Huh, That’s Cool · interactive

How Scams Got Scary Good

The con got an AI upgrade — the broken English is gone, the voice is your daughter's, the login page is pixel-perfect. The advice you were raised on is quietly failing. Here's the one thing that still works.

Your phone rings. The screen says it's your bank. The woman on the line is calm, professional, and a little apologetic. She knows your name, the last four digits of your card, and the coffee shop where your card was just used three minutes ago — which is strange, because you've been home all evening. Someone, she says, is draining your account right now. She's going to help you move your money somewhere safe.

There is no accent to notice. No grammar to second-guess. No misspelling, no "Dear Valued Costumer," no padlock to squint at. Everything your whole life taught you to look for is simply... not there.

That absence is the most important thing happening in modern fraud, and almost nobody is talking about it. We were handed a folk wisdom — look for the typo, check for the padlock, trust your gut — and then, very quietly, the ground underneath it gave way. This is the story of how that happened, and what you can stand on instead.

A warning before we start: this is a fire drill, not a haunted house. The goal isn't to scare you into never answering the phone. It's the opposite — to hand you a small set of reflexes so reliable that you can stay calm when the call comes. Because it will, and you are smarter than you think, and that won't be enough on its own. None of this is your fault. Let's get you some armor.

Part 1The tells were a gift — and they're gone

For thirty years, scams announced themselves. The Nigerian prince with his fortune in escrow. The lottery you didn't enter. The bank email riddled with capital letters in the wrong places and a link that went somewhere ending in `.ru`. They were clumsy on purpose and clumsy by accident, and we built our defenses on that clumsiness.

A split panel. On the left, labelled THEN: an old-fashioned scammer with a fishhook and a typo-filled note reading “Deer freind, I am a prinse — send moneys!” On the right, labelled NOW: a modern scammer beside an AI rig (a deepfake mask, a phone, a padlock) saying flawlessly, “Hi Mom, it's me — I'm in trouble and need your help right now.”
Same con, new tools. The bait that used to give itself away doesn't anymore.

Here's the uncomfortable thing about the bad grammar: it was never the point of the scam. It was a side effect — a tell, leaking out of an operation that couldn't afford good copywriters and didn't need them. The actual machinery of the con was always underneath. The typos were just the part that happened to stick out where you could see it.

And now they don't stick out anymore. A language model writes a flawless, personalized email in the time it takes to read this sentence.8 Even a short clip of someone talking — a voicemail greeting, a few seconds lifted from a TikTok — can be enough for today's tools to do a passable imitation of their voice.6 The lookalike login page is a pixel-perfect copy, padlock and all. The misspelling didn't get fixed; the entire category of "surface tell" got deleted.

A worried figure holds a book labelled “the old rules” and faces two pieces of advice struck through in red: “Look for the typo” (captioned “AI writes flawless English now”) and “Check for the padlock” (captioned “about half of scam sites show one too”).
We built our defenses on the clumsiness. The clumsiness is gone.

“Come on — this is fear-mongering. AI scams are a rounding error next to the regular kind.”

Good — hold onto that skepticism, because it's half right, and the honest version of this essay needs it. Here's the scope, stated plainly: no regulator on Earth publishes a number for "AI scam losses," because the dollars are still tracked by the con, not the tool.5 The biggest piles of money don't vanish to robot voices at all. They go to patient investment and romance scams — the single biggest category of reported losses — run by human crews, even if AI is increasingly part of their toolkit too.3 AI hasn't invented a new kind of fraud. It has made every old kind cheaper to run and harder to spot — it's a new paintbrush, not a new painting. So no, the sky isn't falling. But the floor — the set of tells you were standing on — really is gone, and that's worth understanding before the bill comes due.

And the bills are not small. In 2024, Americans reported more than $12.5 billion in losses to fraud to the FTC alone1 — and that's only what people admitted to a government agency; most fraud is never reported at all. The FBI, counting through a different door and in a way you can't simply add to the FTC's, logged over $16 billion the same year.2

Part 2The new playbook

Walk through the modern kit and you'll notice something: it's the same five or six plays in different costumes.

A board titled “The Modern Playbook” with five plays and icons: Voice clone (“Grandma, I'm in jail”), Deepfake (the fake-CFO video call), Pig-butchering (slow romance, fake trading app), Phishing (“your package is held”), and Takeover (“move it to a safe account”).
Different costumes, one engine — and the biggest losses aren't the robot voices.

