8:00 pm, Las Vegas
After a marathon day of window shopping, gazing at sea life, and savoring the tamer thrills of daytime Vegas, my wife and I peeled away from our vacationing companions. We had our sights set on the Strip, injecting ourselves into the main artery supplying the city's nocturnal heartbeat.
Vegas was uncharted territory for us. My wife had never set foot in the neon jungle, and my own last visit was before I could legally down a drink. Now, we were ready to dive into Sin City, practicing our own skeptical receptiveness, with eyes wide open, armed with at least the surface wisdom that the glitz and glamour are, by design, there to hack your mind (and your wallet).
We were on the Strip maybe sixty seconds, having just emerged from a tram funneling people in from some of the off-street hotels, when we hit first contact.
As we approached the escalator, two young women in full feathered Show Girl attire, dripping with Vegas glamour, caught sight of my tall, beautiful wife. They swarmed her with high-octane excitement, “Hey girl! I love your outfit! Come take a picture with us!”
I don’t think either of us was particularly naive as to where this was going, but all illusions were dispelled as one girl pulled my wife away to get into position, while the other took a moment to lean in and say: “We do these for tips, is that cool?”
It is a solid hustle. It is Vegas. It is grandiose - they’re grandiose - it’s a fun grandiose photo-op on the Vegas Strip. Most importantly, they single out the wife, ignore the husband as a disarming technique for the wife, and set the social trap for the husband:
Am I going to be the fun guy who snaps the photo, or am I the party pooper who tells the pair to kick rocks in front of a bunch of people?
“Yeah sure, it’s cool.”
Experienced onlookers may have chuckled to themselves at another pair of tourists falling for a street scam, but that wasn’t the moment.
Before agreeing, my wife and I exchanged a set of finely-tuned, barely perceptible, micro-reaction glances that have been forged over a decade of marriage. We’ve developed non-verbal ways of confirming opt-in before proceeding when we know we’re about to indulge in “pissing money away for fun”.
The exchange happens quickly, so as to appear to be in the moment, but offering the escape lever so denial is every bit as gracious and without causing a scene. Anyhow, this situation got the nod, and we became willing participants in the masquerade.
Now for the part we didn’t see coming.
After the photoshoot, it was time to tip. The “main” girl came over to chat with me, while my wife chatted with the other one.
“Cool, so yeah! Did those turn out ok? That was fun! How much you thinkin’?”
As I flipped through my cash, which I purposely keep smallest denomination first, I thumbed through a pair of five-dollar bills before it jumped to Jacksons.
“So like…”, she eyeballed, “…we usually do this for eighty…”
“Eighty?!”, I laughed- “that was like five minutes… we used my camera.”
“No, yeah, eighty. People pay that all the time.”
“Cool, but nah, look, y’all seem chill, so here’s way more than what I was expecting.” I slipped her a twenty.
Realizing now that inflation was the scam, I started to move past her, but she stepped back in front of me, dropping the money talk.
“That’s fine, can I at least show you something really quick on your phone?”
“On my phone?”
“Yeah, pull up vegas.com”
“Vegas.com?”
“Yeah, I wanna show you the show we perform in…”
Two things dawned on me in an instant. One, she was obviously trying to distract me. Two, she was using her Show Girl costume, complete with giant pink peacock feathers fanning out over her head and shoulders, as a visual blocker. My wife - I now assumed - was dealing with her own wall of plumes.
“Nah, I think I’m good…” I said as I started to move past once again, but she stepped in again.
“Ok, well see, her and I are technically separate.”
“Separate, huh…”
“Yeah, so can I at least get one for my friend?”
As I was thinking about my wife, likely getting the same treatment, I knew she didn’t have any cash on her. I imagined her conversation was going quite awkwardly.
I gave in, and slipped the girl a second twenty, but did so as I finally shunted past her to rescue my wife.
“Hey, can you give her a little cash too?” my wife asked, still in better spirits than I now was, then continued: “My CashApp isn’t working…”
My eyes must have betrayed how ‘Woah, App?’ I was in the moment, and she instantly realized something was amiss. I realized now exactly how these girls really do average $80 per interaction.
“Nope, I already gave this one forty.”
“But we’re separate!” the second, empty handed girl barked out.
“Yeah, well, your friend here has twenty bucks she claimed was for you, take it up with her.”
And where I was now finally expecting a scene, it was interesting how dialed in this ruse was. The moment they could tell that I was done done, they dropped the act and moved on.
Sim Theory - Exhibit #153,211
The irony of this story isn’t that it is true, or that it really happened to us/me. No, the true irony is that this situation happened last Thursday - a day before 2FA for Reality (Part 1) dropped, which was a day after I finished writing it and scheduled it. Did I mention my wife also helps proofread most of my work before it goes out, Part 1 included?
