28.10.2025 - The National Cyber Security Centre (NCSC) regularly receives questions from concerned members of the public such as: "How do the scammers know my name, my bank, or even my address?" It's a fair question. Fraudulent calls and emails often seem convincing precisely because they contain personal details we assume are private. The answer is complex and demonstrates just how methodical modern cybercriminals have become.
Essentially, criminals employ two primary strategies to obtain personal information. This week's review examines both strategies and reveals that personal data has become the key resource in modern fraud. Scammers act much like analysts in that they gather seemingly unrelated fragments of information from many different sources and combine them to create detailed profiles. These profiles enable them to carry out attacks that are highly convincing – and therefore difficult to detect.
Criminals use two main approaches to obtain personal information:
- Passive collection: Scammers harvest vast amounts of data from data leaks. This data is then used to plan future attacks.
- Active collection: Scammers trick people into voluntarily revealing their data through targeted deception – a kind of phishing. This doesn't just concern passwords, but other personal identifiers too.
Passive collection: Data from leaks and breaches
A data leak is a security incident involving the unintentional exposure of sensitive or confidential data by an organisation. Unlike a data breach, which usually results from a deliberate hacker attack, a data leak often occurs due to internal weaknesses, human error, or technical misconfigurations.
A wide range of information can be exposed in such incidents. Typically, this includes names, email addresses, telephone numbers, home addresses, dates of birth and, in many cases, passwords (which are fortunately often stored in encrypted form). In more serious cases, financial details such as credit card numbers or order histories from online shops may also be compromised.
Once these large data sets are leaked and become public, they effectively turn into a commodity. Cybercriminals collect and trade them, and these data sets are a valuable resource for other criminal groups. For the people affected, the immediate consequence is often an increase in spam and phishing emails, as their contact details appear on widely circulated lists.
A data leak is just the start of an attack chain, not the end. For example, a scammer who purchases a list of names and email addresses from customers of a specific online retailer now has a qualified list of potential targets. Rather than sending out random emails, they can launch a phishing campaign that specifically targets those customers. An email that appears to come from a familiar company is far more likely to be believed – and therefore far more effective.
More on this topic: Week 29: Protect your digital access
Active collection: When scammers go fishing for information
In addition to using leaked data, the NCSC has recently observed an increasing number of attacks in which scammers actively gather information. While classic phishing mainly aims to steal passwords and login credentials for online banking or email accounts, these newer campaigns focus on collecting a broader range of personal data. The aim is not to take over an account straight away, but rather to fill in the gaps and build a complete profile of the victim.
A particularly common tactic at the moment is to create fake websites that closely mimic trusted institutions, such as banks, insurance companies, health insurers and payment providers.
The pretext is almost always the same: targets are asked to verify or update their details. These requests play on people's desire to keep their accounts secure. Often, the message creates a sense of urgency by threatening to block the account or impose other consequences if you do not acgt immediately.
Scammers operating fake sites specifically request personal information that can later be used for fraud. In a recent case, for example, the supposed reason was a refund – but, in addition to personal details, victims were also asked to provide a digital signature. The requested data included:
- Full name and address
- Telephone number
- IBAN
- Contract number / policy number
- Copies of identity documents (ID or passport)
- Digital signature
Recommendations
- Be cautious of unsolicited messages that request personal data or create a sense of urgency. A healthy dose of scepticism is your best defence, however legitimate the message may seem.
- Use a unique, strong password for each of your online accounts. Strong passwords should be at least 12 characters long and combine uppercase and lowercase letters, numbers, and special characters. Activate multi-factor authentication (MFA), also known as two-factor authentication (2FA), wherever possible. This adds an extra layer of protection and is one of the most effective ways to prevent account takeovers, even if your password has been stolen.
- Never click on links or call numbers provided in suspicious messages. Instead, go directly to the company's official website or open its official app to log in and check for notifications. Use an online directory such as TelSearch or the contact information on the company's official website to verify phone numbers.
- Be mindful of the data you share. When filling in online forms, only provide the information that is absolutely necessary (often marked with an asterisk).
- If you have already been affected, act quickly. Contact your bank or credit card provider immediately to block the affected cards or accounts. If you have suffered financial loss, report it to your cantonal police. You can find your nearest police station on the Suisse ePolice website (available in German, French and Italian).
- Report phishing attempts. Use the official reporting form on the NCSC website or the NCSC's antiphishing.ch website.
Current statistics
Last week's reports by category:
Last modification 28.10.2025
