Threatcare

Clear, practical help to spot scams, avoid fraud, and recover if you've been caught out.

Spot the scam, protect your money, recover if it happens.

How Scammers Find and Target You: Where They Get Your Details

By David Mercer  |  Reviewed by Dana Whitaker, CFE

Published · Last reviewed

Key takeaways

  • Scammers rarely pick you personally; they buy and harvest contact details in bulk from data breaches, leaked lists, and public social media, then test who responds.
  • Being targeted is not a sign of carelessness: your number or email is almost certainly already on a list somewhere, and everyone gets the same fishing messages.
  • Social engineering turns small public facts (your employer, your pet, a recent purchase) into a believable, personalised approach.
  • You cannot disappear, but you can shrink your exposure: lock down privacy settings, limit what you share, and treat every out-of-the-blue contact as unverified.

Scammers almost never choose you personally: they harvest contact details in bulk, from data breaches, lists bought and sold between criminals, and what you post publicly, then send the same approach to thousands and wait to see who responds. Understanding where your details come from is the first step to cutting your exposure. For the wider picture, start with our guide to online scams and fraud.

Where scammers get your details

Most of your contact details reach scammers in bulk, long before any individual message arrives. The main sources are data breaches, traded lists, public information, and details you hand over without realising. A single approach, a phishing text say, may have been sent to a list of hundreds of thousands of numbers at once. The scale is enormous: the FTC’s Consumer Sentinel Network logged about 2.6 million fraud reports in 2023, and that captures only the fraction of people who report.

The point worth holding on to: a flood of scam contact almost always means your number or email is circulating on a list, not that a person has studied you and picked you out.

Data breaches and leaked lists

Data breaches are the biggest single feed of personal data to fraudsters. When a company you used is hacked, your name, email, phone number, and sometimes passwords can end up dumped online or sold. Because criminals trade these dumps, details from a breach years ago can still be in active use today, which is why a number you have had for a decade still attracts scam texts.

These details are then sold as ready-made lists. Stolen email and phone lists circulate cheaply, and the same record can be resold many times. Reusing one password across sites makes a breach far worse: one leaked password becomes a key tried against your other accounts, so strong, unique passwords and two-factor authentication genuinely contain the damage.

Social media and public information

Social media is where bulk data becomes personal. A public profile can reveal your full name, location, employer, family members, pets, holidays, and recent purchases, which is exactly the material a scammer needs to sound like they know you. Romance and investment scammers in particular study a target’s profile before the first message. The FTC reported that people lost about 1.14 billion dollars to romance scams in 2023, much of it built on details lifted straight from social media before any approach was made.

I learned this from the inside. The investment scam that took most of my savings did not start with money. It started with a friendly message from someone who already seemed to know my line of work, the city I lived in, and a hobby I had posted about for years. None of it was secret, and none of it felt like an attack. It felt like a coincidence, which is precisely the point: every detail that made him credible came straight off my own public profiles.

Random dialling and sucker lists

Not every approach needs your data at all. Automated systems dial and text numbers in sequence or at random, so you can be contacted even if your number was never leaked; the FTC notes that scam callers often spoof a local or trusted number to raise the odds you pick up. Caller ID proves nothing, because the displayed number is trivially faked. Text messages now lead the field: the FTC reported that fraud starting with a text cost people about 330 million dollars in 2022, the most of any contact method that year.

What turns a random hit into sustained targeting is responding. Once you reply, click, or pay, your details are often flagged as a known-responsive contact, a so-called sucker list, and resold at a premium. That is why one scam frequently leads to several more, including recovery scams that promise to claw back what you lost for an upfront fee. The safest reply to an unsolicited approach is no reply.

Social engineering: turning details into trust

Social engineering is the craft of using what they know to make you act. Scammers stitch together small, true facts (your bank, a recent delivery, your employer) into a story that feels verified, then add the universal scam levers: manufactured urgency or fear, a borrowed identity, and a push toward an unusual, hard-to-reverse payment such as gift cards, crypto, a wire transfer, or moving money to a “safe account.” The payment method is no accident: the FTC reported that bank transfers and crypto accounted for the highest reported fraud losses in 2023, precisely because both are fast and hard to reverse.

The defence does not depend on spotting every trick. It depends on a habit: pause and verify independently. Contact the organisation using a number or website you find yourself, never the details in the message, because a few accurate facts about you do not prove the contact is genuine.

Why anyone can be targeted

Anyone can be targeted, because targeting is a numbers game played at scale, not a judgement about you. Lists are vast, messages are automated, and the same approach lands in millions of inboxes. Younger, tech-confident people are scammed too: the FTC reported that adults aged 20 to 29 were more likely to report losing money to fraud than those aged 70 to 79, because confidence can make you quicker to click. Being contacted is not a sign of carelessness, and being deceived is not a sign of stupidity.

How to reduce your exposure

You cannot vanish from every list, but you can shrink your footprint and make any approach easier to recognise. Practical steps:

  • Lock down privacy settings. Set social profiles to private and limit what is publicly visible.
  • Share less publicly. Holidays, purchases, and family details are raw material for a tailored approach.
  • Separate your sign-up email. Use a distinct address for forms, prize draws, and shopping so a breach there does not expose your main account.
  • Decline optional fields. The less data you give, the less can leak.
  • Check for breaches and freeze your credit. A credit freeze is free and blocks new accounts in your name. For more, see protecting your online privacy.
  • Treat every out-of-the-blue contact as unverified, however much it seems to know about you.

This is general information, not individual legal, financial, or security advice. If you have been targeted or scammed, report it to the proper authorities: in the US via ReportFraud.ftc.gov and the FBI’s IC3, and in the UK via Action Fraud.

References

  1. How To Recognize and Avoid Phishing Scams, US Federal Trade Commission.
  2. Internet Crime Complaint Center (IC3), Federal Bureau of Investigation.
  3. How To Know if a Caller Is a Scammer, FTC Consumer Advice.
  4. AARP Fraud Watch Network, AARP.
  5. Nearly $8.8 billion lost to fraud in 2022, and more in 2023, FTC Consumer Protection Data Spotlight.

Frequently asked questions

How do scammers get my phone number and email?

Most come from bulk sources, not from singling you out: data breaches of companies you used, lists bought and sold between criminals, sign-up forms and prize draws, and details you have posted publicly. Phone numbers are also dialled at random by automated systems, so you can be contacted even if your number was never leaked.

Why am I being targeted by scammers?

Usually you are not, personally. Scammers send the same message to huge lists and wait to see who replies; the ones who respond get the focused follow-up. So a flood of scam texts or calls is a sign your details are on a circulating list, not that someone has chosen you.

Can scammers find me through social media?

Yes. Public profiles reveal your name, location, employer, family, pets, and recent events, which is exactly the raw material for a convincing, personalised approach. Romance and investment scammers in particular study profiles before making contact. Tightening privacy settings and limiting public detail reduces this.

Does being on a 'sucker list' make me a bigger target?

Yes. Once you respond to or pay a scam, your details are often resold as a known-responsive contact, sometimes called a sucker list, and you receive more approaches, including recovery scams that promise to get your money back for a fee. Reporting fraud and ignoring follow-ups is the safer response.

How can I reduce how much scammers can find out about me?

Set social profiles to private, share less publicly, use a separate email for sign-ups, decline optional data fields, and check whether your details appear in known breaches. None of this makes you invisible, but it lowers your exposure and makes any approach easier to recognise as suspicious.

Written by David Mercer. Reviewed by Dana Whitaker, CFE.

Our guides are written from personal experience and reviewed by a qualified fraud and security professional for accuracy. Read our editorial policy.

Related articles