There's the voice clone: the grandchild who calls from jail, crying, needing bail money before dawn — except it isn't the grandchild, it's a few seconds of their voice run through software.6 There's the deepfake video call, which sounds like science fiction until you learn that in early 2024 a finance worker at the engineering firm Arup joined a video meeting with his CFO and several colleagues, and wired about $25 million on their instructions. According to Hong Kong police, every other person on that call was a digital fake.7

There's pig-butchering — the ugly industry name for a slow romance or friendship that blooms over weeks, drifts toward a "can't-miss" crypto opportunity, shows you real-looking gains on a fake trading app, even lets you withdraw a little to prove it's real, and then takes everything. There's phishing and its text-message cousin: the held package, the unpaid toll, the lookalike web address where a `paypa1` wears a number where the letter should be. And there's the account-takeover call from the start of this essay — the spoofed bank number, the "move your money to a safe account," the request to read back the code that was just texted to you.

Try the first one yourself. Here's an email of the kind that lands in millions of inboxes. Tap anything that looks off to you — and notice what you reach for.

This lands in your inbox. Tap anything that looks off — and notice what you reach for.

Email⚠ SIMULATION
FromPayPal Service
Subject
Toyou

We noticed unusual sign-in activity on your account. or your account will be permanently closed.

When in doubt, don't tap anything. Open a new tab and type the address in yourself.

A safe, fake example. Nothing here is real — it cannot send, charge, or log in.

0 of 5 red flags found
You found all four — and notice that <strong>none of them were typos.</strong> They were structure: a faked sender, manufactured urgency, a disguised link, a button that wants you to act now. That's the shape that doesn't change, no matter how polished the words get.

“Fine, but everyone knows only naive or elderly people actually fall for these.”

This is the most comforting myth in the whole subject, and it's wrong in a way the data is blunt about. Younger adults — people in their twenties — report losing money to fraud more often than people over seventy.4 (When older people are caught, they tend to lose more per incident, which is its own tragedy.) The reason smart people fall is that these scripts aren't aimed at your intelligence at all. They're engineered to overwhelm it — to hit you with panic and a ticking clock so that you act before you can stop and think. Sophistication is no armor against a manufactured emergency; the con is built precisely to make sure you never get to use the careful part of your mind. That's also why the defenses at the end of this essay are reflexes, not judgment calls: they have to be decided in advance, while you're calm, because in the moment you won't be.

Part 3Stop reading the costume. Learn the shape.

So if the surface tells are gone, and the scammers are good, and even sharp people get taken — is the lesson just "be afraid"? No. The lesson is that we were looking at the wrong layer the whole time.

Here is the most important claim in this essay. Strip away the typos, the accent, the cheap logo — strip away every surface detail AI can now perfect — and underneath, every scam has the same skeleton. It has to, because the con can't function without it.

A flowchart of three connected boxes: “1. Unexpected contact — they reach out to you, on a channel they chose” → “2. Urgency or secrecy — act now · tell no one · don't hang up” → “3. The ask — money, codes, or access, or ‘move to a new app’.”
Strip away the costume and every scam has the same skeleton. The con can't work without it.

An unexpected contact, arriving on a channel they chose, not you. A manufactured urgency or secrecy — act now, don't tell anyone, stay on the line. And an ask: for money, for a code, for access to your screen, or to move the conversation onto some new app where the rules are theirs. That's it. That's the shape.

The consumer-protection people have known this for years. The FTC boils every scam down to four signals: a scammer pretends to be someone you trust; says there's a problem or a prize; pressures you to act right now; and tells you to pay in a specific, irreversible way — gift cards, wire transfer, crypto.9 Notice what's not on that list. "Has a typo." "Looks unprofessional." Those were never the load-bearing beams. They were just the paint.

Here's why this matters so much right now: the paint is exactly what AI improves, and the skeleton is exactly what it can't touch. A scammer who doesn't contact you out of the blue, doesn't rush you, and doesn't ask for money or codes isn't running a more sophisticated scam. They're not running a scam at all. And that's also why this advice won't go stale in a year: the costume gets a new coat of paint every season, but the skeleton can't change, because the moment a con drops the pressure or the irreversible ask, it stops making money. Learn to see the structure, and the quality of the costume stops mattering.

One clarification, because it matters: this does not mean every urgent message is a scam. Your kid really might be stranded somewhere. It means that unexpected urgency, from an unexpected contact, pushing you toward an immediate, irreversible payment, is the shape to recognize. A real emergency survives a sixty-second pause to hang up and call back. A scam almost never does.