It took me longer than I care to admit realizing how comedically timed this was. While we were in Vegas, I even asked her: “Do you think it’s dumb for me to write a few articles like this?”, to which she replied, “Nah, I think it’s helpful to talk about these things.” I ultimately agreed.
I think the situation, complete with Las Vegas as the perfectly absurd, grandiose, shiny, deceptive parallel to the internet, as a living, breathing façade of reality, is the perfect backdrop for this topic.
On Risk
If we look at the Vegas situation under a bit more of a microscope, we can draw out a few risk calculations that make the story what it is. We were in the middle of a busy sidewalk, rather than a dark alley. We saw the ruse coming, and it is one of the more obvious ones on the Strip.
Wife and I both agreed to go along with the ruse for fun. While it sounds like $40 is a lot of money, it’s not when you consider most exhibits and museums in Vegas have some form of photo opportunity they later attempt to sell back to you for $60-$70 as a package deal, or $20 a pop, and we walked away with 6-8 photos.
Now, could it have gone sideways? Sure. Maybe I pull out my cash to tip and the girl snatches the wad and runs off or starts screaming that I’m robbing her. Maybe while she’s using her plumes to break my line of sight, my wife is getting mugged or being led away.
The point here is that there’s always an infinite number of ways things can go way off the rails, but that’s life. So, we start here: When indulging in the masquerade, online or otherwise, manage first your risk profile. What goes wrong if it goes sideways? How reversible is the move? Can you afford to walk away from whatever collateral is being asked?
We each have a part in managing our ongoing exposure within public and private spaces, and this is most amplified once we start to involve conversations with AI Agents.
The Power of Do Nothing
Think about how many anti-scam warnings include the word: Don’t.
"Don’t click on unknown links or attachments."
Common advice to avoid phishing and malware.
"Don’t share personal information over email or phone."
A critical warning for avoiding identity theft and impersonation scams.
"Don’t send money or gift cards to unknown people."
A standard tip in preventing financial fraud and scams, particularly romance and lottery scams.
"Don’t trust unsolicited requests for personal details."
Warns against social engineering tactics that rely on cold-calling or phishing emails.
So… just don’t, right? I have no doubt that I’d still be $40 richer if we would have politely said “Nah, thanks!” and kept walking.
In fact, that’s how we passively avoid everything from the guy at Costco asking how satisfied we are with our cable service, to the one that knocks on the door for a few minutes hoping to give you a great deal on solar, or the guy on the Strip that brazenly offered us “cocaine weed”.
But what about this infamous deep fake everyone talks about, where your phone rings and - it’s your grandson or your grandma on the other end and, they sound distraught - they’re in jail - they need your help right away.
Even in what seems like a time-sensitive, high-pressure situation, a “do nothing approach” is still viable, even if it feels counter-intuitive at the time.
Easier Said
Along that scale, from the easy to ignore salesperson to the hard to ignore person claiming to be your child, the more personalized it is, the more difficult it is to resist. This much is clear - but why?
One reason is that the more intimate a person is to you - the more targeted and personalized the situation appears to be - the more uncomfortable we feel with the prospect of waiting before we act.
But remember, unless the emergency is both clear and present - like a mugger with a gun in your face - there are few emergency situations which cannot stand to wait a couple of minutes while you confirm reality.
Examples:
Your “son” calls in a panic, claiming he’s just been arrested and needs bail money.
Do nothing. Ask specific questions instead: "Which county? Which jail? Who picked you up?" Scammers rarely have these details on hand.
Also, jail custody information is generally considered public record (at least in the U.S.). The level of accessibility and the methods for obtaining this information can vary by state and jurisdiction, but if you independently look up and call to verify, or, I don’t know, try calling your son back on a known good cell or work phone number, call his partner, etc., you will absolutely be able to triangulate within minutes whether it’s a scam or not.
You receive an email from your bank warning that your account has been compromised, urging you to click a link to resolve it immediately.
Do nothing. Don’t click. Instead, contact the bank or institution directly using a number from their official website. If you’re really worried, do this from an independent system, like a friend’s laptop. Scammers rely on you to act without thinking, so pressing pause is your best defense.
A loved one messages you urgently, needing money for an emergency.
Do nothing. Call them back. Verify their story through a secondary method. Even when it sounds like someone you know, take a moment to check; deepfake technology can manipulate voice and video. Call someone else you mutually know and who can physically cross-verify the situation in person.
These moments of hesitation and non-action create a critical space for reflection. Scammers thrive on urgency. They want you to do something immediately. But your greatest weapon is often inaction.
No Response Owed
As an extension to our ‘first, do nothing’ principle, we also have zero obligation to respond.
