‘Hello Jen, we are happy to telling you that you been choosen for our special reward at Sainsburys Wood Green Local store!
‘This exclusive promo is only for few customers in N22; thanks for your loyalty.’
The grammar in this email wasn’t great, but it named the supermarket close to my house, that I stop into regularly on my way home.
A message like this would normally have gone straight to the bin, but the personal touch took me off guard.
Thankfully, it wasn’t a real attempt to scam me, but an example sent by cybercrime experts – and I’ve changed the real location.
The experts posed as scammers to see how easily they could craft a personalised attack using public information.
I thought I had been fairly careful online; I’d never post my boarding pass, my doorway, or any Rolexes I might one day acquire.
But in that short time, they found my home address, my phone number, my husband’s contact details, and even the make of his old car.
All this built up a picture of who I am, which could be used against me.
In the past, it would have taken too long for scammers to send personalised messages to thousands of people.
But now, AI tools make it easier to gather data – like your school, your interests or where you have tagged photos – and write emails tailored to your individual history.
I had heard about the new wave of scams at various tech conferences, and so I asked cybersecurity firm Trend Micro to help me see what it might look like.
An example of an AI email that was tailored to my history
Subject: Immediate Payment Required: Council Tax Account for 46 Parkside Road, N22 6HS
Dear Mr & Mrs Mills
According to our records, your current payment schedule under the London Borough of Haringey is overdue. A payment of £2260.00 is required by the 31st of July 2025. To avoid further action, including additional charges or potential enforcement notices under the Local Government Finance Act 1992, we require that you settle the outstanding balance without delay.
You can review your account details and securely make a payment via the link below.
For your convenience, payments may be made by Direct Debit, debit card, or online banking. Full details are provided on your secure portal.
Failure to comply may result in the matter being referred to the Council Tax Recovery team, which could incur court costs.
Thank you for your prompt cooperation.
Kind regards,
Council Tax Collections
London Borough of Haringey
How did they find my information?
It wasn’t hard to find out who my husband is, as I haven’t kept him a secret. Maybe I should have done, as the scammers were able to cross reference our data.
They found out exactly where we lived thanks to Instagram posts, with each of us posting clues which would not have been enough on their own.
Tagged photos revealed our general location, and the scammers managed to narrow the street address down from two posts in particular.
During the impressive northern lights display in London last year, I shared a photo of the sky with the side of our building and a sliver of roof also visible. At the time I had questioned posting it, but thought there were no major identifying features.
That turned out to be wrong, especially when taken together with a photo on my husband’s profile.
His photo showed a sunset seen through window blinds in our living room, including a glimpse of nearby flats.
Those flats could be found on Google Maps, and my earlier photo confirmed which building we were at in relation to them. So any stranger could have found out exactly where we lived.
Both of these photos have now been deleted, but I would never have thought they were so revealing. I wouldn’t just post my address on main, but I may as well have done.
Even without those photos, the scammers found our address another way anyway.
I knew that the Strava app, which shows the route you take jogging, can give away your location. Metro has even written about it, like when it revealed the site of a top secret military base in Afghanistan.
So I only shared my information with friends, and always started recording a run some distance away from home.
One of my husband’s runs had remained public, however, starting and finishing at our front door. Jackpot.
If you know someone’s address, you can find a photo of their home on Google Maps – and this is how the scammers even found out which car we used to drive, as it was parked outside.
On this occasion they were out of date, but it shows why some security experts recommend asking Google to blur your home.
Burglars could zoom in to scope it out remotely, checking out where the windows are and if there are security cameras.
Other information about us was available online from data breaches, even from sites I didn’t remember registering with.
Seeing personal information, which I had never posted publicly, found by strangers felt exposing.
It illustrated how little anonymity we have – and how much information can be found from simple sources, even if we think we’re being careful.
Sometimes we could be at risk even from things we were happy to share online.
I have taken part in Metro’s Lifeline charity challenge for the past two years, asking people to sponsor me in treks around the Jurassic Coast and Isle of Wight.
One of the fake phishing emails referenced this, saying additional checks were needed to process my donations.