And the hardest case for all of this is the slowest one. Pig-butchering doesn't feel like a scam, because it's engineered not to: the wrong-number text that turns into a friendly chat, the chat that becomes weeks of warmth, the new friend who just happens to be doing well on a crypto app and offers to show you how. By the time anyone mentions money, the "unexpected contact" feels like your closest confidant and the "urgency" is dressed up as opportunity. So the recognition has to move to the front of the story: the flag was never the eventual ask — it was the very first beam, the unsolicited message from a stranger that started the whole thing. The durable rule is blunt: never put money into an investment that someone who contacted you introduced you to, no matter how long you've known them or how real the gains look on the screen. The shape is still there. It's just stretched across two months instead of two minutes.

Try it again — but this time, watch for the shape, not the spelling.

Now a text message. The tells here aren't about spelling — watch for the shape.

Text message⚠ SIMULATION

USPS: We couldn't deliver your package — an unpaid fee of $1.99 is required to release it. or it will be returned.

Unexpected sender + a ticking clock + a tiny payment on a lookalike link. That's the shape — no typo required.

A safe, fake example. Nothing here is real — it cannot send, charge, or log in.

0 of 3 red flags found
Every flag was structural — an unknown number, a manufactured deadline, a lookalike address. You didn't spot a misspelling. You read the skeleton.

Part 4When there's nothing to spot

Let's push this all the way to the wall, because that's where you'll actually meet it.

First, the padlock. You were told a little lock icon meant a site was safe. It never meant that — it only ever meant the connection was encrypted, which is a different thing entirely. (We took a whole tour of this in another essay: the lock seals the envelope, but says nothing about who's waiting at the other end.) By 2018, roughly half of phishing sites already had that padlock, because anyone can get one for free.10 The lock is not a safety guarantee — it only means your connection to that site is private, not that the site is honest. The tell is the address bar.

You tapped a link and a familiar login page opens. Is it real? Tap what tells you.

Web browser⚠ SIMULATION

Sign in to continue to your account

Email: you@gmail.com

Password: ••••••••••

The lock and the logo can both be faked in minutes. The web address is the one thing they can't perfectly fake.

A safe, fake example. Nothing here is real — it cannot send, charge, or log in.

0 of 1 red flags found
The page was flawless — and beside the point. The only thing that mattered was the address bar, where “google” was just a word sitting in front of someone else's domain.

Now the hard one. Go back to that bank call. The caller ID says your bank because caller ID can be faked by anyone with the right software — it's a sticker, not a passport.13 The voice is calm and competent. The facts she has about you are real, bought cheap from a data breach. There is, genuinely, nothing on the surface to catch. No typo. No accent. No padlock. Nothing.

A ringing phone whose caller ID reads “YOUR BANK ✓” (captioned “spoofed — anyone can fake this”), with a speech bubble: “This is fraud protection. Your account is compromised — move your money to a safe account now, and read me the code we just texted.” A worried figure looks on. A red dashed box reads “the shape, lit up: an unexpected call · urgency, no time to think · asks for money + a code.”
No typo. No accent. No padlock to check. Nothing on the surface — but the shape is all here.

And yet — look what lights up the moment you stop reading the costume. An unexpected call. Urgency, no time to think. An ask for money and a code. The skeleton is glowing right through the perfect skin. You couldn't catch this one by spotting a flaw, because there isn't one. You catch it by recognizing the shape.

This is also where two things that feel like safety checks turn into the scam itself, so let's be honest about them. "Move your money to a safe account" is a sentence no real bank will ever say — if a caller says it, the call is a scam, full stop.12 And "read me the code we just texted" defeats your two-factor security, because the code is the second factor; reading it aloud hands it over in real time, and modern phishing kits can relay it to the real website while you're still talking.11 So the rule is small and absolute: never read a code to anyone, ever. Not to your bank, not to tech support, not to anyone who contacted you.

Here's the hard one — the call from the very start. There is no typo to find. Tap the red flags anyway.

Incoming call⚠ SIMULATION

“This is the fraud department.

“For your security,

“And

No typo, no accent, no padlock. Every red flag here is structural — which is exactly why it's the dangerous one.

A safe, fake example. Nothing here is real — it cannot send, charge, or log in.

0 of 4 red flags found
Nothing on the surface gave it away, because there was nothing on the surface. You caught it by the shape: an unexpected call, urgency and secrecy, an ask for money and a code. Hang up. Call back on the number on your card.

