Email scammers would be orders of magnitude more effective if they would simply try harder.  Of course they don’t – they’re lazy – and the universe seems to have achieved a manageable stasis.

The mountain of anonymously addressed, hastily formatted pleas for money transfers is trivial to adjudicate.  It’s the more convincing ones that give pause even to someone with decades of experience dealing with this stuff.

What goes a long way toward making a scam email convincing is even the smallest bit of PII.

Think about it.  A salutation with your real name in it starts to get your attention.

“Dear Chris,”

What if it also contained your home address?

“With regard to your home loan for 240 EDGEWOOD ROAD, SYRACUSE NY”

Without question, you would start giving this email your full attention if you hadn’t already.

What if it also led with some reasonable-looking branding from your lender?


Phishing is phishing.  You may not even have a mortgage, and if you do, it may not be with Wells Fargo.  This is the game.

But if the scammer hits the jackpot, and induces you to give up the one piece of the puzzle they’re missing – an account number, an expiration or birth date, a CVV code – they win.

This is aggregation – the sum of the parts.  Seemingly less significant pieces of data combine to form something you would certainly have opted to secure in the first place.

This is why protection of even the most basic personal information is important.  You can’t allow yourself to fall into a mindset of “well, it’s not credit card numbers” or “well, we don’t transmit any socials”.  It’s all worth protecting using reasonable measures.

Similarly, you can’t fall into the mindset of “well, I know a scam when I see one”.  Phishing is more pervasive than you may realize.  Canada asserted a few years ago that 80,000 people per day fall for a scam and divulge PII.  Certainly higher now.

I’ve written before that medical records can be obtained with no more than a full name, address, and date of birth.  That becomes a springboard for serious problems.  Think critically about whether or not you offer even the most basic protection for that kind of information, and always always always approach data protection through the lens of litigation.  An ounce of prevention is, factoring for inflation of the 1735 dollar, worth 232.64 pounds of cure.