We've covered three different stories this week.

Monday: an AI voice clone calling in your daughter's voice.

Tuesday: a breach at Canvas that gave attackers names, school IDs, and the contents of private student-teacher messages.

Wednesday: a piece of code called Axios that nearly turned into a back door inside millions of downloads, because one developer answered the wrong message.

These look unrelated. They're not.


The single sentence that ties them together

In every one of those stories, the attacker didn't break a system. They borrowed somebody's trust.

The voice clone borrows your daughter's voice - your trust in her.

The Canvas breach gives scammers your school's name, your teacher's vocabulary, your kid's email - your trust in messages that come "from the school."

The Axios attack borrows the maintainer's account - every developer's trust that an update from an official source is safe to install.

Same move, three flavors.

If you read this week's posts and felt like it was three separate problems with three separate fixes, that's exactly what the attackers want. The good news is the fix is also one move, applied three different ways.


The one habit: verify the channel, not the message

When something asks you to do something - send money, click a link, install an update, confirm an account - don't try to verify the message. Verify the channel.

The message can lie. The channel is harder.

Here's what that looks like in practice.

For a phone call: Hang up. Call back on a number you already have. The voice on the new call is who you trust. The voice on the inbound call is not.

For an email or text from a service: Don't click the link. Open a fresh browser tab. Type the website's name yourself. Log in there. If there's really an alert, it'll be waiting for you when you arrive.

For a request from a person in your life - money, a favor, "send me your password real quick": Reach out to them on a different channel than the one the request came in on. If the text seems off, call them. If the call seems off, text them. The second channel either confirms the request or exposes the impersonation.

For an update prompt on your computer or phone: Updates that come from the operating system or the official store are fine. Updates that come from a pop-up, a website, or an email link are suspect - even if they look real. Especially if they look real.

That's it. That's the whole playbook. Four versions of the same habit.
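The email-and-text version of the habit can be turned into a small check that asks the same question a person would: does this link actually land on a channel I already have, or only on something that looks like it? The script below is an added example, not code from the original post. It assumes a hand-kept set of placeholder domains (`school.example`, `bank.example`) standing in for the sites you reach by typing the name yourself, and it simplifies "registrable domain" to the last two labels of a hostname instead of consulting the public suffix list.

```python
"""Channel check for links in messages (added example, not the post's own code).

Assumptions, all constructed for this example:
- KNOWN_CHANNELS holds the sites you already reach by typing the name yourself.
- registrable_domain() keeps only the last two labels of a hostname, a
  simplification that ignores multi-part suffixes such as co.uk.
"""
import re
from urllib.parse import urlparse

# Constructed sample: channels you already have, independent of any message.
KNOWN_CHANNELS = {"school.example", "bank.example"}

# Messages a scammer might send, constructed for the demo.
SAMPLE_MESSAGES = [
    ("school", "https://school.example/messages/42"),
    ("school", "https://school.example.alerts-notify.example/login"),
    ("bank", "https://bank-example-login.example/"),
    ("bank", "https://bank.example@notice.example/"),
    ("bank", "javascript:alert(1)"),
]


def _tokens(text):
    """Split a hostname into its words: 'bank-example-login.example' -> bank, example, login."""
    return set(re.split(r"[^a-z0-9]+", text.lower())) - {""}


def registrable_domain(host):
    """Simplified registrable domain: the last two labels, lower-cased (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_tokens(domain):
    """The words a lookalike will try to reuse: 'bank.example' -> {'bank'}."""
    return _tokens(domain.rsplit(".", 1)[0])


def check_link(url):
    """Return (verdict, action).

    Verdicts: known     - lands on a channel you already have
              lookalike - reuses a known brand word but is a different domain
              unknown   - no relation to any channel you have
              invalid   - not an http(s) link at all
    The action is always the same habit: reach the site on a channel you control.
    """
    try:
        parsed = urlparse(url)
    except ValueError:
        return "invalid", "Do not click. Reach the site by typing its name yourself."
    host = parsed.hostname  # hostname strips user@ tricks and :port
    if not host or parsed.scheme not in ("http", "https"):
        return "invalid", "Do not click. Reach the site by typing its name yourself."
    host = host.lower()
    domain = registrable_domain(host)
    if domain in KNOWN_CHANNELS:
        return "known", f"Matches {domain}; still prefer typing it into a fresh tab."
    host_words = _tokens(host)
    for known in sorted(KNOWN_CHANNELS):
        if brand_tokens(known) & host_words:
            return "lookalike", f"Host is {host}, not {known}. Open a fresh tab and type {known}."
    return "unknown", f"Host {host} is not a channel you have. Type the site's name yourself."


if __name__ == "__main__":
    for sender, link in SAMPLE_MESSAGES:
        verdict, action = check_link(link)
        print(f"[{sender:6}] {verdict:9} {link}\n         {action}")
```

The `bank.example@notice.example` case is the one worth pausing on: the text you see in the message says "bank.example", but the browser would connect to `notice.example`, because everything before the `@` is treated as a username. Looking at the message cannot catch that; resolving where the link actually goes can, and typing the name yourself sidesteps it entirely.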


Why this works when other things don't

You can't tell from listening whether a voice is real. The technology has gotten too good.

You can't tell from reading whether an email is real. The grammar is fine now, the logos are correct, the sender address looks right.

You can't tell from glancing at a website whether the certificate, the URL, and the login form are legitimate. They've gotten good at copying all three.

The only thing that still works is not relying on the thing the attacker controls.

The attacker controls the inbound call, the inbound email, the link in the message, the voice you're hearing. They don't control the phone book entry you've had for your daughter for ten years. They don't control your bank's actual website. They don't control the official app store.

Move yourself to a channel they don't control. That's the move.


Why this is going to keep mattering

Voice cloning was a research project two years ago. Now it's a $20 monthly subscription somewhere.

The Canvas breach is one of a dozen large breaches this year alone, and the data from each one is going to circulate for years.

The Axios attack is part of a pattern - North Korean and other state-aligned groups specifically going after the people who maintain the building blocks of the software you use every day. There will be another one of those this year. Probably more than one.

Better tools are not going to fix this. The signal you used to rely on - does it look real, does it sound real - is broken for good. The channel habit is what replaces it.


Tomorrow: the one-page family version

In Friday's newsletter I'm sending out a one-page printable that puts all of this on a single sheet. It's designed to live on the fridge or next to the phone - short enough that someone in a stressful moment can actually use it.

It's newsletter-only. If you're not on the list, this is the week to fix that.

And if you've spent this week reading these posts thinking I should really get a second set of eyes on my parents' setup — or your own — that's exactly the kind of thing a remote session is for. We can go through your accounts, your phone, and your family's habits in one sitting.
