Apr 24, 2025

Fraud-as-a-Service: How $20 Can Cause Millions in Damage | “What The Fraud?” Podcast

Dive into the world of fraud with the "What the Fraud?" podcast! 🚀 In this episode, Tom is joined by Brett Johnson—former cybercriminal turned security consultant. Once the mastermind behind ShadowCrew, Brett now helps businesses stay safe using insights from his past. They discuss the rise of Fraud-as-a-Service, the risks it brings, and how to defend against it.

THOMAS TARANIUK: Hello, dear audience, and welcome to Series Three of What The Fraud?—a podcast by Sumsub, where digital fraud meets its match. I’m Thomas Taraniuk, currently leading some of our most exciting partnerships here at Sumsub, the digital verification platform helping to verify users, businesses, and, of course, transactions.

This week, we’re joined by an incredibly special guest to explore a crucial topic: how tools used to commit fraud have become more accessible than ever. Who’s at risk—and what can we do to stay protected?

Fraud is no longer just a crime; it’s become a global business powered by software. With fraud-as-a-service, anyone can access cybercrime tools online—no technical skills needed, and at just a fraction of the cost.

In our latest Identity Fraud Report, we examine how little it takes to commit fraud today—with criminals spending just a few hundred dollars to inflict millions in damage.

To help us unpack this alarming shift, I’m thrilled to welcome Brett Johnson—one of the early pioneers of digital fraud. A true poacher turned gamekeeper, Brett founded one of the world’s largest hacking communities, ShadowCrew. After serving time in prison, he now works with companies around the world, using his insight and experience to make the digital world a safer place.

Brett, thank you so much for joining us on today’s episode. We’ve had many conversations with industry experts on this show, but never with someone who’s seen fraud from the inside. So we’re really excited to dive in.

Let’s start with a bit of your story. You had your first brush with crime at quite a young age—could you tell us how you first got involved in the world of fraud?

My journey into cyberfraud

BRETT JOHNSON: Sure. I’m from eastern Kentucky—one of those parts of the US, like the Florida Panhandle or rural Louisiana, where if you’re not lucky enough to have a job, you might end up in some kind of scam, hustle, or fraud—whatever you want to call it.

My mom was basically the captain of the entire fraud industry. No crime was too big or too small for her. At one point, she stole a 108,000-pound Caterpillar D9 bulldozer and drove it down the street. Another time, she staged a slip-and-fall in a convenience store and tried to sue the owner. That was my mom.

My dad, on the other hand, was a good man—just not strong-willed. If my mom wanted to pull off a scam, he’d go along with it. If she wanted to abuse someone, he wouldn’t step in. She was—and still is—an extremely abusive person. Not just physically, but emotionally and mentally too.

When I was 10, she left my dad. My sister Denise was 9. We moved back to Kentucky from Florida, and she would often leave us alone for days at a time while she went out partying. I used to sit at the window, waiting to see if she’d come home. Sometimes I’d walk into the street, just looking for her. Denise, meanwhile, was just angry all the time.

One day, after our mom had been gone for a few days and we were out of food, Denise walked in with a pack of pork chops. I asked her where she got it. “I stole it,” she said. And I replied, “Show me how.” She did—and I thought it was the best idea ever. So we started stealing food.

Soon we moved on to other things. Across the street was a Kmart—kind of a department store—and it turned into this warped version of Maslow’s hierarchy of needs: books, games, jewelry, music, toys… you name it, we stole it.

When Mom came home and saw all the loot, she asked where it came from. I said, “We found it.” She didn’t buy it. Denise, always honest even when she was mad, said proudly, “We stole it.”

And instead of punishing us, my mom said, “Show me how you did that.” Then she joined us. Not just that—she called her mom to come along too. We started taking road trips to go shoplifting together. That’s how my life of crime began.

But I want your listeners to understand something: I’m not blaming my childhood for the choices I made as an adult. As a kid, you copy the adults around you. But when I grew up, I had a choice—and I chose the wrong path.

