You are not the target. You are the raw material. Modern scammers do not break into your bank. They build a profile of you from your Instagram reels, your LinkedIn job title, your Twitter check-ins, your matrimonial profile, your child’s school name in a tagged photo. Then they use that profile to call your family, clone your voice, deepfake your face, or pressure your CFO into a wire transfer. The supply chain for every sophisticated scam in India starts with information you posted yourself. This post explains what is in the supply chain, how scammers use it, and how to shrink your footprint without going dark.
Who this is for
Anyone in India with a social media account or a public professional profile. Founders, CFOs, doctors, senior citizens, college students, parents posting their kids’ birthdays. The advice applies in different ways to each, but the underlying problem is the same: the information that makes you a person also makes you a target.
This is the “why” post in our scam awareness library. The other posts cover specific scams (digital arrest, sextortion, fake loans, voice cloning) and the response process (the first hour after cyber fraud, the Pause, Verify, Then Act framework). This post explains why those scams find you in the first place.
You are not the target
Indian cyber fraud has shifted from random to targeted in the last 3 years. Earlier the scammer sent a million SMS messages and waited for a few people to click. That still happens, mostly at the bottom of the food chain. The bigger losses now come from targeted scams where the scammer already knows who you are, what you do, who your family is, and what you fear losing.
This shift was driven by three things:
- Data harvesting tools became commodities. Anyone can run OSINT (open source intelligence) tooling that scrapes social media, professional profiles, and breached data into a target profile in minutes.
- AI generation became cheap. Voice cloning costs nothing. Deepfake video runs on consumer GPUs. Personalised phishing emails are written by ChatGPT-style models.
- Mass-scam returns dropped. As public awareness grew, the conversion rate on spray-and-pray SMS collapsed. Targeted high-value scams replaced volume with margin.
The result: scammers spend hours researching a single target. They know your wife’s name, your child’s school, your CFO’s email pattern, your travel calendar from your Instagram stories, your speaking schedule from your LinkedIn posts. When they call, they sound like they know you. Because they do.
You are the material, not the customer. Your data is the input. The scam is the product. The mule account network is the supply chain. Your loss is the revenue.
The defence is not to disappear. It is to make yourself an unprofitable target. Shrink the footprint, lock down what stays, and stop publishing the specific information that feeds specific scams.
What is freely available about you
Most people are surprised how much. Try this audit on yourself before reading further. It takes about 20 minutes and it is uncomfortable.
The 20-minute self-audit
Open an incognito or private browser window. Do not log in to any account. Then:
- Google your full name in quotes. “Ashok Kamat” not Ashok Kamat. Review the first 5 pages of results.
- Google your phone number with and without country code, with and without spaces. Look for forum posts, leaked databases, classifieds.
- Google your email address. Look for old forum posts, signed-up newsletters, leaked databases.
- Search your email on haveibeenpwned.com. Note every breach it appears in. Read what data was leaked in each breach.
- Open LinkedIn in incognito mode and search your name. See what shows without being logged in. Click into your profile. Note what is visible to a non-connection.
- Open Twitter or X in incognito mode and search your handle. Review the last 30 tweets visible to the public.
- Open Instagram in incognito mode and search your handle. If your profile is public, review what a stranger sees in the first scroll.
- Open Facebook in incognito mode and search your name. Review profile photo, cover photo, friends list visibility.
- Open Truecaller (download if you do not have it). Search your own phone number. Note the name tag visible to the public.
- Search your name on matrimony sites (if you ever registered, even a decade ago, the profile may still be searchable).
Write down what you find. Most people end up with: full name, photo, employer, job title, city, partial phone number, employer email pattern, family member names, kids’ school, parents’ city, alumni info, recent travel.
That is the input file for a targeted scammer. They start from less.
The non-obvious leaks
The obvious sources (LinkedIn, Instagram, Facebook) are not the only ones. The non-obvious leaks tend to be more dangerous because you forgot they existed:
- Old matrimonial profiles with photo, family details, salary, education, parents’ contact
- College alumni databases with batch year, hostel, degree, current city
- Resume PDFs uploaded to job sites with full address, references, prior salaries
- Conference attendee lists published online for previous events you attended
- Twitter or X profiles from 2012 to 2016 where you tweeted location, family events, work travel
- Old Instagram posts from before you had a privacy mindset, including kids’ school uniforms, your home address visible in the background
- Reddit accounts where you may have asked health, legal, or personal questions linked to your real identity
- Strava, Fitbit, Garmin profiles publishing your running routes including your home start point
- Zomato or Swiggy public reviews showing your neighbourhood and routine
- Google Maps reviews showing which dentist, salon, gym you go to
- Crunchbase, AngelList, Tracxn profiles if you are a founder, with email, phone, prior funding, employer history
- WhatsApp profile photo and status visible to anyone who has your number
- Truecaller name tagging your number to your real name or employer
The cumulative profile from these sources is often enough to run a targeted scam without ever needing to “hack” anything.
How scammers harvest, no hacking required
The word “hack” suggests someone breaking through technical defences. Almost no modern scam against an individual involves that. It is harvest, not hack. Public data, automated tooling, AI processing.
The harvest pipeline
Targeted scammers use a roughly standard pipeline:
- Discovery. A target list is built from one of several sources: leaked databases (HR data, breached customer lists), public lists (founder rosters, conference attendees, doctor registries), or social media scraping (LinkedIn for B2B targets, Instagram for personal targets).
- Enrichment. Each target is enriched with publicly available data: photos, voice samples, family info, employer, location, routine. Tools automate the cross-referencing.
- Profile build. A profile is assembled: name, photo, phone, family relationships, employer, professional context, voice sample, recent activity, vulnerabilities (recent job change, recent press, recent funding, recent family event).
- Script selection. The scammer picks the script most likely to work for this profile. Digital arrest for senior citizens with savings. CEO fraud for SMB CFOs. Pig-butchering for lonely middle-aged urban professionals. Recruiter malware for unemployed engineers.
- Personalised execution. The scam call or message references the target’s specific situation. The CFO gets a WhatsApp from the “CEO” using the CEO’s actual photo and a voice note in the CEO’s actual voice. The senior citizen gets a call mentioning their actual bank name and an actual nearby family member. The job seeker gets a “recruiter” message about an actual job posted on the company’s careers page.
The personalisation makes the scam land. The personalisation comes from the digital footprint.
Specific attack chains
Three real-world chains from publicly reported Indian cases. Each chain starts with public data.
Chain 1: Voice sample to family fraud. A businessman posts a 90-second YouTube video introducing his company. A scammer downloads the audio, extracts 15 seconds of clean voice, generates a cloned voice using a public tool. The clone calls the businessman’s father on a Sunday afternoon. The “son” is in an accident, needs INR 2 lakh transferred immediately to a “hospital.” The father transfers. By the time the real son finds out, the money is across 4 mule accounts. This is the AI voice cloning scam pattern. The Bunty Mittal case in October 2024, reported by Business Today, used the same chain.
Chain 2: Photo to deepfake sextortion. A college student posts photos on Instagram, public profile. A scammer scrapes the photos. Uses them to generate deepfake explicit content. Sends the deepfake to the student via Instagram DM, threatening to forward to family and friends unless paid. The student panics, pays. Sometimes the scammer comes back for more. This is the deepfake variant of the sextortion scam, and the dedicated deepfake scam India 2026 post covers the response steps in detail.
Chain 3: Check-in to extortion pressure. A founder posts a check-in at their office, then later a Twitter post about a fundraise, then later an Instagram story from a foreign trip. A scammer combines these into a profile. Calls the founder’s wife claiming to know “everything about your husband, where he works, where you live, his current trip to Dubai.” Demands money under threat of harm. The “knowing where you work and live” feels intimate. It is automated. This is a pre-step that often precedes more sophisticated scams from the Karnataka citizen safety guide umbrella.
Chain 4: LinkedIn job change to recruiter malware. A developer changes their LinkedIn status to “Open to Work.” A scammer pretending to be a recruiter at a real company sends a message about a senior role with a 30% salary bump. Includes a “technical assessment” that is actually a malicious script (Trifleck, Blockstar, or similar). When the developer runs the script for the test, their browser data, crypto wallets, and saved credentials get exfiltrated. This is the fake recruiter Trifleck malware pattern.
Chain 5: LinkedIn intro to pig-butchering. A middle-aged professional accepts a LinkedIn connection from an “investment manager” with a polished profile. The connection moves to WhatsApp, then to a “private trading group.” Months of grooming follow, with the target shown growing fake returns on a fake trading platform. Eventually, larger and larger amounts are “invested.” When the target tries to withdraw, the platform asks for additional taxes, fees, and security deposits. This is the pig butchering investment scam chain, often grounded in initial trust built using the target’s LinkedIn-public professional standing.
All five chains share a structure: free public data, automated tooling, AI generation, personalised execution. The technical sophistication of the attack is far lower than the cost of the loss.
Practical privacy steps
You do not have to be invisible. You have to be expensive to target. Each of these steps raises the cost of researching you.
Voice and audio
- Do not post long voice samples publicly. Reels, voiceovers, podcast appearances, YouTube intros all give scammers raw material. If you do podcast or speak publicly, accept the risk and warn your immediate family that voice cloning of you is realistic.
- Set a family safe word. A pre-agreed word that any “in trouble” voice call has to use, otherwise the family member knows it is a scam. Pick a word that is not on your social media anywhere.
- For high-risk roles (CFO, finance ops, founder), tell your team that any voice-based request for a wire transfer requires in-person or video confirmation on a known number, no exceptions.
Photos
- Audit photos for what is in the background. Home interior, child’s school uniform, office whiteboard with sensitive info, vehicle number plate, government IDs visible on the desk.
- Strip metadata before posting. Most phones embed GPS coordinates and device info in photo EXIF data. Use a metadata stripper app (or “Save without metadata” on iOS) before public posts.
- Limit photos of children, especially school uniforms, ID cards, school gates, daily-route locations. The intersection of “this is my kid” plus “this is their school” plus “this is their pickup time” is exactly the information used in family pretext scams.
- For founders and public professionals, separate the public-persona photo set from the personal photo set. Public LinkedIn photos are fine. Personal beach vacations and home interiors should not be public.
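An added example (not from the original post) of what "strip metadata" means at the file level: a standard-library Python script that lists the Exif device and GPS fields in a JPEG and rebuilds the file without its metadata segments. The sample file and its `ExampleCam` / `Model-1` values are constructed for the demo; the function names are this example's own.

```python
import struct

SOI, SOS, APP1 = b"\xff\xd8", 0xDA, 0xE1
METADATA = {APP1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM (comment)"}
DEVICE_TAGS, TAG_GPS_IFD = {0x010F: "make", 0x0110: "model"}, 0x8825

def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) per header segment; SOS runs to end of file."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:  # compressed image data follows; pass it through untouched
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def read_exif(payload: bytes) -> dict:
    """Read IFD0 of an Exif APP1 payload: device make/model and GPS presence."""
    found = {"gps": False}
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if not payload.startswith(b"Exif\x00\x00") or endian is None:
        return found  # XMP or other non-Exif APP1 content
    try:
        magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count if magic == 42 else 0):
            at = ifd0 + 2 + 12 * i  # each directory entry is 12 bytes
            tag, typ, n, value = struct.unpack(endian + "HHI4s", tiff[at:at + 12])
            if tag == TAG_GPS_IFD:  # pointer to the GPS sub-directory
                found["gps"] = True
            elif tag in DEVICE_TAGS and typ == 2:  # type 2 = ASCII string
                (off,) = struct.unpack(endian + "I", value)
                raw = value[:n] if n <= 4 else tiff[off:off + n]
                found[DEVICE_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    except struct.error:
        pass  # truncated directory: report what was readable
    return found

def audit(jpeg: bytes) -> dict:
    """List the metadata anyone who downloads this file can read."""
    report = {"segments": [], "gps": False}
    for marker, start, end in iter_segments(jpeg):
        if marker in METADATA:
            report["segments"].append(METADATA[marker])
            info = read_exif(jpeg[start + 4:end]) if marker == APP1 else {}
            report["gps"] = report["gps"] or info.pop("gps", False)
            report.update(info)
    return report

def strip_metadata(jpeg: bytes) -> bytes:
    """Rebuild the file without metadata segments; pixels are not re-encoded."""
    kept = (jpeg[s:e] for m, s, e in iter_segments(jpeg) if m not in METADATA)
    return SOI + b"".join(kept)

def build_sample() -> bytes:
    """Constructed input: real JPEG/Exif layout, dummy image bytes."""
    make, model, data = b"ExampleCam\x00", b"Model-1\x00", 50  # IFD0 ends at offset 50
    entries = [(0x010F, 2, len(make), data), (0x0110, 2, len(model), data + len(make)),
               (TAG_GPS_IFD, 4, 1, data + len(make) + len(model))]
    ifd = struct.pack("<H", 3) + b"".join(struct.pack("<HHII", *e) for e in entries)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + bytes(4) + make + model + bytes(6)
    def seg(marker, body):
        return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body
    return (SOI + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(APP1, b"Exif\x00\x00" + tiff) + seg(SOS, bytes(6)) + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    print("before:", audit(build_sample()))
    print("after: ", audit(strip_metadata(build_sample())))
```

Dropping the Exif segment also drops the orientation tag, so some photos will display rotated until re-saved. Anything visible in the frame itself (a number plate, a school gate) is untouched by this step.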
Location and routine
- Stop real-time location sharing. Post the holiday photos after you are back, not while you are there.
- Disable location services on the camera roll of your phone.
- Do not check in at home, office, gym, or family member’s home. The intersection of locations plus times plus people is a routine map.
- Strava, Fitbit, Garmin: set workouts to “Followers only” or “Private.” Remove the home-area starting point from public routes.
- Google Maps reviews: switch the profile to private if it shows your salon, dentist, school, parents’ home.
Family and relationships
- Reduce family tagging on Facebook and Instagram. The graph of your relationships is the input file for emergency-money fraud and family pretext scams.
- Brief older parents and family members on the scam landscape, especially the first hour response and the Pause, Verify, Then Act rule. They are the highest-value targets after you.
- Set up a family safe word for emergency money requests.
- Do not post about parents’ or family members’ health events publicly. Health-event posts trigger scam follow-ups within days.
Employer and professional info
- LinkedIn: limit work history visible to non-connections. Hide email and phone from non-connections.
- Do not post the company structure, reporting lines, or specific colleague names in public posts. This information makes CEO fraud and WhatsApp boss impersonation easier.
- For finance and HR roles, treat your LinkedIn profile as a higher-risk surface. Limit visibility, do not display your direct email, set the profile to require approval for connections.
- Founders raising rounds: lock down personal accounts for the 4 weeks around the announcement. Press coverage triggers scam attention. Be ready for a spike in fake recruiter, fake investor, and fake government-official contact attempts.
Phone numbers and contact
- Use a secondary number for marketplaces, classifieds, public forums, and matrimonial profiles. Reserve your primary number for known contacts and KYC.
- On Truecaller, change your displayed name to your first name only or use the “Hide my number” option (paid). The Truecaller name tag is one of the easiest scam lookups.
- Do not put your phone number in your social media bios. Use a contact form or email instead.
- Be selective about WhatsApp display picture visibility. Set it to “My Contacts” not “Everyone.”
Email addresses
- Use a primary email only for important accounts. Use a secondary email for newsletters, signups, ecommerce.
- Check your primary email on haveibeenpwned.com regularly. Every breach exposure raises your phishing risk.
- Enable 2-factor authentication on your primary email. Email compromise is the doorway to almost every other account.
Account hygiene
- Use a password manager. Unique strong passwords on every site.
- Enable 2FA on every important account. App-based 2FA (Google Authenticator, Authy) is much stronger than SMS-based, which is exposed to SIM swap scams.
- Review app permissions on your phone quarterly. Revoke anything that has microphone, contacts, or storage access it does not need.
- Periodically log out all sessions on Gmail, WhatsApp, Instagram, LinkedIn, Facebook. Unfamiliar sessions are early warnings of account compromise.
When this matters most
Your digital footprint risk is not constant. It spikes at specific life moments. The week of a job change, the month around a wedding, the days after a parent’s death, the launch week of a funding round. Each of these is a moment when:
- Public information about you spikes (press coverage, social media activity, family tagging)
- Your emotional state is heightened (which scammers exploit)
- Your routine changes (which makes pretext claims plausible)
The right move is to do a footprint review every time one of these triggers happens. Spend 30 minutes reviewing what is new and public about you. Lock down what does not need to be there. Brief family members and finance teams who will be the targets of any follow-up scams.
High-risk life moments
- New job, especially senior role: target for fake recruiter follow-ups, CEO fraud against your team, congratulatory phishing
- Promotion or visible role change: target for boss-impersonation fraud, fake LinkedIn endorsement scams
- Funding round announcement: target for fake investor follow-ups, fake government grant offers, recruiter malware
- Wedding or major family event: target for family pretext fraud, emergency-money scams, photo-based deepfake misuse
- Birth of a child: target for fake government scheme registrations, school-admission scams
- Death in family: target for pretexting using the deceased’s identity, fake insurance follow-ups, fake “settle the case” fraud
- Press coverage: target for fake media follow-ups, fake speaking invitation scams, fake award scams
- Travel abroad: target for “stuck at airport, send money” scams against family members back home
- Public speaking events: voice samples published, target for voice-cloning fraud
- Board appointment or government adviser role: target for sophisticated impersonation, lobbyist fraud, fake regulatory pressure
In each of these moments, the cost of a 30-minute footprint check is much lower than the cost of being scammed during a high-vulnerability week.
When to escalate
If you find that significant personal data is leaked or being misused:
- Run a haveibeenpwned check and change passwords on all exposed accounts
- File a complaint at cybercrime.gov.in if specific data is being used in active scams against you or your family
- Contact the platform where the data is exposed and request takedown (LinkedIn, Facebook, Instagram all have grievance officers under the IT Rules)
- For deepfakes or impersonation accounts, the IT Rules 2021 grievance redressal process requires platforms to act within 24 hours of a complaint
- For severe pretexting or extortion using your identity, contact 1930 immediately
The escalation paths exist. They work better when you are prepared, with screenshots, complaint numbers, and a clear timeline.
What to do this week
Three small steps that materially reduce your scam exposure:
- Run the 20-minute self-audit. See what is public about you. Note the most surprising or sensitive items.
- Lock down 3 things. Pick the top 3 high-risk items from the audit. Make Instagram private, hide LinkedIn email and phone, set WhatsApp display picture to contacts-only, delete an old matrimonial profile. Whatever your top 3 are.
- Brief one family member. Pick the most likely target in your family (senior parent, college-age child, spouse who handles family finance). Send them the Pause, Verify, Then Act post and the first hour after cyber fraud guide. Walk through one scenario with them.
This week’s effort prevents next year’s scam call.
Got something to verify? Send it to us, we verify free
If you find content using your name, your voice, your photo, or your identity in a suspicious way, send it to us privately.
WhatsApp / Call: +91 99644 43350
Send the screenshot, the link, the audio, whatever you have. We tell you whether it is a real contact, a deepfake, an impersonation account, or part of a known scam pattern. Verification is free.
What we do:
- Cross-check the contact, account, or content against public records
- Identify scam patterns and known impersonation networks
- Walk you through the platform takedown process if needed
- Walk you through the 1930 and cybercrime.gov.in process if needed
What we do not do:
- Charge for verification
- Ask for OTPs, bank passwords, or UPI PINs
- Pretend to be a law enforcement agency
You only pay if you want hands-on investigation, takedown coordination, or ongoing OSINT footprint reduction beyond verification.
Save these numbers now
- 1930 (National Cybercrime Helpline, 24/7)
- +91 99644 43350 (Cybersecify, free verification, 50 citizens at a time)
- 100 / 112 (Police / Emergency)
- cybercrime.gov.in (browser bookmark)
- haveibeenpwned.com (browser bookmark, check quarterly)
Related reading
The companion flagship posts:
- The First Hour After Cyber Fraud in India for the response side when a targeted scam has already worked
- Pause, Verify, Then Act for the prevention framework that stops the action even after the call has come
Specific scam deep-dives related to digital footprint exploitation:
- AI voice cloning scam in India for the voice harvesting chain
- Deepfake scam India 2026 for the photo and video harvesting chain
- Pig butchering investment scam for the long-grooming chain that starts with LinkedIn
- SIM swap scam India 2026 for the phone-number compromise chain
- Fake recruiter Trifleck malware for the LinkedIn job-status exploitation chain
- WhatsApp boss impersonation for the employer-info exploitation chain
- Phone call impersonation scams for the family-pretext exploitation chain
Frequently asked questions
What is a digital footprint in the context of scams?
Your digital footprint is every piece of information about you that is freely available online. Voice samples in your Instagram reels and YouTube videos. Photos on LinkedIn, Facebook, and matrimonial profiles. Location check-ins on Twitter, X, or Foursquare. Routine information from your fitness app sharing. Employer, designation, and team from LinkedIn. Family relationships from Facebook tags. Phone number from WhatsApp display picture leaks. None of this is hacked. It is harvested from places you posted it yourself.
Are scammers really targeting individuals personally?
Yes, increasingly so. The early phase of Indian cyber fraud was mass scam: spray-and-pray SMS, generic phishing emails, random WhatsApp messages. The current phase is targeted: scammers research your specific situation before they call. The Anil Kapoor and Sachin Tendulkar AI deepfake cases in 2024 are the high-profile version. The targeted boss-impersonation cases in Hyderabad and Mumbai SMBs are the everyday version. Your job change, your child’s school, your parents’ city, your CFO’s name, all of this is in scope.
How do scammers clone a voice from social media?
Modern voice cloning tools need as little as 3 to 15 seconds of clean voice to generate a convincing clone. Your Instagram reel where you talk over a recipe. Your YouTube introduction video. Your LinkedIn voice note in a post. Your podcast interview. Any of these provides enough of a sample. The clone can then be used to call your family member in an emergency-money scam, your colleague in a CEO fraud, or to bypass voice authentication systems. The Bunty Mittal case in October 2024, reported by Business Today, used voice samples scraped from publicly available speeches.
What public information about me is the most dangerous?
In rough order of risk: your voice in any audio or video format, your real-time location and routine, your family relationships and their names, your employer and team structure, photos of you in vulnerable or compromising contexts, your phone number, and your physical address. Each one feeds a specific scam pattern. Voice feeds AI voice cloning. Location and routine feed extortion threats. Family info feeds emergency-money scams. Employer info feeds CEO fraud. Photos feed deepfake sextortion. Number feeds spam targeting. Address feeds in-person follow-ups.
Do I have to delete all my social media?
No. Deletion is one extreme, oversharing is the other. The middle path is intentional sharing. Lock down your accounts to known contacts only. Strip metadata from photos before posting. Stop sharing real-time location, post location after you have left the place. Do not post voice samples that include silent gaps useful for cloning. Reduce family tagging. Use a separate email for matrimonial and dating platforms. The goal is to make the cost of scamming you higher than the expected payoff. You do not have to be invisible. You have to be expensive to target.
How do I find out what information about me is already public?
Do an audit on yourself. Search your name on Google with quotes. Search your phone number on Google. Search your email on haveibeenpwned.com. Open every social media profile in incognito mode and see what a stranger sees. Check Truecaller for what name and tag your number shows publicly. Look up your professional profile on LinkedIn, then check who can see your full work history. Check Facebook and Instagram for old posts that include your home, your kids’ school, your office. Then start removing what does not need to be there.
When is locking down my profile most important?
When something changes that makes you more valuable as a target. New job, promotion, raising a funding round, getting married, having a child, family member going through public events, parent passing, getting press coverage, joining the board of a company, becoming a government adviser. Each of these triggers scammer attention. The week of a press release is the week to lock down. The week of an obituary is when family pretext scams spike.
Disclaimer: This guide is for public awareness only. Cyber Secify is an independent cybersecurity consultancy and is not affiliated with or endorsed by any platform, government agency, or regulator. Privacy guidance is best effort, not legal advice. For emergencies and legal reporting, always contact 1930 and file at cybercrime.gov.in.
Ashok Kamat Co-founder, Cybersecify