For the past few years, a handful of glamorous, high-rolling scam artists who conned their way into elite society — making hundreds of thousands, millions, or even billions of dollars along the way — have captivated American media. People like Anna Delvey, New York City’s fake heiress; Elizabeth Holmes of Theranos; or Fyre Festival architect Billy McFarland fascinate us because they’re presented as lone, often freakishly charismatic masterminds — it’s why all three stories have become or are in the process of becoming major documentaries (or in the case of Fyre Festival, two dueling documentaries).

But that’s not how most people get scammed. The real way is far less sordid and more likely to actually happen to you: Robocalls, IRS fraud, and good old-fashioned stolen passwords are still some of the leading ways that Americans lost $16.8 billion to scams in 2017.

That’s according to a new book by Frank Abagnale, whose name you might remember being next to Leonardo DiCaprio’s when the actor played him in Catch Me If You Can. The 2002 Steven Spielberg film was based on Abagnale’s memoir of his time as a teenage con man in the 1960s. After serving five years in prison in the ’70s, he became a security consultant for the US government. He now works with the FBI.

In Scam Me If You Can, which was published on August 27, Abagnale tells the stories of catfished single people, social media identity theft, and fraudulent GoFundMe pages that swindled money and personal information from victims. Here, he chats about why you’re getting so many more robocalls, why the password must die, and how we’re currently living in the golden age of scams.

You’ve worked with the FBI for 43 years. What are the biggest changes you’ve seen among popular scams since then?

Crime is basically the same; the only thing that’s changed is today there are so many forms of communication and the ability to scam someone from thousands of miles away without ever really having personal contact with them.

In the old days the con man was a confidence man. He had to gain your confidence. He dressed well, he spoke well, he had a great vocabulary. He was a likable person and at the same time he was a human being, so he had a little emotion and a little compassion. He might’ve said, “I’m not going to take this old man for all his money. I’m just going to take a little of his money.”

Today you’re dealing with some guy who’s sitting in his pajamas on a laptop with a cup of coffee in his kitchen in Moscow. He never sees you. You never see him. He doesn’t know anything about the victim other than to victimize them. So all of that compassion has gone away and, unfortunately, they will take you for every penny you have.

Do scammers usually scam one person at a time or many at once?

When they do a romance scam, for example, which have doubled in the last couple of years, they basically have 12 or 15 people that they’re romance scamming. When doing the research for this book for five years, I found that millennials actually got scammed more than seniors, but seniors lost a lot more money because they have more money.

But anybody can be scammed. I can be scammed. Some of those romance scams start out as a sweepstakes scam and then the guy realizes I’ve got this older person on the phone, I can talk them into a romantic relationship.

Have you ever been scammed?

I’ve never been scammed, but I know I can be scammed. I do a podcast for AARP every Wednesday out of Washington, DC, called The Perfect Scam. People call in and we investigate the calls. I’ve had two former FBI directors who have long been retired. They’re in their 70s and 80s. They’ve been scammed. I had the editor-in-chief of Time magazine for 35 years, he had been scammed. But these people are nice enough to call and say, “Look, it happened to me. I fell for it.”

What I tell people what’s important is if you are scammed you have to tell somebody. What happens with seniors is they’re afraid to tell their loved ones because their daughter may say, “See Mom, you can’t handle your money. I need to take over your finances and your bank accounts.” And they take away their independence, so they never tell anybody, which just means the scam artist goes on to scam somebody else.

Why are you the best person to be giving this advice? Why is a former con man the best person to write this book?

A couple things here: This is my fifth book, and the four books prior to this had always been about crimes against governments, financial institutions, corporations, embezzlement, check forgery, cybercrime. This is the first time I’ve written a book about crimes against consumers, but it’s the same reason why I’ve given over 3,000 seminars out in the public sector over the last 40 years: because I am the guy who did it. I’m not the former policeman. I’m not the social worker. I’m not the detective. I’m the guy who actually did this, lived that life, and telling people from my point of view how these people work, how these crimes are committed.

What kind of scams have you seen kind of explode over the past 10 years in the era of social media and smartphones?