My sister, Denise, had the same upbringing. Aside from that one shoplifting experience, she didn’t break the law again. She became a great teacher, a great mom, a responsible person. Sure, she’s still got some anger issues, but she’s a good human being.

Me? I kept going. And as I got older, I realized it wasn’t just my mom—it was that entire side of the family. Everyone was doing something illegal. So I learned how to shoplift, how to fake insurance claims—staged accidents, stolen cars, even burning down houses for money. We did charity scams, disaster relief fraud, illegal coal mining, even learned how to grow marijuana. That was my foundation.

Eventually, in the mid to late ’90s, I faked a car accident to get enough money to get married. Then I moved from Hazard, Kentucky to Lexington to attend university—and that’s when I started branching off on my own.

THOMAS TARANIUK: Brett, how did you get interested in technology as a tool to commit fraud? And why is it so attractive to fraudsters, whether they’re individuals or criminal organizations?

Why is technology attractive to fraudsters?

BRETT JOHNSON: So where does my real journey into internet fraud begin? I was living in Lexington, Kentucky, running small street scams—nothing major, and honestly, not very well. At one point, I got caught running a fake charity, served three months in jail, and got out looking for a new angle. That’s when I found eBay. I liked the platform, but I didn’t know how to make money on it.

Then one night, I was watching Inside Edition—that tabloid show Bill O’Reilly used to host before all the harassment scandals. They were profiling Beanie Babies, these collectible stuffed animals. The one they highlighted was Peanut, the Royal Blue Elephant, selling for $1,500 on eBay.

So I’m sitting there thinking, “Well damn, Brett, you’ve got to find a Peanut.” I skipped class the next day and searched every local shop for one. Took me three hours to realize, “He’s not in a shop. He’s on eBay—for $1,500.”

But I noticed stores did have little gray elephant Beanie Babies for $8. So I bought one, stopped by the grocery store for blue dye, went home and tried to dye the little guy. Turns out Beanie Babies are made of polyester—it doesn’t hold dye well. He came out of the bath looking like he had mange. Didn’t matter though. I found a picture of the real Peanut online, used it to post a fake listing—and someone fell for it. She won the bid.

That’s when the real crime started: social engineering. Online fraud is all about trust—getting someone to believe you’re legit. Criminals use both tech and psychology. Tech is stuff like stolen identities, proxies to mask location, spoofed phone numbers that make it look like your bank or local police are calling. That creates a base level of trust.

But tech only gets you so far—then it’s about how good of a con artist you are. So after she won the auction, I didn’t wait for her to question anything—I went on the offensive. I messaged her: “Hey, congrats on the win. But you and I have never done business before, right? I don’t know if I can trust you. What I need is a couple of money orders, government-issued. They protect both of us. Once I get them, I’ll send you your elephant.”

She believed it. Sent the money orders. I cashed them and shipped her the blue-ish mutant elephant. A few days later, she calls: “This isn’t what I ordered.” I told her, “Lady, you ordered a blue elephant. I sent you a blue-ish elephant.”

And that—right there—is the first real lesson most online criminals learn: if you delay a victim long enough, keep stringing them along, many just give up. They get frustrated, walk away, and very few ever complain to law enforcement.

That was my first real internet scam—and the start of my online life of crime.

Fraudsters getting into technology: The story of ShadowCrew

THOMAS TARANIUK: Super interesting, Brett. We touched on the whole nature versus nurture theme there—how your upbringing shaped your path moving forward. But of course, we’re sitting here now, and you’re definitely not in jail anymore. I’d love to shift gears a bit and talk about how you evolved from things like shoplifting and check fraud to getting into technology and using it to your advantage—as a fraudster would at the time.

Let’s dive into ShadowCrew, Brett. For listeners who may not be familiar, ShadowCrew was one of the very first cybercrime forums where fraudsters and cybercriminals shared tips, tools, and resources online. You helped set it up, so tell us—what was ShadowCrew all about? Who were its members, and what was the forum set up to do? 

BRETT JOHNSON: If cybercrime were a country today, it would have the third-largest economy in the world—behind only China and the United States. That’s how big it’s become.

