Egidio
Dossier · mechanism · 2026

The leak is only step one

A name and a phone number leaking somewhere doesn't turn into a scam by itself. There's a chain — with specific, documented steps — between the moment your data leaves a hacked database and the moment your phone rings with a script that seems to know everything about you.

The full chain, step by step

1

The leak

A hospital system, a university, a sports organization or a hotel chain gets breached. You didn't do anything wrong — the failure sits with the third party that held your data. See the US data breaches dossier for documented, dated US cases.

2

Circulation

Stolen data gets listed for sale or dumped for free, often on specialized forums and Telegram channels. A complete identity package — name, address, date of birth, sometimes a Social Security number — can trade for as little as a few dollars once a breach is a few months old; exact prices vary a lot by data type and freshness, but the underlying mechanic is the same: it's a market, with supply and demand.

Privacy Affairs, Dark Web Price Index; Flashpoint, dark web marketplace research.
3

Building the script

This is the least visible and most decisive step. A scammer doesn't work at random — they cross-reference multiple leaks or sources to build a coherent script: your bank, your branch, your employer, sometimes your university or your last hotel stay. Social engineering exploits human psychology, not a technical flaw — these attacks are built in layers, with perceived legitimacy increasing with every accurate detail supplied.

Proofpoint · KnowBe4 — social engineering research.
4

Cross-channel execution

Contact arrives by phone, text, sometimes a follow-up email — with manufactured urgency ("there's fraudulent activity on your account," "your benefits need to be re-verified"). The FTC's own case data describes the costliest version of this: a fake security alert, often posing as a bank, that convinces someone to move money to "protect" it. Reports of older adults losing $10,000 or more to this kind of scam rose more than fourfold between 2020 and 2024; combined losses among those losing $100,000 or more rose eightfold, from $55 million in 2020 to $445 million in 2024.

FTC, Data Spotlight, August 2025.
5

The final ask

A wire transfer to a "secure account," a verification code to read aloud, cash physically handed to a courier, or a redirect to a fake site. Americans reported losing $3.5 billion to imposter scams in 2025 alone — nearly one in three fraud reports to the FTC that year.

FTC, press release, June 2026.

What the official numbers confirm

Two federal data sources — the FTC's Consumer Sentinel Network and the FBI's Internet Crime Complaint Center (IC3) — independently document the same acceleration, specifically in the categories of fraud that rely on personalized, believable detail:

$3.5B
Reported losses to imposter scams in 2025 — the top fraud category reported to the FTC for the fifth straight year, up nearly threefold since 2020.
FTC, Consumer Sentinel Network data, June 2026.
$920M
Losses to government impersonators in 2025, up from $789 million in 2024. Bank impersonators drove the largest share of the nearly $1 billion lost to business impersonation.
FTC, Consumer Sentinel Network data, June 2026.
$7.75B
Losses reported by victims aged 60+ in 2025, a 59% jump over 2024, across more than 201,000 complaints. Average loss per senior victim exceeded $38,000.
FBI, IC3 2025 Annual Report / Elder Fraud Report.
32,400
Government-impersonation complaints logged by IC3 across all ages in 2025, totaling close to $798 million in reported losses — over 8,600 of those complaints came from victims 60 and older.
FBI, IC3 2025 Annual Report.

The FTC and FBI/IC3 figures for government impersonation differ ($920M vs. roughly $798M) because the two agencies collect reports through different channels and count them differently — another reminder that even official statistics should be read with their source and methodology attached, not merged into a single number.

A testimony that illustrates the mechanism

"They already know everything about me." … "I totally believed it." … Asked how she was supposed to hand over the money: "Well, how do you do that?" Between mid-November and mid-December, Judith Boivin — a retired nurse — handed over "$595,000 and 98 cents" to callers posing as FBI agents investigating a fake drug cartel case built around her own bank accounts.

Judith Boivin, quoted in AARP's "'FBI Agent' Stole My $600K…Then Vanished," AARP Fraud Watch Network video series.

Boivin now volunteers with the AARP Fraud Watch Network's victim support group — a reminder that these cases aren't rare outliers covered once and forgotten, but part of an ongoing, tracked pattern.

Who gets targeted

People aged 60 and older remain overrepresented in the loss data, though not always for the reasons assumed:

201,000+

Victims aged 60+ who reported losses to the FBI's IC3 in 2025, totaling $7.75 billion — up 59% year over year.

$38,000+

Average reported loss per senior victim in 2025, more than double the median for younger age brackets in most federal fraud categories.

Compounding factors

Sometimes lower digital familiarity, social isolation, cognitive decline over time — but also accumulated assets (savings, home equity, stable pensions) that make the target more lucrative.

An important nuance

The agencies tracking this data are explicit: "anyone can be targeted." Personalization built from stolen data erodes the usual protective advantage of being tech-savvy or well-informed.

🔒 It's precisely because these attacks use real information that static protection — a blacklist of known numbers, a filter for suspicious keywords — is structurally blind: the number isn't on any known blacklist, the message doesn't contain any classic red-flag phrase. What gives the pattern away is the constellation of behavior across channels — a contact that shifts from a call to a text to a follow-up email, with financial urgency introduced gradually — exactly what Medusa is built to recognize. See how Medusa works.

Frequently asked questions

Does a data breach automatically lead to a scam?

Not automatically and not immediately — stolen data circulates and gets resold, sometimes used months after the original breach. But the statistical link is clear: reported imposter-scam losses have nearly tripled since 2020, tracking the same years that breach volumes hit record highs.

Why would a scam caller know real details about my bank or my medical provider?

Because that information likely leaked in a breach affecting your bank, employer, university or health plan. Scammers buy these data sets specifically to build a script that feels impossible to have guessed at random.

Why are older adults targeted more often?

A combination of factors: sometimes lower digital familiarity, social isolation, and accumulated assets (savings, home equity, stable pensions) that make the target more lucrative. But the agencies that track this data are clear: anyone can be targeted — personalization from stolen data erodes the usual advantage of being tech-savvy.

Go further