Well, first of all, identity theft. When we interview people who commit these crimes and ask them what’s the No. 1 source they go to when they steal someone’s identity, they say their Facebook page. I always tell people you never want to mention where you were born or your date of birth on your Facebook page. But on social media we tell people everything, and that’s why all these phishing emails work, why a lot of these romance scams work.

It’s very easy to manipulate the caller ID to say whatever you want it to say. Then they say, “We arrested your grandson. He got a DWI on the West Side Highway and was driving this vehicle, he didn’t want us to call his parents, he asked us to call you. If he doesn’t post bail in the next two hours he’ll have to spend the weekend in jail. You can give us a credit card over the phone and you can post his bail on your credit card.”

They went to social media because the grandson has a picture of his car, a picture of his girlfriend, his girlfriend’s name, and his parent’s name. The information is so exact that the people on the other end said, “This must be for real.”

At one point you say that obviously you should have two-factor authentication on your passwords, but that’s until passwords become irrelevant. What would replace passwords?

Back in the 1990s I started writing about passwords and I said that passwords were for tree houses and passwords were invented in 1964. I was 16 years old. Today I’m 71 years old and we’re still using passwords. When you look at all the breaches, all the problems with ransomware and malware, it all comes back to passwords. We absolutely have to rid the world of passwords.

Now the technology exists to identify people through their phone, their device. It’s great because now when you call the call center at your bank, they ask you all these security questions and on the call center screen are the answers to your social security number, your mother’s maiden name or all that. An individual could sell that information to someone else.

With the new technology, I call the bank and they say, “Mr. Abagnale, I’ve identified you by your incoming number. Would you press the bank app on your phone?” And I’ve pressed that and they say, “How can I help you?” They already know it’s me. They don’t have any data on their screen. They don’t have any personal security questions.

I think in the next two or three years you’ll start to see Aetna and some of the major airlines getting away from passwords, and certainly banks. It should’ve been done years ago.

You list a variety of ways that people make themselves vulnerable to scam artists. Do you think there’s one most important one?

In doing the research for this book over these five years, the one thing I recognized in going through all of these scams, at some point there were two red flags: Either I’m going to ask you for money and when I do, it’s immediate. “Go down to Walmart, get a Green Dot card, come back and read me the number on the back, or give me your credit card over the phone.”

Second, I’m going to ask you some information. “What’s your social security number? What’s your date of birth?” I may call and say I’m your bank and I’ll start out just talking to you. But at some point in the conversation I’m going to ask you for personal information, and that’s the red flag. When you see that red flag it’s time to hang up the phone and make sure you didn’t solicit that call. They called or emailed you. You need to verify that is who it’s supposed to be before you give them any information or give them any money.

There was a post that went viral a few weeks ago about how people in the grocery store were paying for the groceries of a person in front of them because they couldn’t afford it. Some people were like, “No, you got scammed.” And then other people were like, “Well, maybe that’s okay because it was a grocery bill and I’m glad I did it anyway.” Do you think being too vigilant about scams can breed mistrust in each other?

I don’t like breeding a society of skeptical people, but I do believe this skepticism is a virtue. If you make it easy for someone to steal from you, somebody will. It’s like when people ask me about charity; if I’ve never heard of the charity but I think it’s a good cause, I’ll call the state attorney general’s office and ask their consumer protection people or the Better Business Bureau, “Is this a legitimate charity?” It takes five minutes for me to do that, but I’d rather do that than part with my money and give it to some criminal.

If you were still scamming today, what scam would you get into?

I think if I was doing this today I would be finding a way to breach all the search engines because of stuff that people look up on Google and all that. I always look at crime with what would I do if I was going to do the next crime.

How would that even happen? I would like to think that Google is difficult to hack.

Everything is breachable. They told us that the cloud couldn’t be breached, but every breach occurs because somebody in that company did something they weren’t supposed to do. All it took was an employee at Amazon to be able to go up in the cloud and bring that information down. Nothing is foolproof. If you believe that you have a foolproof system, you have failed to take into consideration the creativity of fools.
