When a fake “bank employee” calls and correctly states your city, the last digits of your card, or a relative’s surname, it is tempting to believe they truly work inside the system. In reality, most scammers never hack your specific account. Instead, they assemble information from dozens of other sources — from leaked databases to your public social media.
Massive Database Breaches
One of the main sources of data is breaches and leaks of services where you signed up:
- Online stores and marketplaces.
- Banks and fintech platforms.
- Government or municipal portals.
- Social networks, forums, education services.
These databases may contain:
- Full name and contact details.
- Shipping and registration addresses.
- Order and transaction history.
- Masked card numbers, partial ID or passport data.
Such datasets are sold and resold on underground markets, merged with one another, and enriched with new leaks over time (see risks of centralized data storage).
Official and Semi‑Official “Data About You”
Some information about you circulates in more or less legal ways:
- Data brokers and ad networks build profiles from your clicks, purchases, and mobile apps.
- Banks and partners in loyalty programs exchange aggregated data about spending patterns.
- Telecom operators store detailed connection and location logs.
Formally, these datasets are often “pseudonymized”, but in practice they are easy to relink to specific people, especially when combined with leaked databases or public profiles (see how AI amplifies user surveillance).
Social Networks and Voluntary Oversharing
Scammers harvest many details from what people publish themselves:
- Full name, birthday, city.
- Names of friends and relatives, relationship status.
- Employer, job title, travel schedule.
- Photos of documents and tickets “for the story”.
- Receipts and parcels with sensitive data only partially obscured.
From this, it becomes easy to:
- Guess answers to security questions (“mother’s maiden name”, “favorite team”, “school”).
- Craft believable call scripts (“I know where you work, what you do, your child’s name”).
- See when you are travelling and less likely to closely monitor accounts.
Phishing, “Surveys”, and Fake Support
Some information is extracted directly from victims by impersonating legitimate services:
- Phishing sites with login forms that perfectly mimic the real ones.
- “Surveys for a prize” asking for full name, phone, address, and card details.
- Calls from “bank/courier/police” operators pushing you to read out codes and passwords.
Even if you do not reveal everything, small fragments still enrich existing profiles and make later attacks more accurate.
Malicious Apps and Browser Extensions
Some apps and browser extensions request excessive permissions:
- Access to SMS and notifications (including one‑time passwords).
- Access to contacts and call logs.
- Access to files and photos.
- Ability to read browser history and page contents.
The collected data may then:
- Be uploaded to third‑party servers.
- Be used for aggressive targeting and profiling.
- Leak when the project is hacked or quietly sold (see dangerous apps and embedded SDKs).
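For browser extensions, the access described above is declared in the extension's `manifest.json`, so it can be reviewed before or after installation. The following Python check is an added example, not part of the original article: the sample manifest is constructed, and the choice of which Chrome permissions to flag is an assumption made for illustration.

```python
import json

# Constructed sample manifest (Manifest V3 layout), not taken from a real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Coupon Helper (constructed sample)",
    "permissions": ["history", "storage", "tabs"],
    "host_permissions": ["https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Chrome API permissions that expose the kinds of data listed in this section
# (the selection is an assumption for this example, not an exhaustive list).
RISKY_API = {
    "history": "reads browsing history",
    "tabs": "sees URL and title of every open tab",
    "webRequest": "observes network requests",
    "cookies": "reads cookies for permitted hosts",
    "clipboardRead": "reads clipboard contents",
}

def is_broad(pattern):
    """True if a match pattern covers every host, e.g. <all_urls> or https://*/*."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    return bool(sep) and host == "*"

def audit_manifest(text):
    """Return sorted (item, reason) findings for one manifest.json string."""
    m = json.loads(text)
    perms = list(m.get("permissions", []))
    hosts = list(m.get("host_permissions", []))  # MV3 lists hosts separately
    if m.get("manifest_version") == 2:
        # MV2 mixes host patterns into "permissions"
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    findings = [(p, RISKY_API[p]) for p in perms if p in RISKY_API]
    findings += [(h, "host access to all sites") for h in hosts if is_broad(h)]
    for cs in m.get("content_scripts", []):
        findings += [(pat, "content script reads page contents on all sites")
                     for pat in cs.get("matches", []) if is_broad(pat)]
    return sorted(set(findings))

if __name__ == "__main__":
    for item, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{item}: {reason}")
```

A finding is not proof of malice; it marks access that should be justified by what the extension claims to do.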
Building a “Complete” Profile
Individually, each data point may look harmless. The real danger is that they are merged:
- Phone and name from deliveries + address from utility portals + work email from social networks.
- Purchase history + location data + likes and follows.
- ID details from a leak + document photos from messengers.
This creates a dossier detailed enough to:
- convincingly impersonate you in phone calls or support chats;
- open loans or services in your name;
- execute carefully scripted social‑engineering attacks.
What You Can Do
You cannot fully prevent leaks, but you can reduce both the volume and “usefulness” of your data:
- Minimize unnecessary registrations
  Avoid creating accounts “just in case” and do not fill optional fields unless strictly needed.
- Separate emails and phone numbers by criticality
  Use distinct addresses and numbers for banking, work services, and low‑trust sign‑ups.
- Review social media privacy settings
  Limit who can see your birthday, friends list, contacts, and internal conversations (see how apps collect behavioral data).
- Be careful what appears in photos
  Avoid posting tickets, receipts, and documents even if some fields are blurred — remaining details may still be enough.
- Treat surveys and promotions with suspicion
  Any form that asks for phone, address, and card data “for a small bonus” deserves serious scrutiny.
- Monitor for leaks and react
  When you suspect a breach, change passwords (and enable 2FA), review recent financial operations, and block cards if needed.
Scammers rarely have “secret backdoor access” to closed state databases. More often they simply know how to assemble public, leaked, and carelessly shared fragments into a powerful weapon. The less data you scatter and the more deliberately you manage it, the harder it is to mount an effective attack against you.