KinKeeper research

Before the First Scam Call

Personal data does not cause fraud, but it can make someone easier to locate, classify, and approach. This evidence review explains how ordinary records become targeting intelligence, what privacy cleanup and account security can accomplish, and what remains unproven.

Free online report and PDF. No email required.

Cover of Before the First Scam Call, a KinKeeper white paper Read online · PDF available
23numbered sources
3 movesSee, Shrink, Steady
1 plana manageable household routine
Quarterlyevidence review cadence

What the evidence says

The scam can start before the message arrives

People-search sites can combine names, ages, addresses, property history, and family relationships. Commercial data can add purchasing behavior, interests, inferred traits, and response patterns. The practical response is layered: reduce high-value public exposure, stop unnecessary new sharing, and harden important accounts.

01

How the trail forms

Follow ordinary public records, forms, profiles, app signals, broker feeds, and breaches as separate sources that can be linked into one profile.

02

What removal can do

See why an opt-out can remove a current listing from one route without erasing public records, every downstream copy, or future reappearance.

03

What remains unproven

Keep the effect of broker removal on scam attempts, completed fraud, and financial loss separate from the exposure that can be observed.

A practical framework

See. Shrink. Steady.

1

See

Find the public combinations that join a contact route with age, home, property, relatives, or other useful context.

2

Shrink

Remove high-priority listings, tighten public family details, separate contact routes, and stop unnecessary sharing.

3

Steady

Strengthen important accounts, save recovery routes and confirmations, and use a light recheck schedule.

Complete online edition

Read the full report

The complete research, methodology, limitations, and source ledger are published below as readable, searchable HTML.

Prefer the PDF? Open it here

Executive brief

The scam often starts before the message arrives

Personal data does not cause fraud. It can, however, make a person easier to locate, classify, and approach. People-search sites can turn one identifier into a report containing age, addresses, property history, and family relationships. Commercial brokers can add purchasing behavior, interests, inferred traits, and response patterns.12

This is not only a theoretical privacy problem. In the Epsilon criminal case, federal prosecutors showed that employees used models built on a database of 100 million U.S. households to identify likely responders and knowingly sold targeted lists to fraud operators. One client used those lists in a scheme that defrauded more than 218,000 people of more than $23.7 million.323

Privacy cleanup is best understood as exposure reduction, not a force field. It gives unknown senders less accessible information while account security and independent verification protect against different failure points.

The practical response is layered. Remove high-value public listings, stop providing primary contact information to low-trust forms, strengthen critical accounts, and keep a consent-based family review routine. These steps reduce particular exposures. Research has not yet quantified how much broker removal changes scam attempts or financial loss.

What the evidence supportsFinding
Direct evidenceModeled consumer lists have been knowingly sold to operators of elder-fraud schemes.
Defensible actionCurrent listings can be removed, important accounts hardened, and future sharing reduced.
Open questionThe effect of broker removal on fraud incidence and loss has not been adequately measured.

Read the claims at the right strength

Privacy conversations often jump from “this information is available” to “removing it prevents fraud.” The first statement is observable. The second requires outcome evidence the field does not yet have. This report uses three evidence grades so practical guidance does not borrow more certainty than the research can support.

  1. Established. Data is collected, combined, inferred, sold, and sometimes used to select fraud targets. Strong authentication can reduce account-takeover risk.
  2. Strong inference. Less exposed information can make routine discovery and personalization harder through the specific routes that were cleaned.
  3. Unsettled. No credible population estimate shows how much data removal changes scam contact, completed fraud, or financial loss.

Fraud reports establish urgency, not the effectiveness of any privacy intervention. FTC reporting shows $2.4 billion in reported 2024 losses among older adults, about four times the amount reported in 2020. Reports of imposter-scam losses above $100,000 rose nearly sevenfold over the same broad period.911 Complaint data undercount harm and should not be treated as a full prevalence estimate.

From ordinary data to targeting intelligence

The raw material is often mundane: a deed, shopping form, donation, app permission, public post, or old breach. The power comes from linkage, inference, and reuse.124

A profile is assembled from pieces created for other reasons

  • Public records. Property, voter, license, court, marriage, and other government records may reveal age, address, ownership, or relationships.
  • Commercial activity. Purchases, subscriptions, donations, warranties, loyalty programs, and quote requests can create response and interest signals.
  • Online activity. Public profiles, posts, advertising identifiers, device signals, and browsing-related data can add context and reachability.
  • Other brokers. A broker may buy from another broker, merge records, update contact details, or append inferred categories.
  • Breaches and theft. Stolen credentials and account data enter criminal markets through a different route than lawful commercial brokerage.
  • People-search sites. Consumer-facing reports can make names, numbers, ages, addresses, properties, and relatives easy to retrieve from one place.124820

Not all data brokers do the same job. Some support marketing, fraud prevention, identity verification, analytics, or public-record search. Risk depends on the information, buyer, purpose, safeguards, and ability to correct or delete it.