The growth of cybercrime has been massive, and there’s a reason for that. To understand it, you need to look at what I call the three necessities for successfully committing online crime:

  1. You have to gather the data—this is your stolen PII, logins, and any tools needed to move forward.
  2. You have to commit the actual crime.
  3. You have to cash that crime out.

These three elements—gather data, commit the crime, cash it out—must work in sync. If even one is missing, the crime fails.

Now, a problem here is that a single criminal usually can’t do all three. Sometimes it’s a skills gap—maybe they don’t know how to run a phishing campaign or do a man-in-the-middle attack. Other times, it’s geography. Maybe they’re in a country where they can’t launder money. That’s where collaboration comes in.

Before ShadowCrew, the main place criminals networked was IRC—Internet Relay Chat. It was a rolling message board where you had no idea who you were dealing with. Were they legit? A scammer? Law enforcement? You never knew.

ShadowCrew changed that. It provided a trust mechanism—a way for criminals to vet each other, communicate, and collaborate more safely.

So how did ShadowCrew come to be?

I told you the eBay story—that scam worked, and because I got away with it, I kept going. I started selling pirated software, then moved into mod chips (soldering onto gaming systems), then cable boxes for free pay-per-view, and eventually, programming satellite DSS cards to unlock all the channels.

At some point, I started scamming people—taking orders, pocketing the money, and never delivering. That made me nervous, so I decided I needed a fake ID. I got online, found someone who claimed to make IDs, sent him $200 and a photo—and he ripped me off.

Yes, I, a fraudster, got defrauded. And I’ll be honest—it sucked. I was furious. Still am. But that experience led to ShadowCrew.

There are three websites that laid the foundation for modern cybercrime: Counterfeit Library, ShadowCrew, and CarderPlanet.

I ran the first two. Counterfeit Library came first, then evolved into ShadowCrew. Around the same time, a Ukrainian named Dmitri Golub saw what we were doing. He was spamming for credit card numbers and realized—hey, maybe people would buy these. Spoiler: they would.

He called some friends, they called more friends, and eventually, 150 cybercriminals met in Odessa. That meeting launched CarderPlanet, the foundation for modern credit card fraud.

But the most important of the three, in terms of impact on cybercrime, was ShadowCrew—because of that trust mechanism.

If you want to network with other criminals who are strong where you’re weak, you have to be able to trust them. But how do you build trust in an environment where no one uses real names and you’ve never met?

ShadowCrew was the solution. It used a forum-style structure so people in different time zones could join and revisit conversations. Your screen name became your brand. Just by seeing your handle, people knew your skills, your reputation, and whether they could work with you.

We had vouching systems, reviews, and escrow—all designed to help criminals trust each other and work together.

That was ShadowCrew’s biggest innovation: it was the first true marketplace for criminal goods and services—specifically financial and identity crimes.

We had rules—no child exploitation, no drugs, no counterfeit currency. Toward the end, we did start dealing in drugs and counterfeit money, but we never allowed child exploitation, ever.

ShadowCrew hit the front cover of Forbes in August 2004. Two months later, in October, the US Secret Service arrested 33 people across six countries in six hours. I was the only person publicly mentioned as getting away.

Four months later, they caught me. The Secret Service offered me a job—and I kept breaking the law from inside their offices for another 10 months before they figured it out.

After that, I went on a cross-country crime spree, stole $600,000 in four months, landed on the United States Most Wanted list, got arrested at Disney World, went to prison, escaped, got arrested again, and finally served out my time.

Fraud for the masses? The rise of Fraud-as-a-Service

THOMAS TARANIUK: Great—what a story. Do you think you played a pivotal role in the democratization of fraud-as-a-service through your involvement in these various platforms? In other words, did you help make fraud more accessible—not just to seasoned criminals, but to everyday users who wanted to step into that world?

Was it something that catered mostly to complete beginners, or was it primarily dominated by experienced fraudsters? And as we look ahead, do you think that dynamic has stayed the same?

BRETT JOHNSON: Excellent question. When we started ShadowCrew—and I want to emphasize this—it wasn’t just me. Sure, I ran it, I was the public face, but these kinds of cybercrime communities aren’t structured like a traditional corporation. Think of them more like a co-op, where people cycle in and out. So while I played a major role, the foundation of modern cybercrime was built by a broader community of individuals collaborating together.

