When AI Polishes the Scam and People Search Delivers the Victim

This week’s episode of “What the Hack?” begins with a story about a lock installed by friends of the show’s producer Andrew Steven, that illustrates a profound problem we face in cybersecurity. Punch lists and outward appearance don’t work. 

The lock itself was installed correctly. The deadbolt engaged. But the bolt pocket wasn’t installed right–the manufacturers screws that were designed to secure the strike plate were missing and so ones that were too short were used instead. As a result, the lock seemed to be working, but the door could still be forced open with a good kick.

The point is you can’t always see a problem even though you’re looking right at it. And that’s because the vulnerability isn’t always the thing you see, but what you’re not seeing. It’s a “home truth,” as it were, when it comes to physical security features like door locks and alarms. It’s also true for the protections we put in place to protect our homes from digital predation. 

This Week on the Pod: Marc Raphael, CEO of 911 Cyber

Joining us this week on the pod: Marc Raphael, former fan of the pod and now super friend of the pod. Marc didn’t start out in the world of high-stakes digital defense and post-crime, financial claw-backs. Industrial engineering was his first passion, and he liked it specifically because it promised a life not being stuck working on a computer all day. But the computers found him anyway—first at Microsoft Xbox support and later at IBM.

Marc eventually built a career out of noticing the “missing strike plate” in our digital doorframes. He’d already witnessed account takeovers at scale. He’d seen identity management fail inside large organizations. But his most visceral lesson came when all that expertise failed to protect his own devices.

The 2 A.M.scene is straight out of a horror movie: Laptop screen glowing, Marc watched as the cursor on one of his home computers started moving on its own. Someone was in his system, extracting files while he watched–-paralyzed. Even for a tech professional, the feeling of violation was absolute. He had left a remote access tool open, the equivalent of an unlatched door. It was a cyber own-goal. The experience led to the formation of 911 Cyber, a service designed to help people who hit a solutions wall after a cyber incident.

Staying safe online has changed. The “tells” of pre-AI social engineering (bad grammar, awkward phrasing, clunky interfaces and obviously bad links) are quaint relics of a threatscape that leveled up long before you set up your first account on an LLM. Meanwhile, the threat lurking behind those “tells” remains persistent. So intuition doesn’t work anymore, because the messages no longer sound “off.” Our data is over-exposed online. 

As we discussed at length in this episode, generative AI has stripped many of those tells away.

And the problem isn’t just automation. It’s the level of messaging refinement that can be achieved by a non-native speaker of the target’s language. AI allows scammers to iterate fast and fine-tune relentlessly. 

Marc describes testing voice-to-voice tools that can replicate a person’s speech patterns using existing audio. Not perfectly, not magically—but well enough to make impersonation harder to dismiss and easier to believe. Bottom line: the old red flags don’t reliably show up anymore and the result is a threatscape that weaponizes familiarity. Things feel normal right up until they aren’t.

Here’s where the picture sharpens. AI improves the quality and believability of scams. People search sites and other data-related businesses improve the accuracy of who those scams reach.

Operating legally, today’s data brokers navigate a regulatory patchwork that hasn’t kept up with scale or consequences associated with the business of selling intel on individuals. We live in a world where aggregating public and semi-public information—addresses, phone numbers, relatives, purchase histories—create serious peril for people. Sure, it’s framed as marketing data, but to a criminal it’s lead gen.

People search means no technical hacking required. Just time, access and people skills. When your personal details are indexed on people-search sites, you lose the natural opacity that once protected you. That exposure becomes the missing strike plate in the doorframe.

Marc recounted a case-in-point involving a college student in the Netherlands who joined what she thought was a harmless WhatsApp group for concertgoers. Someone infiltrated the group posing as a fellow traveler and used it to sell fake tickets. Financial information was exploited. Money was taken. It didn’t require sophistication—just access and plausibility.

He also recounts cases that cross borders entirely: international blackmail schemes where victims have no meaningful recourse because enforcement stops at national boundaries. A woman in Kosovo being extorted by someone in the Philippines. Local police unable to help. No diplomatic pathway. No clean handoff.

The internet has no borders but many legal jurisdictions do and in that gap, exposure becomes risk. The more your information is available to see for anyone who cares to look, the more risk you face on a daily basis.

What You Can Do: Think Small. 

Compromise is no longer exceptional—it’s inevitable. The volume alone guarantees it. SIM farms, automated calling systems, and scam operations now work the way legitimate lead-by-the-pound sales teams do: high volume, low success rate, constant iteration.

But that doesn’t mean defense is pointless. Scammers are optimizing for efficiency. They want the easy win, which is much more likely when your personally identifiable information is widely available. It makes you cheap to target—zero-CAC line on a spreadsheet. When that data is removed, you introduce friction. You make yourself harder to find, harder to verify, and more expensive to go after.

Using a service like DeleteMe to remove your PII from data broker sites doesn’t make you invisible, but it makes you inconvenient. And in a system built on scale, inconvenience matters. You don’t need to be unhackable. You just need to stop being the easiest door to kick in on the block.

Security needs to be rethought as a habit of privacy. Marc’s nightmare at 2 A.M. wasn’t a failure of code; it was a failure of posture—an assumption that knowing the system was the same as being safe inside it. Reinforce the frame, not just the lock. Reduce what’s exposed. And remember: the real danger isn’t always what you see—it’s what’s already visible to someone else.