The risk grows when fragments become a usable story

A phone number is useful for contact. A phone number linked to age, address, family, property, interests, and past responses can support a much more specific approach. The system value comes from combining and updating fragments.

StageWhat happens
CollectRecords and signals enter public, commercial, device, or criminal datasets.
LinkNames, addresses, phones, emails, devices, and household members are matched.
InferModels assign likely interests, traits, needs, value, or response behavior.
SegmentPeople are grouped for marketing, risk, eligibility, research, or targeting.
ReachA message, call, ad, letter, or account attempt uses the selected route.

Three distinctions prevent bad conclusions:

  1. Available does not mean accurate. Brokered records may be stale, incomplete, or linked to the wrong person.
  2. Useful does not mean harmful. The same data ecosystem supports identity verification and fraud prevention as well as marketing and abuse.
  3. Removed from one site does not mean absent everywhere. Public records, relatives’ reports, new feeds, and other brokers may still surface the information.

A household cannot control every upstream record. It can reduce the easiest public combinations, limit future sharing, and harden the accounts that turn information into access.

Direct evidence: the Epsilon case

Modeled response data was knowingly sold to fraud operators

According to the Justice Department, Epsilon used transactional data and algorithms to predict “responsive buyers” across a database of 100 million U.S. households. Employees knowingly sold targeted lists to operators sending deceptive sweepstakes and astrology mailings, particularly affecting older and vulnerable people.323

Documented measureResult
Households in the modeling database100 million
Victims in one client’s schemeMore than 218,000
Loss associated with that schemeMore than $23.7 million

The case establishes that targeting data and response modeling can materially facilitate fraud operations. It also shows how legitimate customer, nonprofit, and charitable relationships can feed data later misused by bad actors. DOJ reported that more than 12,000 victims in one scheme were defrauded more than 20 times.323

The case does not establish that every broker or marketing use is fraudulent, that a particular opt-out would have prevented the scheme, or that the same mechanism explains every phone, text, social, or account-takeover scam.

An older-adult lens without stereotyping

Older adults report losing money to fraud at a lower rate than younger adults in FTC complaint data, yet report much higher median losses when a loss occurs and are overrepresented in several high-loss scam categories. Age should not be used as a shortcut for incapacity.9

The relevant differences are the information and stakes:

  • Discoverability. Longer public and commercial histories can include property, addresses, licenses, subscriptions, donations, and family links. The mix varies widely by person.
  • Credibility. Accurate names, institutions, purchases, property, and relationships can make an unexpected story feel less random and more familiar.
  • Stakes. Retirement accounts and accumulated assets may make a successful high-loss scheme especially damaging and difficult to recover from.4911

The task is to redesign exposure and verification around real conditions, not to ask whether an older adult is “good with technology.” Privacy support should reduce chores while keeping choices and account ownership with the person at the center.

For a family member or trusted person:

  1. Ask permission before searching, removing, changing, or monitoring.
  2. Help with repetitive steps without quietly becoming the owner of accounts.
  3. Use a trusted second channel when a surprising request involves money, codes, access, or secrecy.

AI changes the cost of personalization

The FBI describes generative AI being used to produce believable text, fake profiles and identification, synthetic images, cloned audio, and deceptive video. When a sender already has names, relationships, institutions, interests, or recent events, those tools can make personalization faster and more polished.10

What AI changesWhat still has to happen
More fluent drafting in many tones and languagesA channel still has to reach the person.
Faster synthesis of fragments into a plausible storyThe sender must keep the person inside the attacker’s channel.
Cheaper images, profiles, audio, and videoThe person must disclose, install, authenticate, transfer, or pay.
More variants and follow-up at lower production costIndependent verification can still break the narrative.

Reducing raw material can help upstream. Independent verification and strong authentication remain necessary downstream because convincing stories can be created from information that cannot be removed.

