Beau Friedlander – JoinDeleteMe
https://joindeleteme.com
Tue, 09 Sep 2025 18:13:49 +0000

Unmasking the “Privacy Paradox” with Vermont Attorney General Charity Clark

https://joindeleteme.com/blog/privacy-paradox-with-vt-ag/
Tue, 09 Sep 2025 18:07:20 +0000

Ever feel like your life is an open book that you didn’t write? In a digital marketplace where “post-privacy” is marketed as the new normal, it’s easy to feel like the battle for privacy is already lost. Vermont Attorney General Charity Clark doesn’t buy that for a minute, and she’s fighting to reclaim it as a fundamental right in her state.

Clark is one of the fiercest lawmakers in the nation when it comes to our collective digital dignity, and she joined us this week to talk about that.

Why Your Data Matters

Attorney General Clark laid out two core reasons you should care about data privacy. First, it’s arguably a foundational right. The Constitution protects your reasonable expectation of privacy, which, again, arguably, includes the freedom from surveillance. The second reason is more practical. Whether we’re talking about health records or location history, your data is a goldmine for scammers and criminals.

Highlighting how our information is easily re-purposed in the commission of identity theft, scams, and extortion, Clark is not just floating some abstract idea: Our personal information makes us vulnerable. 

Swagger Eats Ethics for Breakfast

The conversation veered into some wild territory, starting with Attorney General Clark’s view of the current administration’s hiring practices. Focusing on a Trump Administration hire who wasn’t even Googled before being given access to highly sensitive data, Clark calls best practices into question.

“The average person knows you don’t even go on a date with someone until you Google them,” she quipped. This “swagger,” as Clark calls it, is a dangerous component in the rapid evolution of technology like cryptocurrency and AI, where the drive for innovation and market dominance often eclipses ethical considerations. 

The disregard for privacy goes hand in glove with the above tendency, extending to the bizarre world of meme coins and beyond.

AI and Deepfakes

Clark thinks the biggest threat to our privacy may be the runaway train that is artificial intelligence. The technology is advancing so fast that it’s outpacing legislation in a crony-driven environment where a 10-year ban on state-level AI regulation was buried in a recent federal statute–and thankfully scuttled before that bill was signed into law.

Clark pointed to Europe’s proactive “AI Act” as a potential model, noting that their historical and political experiences have fostered a greater emphasis on data privacy.

Under her leadership, Vermont is looking to expand revenge porn statutes to include AI-generated deepfakes. 

Enter the shadow of AI chatbots and romance scams: “the romance scam using AI chatbots is a deadly combination and it is coming,” Clark warned. “You know, the idea that I could literally be living my life, making a sandwich, doing whatever I want…[and] my evil AI bots could be romancing victims by the thousands.”

The Kids Aren’t Alright 

We also talked about the privacy of children. A significant privacy paradox is that parents consent to data collection through school-mandated educational technology (EdTech) apps.

“Violation of privacy has been so normalized that people think they’re being like a Karen if they say, ‘No, I don’t want that information shared about my kid,'” Clark pointed out. 

Collective Responsibility

Our privacy is at risk, and we’re all complicit. Through our online behavior and willingness to share information, we participate in the erosion of our own privacy. The couple caught on the Jumbotron at that Coldplay concert we talked about a few episodes ago provides a perfect example: they weren’t identified by a big corporation or the government, but by fellow citizens using publicly available data. We have all become participants in a culture of mutual surveillance.

Attorney General Clark is not without hope. She believes a shift in awareness is possible. She advocates for a society where individuals can experience freedom without ambient surveillance, where private companies are held to the same standards we expect of our government, and where “minding your own business” is not just a quaint Yankee notion but a protected right.

Ep 215: They Targeted His Mom, He Went Full CIA

https://joindeleteme.com/blog/they-targeted-his-mom-he-went-full-cia/
Wed, 03 Sep 2025 15:13:44 +0000

This week’s episode of “What the Hack?” explores the global rise of scams targeting older adults. Guest Ken Westbrook, a 33-year veteran of the CIA and founder of the Stop Scams Alliance, shares a personal story of a tech support scam that cost the bulk of his 83-year-old mother’s life savings.

In the wake of this scam, Westbrook launched an executive-level investigation into the true scope of cybercrime worldwide, revealing that these “isolated events” are part of something much bigger—a national security crisis.

