Say you receive an email saying, “We have kidnapped your child. To verify that we are telling the truth, just call your child’s cellphone. To get your child back, you need to send us $10,000 within one hour. We will send instructions in a separate email. Do not tell anybody—or else.”

Chances are you’d pick up the phone and call your child. Imagine the chill along your spine when a stranger answers, “We have your child.”

And yet this is such a simple scam. Attempting it requires just two things: your email address and the online account password associated with your child’s phone number. With that information, a scammer can forward calls placed to your child’s phone number to his own prepaid phone. There’s no need for him to have your child’s phone, or even know what country you or your child are in.

This frightening scenario illustrates the power of targeting, and it suggests that anyone can fall for a gambit if it’s clever enough. All it takes is for a scammer to capture a few pieces of your information, something that could happen even if you’re very careful. That’s because many companies that have your data are not careful with it.

These scams are quite different from the old “Nigerian prince scam,” which caught only one recipient in 20. Those scammers would often openly state their association with Nigeria simply to make sure they would get responses from only the most naïve potential victims. This screening avoided fruitless exchanges…
