The image is a four-piece puzzle mosaic illustrating the exploitation of public data: the top-left shows a global view of city lights; the top-right features a mountain of social media icons looming over a pile of data; the bottom-left shows a building entrance labeled "OPEN DATA" buried under stacks of documents; and the bottom-right shows a desk with a laptop and a string of hanging documents and photos, all connected by the puzzle pieces.
#WhatFraudstersLike #CyberAwareness #OSINT #OpenDataRisks #LetsTalkFraud

Fraudsters Like Public Data!

Public data isn’t just public - it’s profitable. And fraudsters are cashing in on details you probably forgot you shared.

Curious how criminals turn "public" into profit?

🕵️ OSINT-powered pretexting - They mine LinkedIn, corporate sites, and news for names, roles, and projects to craft emails and voice calls that sound legit, then pressure targets to "verify" or "pay."[ref]

🔐 Credential stuffing and password reuse - Credential dumps fuel automated login attempts at scale against banks and fintechs. Attackers bank on reused passwords: a login leaked from one site is replayed against every other, and a single hit becomes the foothold they pivot from.

🧩 Account recovery abuse - Public clues about birthdays, schools, or pets make knowledge-based questions weak.

📧 Vendor and BEC fraud - Open org charts, press releases, and invoice trails help craft real-looking payment requests and vendor updates that slip past gut checks.

🍪 Stealer logs and session cookies - Infostealer malware lifts session cookies and tokens (the "remember me" tickets) straight out of your browser, letting criminals log in as you without ever needing your password or one-time code. Those cookies get packaged with your saved passwords and autofill data and sold in bulk as stealer logs. Changing the password alone does not help: the stolen session has to be revoked.

📱 SIM swapping with public PII - Crooks combine leaked data and social footprints to trick carriers, hijack numbers and intercept one-time codes, then drain accounts.

🎤 Voice and persona cloning - Public interviews and posts feed convincing deepfake voices or profiles for vishing and helpdesk takeovers that lead to MFA resets[ref].

🏠 Property and records misuse - Open land and company registries can be weaponized for title and loan fraud.

🧪 “Anonymized” open data that isn’t - Research shows even incomplete "sanitized" datasets can be re-identified when linked with public attributes, turning civic open data into targeting fuel.

📉 Shocking but true: in 2024, victims reported a record $16.6 billion in cybercrime losses to the FBI[ref]. Public and leaked data is a fraudster’s dream: it costs almost nothing, feels convincing because it uses real facts, scales easily with automation, and - worst of all - once it’s out, it never disappears. Verizon’s latest DBIR shows the human element drives 6 out of 10 breaches, and security questions (Knowledge-Based Authentication, KBA) are now so weak that NIST’s digital identity guidelines (SP 800-63B) no longer accept them as an authenticator. In short: assume your data is already out there, and fraudsters are ready to use it.

🚨 Advice for banks, fintechs, and risk teams:

- Treat exposure as a signal: ingest breach and stealer-log intelligence to trigger step-up auth, device binding, or temporary holds when a customer’s email or domain appears in fresh leaks.

- Patch edge systems fast: exploitation of vulnerabilities is now the initial access vector in about 20 percent of breaches, with internet-facing edge devices and VPNs the favourite targets (DBIR).

- Kill Knowledge-Based Authentication (KBA): move to phishing-resistant MFA and passkeys for login and recovery; require carrier PIN checks and SIM-swap signals before high-risk actions.

- Humans are the control surface: rehearse helpdesk playbooks against vishing, and enforce a no-reset-without-strong-proof rule (no MFA or password reset on a caller’s say-so, however convincing the story).
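What "treat exposure as a signal" looks like in practice, as an added example (not code from the original post or from any named vendor): a small Python risk decision that ingests breach and stealer-log records, keeps only fresh ones, and maps them to allow, step-up, or hold for a login or payment attempt. The feed format, the 30-day freshness window, the device-binding flag and all addresses and dates are constructed assumptions for illustration; a real deployment would wire this to its own intel feeds and session store.

```python
"""Exposure-as-signal risk decision.

Added example, not from the original post. The intel records, the login
events, the 30-day freshness window and the device-binding flag are all
constructed assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FRESH_WINDOW = timedelta(days=30)  # assumption: older exposures are treated as stale


def email_key(email: str) -> str:
    """Normalise then hash an address so the intel store holds digests, not plaintext PII."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class Exposure:
    kind: str          # "credential_dump" or "stealer_log"
    seen_at: datetime  # first time the leak was observed


@dataclass
class LoginAttempt:
    email: str
    device_known: bool  # device passed binding (cookie/fingerprint matched a trusted device)
    action: str         # "login" or "payment"
    at: datetime


@dataclass
class ExposureIntel:
    accounts: Dict[str, List[Exposure]] = field(default_factory=dict)  # email digest -> exposures
    domains: Dict[str, List[Exposure]] = field(default_factory=dict)   # domain -> exposures

    def ingest(self, *, kind: str, seen_at: datetime,
               email: Optional[str] = None, domain: Optional[str] = None) -> None:
        """Load one record from a breach or stealer-log feed (hypothetical feed shape)."""
        exp = Exposure(kind, seen_at)
        if email:
            self.accounts.setdefault(email_key(email), []).append(exp)
        if domain:
            self.domains.setdefault(domain.lower(), []).append(exp)


def fresh_only(exposures: List[Exposure], now: datetime) -> List[Exposure]:
    """Drop exposures outside the freshness window; a years-old dump is noise, not a trigger."""
    return [e for e in exposures if now - e.seen_at <= FRESH_WINDOW]


def decide(intel: ExposureIntel, attempt: LoginAttempt) -> Tuple[str, str]:
    """Map exposure signals to a control: 'allow', 'step_up' or 'hold', plus the reason."""
    now = attempt.at
    acct = fresh_only(intel.accounts.get(email_key(attempt.email), []), now)
    domain = attempt.email.rsplit("@", 1)[-1].lower()
    dom = fresh_only(intel.domains.get(domain, []), now)

    # Stealer logs carry session cookies and saved passwords, so a valid cookie on a
    # "known" device proves nothing: revoke sessions and hold until re-enrolment.
    if any(e.kind == "stealer_log" for e in acct):
        return "hold", "fresh stealer-log hit: revoke sessions, re-enrol with phishing-resistant MFA"
    # A fresh credential dump means the password may be known: always step up, and
    # hold high-risk actions that arrive from a device we have not bound.
    if acct:
        if attempt.action == "payment" and not attempt.device_known:
            return "hold", "fresh credential exposure and unbound device on a payment"
        return "step_up", "fresh credential exposure: require phishing-resistant MFA"
    # Domain-level exposure only (someone else at the same org leaked) is a weaker
    # signal: step up only when the device is not bound.
    if dom and not attempt.device_known:
        return "step_up", "domain seen in a fresh leak and device not bound"
    return "allow", "no fresh exposure"


def demo() -> Dict[str, str]:
    """Constructed intel feed and login events; returns the decision per scenario."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    intel = ExposureIntel()
    intel.ingest(kind="credential_dump", seen_at=now - timedelta(days=3), email="alice@example.com")
    intel.ingest(kind="stealer_log", seen_at=now - timedelta(days=1), email="bob@example.com")
    intel.ingest(kind="credential_dump", seen_at=now - timedelta(days=400), email="carol@example.com")
    intel.ingest(kind="credential_dump", seen_at=now - timedelta(days=2), domain="example.org")
    scenarios = {
        "alice_login_known_device": LoginAttempt("Alice@Example.com", True, "login", now),
        "alice_payment_unknown_device": LoginAttempt("alice@example.com", False, "payment", now),
        "bob_login_known_device": LoginAttempt("bob@example.com", True, "login", now),
        "carol_payment_unknown_device": LoginAttempt("carol@example.com", False, "payment", now),
        "dave_login_unknown_device": LoginAttempt("dave@example.org", False, "login", now),
        "dave_payment_known_device": LoginAttempt("dave@example.org", True, "payment", now),
    }
    return {name: decide(intel, attempt)[0] for name, attempt in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering of the rules is the point: a stealer-log hit outranks device binding because the binding artefact itself (the cookie) is what was stolen, a stale dump is deliberately ignored so the control does not fire forever on data that never disappears, and a domain-only match is treated as a hint rather than a verdict.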

🚨 Suggestions for everyone:

- Ditch the "secret questions": your first pet’s name or your mother’s maiden name are no longer secrets. Use an authenticator app or a small hardware key instead, and set up an account or port-out PIN with your mobile provider to block SIM-swap tricks.

- Assume your old passwords are already floating around, because they probably are. Use a password manager to create a unique login for every site, and never reuse your bank password anywhere else.

- Share less, protect more: trim down birthdays, addresses, or holiday plans from public posts. Lock your social profiles to friends-only and opt out of people-search sites that sell your data.