The full chain, step by step
The leak
A hospital system, a university, a sports organization or a hotel chain gets breached. You didn't do anything wrong — the failure sits with the third party that held your data. See the US data breaches dossier for documented, dated US cases.
Circulation
Stolen data gets listed for sale or dumped for free, often on specialized forums and Telegram channels. A complete identity package — name, address, date of birth, sometimes a Social Security number — can trade for as little as a few dollars once a breach is a few months old; exact prices vary a lot by data type and freshness, but the underlying mechanic is the same: it's a market, with supply and demand.
Privacy Affairs, Dark Web Price Index; Flashpoint, dark web marketplace research.Building the script
This is the least visible and most decisive step. A scammer doesn't work at random — they cross-reference multiple leaks or sources to build a coherent script: your bank, your branch, your employer, sometimes your university or your last hotel stay. Social engineering exploits human psychology, not a technical flaw — these attacks are built in layers, with perceived legitimacy increasing with every accurate detail supplied.
Proofpoint · KnowBe4 — social engineering research.Cross-channel execution
Contact arrives by phone, text, sometimes a follow-up email — with manufactured urgency ("there's fraudulent activity on your account," "your benefits need to be re-verified"). The FTC's own case data describes the costliest version of this: a fake security alert, often posing as a bank, that convinces someone to move money to "protect" it. Reports of older adults losing $10,000 or more to this kind of scam rose more than fourfold between 2020 and 2024; combined losses among those losing $100,000 or more rose eightfold, from $55 million in 2020 to $445 million in 2024.
FTC, Data Spotlight, August 2025.The final ask
A wire transfer to a "secure account," a verification code to read aloud, cash physically handed to a courier, or a redirect to a fake site. Americans reported losing $3.5 billion to imposter scams in 2025 alone — nearly one in three fraud reports to the FTC that year.
FTC, press release, June 2026.What the official numbers confirm
Two federal data sources — the FTC's Consumer Sentinel Network and the FBI's Internet Crime Complaint Center (IC3) — independently document the same acceleration, specifically in the categories of fraud that rely on personalized, believable detail:
The FTC and FBI/IC3 figures for government impersonation differ ($920M vs. roughly $798M) because the two agencies collect reports through different channels and count them differently — another reminder that even official statistics should be read with their source and methodology attached, not merged into a single number.
A testimony that illustrates the mechanism
"They already know everything about me." … "I totally believed it." … Asked how she was supposed to hand over the money: "Well, how do you do that?" Between mid-November and mid-December, Judith Boivin — a retired nurse — handed over "$595,000 and 98 cents" to callers posing as FBI agents investigating a fake drug cartel case built around her own bank accounts.
Judith Boivin, quoted in AARP's "'FBI Agent' Stole My $600K…Then Vanished," AARP Fraud Watch Network video series.Boivin now volunteers with the AARP Fraud Watch Network's victim support group — a reminder that these cases aren't rare outliers covered once and forgotten, but part of an ongoing, tracked pattern.
Who gets targeted
People aged 60 and older remain overrepresented in the loss data, though not always for the reasons assumed:
201,000+
Victims aged 60+ who reported losses to the FBI's IC3 in 2025, totaling $7.75 billion — up 59% year over year.
$38,000+
Average reported loss per senior victim in 2025, more than double the median for younger age brackets in most federal fraud categories.
Compounding factors
Sometimes lower digital familiarity, social isolation, cognitive decline over time — but also accumulated assets (savings, home equity, stable pensions) that make the target more lucrative.
An important nuance
The agencies tracking this data are explicit: "anyone can be targeted." Personalization built from stolen data erodes the usual protective advantage of being tech-savvy or well-informed.
Frequently asked questions
Does a data breach automatically lead to a scam?
Not automatically and not immediately — stolen data circulates and gets resold, sometimes used months after the original breach. But the statistical link is clear: reported imposter-scam losses have nearly tripled since 2020, tracking the same years that breach volumes hit record highs.
Why would a scam caller know real details about my bank or my medical provider?
Because that information likely leaked in a breach affecting your bank, employer, university or health plan. Scammers buy these data sets specifically to build a script that feels impossible to have guessed at random.
Why are older adults targeted more often?
A combination of factors: sometimes lower digital familiarity, social isolation, and accumulated assets (savings, home equity, stable pensions) that make the target more lucrative. But the agencies that track this data are clear: anyone can be targeted — personalization from stolen data erodes the usual advantage of being tech-savvy.