The message popped up on Tiziana Barrow’s phone like any other dating app intro. The photos showed a handsome blond with glasses — a Washington, D.C.-based architect from Sweden finishing a project overseas.
At first, nothing felt off. He texted often, sounded warm on the phone and kept the conversation going. Then small details started to nag at her. The accent didn’t sound Swedish. He wasn’t in a hurry to meet. When his profile disappeared and Barrow mentioned it, he got defensive.
A few weeks in, the story changed. A tax problem on a construction project in Turkey had left him short. He asked her for $22,000.
By then, Barrow already knew what was happening. The messages, the urgency and the emotional pressure followed a familiar pattern. This was a scam. Years working in and around cybersecurity helped her spot it fast.
But Barrow didn’t just see a romance scam. She saw how people get pulled in. How urgency, a few convincing signals and the right emotional pressure can short-circuit common sense. The same dynamics, she says, show up in attacks on companies every day.
The Human Factor Problem
“If you’re not in cybersecurity, you’re likely having a hard time understanding the value proposition of most of it,” Barrow said. “It’s technical. It’s specialized. And while that specialization is necessary, it has created a communication gap between security teams and the rest of the organization.”
That gap isn’t theoretical. Security programs grow more sophisticated each year. Controls improve, investments increase and yet the language of risk still doesn’t translate into everyday behavior — where most breaches begin.
IBM’s Cost of a Data Breach report shows organizations take, on average, over six months to detect an intruder, a reminder that attacks don’t arrive in a single dramatic moment. They unfold quietly, over time.
Barrow sees that pattern constantly.
“The attack is never a one-time event,” she said. “It’s a campaign.”
Why Awareness Training Falls Short
Barrow is blunt about why security awareness efforts haven’t closed the gap. Most programs check a box for compliance or audits. People click through a module once a quarter, then go back to doing what they’ve always done.
“Current cyber-awareness trainings are imparting knowledge, but they’re not imparting behavior change,” she said.
In practice, most programs teach people how to spot phishing emails, not how to recognize manipulation in everyday interactions.
She’s deliberate about how she talks about security, too. Barrow wants people to stop seeing it as something to dread and start treating it as something they can explore, test and learn from.
“Being able to move cybersecurity from a place of fear to a place of inspiration and curiosity is really something that will light me up,” she said.
From there, she brings the conversation back to everyday behavior. Digital safety shouldn’t feel like a specialist discipline but more like basic safety.
“We teach our kids about stranger danger,” Barrow said. “But then we’re out there clicking on links from unknown people and picking up phone calls consistently from unknown numbers.”
That translation — from abstract risk to everyday decisions — is where Barrow sees her role. She sits at the intersection of security, product and communication, trying to turn technical risk into practical habits that shape day-to-day behavior.
In enterprise environments, especially across federal agencies and government contractors, that behavioral layer becomes even more consequential. A single manipulated employee can become an entry point into mission-critical systems. Barrow said the challenge isn’t simply preventing clicks but reshaping how organizations think about trust and persuasion at scale.
Turning Awareness Into Action
Romance scams like the one Barrow avoided are part of a much bigger fraud economy. The stories show up everywhere — in national headlines like USA Today’s Feb. 24 coverage of rising romance-scam losses and in daily posts on Reddit’s r/Scams about parents, partners and coworkers who sent thousands or even hundreds of thousands of dollars to imposters.
In 2024, the FBI’s Internet Crime Complaint Center logged about 18,000 confidence and romance scam reports nationwide. Federal Trade Commission data show U.S. consumers reported losing over $12.5 billion to fraud that year, a 25% jump driven by imposter scams, text scams and investment fraud.
That scope is what drives Barrow’s approach: less theory, more habit.
She calls it the ABCs of digital safety, built for real life, not checklists. She has long used Google Voice to protect her identity and keep her primary phone number off platforms she does not trust. With so much personal information tied to a main number, that small step limits how far a stranger can reach.
Barrow also talks about credit freezes, password managers and longer passwords, but she pushes people to focus on where they are most exposed: phones, public Wi-Fi, Bluetooth and the airport scroll.
That’s why she says training can’t stop at phishing. People have to learn how manipulation actually sounds in the wild, like a caller posing as a traveling CEO who needs something bought right now.
Barrow wants that sense of control for other people. Digital safety doesn’t have to feel like something looming over you. It can just be part of how you go about your day.
“We pause before crossing the street, and we look both ways,” she said. “Why are we not stopping before clicking on the link or picking up the phone call?”
Barrow envisions a system that works like a wellness tracker, a simple, transparent way for individuals and teams to see their digital hygiene over time. Like a credit score, it would offer a clear, evolving measure of human risk posture — built to drive awareness and improvement.
The bigger goal is to make digital safety feel like an ordinary part of daily life, like fastening a seatbelt, not something people only think about after something has gone wrong, she said.
That starts with stories that connect the digital to the real world. But it doesn’t end there. For organizations, it means building secure behaviors into everyday workflows so safe decisions become habitual, not heroic.
The work now is turning awareness into instinct — so the next polite message from a stranger doesn’t automatically get the benefit of the doubt.