From the beginning, one of our core principles was freely sharing and exchanging information. We understood, even back then, that educating others ultimately made everyone more skilled—and more profitable. That spirit of openness, of knowledge sharing, really laid the groundwork for what you’re calling the “democratization of fraud.”

Back then, if you were a criminal, you had to understand every single part of the fraud lifecycle. That meant knowing the operational security of your target—whether an individual or an organization—as well as your own opsec to avoid getting caught. You had to know how to run drop addresses, launder money, create fake IDs—everything. It was a lot of work, and a lot of knowledge.

But that’s not how it works anymore.

Today, cybercrime has evolved into a service-based industry. Everything is “off the shelf.” A complete beginner can step into the scene and start profiting almost immediately. Need to know how to pull off a fraud? You can buy a tutorial for $10. Don’t want to learn it yourself? You can sign up for live instruction, where a seasoned fraudster walks you through the process—step by step. And they guarantee your success. If you’re not profitable by the end of the course, they’ll refund your money.

Why? Because today, cybercrime is so lucrative that customer service matters. If cybercrime were a country, it would have the third-largest economy in the world—behind only China and the US.

This evolution—from ShadowCrew to today’s cybercrime marketplaces—represents a massive shift. It started with our idea of an open, collaborative environment.

As these communities grew, they began fulfilling the first critical necessity of any cybercrime: data acquisition. Most criminals today don’t steal data themselves—they buy it. Marketplaces now supply everything: stolen credentials, malware kits, phishing tools—you name it.

Over time, those same marketplaces expanded into other criminal sectors, including drug trafficking, counterfeit goods, and beyond. It’s a lot like the Gold Rush in 1890s California: the real money wasn’t made by the miners, but by the people selling the mining tools. In cybercrime, it’s the marketplaces—and the vendors—who are raking in the profits.

Today, a cybercriminal doesn’t need to understand the technical side of things at all. Whether it’s basic refund fraud or sophisticated attacks like man-in-the-middle operations, session hijacking, or cookie injection—it’s all readily available. Everything can be purchased or taught on-demand.

That’s how far we’ve come from ShadowCrew—and that’s the reality of cybercrime in the modern era.

The low cost of high-impact crime: How minimal investment fuels massive fraud

THOMAS TARANIUK: Definitely—and as you’ve mentioned, the accessibility of fraud-as-a-service has grown significantly. The ease of access, paired with the anonymity it offers, makes it incredibly appealing. Add in the scalability powered by AI, and suddenly, with minimal investment, anyone can cause serious damage.

The speed at which cybercriminals can act is another major draw. From our side at Sumsub, we publish an annual Identity Fraud Report, which has become a go-to resource for the fraud prevention community. It’s been cited by trusted sources like the UN, Statista, CNBC, and more.

In our 2024 report, we explored the cost of tools needed to commit digital fraud. For example, a phishing kit can be purchased for as little as $20, and server space goes for around $100 per month.

So, Brett—from your perspective, how much damage can someone really cause with that kind of setup? Are we talking about losses in the thousands, hundreds of thousands, or even millions with just a $20 or $100 investment?

BRETT JOHNSON: Before I answer that, let me just say—you guys do a fantastic job. Seriously. You’re doing great work in this space, and you make a real difference every single day. You’ve got nothing but my respect.

Now, how much damage can you actually do?

Let’s take cookie injection attacks as an example. A few years ago, I was working for a bot mitigation company, and during that time we really saw the rise of Fraud-as-a-Service—the true democratization of fraud. Cookie injection attacks were being packaged and sold as automated services.

All you had to do was pay for a monthly subscription—anywhere from $50 to $400, depending on the level of service—and buy server access, which typically cost under $100. That’s it. Everything else was handled for you. There were even YouTube tutorials that walked you step-by-step through the setup process. The only real task left for the attacker? Getting a potential victim to click on a link. Once they clicked, it was game over.