Useful technology creates real tradeoffs

Older adults already use AI, voice assistants, home security, health tools, and connected services to support independence. The right question is not whether to reject technology. It is what the tool collects, who can access it, what is retained, and whether the benefit is worth the exposure.12131419

Before connecting a tool, ask:

  1. Data: Does it collect voice, video, location, health, activity, contacts, or home routines?
  2. Access: Can the person, family, provider, platform, contractors, advertisers, or researchers see it?
  3. Control: Can the person turn features off, delete history, export records, or revoke family access?
  4. Security: Does the account support automatic updates, strong authentication, and clear recovery?

A University of Michigan poll found that 55% of adults age 50-97 had used conversational AI and 92% wanted to know when information was AI-generated. An AARP survey found 69% of adults age 50+ were uncomfortable sharing personal health information with an AI health tool.1319 These figures come from different surveys and should not be combined.

What exposure reduction can and cannot do

Deletion, minimization, contact-route separation, and account security act at different points. The strongest plan layers them instead of treating one product or setting as the solution.

Removal is specific, not absolute

The FTC explains that people-search sites generally offer free opt-outs. A successful request can stop the site from selling its current listing, but information may remain in public records, appear inside a relative’s report, or return when new data arrives.1

Removal canRemoval cannot establish
Remove a current profile or matching record from a participating site.That public records or every downstream copy were deleted.
Reduce an easy public combination of contact, age, address, property, and relatives.That a phone number, email, or identity detail is absent from breaches.
Create a documented request and reason to recheck later.That future records will never recreate a profile.
Automate repeated requests and monitoring when a service covers the relevant brokers.That removal caused fewer scam attempts, completed frauds, or losses.

A 2025 preprint tested compliance across 543 registered California data brokers and identified request and verification problems. It helps explain implementation friction; it does not measure fraud outcomes and had not completed peer review by this report’s evidence cutoff.17

California’s DROP changes the mechanics of deletion

California residents can submit one request through the Delete Request and Opt-out Platform to more than 600 registered data brokers. Consumer requests opened in January 2026. Beginning August 1, 2026, brokers must process requests on a recurring cycle and report status. The system does not apply to every company or record.56

A careful explanation includes four limits:

  • Eligibility: DROP is for California residents; other states and companies have different rights and processes.
  • Matching: the identifiers a person provides affect whether a broker can find the record.
  • Scope: exemptions apply, and a first-party company relationship differs from covered third-party brokerage.
  • Time: status and deletion are not immediate; updated information may take longer to match and process.

DROP is a concrete 2026 example of a broader shift from hundreds of individual opt-outs toward persistent, centralized deletion instructions.

Reduce future collection

Removal addresses information already held. Data minimization addresses what is supplied next. The goal is not withdrawal from digital life; it is to stop using high-value contact and identity details where they are unnecessary.

  1. Separate contact routes. Reserve one email address and phone route for family and important accounts. Use a different route for shopping, newsletters, quotes, and public forms.
  2. Question the form. Before entering contact or identity data, ask whether the service needs it, who operates the site, and whether a less revealing route is available.
  3. Tighten public relationships. Review who can see relatives, travel, schools, employers, birthdays, pets, and other details that can make an approach feel familiar.
  4. Review device permissions. Remove unused access to location, contacts, microphone, photos, health data, and advertising identifiers where the function does not need it.
  5. Avoid lead-generation traps. Coupon, warranty, insurance-quote, sweepstakes, and similar forms may pass information to multiple marketers or callers.20

Use the minimum information needed for the transaction, and keep primary family and account routes out of low-trust forms.

Account security is a different layer

Removing a people-search listing does not invalidate a stolen password. Strong authentication does not remove a home address. Households need both exposure reduction and access control.

  1. Protect primary email first. Use a unique password, strong recovery process, and multifactor authentication for the inbox used to reset other accounts.
  2. Use a password manager. Reduce memory burden and password reuse. Save the manager’s recovery process somewhere secure and understandable.
  3. Prefer stronger MFA. An authenticator app or security key generally provides more protection than a code delivered by SMS, where supported.
  4. Consider passkeys. Passkeys can remove password memory burden and provide phishing resistance, but device transfer and recovery need a plan.1618
  5. Secure the mobile carrier. Add an account PIN or port-out protection because control of the phone number can affect recovery and texted codes.
  6. Save official routes. Use the official app, statement, or bookmarked site rather than a number or link supplied by an unexpected interaction.

NIST treats cryptographic authentication as phishing-resistant because a secret is not manually entered into an impostor site. In 2025 workshops, older adults liked the reduced memory burden of passkeys but wanted support for setup, transfer, device loss, and shared-device concerns.1618

See, Shrink, Steady

A privacy plan should end with fewer chores, not a second job. This framework prioritizes the information most useful for reach and credibility, then adds account controls and a light maintenance rhythm. It can be used by an older adult alone or with a trusted person.