The New World War is Financial

According to Westbrook’s research, scams hit an estimated 21 million Americans annually with a staggering 57,000 people per day affected. These aren’t just small-time crimes. Transnational criminal syndicates operating from organized compounds in Southeast Asia are waging war on Americans. 

Westbrook related a story about a Chinese crime boss who was heard leading his workers in a chant: “Cripple the economies of the U.S. and Europe. This is World War III.” 

The sheer volume of attacks and the immense financial scale pose a direct threat to the U.S. economy.

Data from organizations like the FBI and FTC show that the losses, while often underreported, amount to billions of dollars annually. A recent study by the Common Sense Institute estimated that financial fraud in a single U.S. state, when both reported and unreported losses are considered, could result in billions of dollars in lost GDP and thousands of jobs. At a fundamental level, these losses could present a problem for governmental management of public resources and the maintenance of economic stability.

Also discussed in this episode: the ubiquitous “overdue toll” text message scam. While they seem like a minor annoyance, these smishing attacks are part of a massive smishing scam linked to Chinese cybercriminals managing the more than 60,000 web domains used to send these texts.

Follow the money

The money pilfered in these attacks isn’t going into showy cars and watches, or at least not exclusively. According to Westbrook, the proceeds are also being used to fund serious global threats, including human trafficking and drug cartels producing fentanyl. In a recent episode we talked about the fact that as much as half of North Korea’s missile program is funded by cryptocurrency scams.

So why is this such an “American” problem? Westbrook believes the U.S. has become the “softest target” for these criminals because of lax government response. Unlike the UK and Australia, which have centralized, national anti-cybercrime strategies (and have seen a decrease in fraud as a result), the U.S. response remains fragmented. He advocates for a systemic approach, including the appointment of a dedicated leader to coordinate efforts and

What can you do? 

Turns out, there’s a lot you can do. By understanding the common red flags indicating cyber shenanigans—the sense of panic, the urgency, and unusual payment methods—we can protect ourselves. And then there are the proactive measures you can take, like using a data removal service like DeleteMe, which may reduce your need to verify unexpected communications, click on fishy links or call numbers quick or else.

Westbrook has a vital wake-up call for us all: vigilance isn’t just about protecting your wallet; it’s about safeguarding your community and fighting back against a global threat by staying informed and sharing what you know about staying safe.

DEF CON Redux with Rachel Tobac!

https://joindeleteme.com/blog/def-con-redux-with-rachel-tobac/
Tue, 26 Aug 2025 22:34:56 +0000

This Week on “What the Hack?”

If You Have to Ask What a Penetration Test Is, You’re Probably Not Ready for One.  

The simplest trick in a hacker’s playbook is asking nicely. This week we double down with our second installment focused on the most basic method of cyber attack: Social engineering. 

As social engineer and SocialProof Security CEO Rachel Tobac explained to me at DEF CON, the most effective attacks are often focused on tricking people into an exploitable trust situation. 

The human element is often the attack vector because it reliably yields security vulnerabilities. So you’d think that’s something you want to test for at your company, right? 

According to Tobac, most organizations that ask for a penetration test aren’t prepared for this kind of attack, and in her work she routinely turns down requests because a pen test against an unprepared organization is often demoralizing, and usually a waste of time and money. As with all tests, her theory is that it’s best to take the class first, study, and then see how you do.

All Too Human

When it comes to things cyber, the most effective attacks exploit human nature. The Social Engineering Community Village at DEF CON is the proving ground for this cybersecurity home truth. Gamifying the process, contestants enter a soundproof booth and call real companies to get real sensitive information in real time. The goal isn’t to be mean or threatening; it’s to provide proof of concept that the human vector is real, and that there is a solution.

This is all about learning by doing. Social engineers, attackers, and pen testers build rapport quickly, using small details to create a convincing story. The approach is informed by hours spent scouring public information—from social media profiles to data broker sites—to find clues to start a conversation, connect and download information. A seemingly harmless detail found online could be the key to a physical breach.

As Tobac explains, attackers know that even the most secure companies can be breached with the help of a well-placed phone call or a friendly voice.

The Art of Target Hardening

Q: If a pen test isn’t the first step, what is? A: Target hardening.