The attack would sit in the middle, capture the victim’s session token, and from there, the criminal didn’t need credentials. It bypassed multifactor authentication and gave full access to whatever environment the victim had logged into.

In the US, there are nine major banks. We saw this kind of attack succeed against eight of them. The root issue? These institutions were relying solely on the session token to establish trust.

And remember what I’ve said: everything comes down to trust. For me to successfully defraud you—whether you’re an individual or an organization—I need to make you trust me. That trust might be built on stolen identities, login credentials, or session tokens. In this case, it was the latter.

Because session tokens were trusted, attackers could hijack accounts, bypass all security layers, and move money—no questions asked.

So, what’s the damage potential? For a couple hundred dollars—or often even less—an attacker could profit thousands, tens of thousands, even hundreds of thousands, depending on the target and the account being compromised.

The cost of an attack

THOMAS TARANIUK: Given how cheap these solutions are as well, are there some which are inherently more popular just because they’re more profitable? And on the basis of that, I mean, are these sustainable as cheap tools if they’re sort of hammered towards the same organizations who can fix, let’s say, well barriers, which basically prevent these tools from actually making any impact?

BRETT JOHNSON: When I first turned my life around and started working on the right side of cybersecurity, one of the first questions I asked was—admittedly a bit naively—“Why don’t the good guys share information like we used to on the criminal side?”

It took me some time to understand the reasons: privacy laws, regulatory constraints, and most of all—competitive advantage. See, as criminals, we had no problem sharing data, tools, and tactics. But in the corporate world, if one company in a particular vertical is being attacked, they’re often reluctant to share that information with competitors, even though those competitors are likely just as vulnerable.

What happens next is predictable: as the original target strengthens its defenses, attackers simply shift focus to another company in the same space, applying the exact same techniques. It’s a vicious cycle that thrives in the absence of open communication.

Now, does the cost of an attack matter to a criminal? Absolutely. Like any investor, I want the highest return for the lowest input. I’m not looking to spend heavily—I want cheap tools and easy access.

But that also ties directly into why someone is attacking. There are typically three motivations behind online attacks:

  1. Status: trying to impress other criminals
  2. Cash: trying to make a profit
  3. Ideology: trying to cause harm out of principle or revenge


Each of these impacts the persistence of the attacker. For example, a cash-motivated criminal is opportunistic—if your defenses are even moderately strong, they’ll likely move on to a softer target. Status-driven actors seek notoriety, so they may aim for tougher targets that earn respect. Ideological attackers, on the other hand, don’t care how secure you are—they’re determined to hurt you specifically, and they’ll invest the time and money to do it.

Understanding both the cost to the attacker and their underlying motivation can offer powerful insights into how to defend against them.

THOMAS TARANIUK: Super interesting. On the basis, if you had to look at it as proportionate, would you say it’s disproportionate that individuals are focused more on the cash quick wins, and these criminal organizations are more focused on larger cash grabs? Or the ideological sort of area of expertise where they’re trying to target organizations to bring them down, find weak points so they can share it with the community, that sort of thing?

Why small, scalable crimes are the real goldmine for cybercriminals

BRETT JOHNSON: You know what’s interesting? The most damaging attacks we see today are often ideological—because they don’t go away. Ideological attackers aren’t just chasing payouts; they’re driven by belief, anger, or revenge. And if you’ve been following the news, you’ll know that ideology is on the rise globally.

What’s even more important to understand is that in cybercrime, it’s not always about chasing the biggest reward—it’s often about what’s scalable.

Take the US during COVID as an example. At the time, one of the biggest potential fraud payouts was the Paycheck Protection Program (PPP)—a government loan of up to $2 million that, in many cases, was later forgiven. But interestingly, most experienced criminals didn’t go after that. Why? Because it was hard to execute and difficult to repeat.

Instead, they focused on unemployment fraud. Sure, it paid less—around $10,000 a week per account—but it was easy to scale. Fraudsters could open 20, 30, or even more fake claims a week, turning what looked like a smaller opportunity into a massive, consistent profit stream.

