In the past, scams were often easy to spot: suspicious messages with poor grammar, or random strangers asking for money. Today things are very different, because scams evolve.
Modern scammers use psychology, social engineering, AI-generated voices and videos, fake phone systems, and carefully planned trust-building strategies. Even smart, experienced people are being tricked and losing tens or even hundreds of thousands of dollars.
This article breaks down several advanced scam techniques that are becoming increasingly common, and more importantly, how you can defend yourself and your family.
1. AI Voice & Video Impersonation Scams
One of the most dangerous new scam trends involves AI-generated faces and voices. Imagine receiving a message from a relative asking to borrow money urgently for surgery. Naturally, you become suspicious and decide to verify it with a video call. But during the call:
You clearly see their face
You hear their voice
They speak naturally
They say they need the money to save a life.
Everything looks real. Except it isn’t. Because of social networks and how carelessly people use them, scammers can now:
Collect photos and videos from social media
Generate realistic facial movements from collected photos
Clone the person’s voice from the audio in those videos
Create short fake video calls or deepfake clips from the AI-generated images and audio
This is possible because modern AI systems can now copy not only facial expressions but also eye movement, head pose, emotional tone of voice and conversational timing.
Warning signs
A major limitation of AI-generated content is latency. If a conversation lags by more than 300–500 ms, people start to feel that something is “off”. That is why “real-time” video calls from scammers are usually:
Very short, with excuses to avoid longer interaction: this happens regularly because the scammer cannot predict what you will ask and there is not enough time to generate the fake video.
Low resolution: if scammers do attempt a long video call and rely on AI to generate deepfake video and audio in real time, they need a very powerful computer. Lowering the resolution is one way to reduce the lag and the “off” feeling.
Delayed audio synchronization and awkward facial movement: although AI can clone a person’s voice and facial expressions, the processing takes time, so you may notice a delay in their responses.
In some cases, tiny details reveal the truth, such as outdated clothing, old work uniforms, or backgrounds that don’t match reality.
How to protect yourself
Never trust a video call in which someone asks to borrow money.
Call the person back on their phone number, not through a social network video call.
Ask unexpected questions only the real person would know.
AI impersonation technology is improving rapidly. Verification habits must improve too.
2. Relationship-Based Business Scams
Some scams are no longer random attacks. They are long-term psychological operations.
The setup
A scammer spends weeks or months building trust with someone online by:
Buying products normally
Chatting regularly
Interacting professionally
Acting friendly and reliable
Eventually, they ask for a business introduction. For example:
“I’m looking for computer equipment suppliers.”
“Can you introduce me to someone trustworthy?”
“We have a large government or school contract.”
Because the relationship already feels genuine, the referral happens naturally.
The trap
The scammer then approaches the referred person with a seemingly legitimate business deal:
Large purchase orders
Attractive profit margins
Familiar references
Official-looking invoices
Corporate or government claims
After negotiations, the scammer introduces a “secondary supplier” or “special product batch” that requires advance payment. The victim may transfer money because they believe that:
The deal is legitimate
The introduction came from a trusted person
The final customer exists
Then, after receiving the money, the scammer disappears.
Why this scam is so effective
This attack exploits:
Trust between family members
Professional reputation
Fear of missing business opportunities
Emotional pressure from “special deals”
Greed mixed with familiarity
This scam is carefully calculated so that every step feels reasonable.
How to protect yourself
Never rely solely on personal referrals
Verify companies independently
Refuse unusual invoice-merging requests
Be suspicious of advance payments to third parties
Confirm contracts through official business channels
Slow down when large profits appear “too easy”
Professional scammers are patient. They may spend months preparing a single attack.
3. Fake Government & Military Procurement Scams
A similar scam targets small business owners.
Typical scenario
Scammers pretend to represent military departments, government agencies, schools, hospitals, or large organizations. They contact vendors claiming they need bulk purchases of items such as office supplies, furniture, electronics, plastic chairs or construction materials. The order appears legitimate and valuable. Then the scammer says:
“We also need another product that you don’t sell. We found another supplier already. Can you help combine the invoice?”
Soon afterward:
A fake supplier contacts the victim
Payment is requested upfront
The victim transfers money
Then everyone disappears
Why victims fall for it
Because:
The “customer” sounds official
The order size feels realistic
The opportunity seems profitable
The victim expects reimbursement later
This psychological manipulation is extremely effective.
Defense strategy
Government organizations rarely operate through informal personal arrangements
Never pay suppliers on behalf of customers without independent verification
Verify procurement requests using official government contact channels
Be suspicious of invoice manipulation requests
4. Caller ID Spoofing & Fake Support Calls
One of the scariest modern scams involves fake phone numbers and spoofed caller IDs.
What is caller ID spoofing?
Scammers with technical skills can manipulate what appears on your phone screen. You may receive a call that appears to come from your bank, the police, tax authorities, telecom providers or government agencies. But the displayed number or name is fake.
How they do it
Modern calling systems based on VoIP (Voice over Internet Protocol) allow attackers to manipulate caller information. Combined with more sophisticated attacks such as fake BTS systems, the scam can look extremely convincing.
Common scam scenarios
The caller claims:
Your bank account was hacked
Your identity is under investigation
Your SIM card will be disabled
Your tax records need updating
Suspicious transactions were detected
Then they pressure you into:
Sharing OTP codes
Installing apps
Clicking links
Sending money
Changing passwords
The golden rules
Never share OTP codes: No legitimate bank or authority should ever ask for your verification code over the phone.
Hang up and call back manually: if someone claims to represent an organization, end the call, visit the official website, and call the publicly listed number yourself.
Never trust incoming caller IDs alone.
Modern scams are no longer based on technical hacking alone. They rely heavily on emotional manipulation and social engineering. Scammers understand human psychology surprisingly well. Often, victims are not careless or unintelligent; they are simply manipulated under pressure.
Scams are evolving faster than ever. Artificial intelligence, voice cloning, deepfakes, caller ID spoofing, and long-term trust manipulation are making fraud far more convincing than the traditional scams of the past. The most important defense today is not technology; it is awareness. A few extra minutes spent verifying information can prevent devastating financial losses. Stay skeptical. Stay informed. And most importantly, help educate the people around you, especially older family members who may be more vulnerable to these increasingly sophisticated attacks.
If you receive OTPs via SMS for bank transfers, logins, or password resets, you must read this. This is a realistic attack that has happened in real life in many countries, and cybercriminals have stolen a lot of money with this trick. The potential victims are people who live in countries that still operate 2G mobile networks, use old phones with 2G network mode enabled by default, and have plenty worth stealing.
1. What is a 2G mobile network?
2G (second generation) is one of the earliest digital mobile network technologies, introduced in the 1990s. Unlike the old analog 1G systems, 2G transmitted voice calls digitally, making communication clearer and more secure than 1G. 2G was designed mainly for voice calls, SMS text messages and very slow mobile internet (GPRS / EDGE).
Compared to modern networks today such as 4G and 5G, 2G has extremely limited bandwidth and weak security protections. Many security mechanisms used by 2G were created decades ago and are now considered outdated.
Why 2G Still Exists
Even today, many telecom providers still keep 2G active because:
Old feature phones still depend on it
Some IoT devices use it
Rural areas may rely on legacy infrastructure
Emergency fallback compatibility
However, this backward compatibility also creates a serious security problem.
2. What Is a Base Transceiver Station (BTS)?
A Base Transceiver Station (BTS) is the radio communication equipment that connects mobile phones to a cellular network. In simple terms, a BTS is the “cell tower” your phone talks to when you:
make calls
send SMS
use mobile data
register with the network
Every time your phone shows signal bars, it means your device is communicating with a nearby BTS.
MS — Mobile Station
The Mobile Station is the physical mobile phone, plus the SIM card identity inside it. Each MS has identifiers such as:
IMSI (International Mobile Subscriber Identity)
IMEI (device identifier)
These identifiers are important and fake BTS attacks often try to capture them.
BTS — Base Transceiver Station
The BTS acts as the bridge between your phone and the telecom core network. Its responsibilities include:
transmitting radio signals
receiving signals from phones
managing communication channels
broadcasting network information
forwarding traffic to the carrier network
A BTS usually covers a geographic area called a “cell.” When you move around, your phone constantly switches between BTS towers through a process called handover, or roaming.
How MS and BTS Communicate
The communication between the phone and the BTS happens over radio frequencies using GSM protocols. The basic flow is as follows:
Phone searches for nearby BTS signals
BTS broadcasts network identity information
Phone selects the strongest or preferred tower
Phone registers itself to the network
BTS assigns communication channels
Voice/SMS/data traffic begins
In 2G GSM, the BTS continuously broadcasts:
MCC (country code)
MNC (carrier code)
Cell ID
supported encryption modes
The problem is that early GSM protocols were designed with a dangerous assumption: the phone trusts the BTS automatically. This is the core weakness exploited by fake BTS devices.
3. The Security Problem in 2G GSM
In modern 4G/5G systems, both sides, BTS and MS, authenticate each other. But in classic 2G GSM:
The network authenticates the user
The user does NOT authenticate the network
That means:
A fake tower can pretend to be a legitimate carrier
Nearby phones may connect automatically
Users often receive no warning
Attackers exploit this weakness by broadcasting a stronger signal than legitimate towers. Once the phone connects, the rogue BTS can:
Request IMSI identifiers: this means the attacker can learn your phone number without asking.
Downgrade connections from 4G to 2G for weaker encryption: this means the attacker can read your SMS.
Intercept SMS: this means the attacker can even impersonate you and send SMS to your friends under your name.
Send phishing messages: the attacker can impersonate other legitimate phone numbers, for example your boss’s number, to send you a link and ask you to enter your passwords.
This is the fundamental mechanism behind IMSI Catchers and Fake BTS attacks.
4. What Is a Fake BTS (IMSI Catcher)?
Mobile phones are designed to automatically search for the “best” available cellular signal. In GSM/2G networks, your phone usually prefers to connect to the BTS tower with the stronger signal. Attackers exploit this behavior by broadcasting:
Stronger signals than nearby legitimate towers
Copied carrier information
Attractive network parameters
To the phone, the fake BTS appears to be a normal carrier tower. Because classic GSM lacks proper network authentication, the device may connect automatically without warning the user.
IMSI stands for: International Mobile Subscriber Identity. It is a unique identifier stored inside the SIM card. An IMSI Catcher is named after its ability to trick phones into revealing this identifier. Once attackers collect IMSI numbers, they can:
Identify devices
Track movement
Target specific users
This is one of the first steps in many surveillance-oriented attacks.
5. Attack Setup (High-Level, No Harmful Instructions)
A simplified fake BTS attack flow is as follows:
The attacker activates rogue BTS equipment acting as a fake tower
The fake tower advertises itself as a legitimate carrier
Nearby phones detect the strong signal
Devices connect automatically to the tower with the stronger signal
The fake BTS then requests device identifiers and controls the communication process.
Depending on the attacker’s purpose, the fake tower can:
Downgrade your phone from 4G to 2G: the most common technique when the goal is stealing OTPs.
Disable encryption: so the attacker can read SMS content, which may contain OTP codes.
Forward traffic to the real network: the so-called man-in-the-middle attack, where the attacker keeps you communicating normally but can eavesdrop on everything.
Inject phishing SMS messages: you can receive an SMS that appears to come from a friend’s number, but is actually delivered by the fake BTS tower; your phone just displays it.
Below is a fake BTS confiscated in public by police while carrying out the attack described above:
6. How to defend
Symptoms of a Possible Fake BTS Attack
Detecting a Fake BTS in real life is extremely difficult. Modern rogue base stations are designed to look almost identical to legitimate carrier towers, and most smartphones provide very little visibility into low-level cellular behavior. Still, there are several warning signs that may indicate suspicious activity.
Sudden Drop to 2G or “E” Signal
One of the most common indicators is your phone suddenly falling back from 4G/5G to 2G, commonly shown as the icon “E” instead of “4G” in the top-right corner of the screen. Attackers often force devices onto 2G because:
GSM security is weaker
Phones trust the network more easily
Encryption protections are easily cracked
A downgrade becomes more suspicious when 4G/5G coverage is normally strong in the area, the signal change happens unexpectedly, and multiple nearby devices behave similarly.
Weak or Missing Encryption Indicator
In classic GSM networks, the BTS controls whether encryption is enabled. A rogue BTS can force weaker encryption, or request no encryption at all. Historically, some phones displayed warnings such as “unencrypted network” or “ciphering disabled”. But today, most smartphones hide these low-level network details, so users rarely receive visible warnings. As a result, users may have no obvious indication that something suspicious is happening.
Reality: Detection Is Extremely Difficult
The uncomfortable reality is: Most users cannot reliably detect a Fake BTS attack. Reasons include:
Users do not understand how phone calls and SMS work at the technical level.
Smartphones show very little radio diagnostic information.
Rogue towers can imitate legitimate carrier behavior.
Even cybersecurity professionals often require specialized equipment to investigate suspicious cellular activity. Advanced detection may involve SDR (Software Defined Radio) analysis, baseband monitoring tools and carrier database comparisons. But ordinary users typically have no easy way to confirm whether a nearby tower is genuine. That is one reason fake BTS attacks remain effective even decades after GSM was introduced.
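The warning signs above (an unexpected 4G-to-2G downgrade, a suddenly much louder cell, weak or disabled GSM ciphering, a serving cell missing from the carrier database) can be turned into simple detection rules. The following is an added example, not the article's own code; it assumes a phone diagnostic mode or baseband-monitoring tool exports periodic serving-cell snapshots with the fields shown, and both the snapshots and the carrier's known-cell list are constructed for illustration.

```python
"""Heuristics for flagging a possible rogue (fake) BTS from cellular telemetry.

Added example, not the article's own code. It assumes a phone diagnostic mode or a
baseband-monitoring tool exports periodic snapshots of the serving cell with the
fields below; the snapshots and the carrier's list of known cells are constructed
here for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellSnapshot:
    t: int           # seconds since monitoring started
    rat: str         # radio access technology: "LTE", "NR" or "GSM"
    mcc: str         # mobile country code broadcast by the cell
    mnc: str         # mobile network code (carrier)
    lac: int         # location / tracking area code
    cell_id: int
    signal_dbm: int  # received signal strength; higher (less negative) is stronger
    ciphering: str   # e.g. "EEA2" (LTE), "A5/3", "A5/1", "A5/0" (no ciphering)


# GSM ciphers a rogue tower would push: A5/0 is none, A5/1 and A5/2 are broken.
WEAK_OR_NO_CIPHER = {"A5/0", "A5/1", "A5/2"}
STRONG_LTE_DBM = -95   # LTE at or above this means "coverage is normally strong here"
SIGNAL_JUMP_DB = 20    # a new cell this much louder than the last one is unusual


def cell_key(s):
    """Identity of the serving cell, as used in a carrier cell database."""
    return (s.mcc, s.mnc, s.lac, s.cell_id)


def analyse(snapshots, known_cells):
    """Return a list of (t, reason) findings for chronological snapshots.

    Mirrors the article's warning signs: a 4G->2G downgrade while 4G was strong,
    a sudden much-louder cell, weak or disabled GSM ciphering, and a serving cell
    absent from the carrier database.
    """
    findings = []
    prev = None
    for s in snapshots:
        changed = prev is None or cell_key(prev) != cell_key(s)
        if changed and cell_key(s) not in known_cells:
            findings.append((s.t, f"serving cell {cell_key(s)} not in carrier database"))
        if changed and prev is not None:
            if prev.rat in ("LTE", "NR") and s.rat == "GSM" and prev.signal_dbm >= STRONG_LTE_DBM:
                findings.append((s.t, f"downgrade {prev.rat}->GSM despite {prev.signal_dbm} dBm {prev.rat} signal"))
            jump = s.signal_dbm - prev.signal_dbm
            if jump >= SIGNAL_JUMP_DB:
                findings.append((s.t, f"new cell is {jump} dB louder than the previous one"))
        # Report ciphering once per cell (or when it changes), not on every snapshot.
        if s.rat == "GSM" and s.ciphering in WEAK_OR_NO_CIPHER and (changed or prev.ciphering != s.ciphering):
            findings.append((s.t, f"GSM ciphering is {s.ciphering}"))
        prev = s
    return findings


def verdict(findings):
    """Two or more independent signs at the same moment are worth acting on."""
    by_time = {}
    for t, _ in findings:
        by_time[t] = by_time.get(t, 0) + 1
    return "suspicious" if any(n >= 2 for n in by_time.values()) else "normal"


# Constructed sample: a normal LTE handover, then a loud unknown GSM cell with no
# ciphering appears for a minute, then the phone returns to its usual LTE cell.
KNOWN_CELLS = {("310", "260", 1234, 5001), ("310", "260", 1234, 5002)}
SAMPLE = [
    CellSnapshot(0, "LTE", "310", "260", 1234, 5001, -85, "EEA2"),
    CellSnapshot(30, "LTE", "310", "260", 1234, 5002, -88, "EEA2"),
    CellSnapshot(60, "GSM", "310", "260", 9999, 777, -55, "A5/0"),
    CellSnapshot(90, "GSM", "310", "260", 9999, 777, -56, "A5/0"),
    CellSnapshot(120, "LTE", "310", "260", 1234, 5001, -86, "EEA2"),
]

if __name__ == "__main__":
    found = analyse(SAMPLE, KNOWN_CELLS)
    for t, reason in found:
        print(f"t={t:>4}s  {reason}")
    print("verdict:", verdict(found))
```

On the constructed sample every rule fires at the 60-second snapshot, while the ordinary handover at 30 seconds produces nothing.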
Mitigation Strategies
Because detecting a fake BTS is unreliable, the reliable option is to stay away from OTPs sent via SMS. Using an authenticator app such as Google Authenticator or Authy for OTPs is highly recommended. Beyond that, disable 2G on your phone if it still supports it. Most of today’s phones disable 2G by default, so if you are using an older phone, search for how to disable 2G on your model. Last but not least, avoid logging in, resetting passwords, or making bank transfers on public networks; only do these in places you trust.
Today, everyone has a smartphone, from children to elders. Smartphones contain a bunch of applications that increase productivity in real life. People today may spend more time with their smartphones than with other humans. Smartphones have become a part of life, an accessory, and perhaps everyone’s keeper of secrets. People put almost everything in their phone, from photos and identity documents to bank accounts. This habit makes smartphones a top-priority target for hackers in hacking campaigns, to steal secrets or simply money. These campaigns usually exploit users’ low awareness or low knowledge of mobile app security. Android and iOS, by default, provide many mechanisms to protect users from getting hacked, but the weakest point in the system is always human psychology. “Amateurs hack machines, professionals hack people.” If you are afraid of being hacked, this post is for you. Hopefully it can arm your mind to defend against one of the highest risk factors of the Internet era: cybercriminals.
Most cybersecurity incidents (getting hacked) known to the public begin with a very non-technical step that can be performed by anyone, called social engineering. Social engineering is a type of manipulation where someone tricks people into giving away sensitive information, access, or money by exploiting human psychology rather than hacking systems. To steal data from your phone, 99% of the time, hackers need to trick you into installing a malicious application. Malicious applications, once installed, silently steal data and send it back to the hackers. So, just by knowing which apps can be malicious, you are already 99% safe. The remaining 1% involves zero-day exploitation, which is real hacking and requires top-notch hacking knowledge and skills, but will not be covered in this post. To understand more about zero-day exploitation, you can subscribe here and the-tech-lead.com will inform you when an article is available.
Now back to how to know if a mobile app is malicious!
1. Double Attention on download source
As a golden rule for mobile applications, only download from the trusted stores, which are the Play Store and the App Store. The Play Store and App Store are pre-installed on every Android and iOS smartphone. For any application, only download from the Play Store app (for Android phones such as Samsung, Pixel, Nexus, etc.) and the App Store app (for iPhones). Do NOT install any application from outside these two official stores, regardless of the reason, the urgency, or who tells you to.
In the Android world, mobile applications are written in Java and Kotlin and exported as APK files (files with the extension .apk). The .apk file is then signed with the digital signature of its owner, who registered as a developer on the Play Store with their legal information. This process is essential because it tells who is actually behind an application, and if we have evidence of any malicious activity, we know whom to sue. The information on who developed a given application can be found in the “App Support” section under its logo.
APK files can be installed directly on an Android phone with the user’s explicit consent. Users can tap an .apk file stored on their phone (inside the Download folder or the Documents folder, for example), and a popup appears asking for installation permission. If the user grants it, the .apk is installed. This process is usually meant for developers to test applications before submitting them to the Play Store. For regular users, this process is an absolute indicator of a malicious application. So if someone, for any reason, tells you to perform these steps manually, don’t trust them and report them to the police as soon as possible. The typical trick flow is as follows:
You are on a social network such as Facebook and see a post saying that if you install an application you get a free 1000 USD reward for being an early user.
You click the download link, and your phone downloads the file into the Download folder.
You follow the “installation guide” written next to the download link, which tells you to open the Settings app, enable “install apps from unknown sources”, then open the Download folder and tap the APK file.
Your Android phone shows a popup warning that the APK is from an unknown source, but according to the guide, you just press Accept.
Then the malicious APK is installed and steals your data.
Similarly, in the iPhone world, iOS applications are written in Swift and Objective-C and exported as .ipa files. IPA files can be installed via the App Store or through developer tools like Xcode. Usually, we can’t freely install IPA files unless the app is signed with a valid certificate or the iPhone is registered for development. But there is still a trick hackers use to get users to install malicious IPA files: TestFlight abuse. TestFlight is Apple’s official tool for distributing beta (testing) versions of iOS apps before they go public on the App Store. Developers use it to invite testers, collect feedback and fix bugs before release. TestFlight is legitimate, but it can be abused in social engineering attacks. The typical trick flow is as follows:
Someone impersonating a bank employee calls you, states your exact name and address, and says “Your bank account is at legal risk due to a transfer from a criminal gang” or “The police are screening your account because they think you are laundering money”, in an urgent, serious and slightly threatening tone.
Then they send you a link to install their “internal” iOS app to prove that you are innocent.
You tap the link, and your iPhone redirects you to the TestFlight app, because it is a TestFlight invitation link and your iPhone does not have TestFlight installed.
Then you are told to tap the link again; this time the fake application is installed on your iPhone via TestFlight.
The fake app looks identical to the bank’s official application, so you have no doubts.
But the app then steals data from your iPhone, or tricks you into entering your username, password, and even OTP and CVV numbers.
2. Make sense of app permissions
When users are smart enough to no longer install apps from untrusted sources, hackers may use level 2 of malice: camouflage. The typical hacking plan is as follows:
This time, hackers develop or purchase the source code of a normal mobile application and publish it via the Play Store and App Store as usual.
Because it is normal, the Play Store and App Store accept it and make it available.
Then the hacker sends updates for the normal application, with new features requiring system permissions such as: read contact list, read call logs, read gallery, read GPS, etc.
Hackers advertise the app with awesome features promising outstanding results, exactly what some users need.
Then, out of curiosity, users install the app from the Play Store or App Store, depending on their phone OS.
The app requires the user to grant quite a lot of permissions, but users usually don’t care and don’t understand, so they just accept.
Then the app steals call logs, photos, location data, etc. from the phone, thanks to the user’s consent.
Both Android and iOS have default safeguards to protect the user’s privacy. By default, no application can access sensitive data on the smartphone. For example, if an application wants to read photos, the developer making that application must register the “Access Gallery” permission. Then, whenever the application wants to use this permission, the operating system (Android / iOS) displays a message asking the user to grant it. Once granted, the application can see the photos on the phone. Similarly, other sensitive information such as call logs, GPS, and much more also requires the user to grant permission before the app can actually read the data. To know which permissions an application wants, we can check directly on the Play Store for Android apps and on the App Store for iOS apps.
How to check Permissions of Android application
Before installing:
Open the app page on the Google Play Store
Scroll down to “App info” → “Permissions”
Tap “See more” to view full details
Check what the app can access:
Location
Contacts
Storage
Microphone, etc.
After installing:
Go to Settings → Privacy → Permission Manager
Select a permission (e.g. Location)
See which apps are using it
You can:
Allow
Allow only while using
Deny
👉 Tip: Android also shows permissions during first use, so don’t just tap “Allow” automatically.
How to check Permissions of iOS application
Before installing:
Open the app page on the App Store
Scroll to “App Privacy” section
Review what data the app may collect:
Location
Contacts
Identifiers
Usage data
etc …
After installing:
Go to Settings → Privacy & Security
Tap a category (e.g. Location, Photos, Microphone)
Select the app
Choose access level:
Never
Ask Next Time
While Using
Always (for location)
Review these permissions carefully. Anticipate which features need them. If there are too many permissions compared to the expected features, it is a red flag.
Here’s a practical mapping of common Android and iOS permissions you’ll see on the Google Play Store and App Store, and the features that legitimately use them. This helps you judge whether a request makes sense.
High risk: apps that can control the screen or read your inputs are commonly abused in scams. Recommendation: NEVER download them.
iOS Permissions & Legit Features That Use Them

| Permission | iOS Permission Name / Key | Common Legit Features | Suspicious If… |
|---|---|---|---|
| Contacts | Contacts (NSContactsUsageDescription) | Messaging, contact sync, invite friends | Game or simple app requests it |
| Location (GPS) | Location (NSLocationWhenInUse / Always) | Maps, ride-hailing, delivery, weather | App doesn’t need location |
| Photos / Media | Photos (NSPhotoLibraryUsageDescription) | Upload images, editing apps | App doesn’t use images/files |
| Camera | Camera (NSCameraUsageDescription) | Photos, video calls, QR scanning | No camera-related feature |
| Microphone | Microphone (NSMicrophoneUsageDescription) | Voice calls, recording, voice input | No audio-related feature |
| Bluetooth | Bluetooth (NSBluetoothAlwaysUsageDescription) | IoT devices, wearables, accessories | App has no hardware/device interaction |
| Notifications | Notifications (UNUserNotificationCenter) | Alerts, messages, reminders | Spammy or excessive notifications |
| Tracking | App Tracking Transparency (ATT) | Ads personalization, analytics | App unrelated to ads asks for tracking |
| Local Network | Local Network (NSLocalNetworkUsageDescription) | Smart home, device discovery | No local device interaction |
| Motion / Fitness | Motion (NSMotionUsageDescription) | Fitness apps, step tracking | App unrelated to activity tracking |
Simple rule to evaluate permissions
When you are considering installing a new mobile application:
Anticipate what functions the app may have,
Check the permissions the app requires,
Then ask yourself: “Does this feature really need this permission?”
If there are permissions that do not align with the expected functions:
Slow down; don’t rush to install, whatever the reason.
Find alternative applications and compare their permissions.
If you are not sure but still want to check the app, use an emulator to test it first. Emulators are virtual smartphones and can be created with tools such as Genymotion, VirtualBox and a few others. An emulator is an isolated environment and does not contain your data.
If you know any experts in the cybersecurity field, ask them for advice.
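The "does this feature really need this permission?" rule, together with the never-install class (screen control, input reading, SMS access) noted above, can be applied mechanically to an app you are testing in an emulator. The following is an added example, not the article's own code; it assumes you have the app's AndroidManifest.xml, and the manifest, the package name and the permission-to-feature mapping are constructed for illustration.

```python
"""Check whether an Android app's requested permissions match its advertised features.

Added example, not the article's own code. It assumes you have the app's
AndroidManifest.xml (for instance from an APK you are trying out in an emulator);
the manifest below is constructed for a hypothetical flashlight app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> features that legitimately need it (same idea as the article's table;
# the feature names are this example's own vocabulary).
LEGIT_FEATURES = {
    "android.permission.READ_CONTACTS": {"messaging", "contact sync", "invite friends"},
    "android.permission.ACCESS_FINE_LOCATION": {"maps", "ride-hailing", "delivery", "weather"},
    "android.permission.ACCESS_COARSE_LOCATION": {"maps", "ride-hailing", "delivery", "weather"},
    "android.permission.CAMERA": {"photos", "video calls", "qr scanning", "flashlight"},  # older torch APIs
    "android.permission.RECORD_AUDIO": {"voice calls", "recording", "voice input"},
    "android.permission.BLUETOOTH_CONNECT": {"iot devices", "wearables", "accessories"},
    "android.permission.READ_MEDIA_IMAGES": {"upload images", "photo editing"},
}

# Permissions that let an app watch or drive the screen, or read OTP SMS: the
# "never install" class, whatever the app claims to do.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (fake login overlays)",
    "android.permission.READ_SMS": "read stored SMS, including OTP codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS, including OTP codes",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: read screen content and inject taps",
}


def requested_permissions(manifest_xml):
    """Collect <uses-permission> names plus the binding permission of any declared service.

    An accessibility service is not a <uses-permission>; it shows up as a <service>
    protected by BIND_ACCESSIBILITY_SERVICE, so both places are inspected.
    """
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms |= {svc.get(ANDROID_NS + "permission") for svc in root.iter("service")}
    return {p for p in perms if p}


def evaluate(manifest_xml, expected_features):
    """Return (high_risk, unexplained).

    high_risk:   {permission: why it is dangerous} for the never-install class
    unexplained: permissions that none of the expected features account for
    """
    features = {f.lower() for f in expected_features}
    high_risk, unexplained = {}, set()
    for p in requested_permissions(manifest_xml):
        if p in HIGH_RISK:
            high_risk[p] = HIGH_RISK[p]
        elif not (LEGIT_FEATURES.get(p, set()) & features):
            unexplained.add(p)
    return high_risk, unexplained


def verdict(manifest_xml, expected_features):
    high_risk, unexplained = evaluate(manifest_xml, expected_features)
    if high_risk:
        return "do not install"
    if unexplained:
        return "suspicious"
    return "plausible"


# Constructed manifest: a "flashlight" app that also wants contacts, SMS, overlay
# drawing and an accessibility service (package name is made up).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    risky, odd = evaluate(MANIFEST, {"flashlight"})
    for p, why in risky.items():
        print(f"HIGH RISK   {p}: {why}")
    for p in odd:
        print(f"UNEXPLAINED {p}")
    print("verdict:", verdict(MANIFEST, {"flashlight"}))
```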
3. Monitor phone’s performance
Welcome to level 3 of malice: zero-day exploitation
Thanks to the strict review processes of the App Store and Play Store, most malicious mobile apps are banned. But optimism is not a recommended trait in the cybersecurity field. Zero-days are vulnerabilities unknown to the public, even among experts, and in fact they are weaponized by many governments as a national asset.
Android and iOS are themselves software. Software can have bugs and security holes. These vulnerabilities are actively hunted by experts in the cybersecurity industry, sponsored by governments. Once a zero-day is discovered, it becomes a secret weapon for cybercriminal groups to attack or infiltrate systems all over the world. Mobile apps are not immune. If there are vulnerabilities in the operating system, here Android or iOS, they will be the target of level 3 of malice.
Although it is rare, it is still a case for us, regular users, to keep an eye on. After installing an application from the Google Play Store or App Store, pay attention to device performance:
whether it gets slower,
or hotter,
or lags,
or shows any abnormal behavior.
Vulnerabilities come in many forms, and it is hard to explain them in a single post, but many of them create a lot of workload on the device while attempting the exploit, so the phone may become slower, hotter, or laggy.
Example: a well-known Spyware
One of the most well-known cases of this level 3 of malice involves commercial spyware: Pegasus, developed by NSO Group. This spyware has successfully stolen sensitive data from users’ phones, often without any visible permission prompts. The trick flow is as follows:
NSO Group delivers Pegasus via an app or a link. The target user receives a message that tricks them into installing the app. The app looks absolutely normal since it requires minimal permissions.
Once installed, a hidden zero-day exploit triggers. The app, or content inside it, exploits an unknown vulnerability in Android.
Privilege escalation: the exploit gains deeper system access than normal apps should have and bypasses Android’s sandbox protections.
Silent data access: NSO Group can then access messages, camera / microphone and location without the user’s awareness.
These attacks are extremely expensive and used for targeted surveillance, not mass scams. Once the exploit method is discovered, it can be quickly patched by the developers behind the Android and iOS systems. But the problem is that it is really hard to discover.
There isn’t just one single CVE for Pegasus. It has used multiple zero-day vulnerabilities over time, often chaining several together. Here are some of the most well-known ones:
Notable CVEs linked to Pegasus campaigns
1. FORCEDENTRY exploit chain (2021)
CVE-2021-30860
Affected: iOS (Apple devices)
Type: CoreGraphics / PDF parsing vulnerability
What it did:
Delivered via iMessage (no user interaction needed)
Exploited how the system processed malicious image/PDF data
Led to full device compromise
👉 This was one of the most advanced zero-click exploits ever discovered
2. WhatsApp exploit (2019)
CVE-2019-3568
Affected: WhatsApp on Android & iOS
Type: buffer overflow in VoIP call handling
What it did:
Attacker placed a WhatsApp call
Even if you didn’t answer → exploit could trigger
Installed spyware silently
3. Chrome sandbox escape (used in chains)
CVE-2020-6418
Affected: Google Chrome (Android)
What it did:
Used as part of a chain to escape browser sandbox
Combined with other bugs to gain deeper access
4. KISMET (suspected chain, 2020)
No single confirmed CVE publicly disclosed
Targeted iMessage (iOS 13)
What it did:
Zero-click exploit (no interaction)
Predecessor to FORCEDENTRY
To understand more about these CVEs in the future, please subscribe so you will be informed when the-tech-lead.com posts about them. Each CVE deserves a long post of its own.
Social networks have become a social norm today. Almost everyone has at least one profile on one of the platforms such as Facebook, X, TikTok, and a few others. I was on Facebook when I was a student and honestly I did not get what Facebook actually was and why people used it. I wrote something on my wall, then I got a notification saying a friend liked my post. I also saw my friends post something funny on their walls, but I did not hit the like button, not because it was not funny, but because I was not aware that I should press the like button if I found it funny. I left Facebook because playing games was much more engaging than this thing. Then I went to university, and so did my friends, but we lived in different districts and studied at different universities. We lived far apart and it was really hard to meet as frequently as in school. Calls and SMS were costly for long conversations, and not fun either. So I went back to Facebook because most of my friends were using it too. We got free messaging and video calls. We could share thoughts, opinions and discussions via comments and show support via the like button. We shared moments by uploading photos and videos. We did not meet in person as frequently as before, but we felt that we knew what the others were doing. Until I saw the first news about social network addiction! And I did not understand. How does a tool that simply informs its users about someone or something become addictive?
At first glance, Facebook, X, TikTok or any Social Network looks simple: “someone posted something, then you see it.” But the addictiveness doesn’t come from the information itself — it comes from how that information is delivered, timed, and socially framed. This post will reveal the real mechanism behind it, or at least the core part.
Before understanding the whole mechanism, it is important to understand the building blocks that make it up: the Slot Machine Effect, Social Validation Need, FOMO, Stopping Cues, Personalization, Triggers and Social Obligation Pressure.
1. The slot machine effect
The slot machine effect is a nickname for a behavioral psychology concept: variable-ratio reinforcement. Simply put, “you repeat an action because the reward is unpredictable but sometimes great.” It is likely what happens inside a gambler’s psychology. When using Social Networks, each time we open the app, what we get is random. Sometimes there is nothing interesting. Sometimes there is a funny post, a like, or a message. Sometimes there is something emotionally strong such as a drama, a praise or a surprise – and we feel good. This unpredictability trains the human brain to try again because “maybe the next scroll will be good.” That is what keeps users opening the application and scrolling, like a hunt for emotions. And humans love hunting; this activity has been deeply rooted in the brain since the very first day of humankind. But what we hunt is not simply food anymore.
2. Social Validation Need
Humans, by nature, care deeply about how others see them. This is a survival factor, evolved and deeply rooted in the human brain for thousands of years, since the Tribal Age when there was no law and how tribal members perceived you determined whether you lived or died. Our brain is wired to care about being accepted, being noticed and not being rejected. Social Networks did not reinvent this; they measured and amplified it. In real life, validation is subtle. It is a feeling conveyed through daily interaction between people. Each person even has their own way of showing validation. Each culture has its own customs for expressing validation. On Social Networks, validation is visualized by the number of likes, comments & shares. 1 like vs 100 likes! 0 comments vs 20 comments! 0 shares vs 10 shares! Comparison is triggered. This turns Social Validation into something closer to a scoring system than a natural feeling. Social Validation now becomes Social Comparison – when we evaluate our opinions, abilities, and worth by comparing ourselves to others.
As a blend of Social Validation and Social Comparison, the human brain tends to translate Likes into Approval, Comments into Attention, and Shares into Influence. It is a translation from numbers to a feeling. It is a false translation because these numbers can be manipulated in many ways: psychological tricks, ad campaigns, paid engagement or clone accounts. But it is not easy to escape that false translation, because of Cognitive Ease – the human brain loves simple things – and interpreting Likes as Approval is easier than reading real-life approval, which can be complex: tone, facial expression, context. This triggers dopamine (reward signaling) as well, making us want to check reactions, post again, and stay engaged.
3. Stopping Cues
Social Networks, to some extent, are like TV shows or books, since they also provide content. The difference is that Social Network content is made by anyone, without the necessary knowledge, skills or permissions. People on Social Networks may not be directors, scholars or professors, but nothing stops them from telling stories, teaching or bragging. TV shows and books have endpoints. We know when they end and take time to relax. Social Networks remove that, on purpose.
A common design pattern used in Social Networks is Infinite Scroll. This design keeps users in a continuous loop with no friction to stop. The human brain relies on boundaries to end activities. The end of a chapter, the end of a page, the end of an episode are cues for the brain to stop. Infinite scroll deletes those cues. Without a clear “end,” the human brain defaults to keep going. It pairs perfectly with the Slot Machine Effect, since unpredictable rewards keep behavior going longer than predictable ones. This also exploits Completion Bias – the psychological tendency to prioritize easy, quick tasks over more important, complex ones to gain a fleeting sense of accomplishment and a dopamine boost. This bias tricks the brain into valuing the “done” feeling, often leading to time wasted on trivial tasks rather than high-impact ones. And here, continuing to scroll feels easier than closing the app.
4. Fear of missing out (FOMO)
Fear of Missing Out (FOMO) is a psychological concept describing the anxiety felt when other people are having rewarding experiences without you. Simply put: you can feel anxiety when you see others winning. This feeling is exploited strongly on Social Networks, where people frequently & easily compare their lives to others’ profiles via News Feeds and the number of Likes, Comments & Shares, eventually leading to feelings of inadequacy or exclusion. FOMO reflects the human need for Social Validation, and also stems from Social Comparison – when a person must know, must do, or must have something to belong to a group. People with FOMO often experience greater dissatisfaction and impulsive decision-making.
Social Networks amplify FOMO by providing constant updates about others’ activities, achievements, and lifestyles. This can create a loop of checking, posting, and comparing with others. Users can feel anxiety when comparing themselves to others. And then the brain wants relief when it feels anxiety. It turns out the most relieving action for this anxiety is to check whether things really are as they seem. Checking via the Social Network app is faster, easier, even anonymous, so it is the best choice for the brain – Cognitive Ease again. Although they feel anxiety, users do not flee. This is classic Negative Reinforcement: a behavior sticks because it removes an unpleasant feeling. Social Network apps, on one hand, bring anxiety to users; on the other hand, they become the fastest way for users to relieve that anxiety. And it becomes addictive because it is the fastest way for users to get relief.
5. Personalization
Naturally, people don’t like people who have different opinions. If a Social Network only showed content that contradicts a user’s perspective, they wouldn’t use the app. To keep people using the Social Network, it needs to show what users like to see. And to a human, there is nothing better than seeing what they already believe. This is Confirmation Bias – when the human brain automatically filters out what does not support an existing belief and focuses only on what supports it. Exploiting this bias, Social Networks analyze users’ behavior and show only what a user tends to like. Time spent on certain posts, likes, comments, shares, demographic info, or even avatars are inputs to an algorithm that predicts what a user might like. After a long time watching people interact on the Internet, these algorithms seem to know what their users like. And when the algorithm shows users only what they like, it makes them feel that the whole Social Network is made of people just like them – this is the Halo Effect, when humans use a small cue to judge the whole thing. Because users like something posted on a Social Network, they may like that Social Network as well. This illusion keeps users returning because no one can resist seeing what they like.
6. Triggers
The artifacts above work through many psychological instincts of human beings. Because they are instincts, they are hard to resist. But instincts do not function all the time. They need external triggers.
Humans have language, in written form. The human brain can translate symbols into meaning. Depending on what meaning is translated, it can trigger instincts just like a deer hearing a sound in a bush. Simply put, human instincts can be triggered via text. We all may have a friend who is triggered when hearing or seeing certain words. It can be any word, but depending on their past experiences, words can bring different feelings. Social Networks exploit this well via Notifications. A notification sent to a user does not simply inform them of some event. Its message is designed to trigger human instincts. Example:
“You were mentioned in a comment” → triggers Social Validation (“someone is talking about me”)
“Someone liked your post” → triggers Social Validation (“people value what I shared”)
“You have 5 new notifications” → triggers FOMO (“what did I miss?”)
“Your friend just posted after a long time” → triggers FOMO (“this might matter”)
“This is getting a lot of attention” → triggers Social Validation (“this could be important or trending”)
Each message is short, but it is not neutral. It is designed to activate specific psychological responses such as curiosity, belonging, urgency, or FOMO. Over time, the brain begins to associate these phrases with emotional outcomes. This is why people feel an urge to check immediately, even when they were not planning to.
In this way, notifications function less like messages and more like triggers. They convert language into instinctive reactions, turning attention into a reflex rather than a deliberate choice.
7. Social Obligation Pressure
Social Obligation Pressure is the feeling that you owe a response, attention, or presence because of social expectations—even if you don’t actually want to engage at that moment. This obligation comes from Fear of Negative Judgment. This fear is amplified by features such as read receipts or typing indicators, which are commonly used in chat boxes. This is a natural feeling in humans that helps form social bonds. But on Social Networks people do not see each other’s faces, so by visualizing presence via indicators, Social Networks ensure that the fear exists and push users to engage, because no one wants to be seen as impolite. It’s not just “I should reply” — it’s more like “If I don’t, people will think something bad about me.”
Social Obligation Pressure, or Fear of Negative Judgment, targets identity, not just curiosity. Humans constantly assume they are being evaluated. We predict how others might interpret our behavior. We try to avoid being seen as rude, ignoring, ungrateful or socially incompetent. This fear is not about the action itself — it’s about your brain anticipating the meaning others might assign to your action, which may not be true. Many times, when we reply to someone on Social Networks, it is not because we want to — but because we want to avoid negative judgment. Read receipts remove plausible deniability, typing indicators create an expectation of response, online status signals availability, notifications create urgency. All these features are designed around Social Obligation Pressure.
Put It All Together
Social Networks profit from advertising, where the more addicted users are, the more revenue they earn. By combining all the artifacts above, Social Network applications train the human brain into a behavior loop, exploiting human biases and instincts to keep users spending as much time as possible in the app, through the following steps:
1. Start from a free tool that solves real-life problems: communication – such as Messenger, chat, video calls, etc.
2. Triggers – the notifications – are added to trigger anxiety, or FOMO
3. Social Obligation Pressure pushes users to engage: reply to messages, check information, etc.
4. Users open the Social Network app (e.g. Facebook / TikTok)
5. Personalization algorithm shows highly relevant, easy-to-consume content to users
6. Slot Machine Effect: users get unpredictable rewards while scrolling
7. Social Validation Need: users eventually get likes/comments that give dopamine hits
8. No Stopping Cues: no natural point to exit, leading to doom scrolling
9. After leaving / pausing the Social Network: anxiety, curiosity, or social pressure still linger in the brain
10. Social Networks introduce new trigger forms to make users feel the urge to check again, then back to Step 2!
And we have all heard about and know the real-life harms caused by social network addictiveness — from wasted time and reduced productivity, to anxiety, low self-esteem, and constant comparison. Over time, it can lead to irritability, anger, and strained relationships, as attention is pulled away from real-world interactions. In more serious cases, the cycle of validation and comparison can deepen emotional distress, contributing to isolation and even self-harm. What makes this especially concerning is that these outcomes are not caused by a single feature, but by a system of reinforcing loops that continuously pull users back in, often without them realizing it.
Being aware of the mechanism behind Social Networks can be the first step toward escaping the addictiveness loop. If you know someone who is addicted to Social Networks, share this post with them!
Lessons for Software Design
Although the bad side effects of Social Networks are undeniable, the high user engagement ratio of Social Network apps is also a dream for any software company. As software creators, we all want our applications to be used daily, especially when competition is getting tougher every day. There is still a way to apply the mechanisms observed in Social Networks for good purposes. This post is already long and I will continue this part in the next parts. To not miss out, please subscribe so you get a notification when the next parts are available:
In the digital age, personal data is an extremely valuable asset. However, many people unintentionally expose their own information due to habits that seem harmless. Below are common habits that make you vulnerable to data theft—and that you should stop immediately.
1. Using Weak or Reused Passwords
This is the most common mistake in personal security. In many data breach cases, users were found using extremely simple passwords like “123456” or “password”. Others create passwords based on personal information, making them easy to guess.
There are many password-guessing tools in cybersecurity that use personal data or simply try all possible combinations—the latter technique is known as brute force.
In addition, reusing the same password across multiple platforms makes things much worse. If one account is compromised, all others are at risk.
Best practice:
Use passwords with at least 10 characters
Avoid personal information
Combine letters, numbers, and special characters
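As an added example (not from the original post), here is a Python check that applies the three rules above and also flags passwords built from personal details, the kind a guessing tool would try first; the profile, the list of common passwords and the leetspeak table are constructed sample data.

```python
import re
from datetime import date

# Constructed example of the kind of personal data an attacker could harvest
# from a public profile (not real data).
PERSONAL_INFO = {
    "name": "Alice Nguyen",
    "birthday": date(1992, 7, 14),
    "pet": "Milo",
    "city": "Hanoi",
}

# Tiny constructed stand-in for a breached-password list; the two examples the
# article names are included.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678"}

MIN_LENGTH = 10


def personal_tokens(info):
    """Expand the profile into lowercase fragments a guessing tool would try."""
    tokens = set()
    for value in info.values():
        if isinstance(value, date):
            # Year, day/month in both orders, and full dates in both orders.
            tokens.update({str(value.year), value.strftime("%d%m"),
                           value.strftime("%m%d"), value.strftime("%d%m%Y"),
                           value.strftime("%Y%m%d")})
        else:
            for part in str(value).split():
                tokens.add(part.lower())
    # Guessing tools also try reversed and leetspeak variants; cover the
    # common substitutions so "4l1c3" is caught like "alice".
    leet = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
    return tokens | {t[::-1] for t in tokens} | {t.translate(leet) for t in tokens}


def check_password(password, info=PERSONAL_INFO):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Require at least three of: lowercase, uppercase, digit, special character.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs letters, numbers and special characters")
    lowered = password.lower()
    # Fragments shorter than three characters would match almost anything.
    hits = sorted(t for t in personal_tokens(info) if len(t) >= 3 and t in lowered)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly breached password")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Alice1992!", "Milo0714", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```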
2. Saving Passwords in Browsers
Browsers like Chrome and Firefox offer password-saving features for convenience. However, this habit carries risks.
If these browsers have undiscovered vulnerabilities (known as zero-day vulnerabilities), attackers could potentially steal stored passwords.
Also, when using shared computers—such as in internet cafés, print shops, or even your workplace—you should never save passwords. Others may access your accounts through stored credentials.
Safer alternatives:
Memorize important passwords
Use encrypted password managers with biometric authentication
Always log out after use, especially on shared devices
3. Connecting to Unsafe Public Wi-Fi
Free Wi-Fi at cafés or airports is often poorly secured.
Common risks include:
Weak encryption: If a network uses WEP or WPA, avoid connecting. These encryption methods are outdated and easily cracked. The minimum safe standard today is WPA2 or higher (as of 2026).
Evil Twin attacks: Attackers create fake Wi-Fi networks with the same name as legitimate ones. If you connect, they can monitor your activity or steal login data.
Unnecessary data collection: Some Wi-Fi networks request personal information through surveys—you can usually skip this step.
4. Clicking on Suspicious Links (Phishing)
Phishing is one of the most common ways attackers steal data. It relies on psychological manipulation to trick users into revealing information or installing malware.
Common phishing scenarios:
Fake banking emails claiming your account has a problem
“You’ve won a prize” messages
Fake login pages imitating popular websites
To avoid being fooled, always double-check the domain name in the URL. A simple trick: search for the business name on Google and call their customer support to confirm the situation.
5. Installing Apps from Untrusted Sources
Applications downloaded from unofficial sources may contain malware designed to steal data.
Attackers often disguise malware as:
Free “useful” software
Cracked versions of paid tools
Trusting unknown sources can lead to data theft or even ransomware.
Stay safe by:
Downloading software only from official websites
Verifying sources before installing
6. Oversharing on Social Media
People today spend more time on social media platforms like Facebook, TikTok, and X than in real life.
Sharing too much personal information can be dangerous. Scammers can collect:
Your name and location
Friends and family connections
Habits and interests
This information can be used for scams, impersonation, or malware attacks.
Even more concerning, modern AI can generate fake images or sensitive videos using just a few photos of your face.
Protect yourself by:
Limiting personal information shared online
Avoiding posting sensitive content
Enabling profile privacy settings
7. Not Enabling Two-Factor Authentication (2FA)
Many popular platforms like Gmail, Facebook, and X offer two-factor authentication (2FA).
This feature adds an extra layer of security by requiring:
OTP codes sent to your phone
Biometric verification
Even if your password is compromised, attackers still cannot fully access your account.
However, 2FA is often disabled by default.
Action step: Review your accounts and enable 2FA as soon as possible.
8. Not Updating Software & Using Cracked Versions
Outdated software often contains serious unpatched vulnerabilities that attackers can exploit.
Many people think updates are only for:
New features
Better UI
Performance improvements
But the most important purpose is security patching.
Each update typically:
Fixes known vulnerabilities
Blocks new attack methods
Strengthens system defenses
Without updates, you may be using software with publicly known exploits.
In some cases, simply opening a malicious image, audio file, or website can infect your system through these vulnerabilities.
Best practice:
Always update to the latest version
Avoid cracked software—it may include hidden malware
9. Ignoring App Permissions
Many apps collect more data than necessary, but users often ignore this.
On app stores, applications must declare required permissions—but most users simply tap “Allow” without review.
This habit may result in:
Sharing personal data unnecessarily
Giving apps access to sensitive system features
Stay in control by:
Reviewing permissions before installing
Avoiding apps with excessive or unrelated access requests
Checking reviews or consulting experts if unsure
Conclusion
The habits that lead to personal data exposure are often small—but the long-term consequences can be severe.
By recognizing and correcting these behaviors, you can significantly improve your cybersecurity awareness and avoid unnecessary risks on the Internet.
You wake up, check your phone, read emails, scroll through social media, and pay a few bills. Everything feels fast, familiar—almost automatic.
But within those “normal” moments, countless hidden risks quietly exist in the digital world.
Cyberattacks are not always loud or obvious. Sometimes, they begin with a careless click, a rushed login, or a misplaced trust.
Below are familiar scenarios—each representing some of the most common threats on the internet today that you could encounter at any time.
1. Phishing (Impersonation Scams)
You receive an email from your “bank” warning about suspicious activity. The message looks professional, complete with logos and branding, and includes a link asking you to log in immediately to verify your account.
Feeling concerned, you click the link and enter your information. Everything seems normal… until a few hours later, your account is compromised.
Common signs of phishing:
Urgent, well-written emails that mimic official communication
Fake login websites that look almost identical to real ones
Suspicious domain names (typos, mismatched names, or strange subdomains)
This method exploits users who are unfamiliar with how domains and links work.
If you’re not confident in identifying suspicious links, consider using tools like SafePhone, which can detect and block phishing links before you even access them.
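The domain check recommended here and in the phishing section of the earlier article above (“always double-check the domain name in the URL”), as an added Python example that is not part of the original posts or of the SafePhone tool: it flags the disguises listed above (mismatched names, strange subdomains, typos, look-alike characters), assuming a constructed allow-list of the sites you actually use and a tiny stand-in for the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the real domains the reader actually uses (assumption).
KNOWN_DOMAINS = {"examplebank.com", "paypal.com", "google.com"}
# Tiny stand-in for the Public Suffix List; a real checker would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.vn", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of a hostname that someone actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return a list of warning strings; an empty list means nothing looked suspicious."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append("not using https")
    if parts.username is not None:
        # "https://examplebank.com@evil.test/" really connects to evil.test.
        warnings.append(f"text before '@' hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a domain name")
        return warnings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        warnings.append("internationalized host name; check for look-alike characters")
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return warnings
    labels = host.split(".")
    # Labels left of the registrable domain are subdomains the owner chose freely.
    sub_labels = labels[:len(labels) - len(domain.split("."))]
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in sub_labels or brand in parts.path.lower():
            warnings.append(f"'{brand}' appears in the URL but the site is {domain}")
        elif edit_distance(domain, known) <= 2:
            warnings.append(f"{domain} looks like a typo of {known}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links of the kinds the article describes.
    for link in ("https://examplebank.com/login",
                 "https://examplebank.com.login-verify.net/account",
                 "https://paypa1.com/login",
                 "https://examplebank.com@evil.test/",
                 "http://192.168.1.10/bank"):
        print(link, "->", check_url(link) or "looks fine")
```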
2. Malware (Malicious Software)
You download a free tool online because it “looks useful.” Installation is quick and smooth—nothing seems wrong.
But soon after, your device becomes slower, and your data may be accessed without your knowledge.
This could be malware—software designed to secretly monitor or steal your information.
Common sources:
Email attachments
Downloads from forums or unknown websites
Cracked or pirated software
How to stay safe:
Only download apps from trusted platforms like official app stores
Install reliable antivirus software
Avoid unknown or suspicious files
3. Ransomware (Data Extortion Malware)
One day, you turn on your computer—and all your files are locked. A message appears demanding payment to restore access.
No warning. No undo.
This is ransomware, one of the most serious cyber threats today.
Once inside your system, it will:
Encrypt all your data
Demand payment for a decryption key
Often require payment in cryptocurrencies like Bitcoin or Ethereum to avoid traceability
Prevention tips:
Only install software from official sources
Use updated antivirus protection
Regularly back up your data
4. Online Scams
A friend messages you on social media, saying they’re in urgent need of money. The message feels real—the tone is familiar. Without hesitation, you transfer the money.
Later, you find out their account was hacked.
Common scam patterns:
Impersonating friends by copying profile pictures and information
Fake investment opportunities
Requesting deposits and then disappearing
Tricking you into installing malware
Using your identity to scam others
How to protect yourself:
Lock your social media profiles
Be cautious with financial requests
Verify identity via video calls
Use shared private memories to confirm authenticity
5. Data Breaches
You reuse the same email and password across multiple services. One day, you receive a notification about a login from an unknown device.
It’s not necessarily your mistake—one of the services you used may have been breached.
Your data could have been exposed long ago and is now circulating on underground markets.
Risks include:
Compromised login credentials
Personal data leaks
Chain attacks across multiple accounts
Financial loss
Reduce risk by:
Using unique passwords for each service
Changing passwords regularly
Using encrypted password managers with biometric protection
6. Public Wi-Fi Attacks
You sit at a café and connect to free Wi-Fi. It’s convenient and fast.
But at the same time, someone could be monitoring your data.
Risks of public Wi-Fi:
Data interception if encryption is weak
Fake Wi-Fi networks (Evil Twin attacks)
Unauthorized access to your device
7. Social Engineering (Psychological Manipulation)
You receive a call from “technical support” asking for an OTP code to “verify your account.” They sound professional, trustworthy—even urgent.
In reality, they are not hacking systems—they are hacking you.
If you are a business owner, you are likely no stranger to news about data breaches causing millions of dollars in losses across companies in all industries. The leaked data could be your customers’ information, and sometimes even employee login credentials for your internal systems. Regardless of the type of data, assessing and reviewing vulnerabilities is always a critical step for every company—especially in today’s digital era.
However, security vulnerabilities are an extremely complex concept and not easy to grasp, which makes them difficult for business owners and their teams to identify. While it is hard to pinpoint exact vulnerabilities, it is much easier to block the sources that commonly lead to them. Therefore, this article will highlight several common sources of serious security vulnerabilities and suggest solutions to strengthen security for you, your company, and anyone working in the modern digital age.
1. Outdated Software
Every business today uses various software tools to automate and optimize workflows—such as Chrome, Word, Excel, Photoshop, PDF readers, and many specialized tools. These software products are developed by different developers, who may or may not have strong expertise in security. As a result, features may contain vulnerabilities that even the creators are unaware of.
Software is constantly updated, and many updates include patches for bugs and security flaws. However, most people tend to stick with older versions or hesitate to update—sometimes simply because they are unaware of new releases. This habit can leave systems exposed to unpatched vulnerabilities, making them easy targets for hackers.
Information about known vulnerabilities can even be bought and sold on black markets, including the dark web and deep web. This makes outdated software a highly attractive entry point for attackers. Therefore, always keep your software up to date to reduce security risks.
2. Outdated Windows Operating System
Older Windows versions such as Windows 7, Windows XP, or unsupported Windows Server editions are prime targets for hackers. This is because Windows itself is a collection of system-level software components, many of which may contain unpatched vulnerabilities over time.
Taking advantage of users’ reluctance to upgrade, many hacking campaigns successfully infiltrate systems running outdated operating systems through known exploits. The consequences can include data loss, ransomware attacks, remote surveillance, and privacy violations.
To stay safe, regularly update your Windows system and only install applications from trusted sources.
3. Cracked Software
Cracked software often contains malware or hidden backdoors that can take control of your system. Many users prefer free software, and paid software is frequently cracked by hackers to bypass licensing.
However, downloading cracked versions from the internet is extremely risky. You have no way of knowing who modified the software or whether malicious code has been injected. Many cyberattacks originate from installing cracked software embedded with viruses or backdoors.
Whenever possible, use licensed software and keep it updated to avoid both malware and vulnerabilities in outdated versions.
4. Self-Developed Websites
Most companies today maintain their own websites to establish an online presence. Many also have internal IT teams responsible for building and maintaining these systems.
Just like external software, internal development teams may lack sufficient expertise or experience in cybersecurity. This reality often leads to unnoticed vulnerabilities within company-built systems. These weaknesses may exist in the operating systems, third-party libraries, or even in the system design itself.
To mitigate these risks, companies should continuously invest in security training for their IT teams. In urgent cases, hiring professional penetration testing (pentest) teams to audit and identify vulnerabilities is highly recommended, although it can be costly.
5. Email Phishing Attacks
Phishing emails are one of the most common methods used to compromise business accounts. These attacks require minimal technical skill but are highly effective because they exploit human psychology and general lack of technical awareness.
Common tactics include impersonating banks, government agencies, or reputable companies to trick recipients into entering login credentials or sharing OTP codes. In other cases, phishing emails disguise themselves as legitimate software downloads but actually contain malware.
Many businesses have customer support staff who may lack sufficient cybersecurity awareness, making them easy targets. Simply training employees is often not enough, as phishing techniques are becoming increasingly sophisticated.
6. Weak Operational Processes
Poorly controlled internal processes can allow hackers—or even insiders—to gain access to sensitive information. Some global cybercriminal groups have even deployed insiders by infiltrating companies as employees to create internal backdoors.
Companies with weak hiring, monitoring, and access control processes are especially vulnerable. Large multinational corporations face higher risks due to their scale, but small and medium-sized businesses are not immune—especially from competitors.
To reduce these risks, companies should enforce strict access control policies, granting employees only the permissions they need—and only for a limited time.
Conclusion
Prevention is better than cure. Identifying and addressing security vulnerabilities early is essential to protecting your company’s data, finances, and reputation.
Everyone loves setting goals. New year, new plans. New week, new habits. New project, new ambitions, etc. But looking honestly, most goals fail, don’t they? Ironically, they don’t fail because they’re too hard; they fail because they’re vague, emotional, or just unrealistic. If you find you have missed your goals too many times, this post is for you. But this post will not give you motivation; it will expose your misperceptions, and knowing these misperceptions is the first step toward your goals.
1. You are making wishes, not goals
This is the most common misperception, seen when looking at people’s to-do lists or new year resolutions. People usually write their wishes instead of goals and are completely unaware of the difference. For example, it is easy to see lines like these in someone’s to-do list: “be better at something”, “build a great app”, “be rich”, “be happy”, “be confident”, etc. These lines won’t produce any outcome; they are just wishes in a world without a genie. A goal must be Specific & Measurable. And because it is Measurable, it will be Achievable.
To be Specific & Measurable, each goal must be written as a simple sentence using 1 number, 1 noun & 1 verb, and a deadline. Example:
deliver 1 feature every 3 days
publish 10 blog posts in quarter 1
run total 15km each week
save 50% of salary each month
read 1 page of any book each day
…
If you can’t measure your actions, you can’t achieve the outcome. Focus on numbers and get used to scoring yourself. Be the project manager of your life; avoid vague words and be specific! Writing to-dos in this format is the first step toward realizing any goal. When all metrics are met, you scored your goal! When a metric is not met, at least you will know why.
2. You expect outcomes to happen overnight
Good things take time. That is one rule for any goal. Outcomes come from concentration, commitment and consistency, not from your commands. An outcome is compounded from tiny results each day.
Setting goals creates the illusion of fast results. When you set a goal, your brain immediately imagines the outcome; especially if you have an imaginative brain, you might lock yourself in your imaginary world without noticing the boundary with reality. Although the outcome is imaginary, it somehow triggers dopamine in your brain and you “feel” success. That mental picture feels real, but you skip the process entirely. You effectively borrow dopamine from your future, and any borrowing needs to be paid back. And when life pulls you back to reality, when someone or something reminds you about your goals, which are not completed yet, a crack appears inside your world and that crack hurts a lot. It triggers other toxic hormones as well. And this might explain why many people avoid mentioning their goals again, or get outraged if someone mentions them.
Expecting fast outcomes creates a dangerous loop: you start strong, you don’t see results quickly, you feel discouraged, then you quit or switch goals. This loop wastes a lot of your time, energy and mind, and it is more harmful than you think. Not because the goal was wrong, but because your timeline was unrealistic. Treat your goals as seeds. They will grow slowly, but surely. Most meaningful outcomes come late because they require many, many suitable conditions. They usually come after weeks or months of invisible effort. So, when setting goals, in the deadline part, give it time; counting in months is a good starting point.
3. You depend on emotions, not habits
Motivation! Yes, it is the emotion everyone loves. People even pay significant sums just to attend meetings that “sell” motivation. But that motivation expires right after you leave the meeting. It’s expensive, and it smells like a scam. Your brain doesn’t need that external motivation. You don’t need fake motivation.
Motivation is unreliable. At the beginning of any goal, motivation feels strong. You’re excited, focused, ready to act. But motivation is temporary. Some days you’ll feel tired, distracted or simply won’t feel like doing anything. You can burn out. No one is going to compliment you every time, everywhere. Not everyone understands your goals equally. If your actions depend on how you feel, your progress will always depend on external conditions; in other words, you lose control of your life.
Habits solve this problem by removing the need to decide what to do every day. Build a daily routine that makes it harder to fail than to succeed. No debate. No negotiation. You don’t rely on energy; you rely on the structure of the day you are going to spend. Remember sleepy days, rainy days, hot-as-hell days when you still had to complete 5 classes before going to bed? That is an example of how a goal gets completed. Structure your timeline and turn it into a habit. Science has shown that any of your actions can turn into a habit after 3 weeks. After that threshold, you will act unconsciously toward your goal.
Habits are not just actions: they shape your identity. You don’t “try to work out”, you just run every morning at 5AM. You don’t “try to learn”, you just study every night at 8PM, and so on. Be specific about when you do what, and repeat it daily. You can spend 1 month testing this theory and see (not feel) the result.
4. You review others too much instead of yourself
Comparison! It is not an easy feeling, but everyone does it unconsciously, at least for a while when they were younger. This is normal behavior and a source of motivation. But since we have learned not to depend on motivation here, comparison is unnecessary too. Comparison slows you down more than you think.
It’s easy to spend time analyzing others: what they’re doing, how fast they’re growing, what strategies they use. It feels like learning, even productive, when you absorb new information. To some extent, this gives you hints on how to do things and keeps you moving, but in excess it backfires by wasting your time. Your progress stands still while you compare yourself with others. In the worst case, when you focus too much on others, two things may happen: you feel too far behind, then you feel discouraged; or you copy blindly, then you lack direction. You might give up or try to do too many things at once, which is a fail-for-sure strategy. You end up reacting instead of building. You’re measuring your progress against someone else’s timeline, resources and starting point, which you don’t fully see.
Progress doesn’t come from observing others. It comes from observing yourself. If you don’t review your own actions, you miss what worked, what didn’t, where you wasted time and where you improved. Without this loop, you are doomed to repeat the same mistakes. Never expect the same methods to produce different results. Ignore others, focus on yourself. Track your progress toward your goals. Update the progress daily. Do not care about what others post on their social profiles such as LinkedIn or Facebook; many times they lie, or just exaggerate about themselves. Real professionals show their results, not lines on their CV.
5. You work hard, but not deep
Suppose you already have Specific & Measurable goals, the right habits serving those goals, and you completely ignore other people on social networks. Now you are going to be busy: each day you answer messages, switch tasks, react to notifications, read a few articles, check some news, write some code, draw something, and you have repeated that routine for 10 days already. You are busy all the time, but none of the metrics you set are met. What is wrong? Is the right goal not enough? This busyness is not productive. It is actually distraction. It is not “deep” enough. Deep work looks like this: you spend 7 continuous days making the first version of your app, then you spend 8 hours completing a drawing, then you spend 8 hours collecting relevant information from articles and news, then you spend 2 hours replying and reacting to messages and notifications. The same 10 days are spent, but the result will be different.
Deep work means focusing on one goal over a long timespan, long enough to deliver a meaningful result. Don’t switch tasks too much, because your brain is a single-threaded machine, not a multi-threaded one. Switching tasks can make you feel busy, productive and as if you do more, but in fact it creates movement, not meaningful progress. You waste time and energy when switching tasks because your brain has to switch context and loses the short-term memory that is important for resolving difficult issues.
People have a tendency to choose working hard over deep work. Working hard is easy to see, has small wins, and the human brain loves that feeling. Deep work requires patience, honesty and creativity. Deep work does not give the instant satisfaction of small wins like hard work does; it forces you to confront what you don’t know, where you struggle, and to accept how slow progress can be, which is not an easy feeling for most people. And the human brain defaults to choosing the easy one. Working hard is good, but it is not enough to complete goals, meaningful ones!
6. You sense, but don’t score
How do you know you are doing a good work?
Let’s say you have already spent 1 month focusing on one goal such as making a simple piece of software, building a website, or learning a new language. You barely switched tasks in that month. You focused on one goal. Good job, you are very close. Now it is time to score yourself. And a score is a number. For the sample goals above, gather data about: how many users want to use your new software, or how many people visit your website, or whether you can take an official language test yet, etc. Does that number meet the metric you set? If yes, wonderful; if no, let’s find out why!
It is completely okay not to be 10/10 on every goal. That does not even matter. Honesty with yourself is what matters, and it will adjust your strategy when it sees those scores. Those scores act as feedback from reality. They measure the gap between your assumptions and reality and can tell you whether you are on the right track. If the goal is not met even though you escaped the 5 misperceptions above, the wrong part is in your method, your approach, in other words in how you work on specific tasks. There must be some missing steps, overdone steps, wrong assumptions, or underrated steps.
This scoring habit is for calculating effectiveness. If it is not effective yet, experiment with other methods and gather scores again. After a few tries, scores can tell you what works, what doesn’t, and what you only feel is working. Focus only on what actually works!
Scoring yourself has another psychological effect. It can train your brain to be open-minded and flexible, as you become willing to try multiple methods for the same goal, and it gets rid of some cognitive biases. The human brain has many cognitive biases; the common ones that can be fixed by scoring yourself are:
Confirmation bias: You notice only evidence that supports what you already believe and ignore what contradicts it.
Self-serving bias: You naturally credit yourself for what works and blame external factors for what doesn’t.
Effort justification: You assume that because you put in effort, you’re making progress.
Recency bias: You overvalue what happened recently.
Optimism bias: You overestimate how well things are going, or will go.
Availability bias: You judge based on what’s easiest to remember.
Consistency bias: You resist admitting that your current approach isn’t working because you’ve already committed to it.
Escape those biases and you will be stronger than ever!
7. You put yourself in the wrong environment
Now you are strong, the goal is right, but progress is slow. What’s wrong now?
Goals are like seeds. Good seeds can grow slowly in the wrong environment. Your progress is the same: it speeds up or slows down depending a lot on where you are sitting, what you eat and who you collaborate with. Place, Food and Supporters are the parts of the environment that affect your goals the most.
Place: where you actually do the work. It can be an office, at home, or a certain kind of coffee shop. If your space is full of distractions, noise, or easy escapes, your focus will always be fragile. You’ll need constant willpower just to do basic work. Know yourself, measure yourself, to understand which place gives you the most productive work. Some people love working at the office, some at home, some at a coffee shop, some want to be near the sea, etc. Each person has a different soul that decides where their productive places are. Some people have a unique fear that decides which environment offers no easy escape. Such a place gives you no retreat option, so the only choice is moving forward.
Food: your hidden performance system. What you eat doesn’t just affect your health; it affects your energy, clarity, and consistency. Low-quality fuel for your brain can lead to energy crashes, brain fog and inconsistent output. You might think you lack discipline, but sometimes you’re just under-fueled. You don’t need a perfect diet, but if your goal requires focus and long-term effort, your body needs a stable energy supply. So, always feed yourself well, then work.
Supporters: who shapes your standards. You don’t need a big network, but you do need the right people. The people around you influence what you consider “normal”, how high you aim and how you respond to feedback. If your environment tolerates excuses, you’ll make them. If it values growth, you’ll feel pressure to improve. Support doesn’t always mean encouragement or compliments. Most of the time they don’t understand what you are doing; it is just their personality. It can be accountability, it can be honesty. Sometimes it’s just being around people who take things seriously. And the best person will be the one who has already made it, the one who has already achieved whatever goals you set. Learning from them is best.
8. You have too many goals
Now you are super strong, your mind can focus, your body is full of energy, your environment fits. The goal is closer than ever. But don’t take on too many goals!
Now some other cognitive biases emerge! You need to fix them too:
Shiny Object Syndrome: You’re attracted to new ideas simply because they’re new, and then you go back to switching tasks.
Opportunity Cost Neglect: You focus on what you gain from a new goal but ignore what it costs, then you overload yourself without realizing what you sacrificed.
Overconfidence Bias: Because things are going well, you assume you can handle more. But you underestimate the cognitive load and split your attention.
Planning Fallacy: You underestimate how long things actually take, then you stack multiple goals on unrealistic timelines.
FOMO (Fear of Missing Out): You get more excitement from starting than finishing, so you have a bunch of half-completed goals rather than completed goals.
Identity Expansion Bias: You want to become multiple versions of yourself at once, but then no one can identify who you really are, and eventually you lose opportunities because people don’t remember complex things.
Less is more! At this level, what you need to notice is not adding goals, but filtering goals. When everything is working, your biggest risk is not failure, it’s dilution. Time and energy are limited resources, and most of the time life provides you just enough to complete one goal: the one that gives you your identity.
9. You don’t collaborate
Teamwork? No, it is not mandatory here.
People often use collaboration and teamwork as if they’re the same. They overlap—but they solve different problems.
Teamwork is about shared execution. Teamwork is about working as a unit toward a shared outcome. Roles are defined, responsibility is distributed, success or failure is collective. No single person owns everything. The team does, and team members may change.
Collaboration is combining strengths. Collaboration is about bringing different people with different skills together to solve a problem. You stay responsible for your goal. You only involve others when it adds value, that is, when they solve what you can’t. It’s a flexible method and often temporary. You can hire, or consult, many experts in the short term to help you overcome things outside your expertise. For example, when building software, you can hire a designer for a few months for the final UI design instead of drawing it yourself. Or when you’re writing, you can have some friends review and challenge your ideas. You’re still the owner. Others enhance your work. And don’t forget to pay them, or help them back!
If you’ve already chosen one goal, you don’t necessarily need a full team. What you likely need is targeted collaboration. Jumping straight into teamwork can actually slow you down, because teamwork may require more coordination, more dependencies and less flexibility. Stay the owner, but don’t stay isolated.
A Smart Contract is a contract, but instead of being written in human language, it is written in a programming language. Like a contract, a Smart Contract defines conditions and financial obligations among participants. Unlike a contract, with a Smart Contract the financial obligations can be executed automatically if the conditions are met, without underwriters, lawyers or law enforcement entities.
A contract can protect the financial rights of participants only if there is a government to enforce and operate it. The financial obligations in contracts are money. Money is managed and operated by banks. A Smart Contract is a program and only executes on a Blockchain. A Blockchain is a network of computers obeying a protocol that provides services similar to a bank, such as: holding balances, transferring value, recording ownership, enforcing rules automatically, and keeping an immutable transaction history.
What Conditions can be added to a Smart Contract?
Not every statement in a contract can be converted to a Smart Contract. A Smart Contract is a program, so it works well with precise numbers and clearly defined if-else conditions such as: money amounts, dates and times, vote counts, temperature.
For example, suppose a company is using a Smart Contract to pay employee salaries. The Smart Contract can easily implement the agreement that, on the 1st of each month, a fixed amount of money is automatically transferred from the company’s wallet to each employee’s wallet, provided that sufficient funds have been deposited in advance.
Once deployed, the smart contract does not rely on the company’s willingness to pay or on any manual action from accountants or banks. If the date condition is met, the payment is executed exactly as written. If the funds are not available, the payment simply does not occur, making the failure transparent and verifiable to all parties.
In this way, the smart contract replaces trust in the employer or intermediaries with trust in predefined rules and automated execution, ensuring predictable and timely salary payments without human discretion.
However, the smart contract cannot determine whether the employee actually worked, worked well, or should be fired. Those human decisions must be made outside the system. The smart contract only enforces what was clearly defined in advance: who gets paid, how much, and when.
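The salary agreement above, written as a Solidity contract (an added example, not code from the article). It assumes 30-day pay periods rather than calendar months, salaries in wei, and that the deploying company is the only party that can enrol employees or deposit funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example for the salary agreement above. Assumptions not from the
// article: 30-day pay periods instead of calendar months, salaries in wei,
// and only the deploying company may enrol staff or deposit funds.
contract Payroll {
    address public immutable company;
    uint256 public constant PERIOD = 30 days;
    uint256 public nextPayday;                 // timestamp of the next pay run
    address[] public employees;
    mapping(address => uint256) public salary; // wei owed per period
    mapping(address => uint256) public owed;   // credited, not yet withdrawn
    uint256 public totalOwed;                  // sum of `owed`, kept reserved
    event Paid(address indexed employee, uint256 amount);
    event Unfunded(address indexed employee, uint256 amount);

    constructor(uint256 firstPayday) {
        company = msg.sender;
        nextPayday = firstPayday;
    }

    // Funds are deposited in advance; the contract only holds them.
    function deposit() external payable {
        require(msg.sender == company, "not company");
    }
    // Each address is enrolled once with a fixed salary (kept simple).
    function addEmployee(address employee, uint256 weiPerPeriod) external {
        require(msg.sender == company, "not company");
        require(salary[employee] == 0 && weiPerPeriod != 0, "bad enrolment");
        salary[employee] = weiPerPeriod;
        employees.push(employee);
    }

    // A chain never acts on its own, so anyone may send the transaction that
    // triggers the run; the rule is fixed: after payday, once per period, funded.
    function runPayroll() external {
        require(block.timestamp >= nextPayday, "not payday yet");
        nextPayday += PERIOD;                  // state updated before anything else
        uint256 free = address(this).balance - totalOwed;
        for (uint256 i = 0; i < employees.length; i++) {
            address e = employees[i];
            uint256 amount = salary[e];
            if (free < amount) {               // not funded: skip, but visibly
                emit Unfunded(e, amount);
                continue;
            }
            free -= amount;
            owed[e] += amount;
            totalOwed += amount;
            emit Paid(e, amount);
        }
    }

    // Pull payment: one reverting wallet cannot block the whole run, and state
    // is zeroed before the external call (checks-effects-interactions).
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount != 0, "nothing owed");
        owed[msg.sender] = 0;
        totalOwed -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```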
What Conditions can NOT be added to a Smart Contract?
A Smart Contract cannot work with Emotions, Quality Judgements or Real Life Events.
For example, suppose a company hires a developer under this agreement:
“The developer will build a high-quality mobile app that meets business needs. Payment will be made if the work is satisfactory.”
This is where a Smart Contract cannot replace a contract. A smart contract, as a program, cannot decide:
Whether the app is “high-quality”
Whether it “meets business needs”
Whether the work is “satisfactory”
These require:
Human judgment
Discussion
Interpretation
Sometimes negotiation or compromise
Smart contracts are excellent at enforcing clear rules, but they cannot replace contracts that rely on human judgment, quality assessment, or trust.
If $99 per year is dust to you, then this post is not for you 🙂
If it is not, then please take a look!
The fact is that it costs $99 per year to be able to publish mobile applications to the App Store. For any indie developer at the first step of publishing their app, this cost might cause some hesitation.
In case your application is simple, meaning it does not depend on system-level APIs such as GPS, File System, Bluetooth, Background Activities or Push Notifications, it is possible to make use of the PWA feature supported by the Safari browser, which is always available on iOS and macOS.
PWA stands for Progressive Web App. It is a web app, but it can be installed on smartphones like a mobile app. Simply put, instead of accessing it via a web browser like Safari or Chrome, users can find an icon on their phone, tap it and open the app. This experience makes it feel like a mobile app, but underneath it opens a browser session and renders HTML, JS and CSS code. Although using a PWA does not feel as smooth and optimized as a native mobile app, it is acceptable for simple tools, content-first applications, or admin dashboards.
I will take one of my favorite PWA applications, Meme Express, as an example. Meme Express is a meme editor that I use on my MacBook and iPhone whenever I want to make a meme. This meme editor is built with the Flutter framework. It has a native app on the Play Store for Android, and a PWA version for the rest of the OSes, including iOS, macOS, Windows and Linux; essentially, any device that can run a browser.
How is the PWA version of Meme Express made?
Framework
In line with mobile-first design, Flutter is used. For simple tools, Flutter is a perfect cross-platform solution, since we can write code once and then port it to iOS, Android, web app, Windows and Linux applications.
Deploy
For the Android version, it is published via the Play Store normally, here: https://play.google.com/store/apps/details?id=com.ease_studio.meme. Unlike other cross-platform frameworks that use an in-app web view to mimic a mobile app, Flutter compiles the application to a native Android app.
For the iOS version, Flutter can compile the app to native iOS code as well. But because $99/year is not an option here, the PWA version comes to the rescue.
To publish a PWA version, a hosting server is required. A hosting server costs money monthly. Luckily, GitHub Pages allows us to deploy a web app from a repository for free, and it can be accessed via the URL username.github.io/app-name; for example, for Meme Express it is https://ease-studio.github.io/meme-pwa/ . GitHub Pages also allows mapping a domain name to it. For example, https://meme-express.io.vn/ actually points to https://ease-studio.github.io/meme-pwa/ .