Why Does Gen Z Get Scammed? The Risks of Being Tech-Savvy – Interview with Oliver Sild
In today’s episode, we’re diving deep into the intricate world of website security. Joining us is Oliver Sild, cofounder of Patchstack, to break down a plethora of critical topics – from social engineering in cybercrime to the surprising vulnerability of Gen Z to online scams.
Gen Z shouldn’t be the easiest group to scam. They grew up online, move fast across platforms, and can configure apps in their sleep. And yet – young, highly online users are more likely to get conned than their grandparents. Why? Because the modern threat model is less “Hollywood hacker,” more “convincing stranger.”
We’ll explore how AI is both aiding and complicating cybersecurity, delve into the implications of the forthcoming Cyber Resilience Act, and discuss the issues around WordPress plugin security. Oliver will shed light on some persistent myths about website security, the ramifications of the Cyber Resilience Act for software developers, and the innovative ways Patchstack is leading the charge in vulnerability disclosure programs. We’ll also touch upon the stark realities of modern cybersecurity threats, from abandoned open-source libraries to the thriving underground market of cybercrime driven by financial motives. With Oliver sharing insightful examples and shedding light on regulatory shifts, get ready for an enlightening session that probes the future of digital security.
Gen Z Scam Risk: Why Tech-Savvy Users Get Tricked
“You would think it’s the grandmas who get scammed,” Oliver Sild says. “But it’s actually Gen Z – the youngest generation online. They are the most vulnerable because they use computers every day, they know exactly what to click, but they’re also naive.” He adds that many older people avoid scams precisely because they “don’t know what to click,” which slows them down and protects them.
Bottom line: Time online × speed × confidence = higher exposure. Educating Gen Z isn’t about explaining how the internet works – it’s training pattern recognition for malicious journeys that look just like normal ones.
Social Engineering Dominates: People Are the Weak Link
As Sild puts it, “Things that work, they don’t change until they don’t work anymore. And for that reason, a lot of crime on the Internet is powered by social engineering. It’s way easier to hack the person behind the keyboard than to hack the computer.” He explains that in most major hacking incidents, the human factor — an employee being convinced to share a 2FA code or click something unsafe — is the real entry point.
Actionable takeaways
- Normalize “pause and verify”: any request that changes data, money, or access should trigger a second channel (Slack → phone; email → ticket).
- Narrate adversary tactics in training (SIM swaps, OTP prompts, “urgent” payroll edits) so employees recognize the script in the wild.
- Track and reward “near misses” reported by staff. The goal is reflexes, not blame.
AI Supercharges Scams: Voice, Text, and “Trusted” Style
“One thing that AI does really well,” says Sild, “is mimic human speech, the voice, the text. You can basically make any kind of text look like it’s truthful.” That realism means scams are no longer easy to spot by typos or tone. AI tools give attackers human-like persuasion at scale, generating credible emails, DMs, or voice calls that sound like people you know.
What teams should do now
- Assume style-matched phishing will become the default. Replace “spot the typo” training with process-based defense: approvals, limits, and out-of-band checks.
- Expand “do-not-do” playbooks: e.g., “We will never ask for a 2FA code on chat” and “All vendor bank changes require a video-verified callback.”
- Add friction where it matters: delayed payouts for first-time payees, mandatory manager review for access changes, and flagging unusual authentication flows.
WordPress Reality Check: Plugin Bloat = Bigger Attack Surface
Sild points out that in many WordPress sites, “you have a lot more code coming from plugins than from the WordPress core.” The math adds up quickly: an average site might have 20 plugins, but some stretch into the hundreds. Every added package expands the attack surface — and the culprit is not WordPress core itself, but plugin sprawl.
Practical guardrails
- Inventory quarterly: list every plugin, its purpose, owner, last update, and alternatives.
- Adopt “one in, one out”: add a plugin only when you remove or retire another.
- Prefer popular, actively maintained plugins with transparent disclosure practices.
- Stage updates and roll out with monitoring to catch regressions or conflicts fast.
CRA in Focus: What the EU Law Changes for Software Teams
Discussing the upcoming Cyber Resilience Act, Sild compares it to GDPR. The fines are serious—either a percentage of your revenue or €15 million. The regulation aims to make security a mandatory part of every digital product, not just an optional best practice. It also defines clear responsibilities for developers and companies that release software onto the EU market, requiring them to maintain secure development and vulnerability management over the product’s entire lifecycle.
“Developers will start asking, ‘Hey, is your plugin CRA compliant?’ If not, they can’t use it.” —Oliver Sild
Oliver notes that the regulation formalizes secure development practices, affecting everyone from open-source contributors to large SaaS vendors.
What to prepare
- Define “manufacturer” status for your projects and map obligations.
- Create a vulnerability handling policy (intake → triage → patch → disclosure).
- Maintain a software bill of materials (SBOM) for plugins and dependencies so you can answer “are we affected?” quickly during incident response.
- Treat security as a product feature in sales/marketing. Compliance will become a buying criterion.
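The plugin inventory under “Practical guardrails” and the SBOM item above share one data source: the plugin list WP-CLI already prints. The following is an added example (not Patchstack’s code and not from the podcast) that parses the JSON `wp plugin list --format=json` emits, flags the rows a quarterly review should act on (inactive plugins, pending updates, plugins with no recorded owner), writes a minimal CycloneDX 1.4 SBOM, and shows the incident-response lookup the SBOM exists for. The sample WP-CLI output, the plugin names and versions, and the `OWNERS` register are all constructed for the example; the WP-CLI field names (`name`, `status`, `update`, `version`, `update_version`) are the ones the real command prints.

```python
import json

# Constructed sample of the JSON that `wp plugin list --format=json` prints.
# Plugin names and versions here are invented for the example.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "update_version": ""},
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.8", "update_version": "5.9"},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.7.2", "update_version": ""},
    {"name": "old-gallery", "status": "inactive", "update": "none",
     "version": "0.9", "update_version": ""},
])

# Hand-maintained ownership register (constructed). A plugin missing from it has
# nobody accountable for it, which the inventory should surface.
OWNERS = {
    "akismet": {"owner": "ops@example.invalid", "purpose": "comment spam filtering"},
    "contact-form-7": {"owner": "marketing@example.invalid", "purpose": "lead forms"},
}


def parse_plugin_list(raw_json: str) -> list[dict]:
    """Parse WP-CLI output, keeping only the fields the inventory needs."""
    wanted = ("name", "status", "update", "version", "update_version")
    return [{k: p.get(k, "") for k in wanted} for p in json.loads(raw_json)]


def inventory(plugins: list[dict], owners: dict) -> list[dict]:
    """One row per plugin with the findings a quarterly review should act on."""
    rows = []
    for p in plugins:
        findings = []
        if p["status"] == "inactive":
            findings.append("inactive: retire it or document why it stays")
        if p["update"] == "available":
            findings.append(f"update pending: {p['version']} -> {p['update_version']}")
        meta = owners.get(p["name"])
        if meta is None:
            findings.append("no owner or purpose recorded")
        rows.append({
            "name": p["name"],
            "version": p["version"],
            "status": p["status"],
            "owner": meta["owner"] if meta else None,
            "purpose": meta["purpose"] if meta else None,
            "findings": findings,
        })
    return rows


def to_cyclonedx(site_name: str, plugins: list[dict]) -> dict:
    """Minimal CycloneDX 1.4 SBOM: the site is the top-level component and each
    plugin a library component; activation status rides along as a property."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": site_name}},
        "components": [
            {
                "type": "library",
                "name": p["name"],
                "version": p["version"],
                "properties": [{"name": "wordpress:plugin-status", "value": p["status"]}],
            }
            for p in plugins
        ],
    }


def affected_by(sbom: dict, plugin_name: str, vulnerable_versions: set[str]) -> bool:
    """Incident-response question: does the SBOM list a vulnerable version of this plugin?"""
    return any(
        c["name"] == plugin_name and c["version"] in vulnerable_versions
        for c in sbom["components"]
    )


if __name__ == "__main__":
    plugins = parse_plugin_list(SAMPLE_WP_PLUGIN_LIST)
    for row in inventory(plugins, OWNERS):
        flag = "; ".join(row["findings"]) or "ok"
        print(f"{row['name']:<16} {row['version']:<7} {row['status']:<9} {flag}")
    sbom = to_cyclonedx("example-site", plugins)
    print(json.dumps(sbom, indent=2))
    # A constructed advisory naming contact-form-7 5.8: one lookup answers "are we affected?"
    print("contact-form-7 affected:", affected_by(sbom, "contact-form-7", {"5.8"}))
```

In practice you would pipe real WP-CLI output into `parse_plugin_list` and commit the generated SBOM next to each release, so the `affected_by` question can be answered from version control rather than by logging into every site. WP-CLI does not report a plugin’s last-release date, so the “last update” column of the inventory still has to come from the plugin directory or your own changelog.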
Patchstack’s Moves: Compliance Tools for Plugin Makers
Sild reveals that Patchstack is “in the final testing phase of releasing a free platform for plugin developers to make them compliant with the Cyber Resilience Act.” Supported by EU R&D funding and new investment led by Karma VC and German cybersecurity investors, Patchstack is building what he calls “a Vanta for plugin makers”—a simple way to automate compliance. The Yoast founders have joined as angels and board advisors to strengthen the WordPress connection.
Why this matters for teams
- Expect more standardized ways to prove you handle security and disclosures well.
- CRA-readiness becomes a competitive edge for plugin and SaaS vendors.
The Underground Economy: Crime Follows the Money
“Most of the large-scale hacking incidents you hear about,” says Sild, “include social engineering. It’s just so much easier to hack people compared to hacking computers.” Cybercrime, he stresses, isn’t ideological—it’s commercial. Attackers optimize for ROI. Tricking someone is faster and cheaper than exploiting software.
Translating this into your roadmap
- Invest in response speed as much as prevention—assume attackers will eventually make contact with your people.
- Bake security into daily workflows (approvals, alerts, runbooks) so the “right thing” is the easy thing.
- Put budget into the boring basics that actually work: MFA, logs, patching cadence, least privilege, and dependency hygiene.
Full conversation with Oliver Sild
Want to hear the full conversation with Oliver Sild? Check out the latest 🎙️ Osom to Know podcast.
You can also watch us on our YouTube – don’t forget to hit subscribe! 📩
We specialize in custom websites that are secure and optimized. If you need help with your web service or online store, reach out to us.