So yes, if you can pull off a one-time hit with a massive payout, that’s great—but criminals often lean toward what’s easier to scale and replicate. Lower-dollar crimes that fly under the radar often end up being far more lucrative in the long run.

THOMAS TARANIUK: So that’s an interesting one, Brett, at Sumsub we’re also looking at the growing trend of hybrid attacks.

The most dangerous hybrid attacks right now

I mean, these are where fraudsters basically use multiple methods such as stolen libraries of passwords and also brute force in tandem to make or conduct attacks on security systems. So what are the most dangerous hybrid attacks right now, in your opinion? And what makes them so effective? 

BRETT JOHNSON: Everything about today’s threat landscape feels hybrid—and here’s why.

When you look at what actually creates that landscape, it’s a mix of well-known vulnerabilities, human error, and weak links in the supply chain. For example, about 90% of all cyberattacks leverage known exploits—they’re not new, they’re just unpatched. Then you’ve got 56% of organizations being compromised through third-party access, and a staggering 41% of routers still operating with default passwords.

And perhaps most telling of all: 87% of breaches begin with a phishing attack.

Why? Because from an attacker’s perspective, it’s far more efficient. Instead of spending months or even years trying to brute-force a hardened system—say, getting through an industrial-grade firewall—I can simply send a convincing email to someone on the inside. Or even just pick up the phone and social engineer someone working remotely. In many cases, that’s all it takes to get remote access.

At the end of the day, it’s about saving time, effort, and money—and phishing delivers that with terrifying efficiency.

Why combining different fraud methodologies is the most effective way to execute fraud

THOMAS TARANIUK: So it could be a combination of bot networks and social engineering and other methodologies, which would be the most effective, right? 

BRETT JOHNSON: Absolutely. One major oversight in cybersecurity has long been the human element.

Back when I began my life in internet crime, penetration testing already existed. Companies hired pen testers—but often with strict limitations. They wanted their software or network tested, not the people. The attitude was: “Yes, we know humans can be compromised, but let’s not go there.”

That’s a mistake.

As an attacker, I’m always looking for the path of least resistance—and more often than not, that path is a person. Take Business Email Compromise (BEC) as an example. It’s a hybrid attack involving technical skill and social engineering. I might go on LinkedIn, identify someone in payroll and the CEO of a company, register a Unicode domain that looks nearly identical to the company’s real one, and then spear-phish one of those targets.

Once inside their inbox, I’ll monitor email chains until I spot the right moment to strike—often by diverting funds with a well-timed fake message. That’s the anatomy of a BEC attack. It’s not just one technique—it’s a combination of methods chained together to get the job done.

Sometimes, it’s as easy as hijacking a cookie. Other times, it involves picking up the phone and convincing someone to give me access. Whatever it takes to succeed—that’s the criminal mindset.

How can fraudster attacks be mitigated—for both businesses and individuals?

THOMAS TARANIUK: So Brett, I would love to talk about what we can do as a business or individual to protect ourselves right now from this threat you’re talking about. I mean, you are a security consultant now, and you are called to help businesses, right? Wherever it may be in the world: Dubai, London, any state in the US, of course.

I mean, what’s the biggest vulnerability you’ve seen over the last year, let’s say 2024, moving into 2025? I mean, what changes are you seeing in the way that fraud takes place? Have companies just not kept up with it? 

BRETT JOHNSON: Here’s the truth: we have over 8,500 cybersecurity companies, and yet the threat landscape keeps growing. Why? Because the problem isn’t always advanced. It’s often the exact opposite.

Media love to paint cybercriminals as brilliant hackers—geniuses capable of breaking into anything. And sure, some of those people exist. But 98–99% of cybercriminals? We’re not like that. We’re skilled social engineers. We exploit known weaknesses and human behavior, not zero-day vulnerabilities or impenetrable firewalls.

The real threat comes from what we already know—and continue to ignore.

Most attacks don’t involve unknown exploits. They rely on default passwords, unpatched systems, and untrained people. If you’re not scanning your environment, identifying your vulnerabilities, and patching them, you’re leaving the door wide open. And many attackers use automated tools to scan for exactly that.