Part 5It shouldn't all be on you

Now, a fair objection, and the sharpest one in the whole subject:

“This is victim-blaming dressed up as education. You're teaching grandma to spot red flags while the banks, the phone companies, and the platforms — who actually have the power to stop this — get a pass. And the 'spot the scam' game is exactly the advice that's failing.”

This is correct, and it deserves a real answer, not a dodge. So: yes. The deepest fix for fraud is not in your hands, and pretending otherwise is a kind of blame-shifting. The phone companies' caller-ID authentication still doesn't cover calls handed off from overseas — which is where a lot of the spoofed ones originate. The banks could put far more friction in front of instant, irreversible transfers, and mostly don't. The platforms could pull the scam ads they profit from, and in the US — unlike the UK — no federal law yet requires them to. These are the people standing next to the river; you're just one person learning to swim.

A balance scale. On one side, “You” — a few reflexes, slowing down. On the other, “Banks · telecoms · platforms” — stop caller-ID spoofing, stop instant irreversible transfers, pull scam ads.
Recognition is your half. The other half belongs to the institutions with the real power — it's “and,” not “or.”

And this is starting to change by law, not goodwill. Since October 2024, UK banks have been required to refund most victims of bank-transfer scams — up to £85,000 a claim — which moves the loss off the individual and onto the institution better placed to prevent it.14 In its first year, the regulator reported about 88% of in-scope losses being paid back. That's a different model: not "be more careful," but "make the people with the power bear the cost." It's early, and the banks fought the details — but it's the right direction.

But here's why this isn't an either/or. That reform isn't finished, it isn't everywhere, and it won't be in time for the call you might get tonight. Recognition and regulation aren't rivals; they're the two halves of the same fix. You wear a seatbelt and you demand safer roads. So learn the shape — not because it's all on you, but because it's the half that's in your hands while the other half catches up.

And does learning it even work? Modestly, yes — and only if we teach the right thing. The research on "inoculation" — showing people the technique of a manipulation before they meet it — finds it measurably builds resistance, though most of that research is on spotting misinformation rather than holding firm on a high-pressure phone call, and the effect is moderate and fades if you never refresh it.15 It's a seatbelt, not a force field. Crucially, what doesn't travel is teaching specific costumes ("watch for the robotic voice") — that just breeds false confidence, so that when a costume you weren't trained on walks in, you wave it through. Which is the whole reason this essay is about the skeleton and not the skin.

Part 6You got an upgrade too

So here is your armor. Not a checklist of tells to memorize — those expire. A few reflexes, structural and durable, that work even when there's nothing to spot.

The first one is the master key, the single reflex that survives every upgrade: never act on the channel that contacted you. A call, a text, an email comes in asking you to do something urgent? Hang up. Don't call the number they gave you — call back on a number you already trust: the one printed on your card, on your statement, on the real website you typed in yourself. The scammer's whole advantage is the channel they control. Step off it, and the spell breaks. (One subtlety the slicker operations exploit: they can keep the line open after you think you've hung up, so the "bank" you dial is still them. If it's serious, call back from a different phone, or wait a couple of minutes and listen for a dial tone first.)

A determined figure shouts “HANG UP” in a burst bubble. A green arc sweeps from a red phone (“the call that came to YOU — their channel, don't trust it”) up and over to a green phone (“the number on your card — yours, already trusted”). The arc reads “verify on a channel YOU chose.”
The one reflex that survives every upgrade: never act on the channel that contacted you.

The rest of the kit is just as small. Agree on a family code word — a single private word, set in advance and kept off the internet, that a real loved one in trouble can produce and a cloned voice can't guess (and if it slips your mind in the panic, you still have the master key: hang up and call them back).16 Never read a code aloud to anyone who contacted you. And treat urgency itself as the tell: not "all urgency is a scam," but "an unexpected message pushing me to pay or act this second is the alarm." A real emergency survives a sixty-second pause to call back. A scam does not.

A confident figure beside four highlighted reflexes: “Hang up & call back,” “Agree a family code word,” “Never read a code aloud,” and “Slow down — urgency is the tell.”
Not a list of tells to memorize — those expire. A few reflexes that work when there's nothing to spot.

That's the upgrade — yours, this time. You don't have to win the arms race against the costumes; you'll always be one model behind. You just have to recognize the skeleton, and reach for one of four reflexes when you see it glowing.

The next time the phone rings and the calm, perfect voice tells you your money is in danger and there's no time to lose, you won't be hunting for a typo that isn't there. You'll hear the shape — unexpected, urgent, an ask — and you'll do the one thing the whole con is built to prevent.

You'll hang up. And you'll call back on a number you trust.