See the trail

Search a name, phone, email, and address safely. Record the profiles that combine contact information with age, property, or relatives. Choose the one listing that reveals the most useful bundle.

Shrink exposure

Complete high-priority opt-outs, tighten public family details, separate contact routes, and remove unnecessary app permissions. Finish one real removal or save its exact next action.

Steady the plan

Harden primary email and financial accounts, save official routes, document recovery, and schedule a light recheck. Set a 30-day follow-up and quarterly review.

Do the highest-value work first. A household does not need perfect invisibility; it needs less easy exposure, stronger access controls, and a reliable way to verify surprises.

The person at the center should know what is being searched, removed, shared, and monitored. Families, institutions, and technology providers can reduce repetitive work without converting support into surveillance.

  • Older adults: choose the public details, accounts, and devices that matter most. Keep ownership and recovery routes under your control.
  • Trusted people: ask permission, help with repetitive steps, save confirmations, and verify surprising requests through an independent route.
  • Institutions: minimize collection, restrict reuse, make privacy choices understandable, and test whether deletion and suppression persist.
  • Product teams: separate exposure found, records removed, unwanted contact, account compromise, and fraud loss. Do not combine them into one protection claim.

Measures worth publishing include:

  1. Coverage: which brokers, record types, and identifiers were checked?
  2. Completion: which requests were submitted, matched, deleted, opted out, rejected, or unresolved?
  3. Durability: how many records reappeared, and after how long?
  4. Outcomes: did contact volume, account compromise, or reported fraud change, and compared with what?

“Removed from 60 broker sites” is a removal result. It is not proof of fewer scams or lower loss unless those outcomes were separately measured.

Put the research into practice

KinKeeper’s free Personal Data & Privacy Playbook follows the same See, Shrink, Steady structure. It helps an older adult or trusted person complete or prepare one removal, strengthen or prepare one important-account action, and save a lightweight maintenance plan.

  • Chapters 1-3: See the trail. Run a safe exposure check and identify the combinations that matter most.
  • Chapters 4-6: Shrink exposure. Remove a high-priority listing, protect family details, and separate contact routes.
  • Chapters 7-8: Secure the next step. Strengthen a critical account and stop unnecessary new collection.
  • Chapters 9-10: Steady the plan. Agree on consent, support, and a review schedule without taking over.

KinKeeper’s free data-broker opt-out guides support do-it-yourself removal. Families who do not want to repeat every request by hand can also consider privacy tools that combine exposure scanning with recurring automated removal, including KinKeeper Privacy.

Availability as of July 15, 2026: KinKeeper Data Removal is rolling out. The public Exposure Scan is pre-launch.2122

Research method and limitations

How this evidence review was assembled

  1. Evidence window. Research and official guidance were reviewed through July 15, 2026, with priority given to current regulator, law-enforcement, policy, and peer-reviewed sources.
  2. Source hierarchy. Primary government sources and original research were preferred. A 2025 preprint was retained only for emerging compliance evidence and is labeled as such.
  3. Scope. The review addresses data exposure, targeting, unwanted contact, account security, and reported fraud. It is not a prevalence study or product-effectiveness trial.
  4. Synthesis. This is a narrative evidence review. It does not estimate a causal effect for broker removal, automated removal, or any KinKeeper product.

Limitations

  • The data-broker ecosystem is heterogeneous and changes quickly; a practice documented for one company cannot be generalized to every broker.
  • Fraud complaint systems undercount harm and are affected by awareness, reporting access, classification, and missing age information.
  • Direct evidence of broker data facilitating fraud comes from enforcement cases and may overrepresent the worst conduct.
  • Removal studies focus mainly on compliance and process, not randomized or quasi-experimental fraud outcomes.
  • Older-adult technology and privacy studies use different populations, countries, methods, and definitions. Small qualitative studies inform themes, not rates.
  • No educational resource, exposure scan, opt-out, or removal service can guarantee protection from fraud, identity theft, scam attempts, or financial loss.

The next scheduled review is October 15, 2026, or earlier if DROP implementation, federal data-broker policy, major enforcement, outcome research, or KinKeeper Privacy availability materially changes.