Before Tobac ever attempts to hack a company, she works with them for months, and sometimes even a year, to update their security protocols. This isn’t a top-down mandate; it’s a collaborative process. Tobac runs workshops where frontline teams, like the IT help desk, are empowered to create their own identity verification procedures. By giving them ownership of the process, they’re more likely to follow it and feel confident in their ability to stop an attack. This approach ensures that a company’s defenses are built from the ground up, making the entire organization a much tougher target. When a pen test finally happens, it’s not a demoralizing, 30-second failure; it’s a meaningful exercise that tests a team that is ready to defend itself.

This layered, inside-out approach makes companies stronger before she ever tries to break in. But even the best in-house processes can’t erase the fact that employees’ personal details (phone numbers, home addresses, favorite movies, recent vacations) are shared across the internet, waiting to be exploited in a social-engineering attack.

The First Step Is Data Removal

One of the easiest ways to harden your company is to make it an annoying target. Attackers want the path of least resistance. If your information is hard to find, they’ll just move on to the next target that has its data readily available. 

This is where a digital footprint cleanup comes in. You can start by manually removing your information from data broker sites, or you can use a service like DeleteMe to do the work for you. Proactively removing this information is the first and most crucial step in making yourself less of a target.

Whether you’re a company or an individual, don’t wait to be hacked to realize you were never ready. Build resilience. Focus on preparing your team, strengthening your protocols, and cleaning up your public data first. A strong defense isn’t built in a day; it’s built one smart step at a time.

A pen test shouldn’t be the first step in security. It should be the final exam. The real work happens long before. By the time the test comes, the goal isn’t to catch you off guard, it’s to prove you’ve already made yourself harder to hit. 

Forget Code: These Teens Are Hacking Minds

https://joindeleteme.com/blog/forget-code-these-teens-are-hacking-minds/
Wed, 20 Aug 2025 15:07:47 +0000

The ultimate cybersecurity wake-up call

At DEFCON 33, the world’s biggest hacking conference, I saw a scene you may not picture when you think of a hacker convention: average-looking humans (some of them wearing costumes) in competition with each other. The goal: to trick real companies into giving away sensitive information without writing a single line of code. 

Maybe you think of teenagers first. Many people do, and that’s because many hackers started their careers in parent-sponsored (as opposed to state-sponsored) settings: a messy bedroom, a basement play area, an attic.

This year, DeleteMe was sponsoring the Social Engineering Community Village at DEFCON, and I was excited to have a front row seat. But I wasn’t prepared to see teenagers barely old enough to vote among the contestants’ ranks. These hackers weren’t engaged in credential stuffing or cracking passwords. There was no malware. They were picking up phones in a soundproof booth, calling real employees at real companies, and convincing them to share details that could later be used to break into a system. No code required. Just confidence, psychology, and the right script. 

Watching them at work underscored an old truth in the realm of cybersecurity: the human element is still the biggest vulnerability any of us face.

Teenagers at a hacker convention was novel, but their presence underscored an important situation. If skilled communicators can talk their way into getting information that can be used to hack an established company with cybersecurity protocols and systems, then nothing is safe. 

One participant–not one of the teenagers, but not an oldster either–explained his strategy bluntly: He called businesses in the South because, in his words, “people there are nicer and will stay on the line.” It worked. He got further into conversations simply by exploiting cultural psychology.

That moment stuck with me. It was all about people. And it reminded me that threat actors succeed because humans, under pressure or distracted, tend to react instead of responding to stimuli.

Psychology scales faster than technology

Security teams globally spend billions of dollars on firewalls, intrusion detection, and AI defenses. 

But all it takes is one phone call to a helpful employee willing to share something about the way a company does business, and the whole system unravels. Threat actors know this fact well. 

They don’t need to out-code your company’s engineers. They just need to get someone who works there talking long enough to build trust. 

As I watched those teenagers, I gained a new appreciation for just how fast these skills can be learned and weaponized. 

What happened in that soundproof booth is happening right now in offices, customer service departments, via LinkedIn DM, and in your inbox. In the weird world of social engineering, the helpful IT tech and the frustrated CEO are straight out of central casting. Ditto the IT compliance officer who just needs to “confirm a few details.” 

Human vulnerability is universal. If a teenager can exploit it under pressure in front of an audience, so can a criminal who has all the time in the world. 

Awareness is everything. The moment you see how easy it is for a threat actor to extract and weaponize something as seemingly trivial as the waste management service used at a company, you can’t unsee it. You realize how data points are like so many breadcrumbs guiding threat actors in the commission of crime, one that could be an extinction-level cybersecurity failure. 

And that realization—that human trust can be hacked more readily than any machine—is the first step in protecting yourself.