Footnotes & receipts

  1. $12.5 billion, FTC, 2024. Federal Trade Commission, "New FTC Data Show a Big Jump in Reported Losses to Fraud to $12.5 Billion in 2024" (Feb 2025), from Consumer Sentinel reports. These are reported losses only; the FTC notes most fraud is never reported, so the true figure is higher.
  2. $16+ billion, FBI, 2024. FBI Internet Crime Complaint Center (IC3) Annual Report, released April 2025. IC3 and FTC totals are compiled differently and overlap; they should not be added together.
  3. Investment scams are the largest category. Using the most recent year with a full category breakdown (2023): the FTC reported $4.6 billion in investment-scam losses, and the FBI's IC3 reported $3.94 billion in crypto-investment fraud — its single largest loss driver. "Pig-butchering" falls inside this category, and while these operations are human-run, they increasingly use AI for translation, scripting, and fake profiles.
  4. Younger adults report fraud more often. FTC Consumer Alert, "Think you know what the top scam of 2023 was?" (Feb 2024): adults in their 20s reported losing money to fraud more often than those 70+, though older victims reported larger median losses per incident. Self-reported data; reporting rates differ by age.
  5. No "AI fraud" dollar figure exists. No major regulator (FTC, FBI, UK PSR) breaks out AI-enabled fraud as a separate category, because losses are tracked by scam type (investment, imposter, etc.), not by the tools used.
  6. Voice cloning from seconds of audio. The widely-cited "few seconds" figure comes from a 2023 McAfee Labs blog post testing commercial cloning tools — a vendor source, not a peer-reviewed measurement; treat the exact threshold as illustrative. The underlying warning is official: FTC Consumer Alert, "Scammers use AI to enhance their family emergency schemes" (Mar 2023).
  7. The Arup deepfake, ~$25 million. The Guardian, "UK engineering firm Arup falls victim to £20m deepfake scam" (May 2024), confirmed by Hong Kong Police and by Arup. A finance employee wired ~HK$200 million (~US$25M) after a video call in which every other participant was an AI-generated fake.
  8. AI-written phishing. Security vendors including Proofpoint and Microsoft report that generative AI now produces grammatically flawless, personalized phishing at scale, undermining "spot the typo" advice. These are industry sources with a commercial interest; the volume attributable to AI is not independently quantified.
  9. The FTC's four signs. FTC, "How to Avoid a Scam" (consumer.ftc.gov): a scammer pretends to be someone you trust; says there's a problem or prize; pressures you to act immediately; and tells you to pay in a specific way (gift cards, wire, crypto, payment apps).
  10. The padlock is not safety. Brian Krebs, "Half of All Phishing Sites Now Have the Padlock" (Nov 2018), citing Anti-Phishing Working Group data; the share has only grown since. HTTPS means the connection is encrypted, not that the site is legitimate.
  11. Real-time code relay defeats 2FA. Microsoft (MSTIC) and CISA have documented adversary-in-the-middle phishing kits that relay one-time codes live. Passkeys / FIDO2 credentials resist this because they're cryptographically bound to the real domain (CISA; NIST SP 800-63B); adoption is not yet universal.
  12. "Move your money to a safe account." UK Finance states plainly that no genuine bank will ever ask you to transfer money to a "safe account"; the request is itself the scam.
  13. Caller ID can be faked. The FTC warns directly not to trust caller ID, as it can be spoofed. The FCC's STIR/SHAKEN framework (mandated for major US carriers since 2021) authenticates the originating carrier path, not the human caller, and gaps remain for calls routed through non-compliant or international gateways.
  14. UK reimbursement, £85,000. UK Payment Systems Regulator, Policy Statement PS24/7, effective 7 October 2024: banks must reimburse most victims of authorized push-payment scams over Faster Payments, up to £85,000 per claim (with a small optional excess, never for vulnerable consumers). In its first year the PSR reported ~88% (~£173m) of in-scope losses reimbursed.
  15. Inoculation works, modestly. Roozenbeek & van der Linden's "Bad News" studies (Palgrave Communications, 2019) and a YouTube prebunking trial (Science Advances, 2022) find that teaching manipulation techniques measurably increases resistance — with moderate effect sizes that decay without reinforcement, demonstrated mostly for misinformation rather than financial fraud.
  16. A family code word. Recommended by the FBI as a defense against AI voice-cloning (reported by Ars Technica, Dec 2024); the FTC's March 2023 guidance gives the functional equivalent — call the person back on a number you trust to verify.