Sources

  1. Federal Trade Commission, What To Know About People Search Sites That Sell Your InformationJuly 2022. Data sources, profile contents, opt-outs, verification, reappearance, and limits of removing current listings. Accessed July 15, 2026.
  2. Federal Trade Commission, Data Brokers: A Call for Transparency and AccountabilityMay 2014. Study of nine data brokers, their sources, products, inferred segments, benefits, risks, and transparency gaps.
  3. U.S. Department of Justice, Epsilon Senior Executive and Sales Manager Both SentencedSeptember 30, 2024; updated February 6, 2025. Enforcement evidence that modeled consumer lists were knowingly sold to fraud schemes.
  4. U.S. Government Accountability Office, Retirement Plans: Department of Labor Guidance Could Mitigate Privacy Risks for ParticipantsMarch 2026. Review of retirement-plan data use and sharing, privacy gaps, broker risks, and oversight limitations.
  5. California Privacy Protection Agency, Delete Request and Opt-out Platform (DROP)Current July 2026 guidance. Eligibility, request mechanics, identifiers, timing, scope, and limitations.
  6. California Privacy Protection Agency, Processing DROP RequestsCurrent July 2026 guidance. Broker requirements beginning August 1, 2026, including recurring matching and deletion cycles.
  7. U.S. Department of Justice, National Security Division, Data Security ProgramEffective April 8, 2025. Restrictions covering access to bulk sensitive U.S. personal data.
  8. Federal Trade Commission, FTC Takes Action Against MobilewallaDecember 3, 2024. Enforcement concerning collection and sale of precise location information, home identification, consent, and deletion.
  9. Federal Trade Commission, Protecting Older Consumers 2024-2025December 2025. Reported older-adult fraud losses, high-loss patterns, contact methods, and complaint-data limitations.
  10. FBI Internet Crime Complaint Center, Criminals Use Generative Artificial Intelligence to Facilitate Financial FraudDecember 3, 2024. AI-enabled text, image, audio, and video fraud mechanisms.
  11. Federal Trade Commission, False Alarm, Real ScamAugust 7, 2025. High-loss imposter patterns, starting channels, payment methods, and population-normalized comparisons.
  12. AARP Research, 2026 Tech Trends and Adults 50-PlusDecember 2025. National survey context on technology use, age-inclusive design, privacy, trust, and security.
  13. University of Michigan National Poll on Healthy Aging, How Older Adults Use and Think About AIJuly 2025. National poll of adults age 50-97 on AI use, trust, disclosure, and risk education.
  14. NIST, Survey on Smart Home Users' Security and Privacy Perceptions and ActionsDecember 19, 2025. Survey of 401 U.S. smart-home users.
  15. Akar C, Kocak O, Solmaz U, and Batur Basar T, Exploring Older Adults' Perceptions of Online Security and PrivacySeptember 20, 2025. Small qualitative study useful for themes, not prevalence.
  16. Willis-Arnold B, Vickers P, and Nicholson J, Are Passkeys the Key?September 10, 2025. Peer-reviewed workshops with 23 older adults on passwordless authentication.
  17. Khandelwal S, Pavur J, and Wang A, Consumer Beware! Exploring Data Brokers' CCPA ComplianceJune 27, 2025. Emerging preprint covering 543 registered brokers; used only for compliance and verification friction.
  18. NIST SP 800-63B-4, Digital Identity GuidelinesAugust 1, 2025. Authentication, phishing resistance, recovery, and authenticator management.
  19. AARP Research, Adults Age 50-Plus and AI-Powered Health Tools SurveyJune 11, 2026. National survey on AI health use, privacy concerns, data sharing, and trust.
  20. Federal Trade Commission, When Sharing Your Info Online Leads to Unwanted and Unlawful Telemarketing CallsSeptember 2025. Guidance on resale and unwanted contact from online forms.
  21. KinKeeper, Data Broker Opt-Out GuidesCurrent July 2026 resource collection. Companion manual-removal guides; not external evidence.
  22. KinKeeper, PrivacyCurrent July 2026 product page. Data Removal is rolling out and Exposure Scan is pre-launch as of the evidence cutoff; not proof of external outcomes.
  23. U.S. Department of Justice, Marketing Company Agrees to Pay $150 Million for Facilitating Elder Fraud SchemesJanuary 27, 2021. Epsilon deferred-prosecution agreement and admitted sale of consumer data to fraudulent schemes.
KinKeeper Privacy concept showing exposed listings and removal progress

Companion Playbook

Turn the evidence into one household privacy plan

The free Personal Data & Privacy Playbook helps an older adult or trusted helper run a safe exposure check, complete or prepare one removal, strengthen an important account, and save a manageable maintenance plan.

  • 20–25 minutes
  • One real action
  • No account required
Start the free Playbook

Keep going

Practice the next step, or bring KinKeeper into your circle.