Why Do Scammers Already Know My Personal Information? (The Real Answer Most Posts Miss)

April 23, 2026 · 9 min read

TL;DR - When a scammer calls knowing your name, address, and previous addresses before you've said anything, they didn't hack you. They bought a stitched profile of you from a data broker. The stitching is held together by one thing: the email address you have re-used across hundreds of accounts. Cut that link and the profile stops growing. The fix is unique email aliases per signup, plus a one-time cleanup of the brokers who already have you on file. Below: how the aggregation works, the simple hygiene that breaks it, and what to do if you're already in the lists.

A post on r/Scams this week described a scammer who called with a fake jury-duty story and already had the victim's full name, driver's licence number, licence plate, current address, two previous addresses, and employer. Before the victim said a single word.

If that has happened to you, you're not alone. The thread had 74 upvotes and 46 comments of people saying the same thing happened to them this month. The most common reaction was the obvious one: "How did they know all that already?"

The most common answer in the comments was the wrong one.

The right answer matters because it changes what you actually do about it. Honest answer up front: scammers did not hack you, did not buy your info "on the dark web", and did not get it from a single big breach. They bought a stitched-together profile of you from a perfectly legal data broker, and the thing holding all the stitches together is your email address.

This post explains how that works, why the email address is the linchpin, and the simple hygiene that cuts it off going forward. If you want the spam-stopping version of this story, my email aliases for Australians post covers that angle. This one is about scam-profile prevention, which is a related but distinct problem.


The wrong answer: "they bought it on the dark web"

The dark-web answer is partly true and mostly misleading.

It's true that breach data shows up on hacker forums. It's true that some scammers buy stolen credential dumps. But the data a scammer needs to call you with your licence number and previous addresses doesn't usually come from a single breach. It comes from a profile that was assembled, legally, by an industry called data brokers.

The dark-web framing sends people looking for the wrong fix (changing passwords, getting credit monitoring) when the actual fix is upstream. Your passwords being safe doesn't stop the broker industry from continuing to sell a profile of you that includes information no breach ever leaked.


What data aggregation actually is

There are roughly 4,000 data broker companies operating in the US alone, plus hundreds more in Australia, the UK, and the EU. Their business model is this:

  1. Buy data from many sources. Some of it from breaches (yes), most of it from completely legal sources: public records (property, court, voter), warranty registrations, magazine subscriptions, store loyalty programs, app permissions, ad-network tracking, credit bureau leaks, real estate transactions.
  2. Stitch the rows together by matching on common fields. Email address. Phone number. Name + DOB. Name + address. The more rows match, the higher their confidence the rows describe the same person.
  3. Sell the stitched profile to anyone who asks: marketers, debt collectors, insurance companies, lawyers, private investigators, and (legally or otherwise) scam operations posing as any of those.

The legal version of this industry is huge and powers things like targeted advertising. The semi-legal and outright illegal versions are smaller but still buy from the same upstream sources, often laundered through layers of resellers.

A profile assembled this way includes things no breach ever exposed: the previous address you registered a car at in 2019, the gym membership you cancelled in 2021, the job title you put on a LinkedIn profile you forgot you had. None of it stolen. All of it legal to collect. All of it stitched into a single record about you.

When a scammer reads off your previous address, they're not showing off elite hacking skills. They're reading off a $0.02 record they bought from a reseller.


Your email address is the stitching key

Here is the part that matters for the fix.

Brokers can't actually be sure two rows describe the same person unless they have a reliable matching field. Names are weak (lots of John Smiths). Phone numbers move. Addresses change.

Email addresses are stable. People keep the same Gmail or Outlook address for ten or fifteen years. People use the same email on hundreds of services. When a broker sees john.smith@gmail.com on a breach, on a warranty card, on a mailing list, and on a real estate transaction, they have very high confidence that all four rows describe the same person.

That's the stitching. Your email address is the linchpin of the profile.

Take it away and the broker's confidence drops. They might still be able to stitch some rows together using name + address, but the resulting profile is thinner and less reliable. Less reliable profiles sell for less. Less profitable profiles get aggregated less aggressively. The whole pipeline degrades.


The fix: unique email aliases per signup

This is the hygiene step. It works going forward, not backwards (we'll handle the backward problem in the next section).

The principle is simple: every service you sign up for gets a unique email alias instead of your real email address. The alias forwards to your real inbox, but the service only ever sees the alias. As far as the broker industry is concerned, that signup is a different person than your other signups.

When you do this:

  • A breach at one service exposes only that service's alias, not your master profile.
  • Brokers can't stitch your warranty registration to your gym membership to your real estate purchase, because each one used a different email.
  • The profile-building pipeline starves of the one field that makes stitching reliable.
  • As a bonus, you can tell exactly which company leaked or sold your data when an alias starts getting spam.
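
The stitching step and the alias fix, as an added Python sketch (not code from any broker or alias service): rows that share a normalised email or phone number are merged into one profile, first with a re-used address and then with one alias per signup. All rows, the example.com address, the phone number and the alias.example domain are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows: what four unrelated sources might hold about one person.
REUSED = [
    {"source": "breach_dump", "email": "John.Smith@example.com", "phone": None, "fact": "password hash"},
    {"source": "warranty_card", "email": "john.smith@example.com", "phone": "0400 000 001", "fact": "home address"},
    {"source": "mailing_list", "email": "john.smith@example.com ", "phone": None, "fact": "interests"},
    {"source": "real_estate", "email": "john.smith@example.com", "phone": "0400000001", "fact": "previous address"},
]

def with_aliases(rows, domain="alias.example"):
    """Same rows, but each signup used its own alias (hypothetical alias domain)."""
    return [dict(r, email=f"{r['source']}@{domain}") for r in rows]

def keys_for(row):
    """Normalised strong identifiers a matcher could join on."""
    keys = []
    if row["email"]:
        keys.append(("email", row["email"].strip().lower()))
    if row["phone"]:
        keys.append(("phone", "".join(ch for ch in row["phone"] if ch.isdigit())))
    return keys

def stitch(rows):
    """Group rows that share any strong identifier (union-find over row indexes)."""
    parent = list(range(len(rows)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    first_seen = {}
    for i, row in enumerate(rows):
        for key in keys_for(row):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i

    profiles = defaultdict(set)
    for i, row in enumerate(rows):
        profiles[find(i)].add(row["fact"])
    return sorted(profiles.values(), key=len, reverse=True)

if __name__ == "__main__":
    for label, rows in (("reused email", REUSED), ("per-signup aliases", with_aliases(REUSED))):
        print(label, "->", [sorted(p) for p in stitch(rows)])
```

With the re-used address all four rows collapse into one profile; with aliases only the two rows that share a phone number still merge, which is the residual phone stitching discussed in the FAQ.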

There are several services that do this. Apple's Hide My Email is built into iCloud. Firefox Relay works in any browser. SimpleLogin is open source. And SecureAlias is the one I built, because I wanted one that was simple, fast, and made for individuals rather than enterprises.

Whichever you pick, the move is the same: from now on, every new signup gets its own alias. Your real email address only goes to a small number of trusted accounts (your bank, your tax authority, your closest people). Everything else is aliased.

This is the highest-leverage privacy hygiene you can adopt as an individual in 2026, and it costs roughly zero dollars.


What to do if you're already in the brokers' lists

The above stops new exposure. It doesn't fix the profile that already exists.

The fix for existing profiles is broker opt-out. Each major data broker is legally required (in most jurisdictions) to honour a deletion request, but you have to send one. The process is tedious and per-broker.

Three approaches, in order of effort:

1. Manual opt-out for the top 10 brokers. Spokeo, BeenVerified, Whitepages, MyLife, Intelius, PeopleFinder, Radaris, FastPeopleSearch, TruthFinder, and Pipl. Twenty minutes per broker, mostly boilerplate forms. Searching for "[broker name] opt out" returns each broker's form directly.

2. Use a paid removal service like DeleteMe, Privacy Bee, or Optery. They sweep dozens of brokers per quarter. $100-200/year. Worth it if you're a public figure, journalist, lawyer, or anyone who's been targeted before.

3. Australian-specific: if you're in Australia, the Privacy Act 1988 gives you the right to request access to and correction of personal information held by any entity. Most data brokers operating here will respond to a formal Privacy Act request faster than a generic web form. Format the request as "I am requesting access to all personal information you hold about me, and the deletion of any information not subject to a legal retention requirement."

In all three cases, the goal is to thin out the existing profile while you also stop feeding new data into it via aliases.


The hardest part: this is hygiene, not a one-time fix

People want privacy to be a setup-once-and-done thing. It isn't. The brokers will rebuild your profile if you go back to using your real email everywhere, the same way a kitchen will get dirty again after you wipe it down.

Alias hygiene is the equivalent of "wash your hands after the bathroom". You do it without thinking, every time, for the rest of your life. Once it's automatic, the cost is zero. The first three months feel slightly tedious because you're noticing the change.

If you only do one thing differently after reading this, set up an alias service today and use it for the very next signup you make. Not tomorrow's signup. The next one. The change happens at the margin and the margin is your next click.


FAQ

How did the scammer specifically know my driver's licence number though?

In most US states, driver's licence and licence plate data is sold by the state motor vehicle registry to a cottage industry of resellers, who stitch it into broker profiles. In Australia, it's harder for brokers to legally obtain licence data, but rego data is partially public and licence-number leaks happen via courts, insurance, or breach. In the UK and EU, licence data is more strongly protected but still appears in some broker profiles via overseas data flow.

Will using aliases break my account recovery if I lose access?

No, as long as the alias forwards to your real email, account recovery works exactly as before. The recovery email goes to the alias, the alias forwards to you. The only thing that changes is what the service sees on file.

What about my phone number? Won't scammers still call?

Phone is the next stitching key after email and harder to alias because most countries don't have a clean phone-aliasing equivalent. Mitigations: don't list your phone number on social media, use carrier-level spam blocking, and register on the Do Not Call register if available in your country (Australia has one). Aliases break email-based stitching specifically; phone stitching is a related but separate hygiene problem.

How is this different from a password manager?

A password manager protects you from credential reuse (one breach doesn't compromise all accounts). An alias service protects you from data aggregation (one breach doesn't add to a stitched profile of you). They solve different problems, and you should ideally have both. Most people start with neither, then adopt a password manager, then use both. The third stage is where the real privacy gains land.

Is SecureAlias free?

There's a free tier (limited number of aliases). Paid tiers add unlimited aliases and custom domains. Other alias services have similar pricing models. The cost difference between providers is small; the cost difference between using one and not using one is large.

What if I already use the same email for everything and it's been leaked in dozens of breaches?

Don't change your real email. That's a years-long migration with email-recovery risk. Instead: keep your real email for the small number of accounts you trust (bank, tax authority, primary identity), and start using aliases for everything else from today onwards. Over the next year or two, gradually update older accounts to use aliases too, prioritising the ones most likely to leak. The profile thins out as fewer new signups feed your real email into broker databases.

Can I check if I'm already in broker databases?

Yes. The free site haveibeenpwned.com tells you which breaches your email appears in (a proxy for broker exposure). Many brokers also have free "search yourself" pages on their own sites. Be warned that searching for yourself on a broker site sometimes adds you as a confirmed match if you weren't already - use the Optery free scan instead, which queries multiple brokers without exposing your search activity.


If this was useful, the Secure In Seconds newsletter covers one specific story like this every Thursday. Practical, calm, no fear-mongering. Just the thing to do this week.

And if you want to start cutting off the stitching key today, SecureAlias is the simple version of what's described above. I built it for individuals, not enterprises, because the existing tools all felt like they were made for security teams rather than humans.

Stay safe out there.