Subject: Urgent: Verification Required under UK Money Laundering Regulations
Dear Jen,
As part of our statutory obligations under the UK Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, we are conducting enhanced compliance checks on selected individual fundraisers.
Your recent fundraising activity for the 25km charity walk has been flagged due to a discrepancy.
Failure to complete this process may result in a temporary suspension of your JustGiving account to ensure full compliance with UK Proceeds of Crime Act 2002 (POCA) obligations.
To avoid any disruption and ensure your donations continue to be processed without delay, please complete the secure verification form below.
Please note, under MLR 2017, we may be required to escalate matters to HM Revenue & Customs (HMRC) or the National Crime Agency (NCA) if sufficient verification is not provided.
Thank you for your prompt cooperation.
Kind regards,
JustGiving Compliance & AML Team
Another attempt targeted my husband, taking advantage of social media post where he said he was annoying when his name was spelled wrong.
They claimed to be checking information for a database of alumni profiles, but addressed him with a misspelling, trying to draw him to correct them.
Scammers reasoned that we likely shared networks, and if one of us was compromised, it could provide access to both of us.
The scariest part of this exercise was seeing how exposed we are by other people’s actions, which we have no control over.
Robert McArdle, who acted as a ‘scammer’ for the exercise, told me: ‘Even when people decide to become more aware of what they post, past activity is actually quite difficult to scrub for a lot of people.’
In the past, only a stalker or someone targeting you specifically would have gone to this effort, but it is now becoming something we all need to take more seriously.
Robert, the director of forward-looking threat research at Trend Micro, said there are definitely already criminals using automation.
AI tools can help search social media and create phishing emails: ‘stuff that they have to do every day as part of their – quote unquote – job’.
He said that unfortunately, almost all of us have to live with the fact that some of our personal data will be accessible online.
‘Even massive sites like LinkedIn have been breached, and then your data is wide open,’ he said.
This is not just a problem for individuals, but for businesses. Marks and Spencer confirmed hackers breached their systems using ‘social engineering’, where they pretended to be someone trustworthy to trick an employee into providing access.
What can I do to be safer?
Aside from thinking carefully about if you really want to post that ‘new home’ photo dangling your keys by the door, there are some steps you can take.
It’s not at all an exhaustive list, as that would take much more space than this article, but a few ways to start.
Hover over links to see where they will take you before clicking on them, and don’t click if you are not sure.
Do an audit of your previous public social media posts. Do they show the outside of your home, views from the window, or tag specific personal locations rather than a wide area?
You can opt to approve tags before they appear in feeds on services like Facebook, which is a good idea if your friends and family are not as discreet.
Data broker removal services like Incogni will send legal letters on your behalf asking for your information to be removed. This is a paid service, but could be worth doing – though Robert warns that removing data is not a one-time thing, but ‘like tending a garden’.
He said: ‘A key advice I normally give is when you’re signing up for any service and they ask “where do you live and what’s your phone number” etc, think “wait a minute, why do they need to know?”
‘If there’s never going to be a time they will send something to your house, just put in fake details.
‘It can be something blatantly obvious like Buckingham Palace; it doesn’t matter. Just try to use the same details because you’ll forget.’
He suggests you could also set up a separate email address just for signing up to things, so in a breach scammers would not access your main details.
Use a password manager, so you have a different strong password for every service.
There is software available to help you detect scams: Trend Micro’s offerings are ScamCheck, an app that instantly checks texts, emails and websites, and Scam Radar, which looks at suspicious patterns of communication.
Overall, think carefully about messages you receive, even if they claim to be from someone who knows you. This even applies to voice calls and video calls, now that deepfakes can be so convincing, even in real time.
Does the email address match the real one of that organisation?
You may need to confirm details another way, such as with a phone call, before giving any information or money.
If you believe you’re the victim of a scam, contact Action Fraud on 0300 123 2040 or use their online reporting tool, available at www.actionfraud.police.uk.
Get in touch with our news team by emailing us at [email protected].
For more stories like this, check our news page.
MORE: Parents of missing seven-month-old Emmanuel Haro arrested on murder charges
MORE: British Airways flight attendant caught naked and high on drugs in plane toilet
MORE: Four men arrested after teenage girl raped in London park