You also need to understand your role in the cybercrime ecosystem.

Everyone has one. Whether you’re a CEO, someone in payroll, or working in food service, the way an attacker approaches you will differ—but no one is off-limits. A CEO or finance employee might be targeted through business email compromise or ransomware. Someone in food service might be hit with credit card fraud, account takeovers, or even student loan fraud.

Security should be tailored to your risk profile.

And when it comes to training, there’s a major difference between compliance and effectiveness. Compliance satisfies regulations. But effectiveness simulates real-world attacks.

I once worked with a Fortune 50 company where we ran a phishing simulation. The email claimed, “You’ve been given two extra vacation days.” Attached was a PDF labeled “Calendar.” Everyone clicked it. The backlash? People were embarrassed, angry, and they complained. In response, the company sent a mass apology promising to never do it again.

That’s a double failure. Because that’s exactly how attackers operate—and if you’re training employees to feel safe rather than to be prepared, you’re missing the point.

Want to mitigate fraud and cyberattacks?

  • Regularly scan for vulnerabilities—and patch them.
  • Know your value in the cybercrime ecosystem and protect accordingly.
  • Train employees for real threats, not just compliance.
  • Understand how criminals build trust to exploit individuals and organizations.

As attackers, we’re after data, access, or money—and our motivations usually fall into three categories: status, cash, or ideology.

At the end of the day, there are really just seven types of attackers:

  1. Criminals (like I used to be)
  2. Nation-states
  3. Terrorists
  4. Hacktivists
  5. Insiders
  6. Hackers-for-hire
  7. Script kiddies

Figure out who’s targeting you, what they want, and how they’ll try to gain your trust. Then build your defenses around that. And listen to what Sumsub has to say.

How AI is shifting the fraud landscape—and what businesses need to prioritize

THOMAS TARANIUK: From a fraudster’s perspective, identifying vulnerabilities is just the starting point. Once a weakness is spotted, it’s often shared within the criminal community or organization—and then quickly exploited.

But with the rapid growth of artificial intelligence tools, the fraud landscape is evolving faster than ever. AI is changing how attacks are carried out, making them more scalable, personalized, and harder to detect.

So the real question becomes: what does this mean for fraud defense going forward? And as AI continues to accelerate, where should businesses focus their efforts to stay ahead?

BRETT JOHNSON: I just got back from Edmonton, Canada, where I sat on a panel with the police chief—a fantastic guy—who made a point that really stuck: AI is already helping the bad guys, and while it’s helping the good guys too, the difference lies in timing.

AI on the defensive side is reactive. We train models based on what criminals have already done, which means we’re always playing catch-up. And that gap is only getting wider.

Take deepfakes. We’re already at a point where they’re hard to detect—and real-time deepfakes are just around the corner. Imagine the damage: business email compromise, account takeovers, stock manipulation through fake CEO videos, or even citywide chaos triggered by falsified footage of police violence.


The truth is, AI is amplifying everything from phishing and crypto scams to romance fraud. And while we’ve heard warnings about this, the reality now unfolding is far worse than the early rhetoric.

We’re heading toward a world where we may no longer be able to trust what we see or hear—and when that happens, I honestly don’t know how we fight back. It’s a very scary proposition.

THOMAS TARANIUK: Absolutely—and the growth is honestly pretty alarming. Everything seems to be happening all at once in 2024. The pace has been so fast that it’s forcing us to look back instead of ahead. That retrospective approach is leaving regulators and policymakers struggling to keep up, let alone implement effective systems in real time.

As you mentioned, it’s become a constant game of cat and mouse. We’re not really being proactive—we’re reacting, and that’s a tough position to stay in.

But I don’t want to end on a negative note. It’s easy for this to all sound like doom and gloom, right?

How to stay safe from evolving cyber threats in 2025: Expert advice from former hacker

So Brett, from your unique perspective—having been on both sides of the digital fraud world, first as a cybercriminal and now helping real businesses and real people protect themselves—what practical advice would you give? What can we do, both in our work and personal lives, to stay safe in a world where anyone can become a target? Anyone can become a victim.

