Scams are a supply chain, not a lone hacker#
The stereotype of a hooded loner in a basement is decades out of date. Today's fraud ecosystem looks much more like a tech startup with departments, vendors, customers, and a price list.
A typical operation pulls from at least four specialized layers:
- Tooling. Off-the-shelf phishing kits clone a brand's login page for $30–$200. Phishing-as-a-Service (PhaaS) platforms sell subscriptions with dashboards, A/B-tested email templates, and live victim feeds.
- Infrastructure. Bulletproof hosting, lookalike domains, anonymized SMS gateways, and disposable phone numbers are all rented by the hour.
- Leads. Stolen email lists, breach databases, and lead targeting by demographic (“65+, US, owns crypto wallet”) trade on closed forums.
- Cash-out. Mule networks, crypto mixers, and gift-card laundries move stolen funds out of the banking system and into the operator's pocket.
Why the economics matter to you#
Because every layer is specialized and rented, the cost per attempted scam is now pennies. Attackers can afford to send a million highly personalized messages to find a handful of victims.
The defensive lesson follows directly: you cannot rely on attackers being lazy, stupid, or rare. They are industrial. Your defense has to be habits, not luck.
What you should remember#
- Scams are a business, with vendors, prices, and quality tiers.
- Personalization is now cheap; “generic phishing” is no longer a reassuring marker of safety.
- Defense is about repeatable habits — verification, pauses, second opinions — not about being smart in the moment.