use cases, a detailed and salable portrait of who you are, what you like, and—to malicious actors—when you’re most vulnerable is then converted into scalable businesses. 

So while it used to be that identity thieves Dumpster-dived for discarded documents (and that still happens), the true scale of modern data-related crime is largely digital. 

Navigating the spectrum

Velasquez argues that the business of our personal information exists on a spectrum. The “ugly” end of it is obvious: sites that publish home addresses and other sensitive information, creating a ready-made dossier for stalkers, abusers, and other malicious actors. These uses, she argues, should be banned outright, and in the meantime consumers should take evasive measures.

Then there’s the “bad”: companies like Meta and Google, which collect vast amounts of granular data to sell to advertisers. While this is not an immediate threat to personal safety, it can become one, and regardless, it is exploitative.

As for the “good,” Velasquez pointed to the legitimate and beneficial role our data can play in fraud detection.

Regulation and Individual Action

The current situation is a kind of digital Wild West, where a lack of strong, enforceable regulations allows unscrupulous players to thrive. Even when fines are issued, they’re often absorbed as a mere cost of doing business for larger companies.

Any lasting solution will need to be nuanced, but in the meantime, the burden of protection falls on the individual. But what should you do about the kinds of fraud that public-facing personal details make possible in the here and now? 

Velasquez offered some sage advice:

  • If you didn’t initiate the contact, don’t engage. This simple rule can prevent many scams from getting off the ground.
  • Use multifactor authentication (MFA) on all accounts. The best option is a physical security key, which is virtually unhackable remotely.
  • Freeze your credit. This is a powerful, proactive step to prevent thieves from opening new accounts in your name.

Ultimately, protecting our digital identity is a two-front war. It requires stronger regulation and enforcement on the industry side, but it also demands that we, as consumers, become more vigilant. Our data is everywhere, and it’s up to us to understand the risks and take action to ensure that our digital lives remain our own.

Scammer-Facing False Positives: When Hackers Mess Up
https://joindeleteme.com/blog/the-wrong-dan-sturman-when-hackers-mess-up/
Wed, 17 Sep 2025 14:09:09 +0000

Every click, every search, every post leaves a trace. Every week on “What the Hack” we explore what to do about that.

This week’s episode features Academy Award-winning filmmaker Dan Sturman and an imperfect storm of mistaken identity, amateurish social engineering, and the real-world effects of your data being out there for anyone to grab.

This story begins with two people named Dan Sturman, one with enemies and one without, and it ends with the wrong Dan Sturman being targeted by hackers. It’s a classic false positive, where an online result seems to match a person but is actually a misidentification. In the world of personal data removal, we see it all the time.

What’s In an Email Address?

Dan Sturman’s story is a cautionary tale about digital visibility. He’s a guy who, thanks to a very sweet early-adopter friend, scored his own name as a Gmail address back in the mid-aughts, when the email service was still in beta mode: no numbers, just his name. And there’s something to the “I got here first” vibes of a one- or two-name handle. Otherwise hackers wouldn’t spend so much time trying to hijack them.

Well, that beautiful OG handle is exactly what put Dan Sturman in a hacker’s sights.

When hackers decided to go after the other Dan Sturman, the one with the big title at a well-known gaming company, they did what any hacker does: They Googled him. But the Dan Sturman who popped up, with his OG public-facing, early-adopter email (the kind of email address you’d expect from a tech-savvy dude), was the filmmaker.

And then these bad actors (emphasis on bad, read: inept) fell for what I’m going to call a scammer-facing false positive. Hackers and marketing people can have a similar feel, which was the case here. The first calls and emails were from real people doing real jobs making real offers—jet charters, investment opportunities. But the wrong Dan Sturman even got a call about a sapphire necklace that was ready for pickup at Tiffany’s. 

Then the messages took a turn for the darker. There were spoofed calls from his own sister’s number and texts threatening to go after his family. And just like that, Dan Sturman the filmmaker was the unwitting stand-in for someone else’s enemies.

The Power of Social Engineering and Digital Obscurity

As our resident security guru, DeleteMe’s Reuben Moretz, explained, this is a classic case of attackers who were not very good at their “job” using a form of mimicry to build trust so they could then effectively strike their victim, which brings us to the most important part of the story.

While Dan the filmmaker was out in the open, the other Dan Sturman was a digital cipher. It’s impossible to find his email, his phone number, or his address. My experience (and presumably that of his would-be attackers) began to make more sense when Dan Sturman the filmmaker reached out to Dan Sturman the tech guy’s company: Three of their executives had been swatted, but the other Dan wasn’t a target of the threats. 

The reason: His personal information wasn’t online, and as I heard the other Dan Sturman tell his story, I had a not-so-sneaking suspicion this was no accident. Dan Sturman the Ghost was hard to find in a way that doesn’t happen by chance. It’s the product of a ton of vigilant work, or a subscription to an effective service.

So what’s the takeaway here? Visibility has its costs, but so does obscurity. If you disappear completely, you can’t control your own story. But if you’re too visible, you become a potential stand-in, a false positive for someone else’s problems. The only real defense is to be aware. To watch your alerts, to trust your gut when a call seems off, and to remember that the most powerful tool you have sometimes is just knowing when not to click or to hang up or not pick up at all.

Stay safe out there, and let’s keep fighting the good fight.

Take Control

While it’s impossible to completely disappear from the internet, you can take steps to manage your digital footprint:

  • Audit your online presence: Search for your name on Google and other search engines to see what’s publicly available.
  • Adjust privacy settings: On social media and other accounts, review and tighten your privacy settings to limit who can see your information.
  • Use strong, unique passwords: A password manager can help you create and store complex passwords for all your accounts.
  • Be mindful of what you share: Before posting, consider if the information could be used against you.
  • Remove unwanted data: Services like DeleteMe specialize in removing your personal information from data brokers, helping you regain some control over your digital identity.

By understanding how your data is collected and used, you can make more informed decisions and protect yourself in the digital world.
