We Need More Beekeepers

Author: Keith Hodo
Solutions Architect at AWS. Writing about cloud, agentic AI, and the journey.

I watched The Beekeeper recently. If you haven’t seen it, Jason Statham plays a retired operative who goes to war against a network of scammers after they destroy someone he cared about. It’s a great action movie. Statham does what Statham does.

But I’m a pacifist. I don’t believe in individuals taking violence into their own hands. What I do believe in is the underlying premise: that someone needs to protect the vulnerable. That the people running these operations are genuinely predatory. And that most of us are not doing nearly enough to defend ourselves or the people we love.

Yoda guarding the Lucasfilm Studios in San Francisco

I’ve been following digital security closely since around 2008. I’ve listened to Security Now! with Steve Gibson for most of that time. I’ve followed Troy Hunt for over a decade and read his book Pwned!, which he’s made available for free. This isn’t a topic I stumbled into. It’s an area of genuine passion.

And right now, the threat landscape is worse than it has ever been.

The Numbers Are Staggering

In 2024, Americans 60 and older lost $4.88 billion to cybercrime, a 43% increase from the year before, according to the FBI’s Internet Crime Complaint Center. That’s 147,127 complaints filed, up 46% year-over-year. Investment scams alone accounted for $1.83 billion of those losses. Tech support fraud, where someone calls pretending to be from Microsoft or Apple, claimed another $1.46 billion.

The FTC reported that total fraud losses across all ages hit $12.5 billion in 2024, up 25% from the prior year. For adults 60 and older specifically, losses from impersonation scams grew from $122 million in 2020 to $700 million in 2024. That’s not a trend. That’s an industry.

And those are only the reported cases. The FTC estimates actual losses, including unreported incidents, could be anywhere from $10 billion to $81.5 billion annually.

Why the Vulnerable Are Being Targeted

The people running these operations are not random opportunists. They are organized. The FBI charged 13 people in a Boston-based operation that functioned like a call center, complete with scripts, managers, and “openers” and “closers” working victims in sequence. They bilked over 400 people, with an average age of 84, out of roughly $5 million. The Boston Globe reported that victims were often too ashamed to tell their families they had been duped.

Seniors are targeted because they are high-value and, statistically, easier to deceive. That’s not an insult. It’s neuroscience. Research from the University of Iowa found that naturally occurring changes in the ventromedial prefrontal cortex make older adults less skeptical and more likely to rely on initial impressions of trustworthiness. Social isolation compounds this. When someone is lonely, a friendly voice on the phone carries more weight than it should.

And then there’s AI.

The Voice Cloning Problem

This is the part that should concern everyone. AI voice cloning has transformed the grandparent scam from something detectable into something that is nearly indistinguishable from a real call.

Here’s how it works. Scammers harvest a few seconds of audio from public social media. A birthday video on TikTok. A family reunion clip on Facebook. A voicemail someone posted. That’s all they need. AI tools, many of them free or cheap, generate a convincing voice clone. The scammer calls the grandparent using that cloned voice, sounding panicked, crying, begging for help. “Grandma, it’s me. I’m in jail. Please don’t tell Mom and Dad.”

Reports of AI-enabled scams jumped 456% between mid-2024 and mid-2025. The Financial Crimes Enforcement Network issued a warning in November 2024 about deepfakes that “can manufacture what appear to be real events.”

The old advice about looking for typos and bad grammar is obsolete. GenAI produces flawless, natural-sounding text in any language. Personalized phishing emails now reference your real job title, your colleagues’ names, and your recent projects. Vishing attacks, voice phishing over the phone, surged 442% year-over-year.

The Single Most Important Thing You Can Do Right Now

Establish a family code word.

Pick a word or short phrase that only your immediate family knows. If anyone ever calls claiming to be a family member in distress and asking for money, ask for the code word. If they can’t provide it, hang up and call the person directly on a number you already have.

My family has one. I’m not going to tell you what it is. That’s the point.

This is the number one recommendation from cybersecurity experts and law enforcement. It’s free. It takes five minutes. And it defeats even the most convincing AI voice clone, because the clone doesn’t know your family’s private word.

Have that conversation with your parents this week. Not someday. This week.

What to Do for Yourself

Beyond the code word, here’s what I actually use and recommend.

Get a password manager. I use 1Password and have for years. I’m not paid by them. I’m a customer. The reason I recommend it over saving passwords in your browser is the architecture. 1Password uses a zero-knowledge model with a Secret Key that never leaves your devices. Even if their servers were breached, your vault is unreadable without that key. Their Watchtower feature monitors for breached passwords, weak passwords, and reused passwords, and flags accounts where you haven’t enabled two-factor authentication yet.

Check if you’ve been breached. Go to haveibeenpwned.com right now and enter every email address you use. Troy Hunt built this service and has been maintaining it for over a decade. It aggregates data from known breaches and tells you exactly which ones included your email. Sign up for notifications so you hear about future breaches as they happen. If you’re already a 1Password user, Watchtower pulls from the same database.

Stop using SMS for two-factor authentication. SMS codes are better than nothing, but they’re the weakest form of MFA. SIM swapping, where an attacker social-engineers your carrier into transferring your phone number to their device, is a well-documented attack. The FBI and CISA both explicitly recommended in December 2024 that Americans move away from SMS-based authentication, following the Salt Typhoon telecom espionage campaign that compromised multiple US carriers. Switch to an authenticator app. 1Password has one built in.

Set up passkeys where you can. Passkeys replace passwords entirely with public-key cryptography tied to your device. They can’t be phished because the private key never leaves your device and is cryptographically bound to the real domain. A fake site can’t request it. Google, Apple, Microsoft, GitHub, Amazon, and hundreds of other services support them now. passkeys.directory has a full list.

Freeze your credit. This is free by federal law and most people still haven’t done it. A credit freeze prevents anyone from opening new credit accounts in your name, even if they have your Social Security number. You freeze and unfreeze online in minutes. Do it at all three bureaus: Equifax, Experian, and TransUnion. Then do it at Innovis too, the lesser-known fourth bureau. Store the PINs in 1Password.

What to Do for Your Parents

The code word conversation is the starting point. Beyond that, the most effective thing you can do is set up the tools for them rather than explaining the tools to them.

Install 1Password on their devices and set it up. Import their passwords. Show them how to use it once. You don’t need to explain zero-knowledge architecture. You just need them to use it.

Freeze their credit for them if they’ll let you. Walk them through it on a video call. It takes about 10 minutes per bureau.

Talk to them about the specific scams that are circulating right now. The grandparent scam. The tech support pop-up. The government impersonation call. Not to scare them, but to give them a mental model. “If anyone ever calls saying I’m in trouble and asks you not to tell anyone, ask for the code word.” That sentence alone could save them.

The AARP Fraud Watch Network has a free helpline and publishes regular alerts about active scams. It’s worth bookmarking for them.

A Note on This Blog

Since I work in cloud infrastructure, I’ll mention briefly that this blog runs on AWS with S3 and CloudFront. The GitHub Actions deployment pipeline uses OIDC for authentication, which means there are no long-lived credentials stored anywhere. The IAM roles are scoped to exactly what the deployment needs and nothing more. It’s a small thing, but the same principles apply at every scale: least privilege, no standing access, no secrets in code.
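
To make "scoped to exactly what the deployment needs" concrete, here is an added example (not this blog's actual configuration or code) that audits an IAM role trust policy for GitHub Actions OIDC and reports when the role is not pinned to one repository. The account ID, the example-org/example-blog names and the helper functions are constructed placeholders.

```python
OIDC_HOST = "token.actions.githubusercontent.com"
PROVIDER = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_HOST}"  # placeholder account ID

def trust(condition):
    """Build a constructed trust policy around the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}]}

def claim_values(condition, claim):
    """Return (operator, value) pairs for one OIDC claim across all operators."""
    pairs = []
    for operator, entries in condition.items():
        for key, value in entries.items():
            if key.lower() == f"{OIDC_HOST}:{claim}":
                values = [value] if isinstance(value, str) else value
                pairs += [(operator, v) for v in values]
    return pairs

def audit_trust_policy(policy, repo):
    """Return findings for GitHub OIDC statements; an empty list means scoped."""
    findings = []
    statements = policy["Statement"]
    for st in statements if isinstance(statements, list) else [statements]:
        principal = st.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if st.get("Effect") != "Allow" or OIDC_HOST not in str(federated):
            continue
        cond = st.get("Condition", {})
        if not any(v == "sts.amazonaws.com" for _, v in claim_values(cond, "aud")):
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = claim_values(cond, "sub")
        if not subs:
            findings.append("no sub condition limits which repository may assume the role")
        for operator, value in subs:
            if not value.startswith(f"repo:{repo}:"):
                findings.append(f"sub {value!r} is not limited to {repo}")
            elif "Like" in operator and "*" in value:
                findings.append(f"sub {value!r} uses a wildcard for branch or event")
    return findings

# Constructed sample policies; the organization and repository names are hypothetical.
AUD = {f"{OIDC_HOST}:aud": "sts.amazonaws.com"}
SCOPED = trust({"StringEquals": {**AUD,
    f"{OIDC_HOST}:sub": "repo:example-org/example-blog:ref:refs/heads/main"}})
ORG_WIDE = trust({"StringEquals": AUD, "StringLike": {f"{OIDC_HOST}:sub": "repo:example-org/*"}})

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED), ("org-wide", ORG_WIDE)):
        print(name, audit_trust_policy(policy, "example-org/example-blog"))
```

The trust policy only decides who may assume the role; the permissions policy attached to that role still has to be limited to the specific bucket and distribution the deployment touches.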

The Beekeepers We Actually Need

The Beekeeper works as a movie because it taps into something real. There are people out there running industrialized operations designed to steal from the vulnerable. They have scripts and managers and daily targets. They use AI to make their attacks more convincing. And most of their victims never report it because they’re too embarrassed.

We don’t need vigilantes. We need people who are informed, who set up the right defenses for themselves and their families, and who have the conversations that most people keep putting off.

Read Troy Hunt’s Pwned! if you want to go deeper. It’s free and it’s excellent. Listen to Security Now! if you want to stay current. And have the code word conversation with your family this weekend.

That’s the kind of beekeeper we need more of.

Keith