BRETT JOHNSON: Absolutely. You know, as a business—and I’m a big advocate of going to conferences—the reason I say that is because it allows people to network, share, and exchange information.

A big reason the bad guys win every day is that they’re better at collaborating, sharing, and exchanging information. So, we need to get to that level. That’s a big one.

The other big one for me is situational awareness. Like I said at the beginning of our talk, we inherently trust these technologies. For some reason, when we’re in the physical world, our situational awareness is pretty high. We know when something doesn’t feel right—our hackles go up, we sense it. But that doesn’t translate very well to an online environment.

Still, we need to get to that point where our situational awareness is sharp—whether we’re a customer or client interacting with a company, running a company ourselves, or an employee within one. We need to be aware that, while most of the time things are fine, there are predators in this environment. There are people out there actively looking to victimize us or our company.

I think just having that awareness alone leads to things like properly scanning the threat landscape, doing effective training, and really examining what it takes to trust someone in that environment. I believe it all starts with situational awareness—and everything else builds from there.

THOMAS TARANIUK: A hundred percent. At the end of the day, we’re not just talking about operational strain, financial losses, or reputational damage—we’re also talking about people’s day-to-day lives, which can be completely disrupted or even ruined.

Before we wrap up today, Brett, we want to get to know you a little more on a personal level. I know we’ve already touched on a few things, but I’d love to ask you our standard five quick-fire questions.

Actually, I might even sneak in a sixth one, if you don’t mind.

Quick-fire round

Let’s get started—quick-fire round! First question: When choosing a digital wallet, do you go for more features or better security?

BRETT JOHNSON: Better security.

THOMAS TARANIUK: Excellent. What’s one thing about fraud that still surprises you? Even after all of your experience in and out? 

BRETT JOHNSON: That sharing of information, it’s outstanding the way it works. 

THOMAS TARANIUK: Interesting. We highlighted this earlier, but have you ever been a victim of fraud outside of your times as a cyber criminal?

BRETT JOHNSON: A couple of years ago, I was hit four times in one year. So it started when I walked out of the Oklahoma City FBI field office and went to get gas in a rental car. My credit card was shut down because someone had stolen the information and had tried to buy an iPhone in Nebraska. And then I got hit three more times on different cards the rest of the year.

THOMAS TARANIUK: Unlucky strike, Brett.

BRETT JOHNSON: Oh yeah. Really? But I view it as karma. I figured I deserved that. 

THOMAS TARANIUK: Oh, well you’re making amends. I mean, what would you say is one habit that you rely on today to stay safe online? You mentioned situational awareness, but it’s very difficult in a digital space for sure.

BRETT JOHNSON: You know, I use a combination of password managers and authenticators. And passkeys—when they’re available. That’s the big one for me. And I go into trusted websites. I mean, I try not to go any place else. Any place that’s not trusted. 

THOMAS TARANIUK: Fantastic. Reputation is key. And if you could have any other career than the one you’re currently in or the one that you’ve had previously, Brett, what would it be?

BRETT JOHNSON: Actor.

THOMAS TARANIUK: Actor? Excellent. So one extra just for you. Do you still sometimes miss the good old hacking days? 

BRETT JOHNSON: You know, I don’t miss it because of the fear of the knock on the door, the stress and anxiety when you’d be driving down the road and a police car would pull in behind you. I don’t miss it. I’ve still got a lot of temptations. I’ve still got the criminal mindset, but I don’t miss that life whatsoever.

THOMAS TARANIUK: But Brett, you’re putting that criminal mindset to good use. Now, of course, teaching our audience—and also businesses and people—to stay safe themselves, both online and in person. And I think that’s a good cause.

BRETT JOHNSON: Thank you. I appreciate it truly. 

THOMAS TARANIUK: Brett, thank you so much for coming on our podcast. It’s been a great episode and I’ve enjoyed thoroughly getting to know you and, of course, your story. Thank you for joining us on this episode of What The Fraud? by Sumsub. On the next episode, we are going to take a look at fintech fraud. We’ll take a deep dive into the new trends and tactics and how the sector is fighting back.
