The standard policy response to fraud is to teach people to spot it. Run awareness campaigns, post warnings, hand out brochures. The implicit theory is that informed people don’t fall for scams. The data says that theory is mostly wrong. People who know about phishing get phished. Financial professionals lose money to investment fraud. The variable that actually moves outcomes isn’t education—it’s structural friction.
What the research keeps finding
Studies of phishing susceptibility consistently find that prior exposure to anti-phishing training produces small, decaying effects. Within a few months, click rates among trained employees converge with untrained ones. The FTC’s data on consumer fraud victims shows that older adults, who generally score higher on financial literacy tests, lose more money per incident than younger adults, because they’re targeted with more sophisticated schemes and have larger account balances. Highly educated professionals are heavily represented among victims of investment scams, romance scams, and business email compromise. The pattern is not that knowledge fails entirely—it does help at the margins—but that the gap between knowing about a scam in the abstract and recognizing one in the moment, while emotionally activated and time-pressured, is enormous and resistant to education.
Why structural friction works better
Fraud succeeds in narrow time windows where the target is rushed, isolated, and aroused. Anything that introduces a forced pause, a second pair of eyes, or an outside verification step is more powerful than any pamphlet. Banks that require a 24-hour delay on first-time wire transfers stop large-loss fraud at far higher rates than banks that train customers to spot suspicious requests. Brokerages that require trusted-contact callbacks before unusual transfers catch elder financial exploitation that no amount of customer education would have caught. Two-person rules in business email policies stop CEO-impersonation wire fraud cold. The common thread: these interventions don’t depend on the target being clear-headed at the moment of the scam. They build the protection into the system, not the person.
What this means for policy and personal practice
For policy, the implication is that consumer education is necessary but radically insufficient, and that requirements on institutions—delays, callbacks, mandatory holds, liability for missed red flags—do more good per dollar than another awareness campaign. For individuals, the practical move is to install your own friction in advance: a rule that any transfer over a threshold requires a phone call to a specific person, a 24-hour cooling-off rule on any new investment, a designated trusted contact at your bank. These work because they remove the in-the-moment decision from a compromised version of yourself and hand it to a calmer one with a checklist.
The takeaway
Fraud prevention as currently practiced relies too heavily on the idea that informed consumers protect themselves. They mostly don’t, because fraudsters target them at moments when knowledge is offline. The interventions that work are structural: delays, second checks, mandatory verifications, and institutional liability. Education has a role, but it should be the smaller part of the program, not the centerpiece.
Leave a Reply