
Deceived, not hacked: Why keeping people safe online now starts with smarter design
The most dangerous hacker these days probably isn’t a hoodie-clad coder hunched in a basement, furiously typing to break through firewalls. It’s the scammer who sent you a friendly text: “Are you coming to my BBQ tonight?” A simple reply could lead to your savings or identity being stolen.
As tech companies have fortified their systems, cybercriminals have changed tactics, realizing they don’t need to break in if they can manipulate someone into letting them in. That shift has fueled a surge in fraud, with more than $16 billion drained from bank accounts last year in the U.S. alone, skyrocketing from $3 billion five years earlier. Given vast underreporting, the amount stolen through fraud crimes is likely far higher.
One way Microsoft is countering these threats is by partnering user experience (UX) designers with threat analysts, helping make protection intuitive so people don’t have to be experts to stay safe online. Its new Secure by Design UX Toolkit, tested across 20 product teams, is now available to other companies and organizations, too, to help them build safer digital experiences.
Cybercriminals “have been taking advantage of how our brains work” through social engineering — manipulating people into believing and acting on something that isn’t true, says Kathy Stokes, the director of fraud prevention programs for AARP, a nonprofit that advocates for older adults in the U.S.

“Education is an important part of solving the fraud crisis, but guess what else is an important part? Technology that comes to us secure by design and safe by default,” Stokes says. “We put so much of the onus on the end user to be safe, and it’s not a fair battle.”
That’s exactly the imbalance Margaret Price set out to fix. As a senior director of strategy at Microsoft, Price says she made it her mission last year to change how the company’s tens of thousands of product managers, user researchers, designers and others think about security — by seeing design as a first line of defense.
“Most security issues are caused by human error,” Price says. “Whether it’s a stolen credential, a confusing privacy setting or accidentally exposed data, these are often outcomes of poor design.”
Price’s efforts stemmed from the company-wide Secure Future Initiative that rolled out in 2023 and made security every employee’s top priority. Price gathered a team and interviewed more than 70 security experts to understand common vulnerabilities and learn how cybercriminals exploit design gaps. The result: a toolkit that helps product teams bake security into the user experience from the start, instead of retrofitting for it later. The toolkit has rolled out to 22,000 employees, and now other companies are starting to use it to help them design safer, more intuitive experiences using Microsoft products.
It’s a distinct approach and a new way of thinking about both security and product development.

UX has usually been an afterthought in security, says David Weston, Microsoft’s corporate vice president of enterprise and OS security. Product teams didn’t realize for quite some time that if users were flooded with yes-or-no prompts, for example, they’d be habituated to clicking through without really reading risk alerts.
“Sometimes the impact was catastrophic,” he recalls, noting the recent shift toward seeing designers as “our most important defenders” has made a “night and day” difference.
This design-first approach is already showing up in Microsoft products, says Marcus Ash, who leads design and research for Windows.
Smart App Control uses AI to block unknown or suspicious apps from running. It not only stops the threat but explains why and suggests safer alternatives from Microsoft’s app store, effectively extending the reach of security professionals to everyday users.
Microsoft Teams phishing alerts now display full email addresses, rather than just a name, to expose impersonators and flag when a domain doesn’t match a sender’s claimed company.
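As an added illustration of the Teams alert described above (example code, not Microsoft's; the company-to-domain table and all function names are constructed for this example), the check below renders the full sender address rather than only the friendly name and flags a mismatch between the company the sender claims and the domain it actually sends from. It goes slightly beyond the case in the article by also treating a company name that appears as a label inside the domain as a claim.

```python
from email.utils import parseaddr

# Constructed mapping of company names to the sender domains they actually use.
# Hypothetical data for the example; a real deployment would keep its own list.
KNOWN_COMPANY_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "contoso": {"contoso.com"},
}


def sender_domain(address):
    """Lower-cased part after the last '@', or '' if the address has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def domain_belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def claimed_companies(display_name, domain):
    """Companies the sender appears to claim: named in the display name
    (substring match) or used as a label inside the domain."""
    name = display_name.lower()
    labels = domain.split(".")
    return {c for c in KNOWN_COMPANY_DOMAINS if c in name or c in labels}


def analyze_sender(header_from):
    """Return what the alert should show for one From: header value."""
    display_name, address = parseaddr(header_from)
    domain = sender_domain(address)
    reasons = []
    for company in sorted(claimed_companies(display_name, domain)):
        if not domain_belongs_to(domain, KNOWN_COMPANY_DOMAINS[company]):
            reasons.append(f"claims {company} but sends from {domain or 'no domain'}")
    return {
        # Always render the full address, never just the friendly name.
        "shown_as": f"{display_name} <{address}>" if display_name else address,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample From: headers for the example.
    for hdr in [
        "Microsoft Account Team <alerts@microsoft.com>",
        '"Contoso Billing" <pay@contoso-invoices.net>',
        "helpdesk@microsoft.com.example.net",
    ]:
        print(analyze_sender(hdr))
```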
And passkeys are replacing passwords with authentication that is both more secure and simpler to use, such as facial recognition or a PIN through the Windows Hello sign-in experience; a passkey works only on your own machine and can’t be shared or stolen. As of May 1, all new Microsoft accounts have gone password-free.
That new technology is a great example of how good design goes hand-in-hand with communication to help users make better security decisions, Weston says. Powerful advances in security can’t protect users if they don’t understand them or how to adopt them — something that’s even more important since Windows is an open platform that gives users more choice than other operating systems do, he says.

“A lot of our recent security work is about simplifying,” Ash says, “making it easier for our users to understand when they need to jump into something and correct it.”
Trust and clarity are especially important, says Alistair Kilpatrick, principal design director for Windows, as technology moves toward an agentic future — a world where AI-powered agents can act on users’ behalf, with their permission and with access to their personal data and credit card information.
“These foundations need to be there in place to build customer trust,” Kilpatrick says.
The right amount of friction is key — making security features less complicated and easier to turn on so people aren’t loath to adopt them, while also alerting users to danger in a way that forces them to take notice.
Tech companies can help users understand that friction “is not a four-letter word,” AARP’s Stokes says. “Friction is a protection.”
Even small design choices as simple as where a button is placed, how a pop-up alert is worded, or whether the look of a page or program is consistent with others can help users recognize when something is off and avoid danger.

“You’re a gamer, you’re someone that’s a creative, you’re someone that’s trying to be productive, we don’t want you to worry about these things,” Ash says. “We design a simple user experience that is secure by default. This helps our users understand the protection we put in place and the risks if they decide to make changes.”
Cybercrime isn’t just a tech issue — it’s a public safety crisis, Stokes says. Scams are draining retirement funds, eroding trust and leaving people vulnerable and dependent on social safety nets. To help people resist the emotional manipulation behind modern tech scams, AARP has launched a national campaign with an easy-to-remember mantra meant to help users in the same way broad seatbelt or fire-drill campaigns have done in the past: “Pause. Reflect. Protect.”
That’s why Microsoft is innovating to make security feel less like a burden and more like a built-in benefit, Price says.
“We want security to be woven into everyday products to make experiences safer for everyone,” Price says. “That would mean fewer scams, fewer account breaches, more confidence and more trust in the digital tools people use every day.”
Illustrations by Nicolas Smud. Story published on July 16, 2025.