How Scammers Get Your Personal Data — And Use It Against You
The organizations behind frauds and scams use your personal data to create “shadow profiles” that fuel personalized scams.
Guest post from Jenny Li
You may be familiar with the concept of a “digital footprint”, but would you be surprised to know just how dramatically yours is growing every day? As millions of terabytes of data are created daily, the volume of available personal information continues to grow, creating a gold mine for scammers to exploit.
When pieced together, this collection of personal data can paint a picture of exactly who you are — not just your age and where you work, but whether you’re in a state of mind that scammers can use to their advantage.
Types of Personal Data and How It’s Collected
You might be well aware of the information you willingly share on social media, but less aware of how it can be used against you. At the same time, other data points are collected less transparently, yet greatly expand the potential attack surface for cybercriminals.
Personally identifiable information, or PII, includes names, addresses, employee IDs, social security numbers, birthdates, and any other information or combination thereof that can be used to directly identify an individual. Some of it is public by nature, like your name, while more sensitive information, like the SSN you give to your mortgage company, hopefully lives in a protected environment. However, the proliferation of data breaches has made PII increasingly accessible to bad actors in recent years.
Cookies are ubiquitous online. While first-party cookies are used to improve your experience on a website by remembering where you left off, third-party cookies are persistent and track you even after you navigate away from the site. Third-party cookies record your activities across the internet and share them with their owners, which are typically advertising and analytics platforms. The aggregation of all the sites you visit, the ads you click, the purchases you make, and many other interactions creates a highly personalized behavioral profile.
Biometric data refers to the unique physical elements of a human, including fingerprints, voice, or facial patterns, and is used most often for authentication purposes. While it may be convenient to unlock your phone with a quick scan of your face, it also means this information is stored somewhere. While some companies like Apple keep this data locally on your actual device, that isn’t the case for all biometric data. And even hardware devices are subject to compromise. Because these physiological traits are unique to you, biometric data is incredibly dangerous in the hands of a scammer trying to impersonate you.
Social media is nearly unavoidable in today’s world, and it’s a treasure trove for targeted manipulation. According to the consultancy firm Manochi, there are over 5.79 million social media user identities as of April 2026. More people in the world have a social media account than don’t. Scammers often use these accounts, particularly when public, to identify potential victims and gather reconnaissance for social engineering. Even if you don’t often reveal aspects of your personal life publicly, scammers can still use your profile picture and basic information to impersonate you or gain knowledge of who you’re connected with based on your follow/followed list.
Read the recent post from Detective Brad Thorne about his own experience being impersonated on Facebook.
How Scammers Collect Your Personal Data
In the intelligence industry, OSINT (Open Source INTelligence) is a method of gathering information about a subject through public sources. While the procedure itself is legal, scammers use the same tactics to get actionable intelligence for their fraudulent schemes.
Phishing is one of the most common ways to target businesses in scams. Scammers may first conduct OSINT via the company website or LinkedIn to find information such as who the C-level executives are, who they hire as contractors, what software they use, and more, to build a convincing scam.
Social media also gives scammers a direct line of communication with their victims, often before luring them to use another messaging app with less security and moderation, like WhatsApp. This is especially true of romance scams. Scammers will tailor their strategy to an individual based on the likes, dislikes, and vulnerabilities showcased on their profile. Recent data from the U.S. Federal Trade Commission (FTC) revealed that nearly 30% of people who reported losing money to a scam in 2025 said that the interaction originated on social media, resulting in staggering reported losses of $2.1 billion.
Data Brokers Collect and Sell Your Personal Data
Beyond social media, a scammer can supplement their knowledge of a target by using data brokers, a market estimated to be worth nearly $300 billion. These companies collect, aggregate, and sell personal data, but their services currently fall into a gray area in the United States.
Although a few states have enacted laws to curtail the industry’s control over personal data, there is no comprehensive federal law regulating data brokers. These incredibly lucrative businesses can legally sell profiles containing personal data, from phone numbers to behavioral patterns. While you may be able to make individual requests to data brokers to remove your data from their systems, the process is so tedious that there are companies that exist for the sole purpose of managing this on your behalf (for a fee).
Data Breaches Expose Personal Data
Even if you manage to remove your information from data brokerage systems, there is always the risk of a data breach exposing your personal data. In January 2024, security researchers uncovered a massive data aggregation containing over 26 billion records compiled from previous breaches at major companies like Twitter, Adobe, LinkedIn, and Dropbox. Dubbed the “Mother of All Breaches,” this incident exposed approximately 2.9 billion records, including full names, historical physical addresses, and Social Security numbers.
Cybercriminals exploit this specific combination of data to commit identity theft, such as fraudulently opening new credit accounts or filing fraudulent tax returns.
Shadow Profiles: How Cybercriminals Use Personal Data in Scams
Identity fraud used to be the biggest worry when it came to having your personal data compromised. While deepfakes and AI voice cloning have added new dimensions to impersonation crimes, an even more insidious usage of this data is hyper-personalized, highly convincing social engineering.
The synthesis of all the personal data collected on an individual, whether they have consented to it or not, can be used to build a shadow profile. The true danger of shadow profiling lies in its application of advanced psychological modeling and the ways in which scammers can use this strategy to keep their victims hooked.
Shadow profiles don’t just consist of facts and numbers; they can also reveal a person’s emotional state and identify approaches scammers can use to manipulate them. For instance, they may know from a LinkedIn profile that someone is looking for a job. The same person’s Facebook posts may indicate that they are single or facing financial difficulties.
When a scammer incorporates highly specific personal details into an interaction, they seamlessly exploit natural behaviors, including:
Confirmation bias — the tendency to seek information that confirms preexisting beliefs
Anchoring bias — the tendency to rely heavily on the first piece of information offered
Romance scams are a good example of how scammers use personal data in cybercrime. These crimes continue to rise, with devastating losses in the billions annually. An expert scammer will use information from an online profile to establish rapport with a target and gradually elicit more personal details, all while appearing genuinely interested. These so-called “pig-butchering” plots are particularly insidious because they involve the scammer gradually gaining their victim’s trust. If they already have a comprehensive profile of the individual from the outset, their job is even easier.
Protecting Yourself Against Hyper-Targeted Attacks
In the past decade, the modern scam industry has transitioned from broad, easily identifiable schemes to highly targeted, contextually flawless attacks. The explosion in volume of personal data means cybercriminals have access to a highly lucrative, infinitely renewable resource of information.
Three things you can do to protect yourself against scam attempts:
Limit the details publicly available about you online by adjusting your social media settings.
Refrain from giving out personally identifiable information like your phone number unless necessary.
When you’re contacted by someone who seems to know just a little too much, think twice about what they claim to offer.
A multi-hyphenate at heart, Jenny Li is a researcher, writer, and photographer residing in the San Francisco Bay Area. Driven by a commitment to social good, she enjoys exploring the intersection of human behavior, technology, and storytelling.