This one is also difficult in practice because it runs counter to general civility that’s engrained in us from an early age. These situations come to us, in almost all cases, as a prompt-response interaction - sales and scammers leverage this.
A common example I get a lot is the “accidental” text message from an unlisted number. It’ll say something like “Is there a traffic jam? Why haven’t you arrived yet!” or “Hi Robert it’s me, Cindy, from the conference.”, even though my name isn’t Robert, and I don’t know anyone named Cindy.
These scams bank on people being polite enough to respond with a “Sorry, you must have the wrong number” which is then followed up with a “Oh, sorry to bother you” and some kind of hook to keep you talking.
But being polite and responding at all is part of the trap, even if you resist the follow-up engagement attempts. Responding confirms that someone is on the other end for what was likely a robo-spam script blasted out to thousands of random numbers.
For the most part, if it’s a text or an email or otherwise some anonymous form of contact - I don’t even bother. Swipe, block, report. If it was real, they’ll just have to deal with the minor inconvenience of trying to get a hold of me some other way or through another person we mutually know. So far, a false-negative has only happened once over several decades of cell phones and email.
In person, this is a bit more difficult to do. Some of my friends have no problem just completely ignoring advances. I tend to say “no, I’m good, but thanks and have a great day” with a bright smile while avoiding eye-contact as I continue to walk past without breaking stride. Flipping a prompt-response with a closing response is a way to be cordial while letting them know it’s not worth the effort. “Have a great day” is usually a phrase that comes at the end of a transaction.
A note before we get to our final topic for Part 2
I apologize if all this SecOps talk feels like a derailment from the original discussion on dealing with AI-enhanced deep fake people and information online, but I couldn’t in good conscience skip personal security precisely because we’re dealing with an online space that sometimes wants to punch through that anonymous layer to convince you to take actions you’ll later regret, and often leveraging contact information you either willingly or unwillingly gave out.
Having bought ourselves some time through inaction, in many cases, we can probably just stop here and get on with our day.
But if you need to proceed, or if this is just you ‘being on the internet’ and not overtly targeted by some sort of social engineering, we can move on to reducing our exposure.
Reducing Your Online Exposure / Footprint
This is a topic that could itself be an entire post. Again, not a cybersecurity expert, but for this section I’m going to give you a name you’re definitely going to want to research, especially if you have children: Ryan Montgomery.
He has a YouTube channel and I recommend bookmarking this interview for later:
Ryan is a cybersecurity expert and what’s called a white-hat or ethical hacker. He uses his talents to expose bad people doing bad things, and conduct what’s called “pen tests” or penetration tests on organizations to help them see where they have vulnerabilities.
I came to find out on a different podcast that Ryan also runs a system called pentester (https://app.pentester.com/) which extends some of the vulnerability detection to the general public, and this is the final bit I wanted to mention in relation to reducing online exposure.
Understanding and reducing the amount of attribution we have hanging out on the internet is one of the best ways to reduce the ability for AI or human bad actors to “customize” social engineering situations for us. It’s also just a really good idea to see if your PII (Personally Identifiable Information) is circulating on the web so that you can proactively change passwords, turn off accounts, and otherwise anticipate potential attack vectors.
Authoring this article was a great reminder of this. I’m not sponsored by anyone but the small percentage of you who are paid subscribers, which reminds me -
- but I did sign up for an account on pentester and found it quite valuable (and reasonably priced). I’m not shocked that some of my information is out there - every other week there are announcements of major information breaches.
The thing to come to peace with is that while you can request PII removal from many of the systems - pentester.com does this for you automatically, btw - it’s a different story on the dark web or on random people’s hard drives, where data removal is impossible. The aim here is to do what we can to reduce the digital footprint, and to understand what remains.
It almost goes without saying but folks should really, really avoid having online accounts that betray personal information, where possible, and especially for kids. It is astonishing to me how many people have Twitter accounts and gaming accounts that are literally their entire name and photo. It’s one thing if it’s LinkedIn or if you are an actual public figure for the government or media, but maybe not everywhere on Social Media is a good idea. Just my 2 cents.
I came from a different era where having separate online personas tied to persona email accounts is one of the best ways to keep the digital universe at arms-length to limit the “psychic medium effect” of strangers who purport to know you but really just googled you.
With that, I think we’ll call it here, as I still haven’t gotten to the multifactor authentication topic I originally wanted this to cover. I believe Part 3 should be enough runway to wrap this topic up, and then we’ll get back to AI and philosophy.
Hopefully this was valuable, or at least thought and conversation provoking. The reality we see coming through our largest and tiniest screens is about to get a whole lot stranger, so it pays to fortify digital, mental, and social firewalls the best we can.