Breaches and Butterfly Wings: How data loss fuels further phishing

The ‘butterfly effect’ is a popular way of explaining chaotic systems to non-mathematicians—the flapping of a butterfly’s wings in one country contributes, however slightly, to a change in wind patterns that can cause a tornado in another weeks later. It’s important to be aware that our Internet-connected world is just as prone to producing these weird, unpredictable links as the weather system.

You’ve likely heard of phishing before, where scammers send out dodgy emails in bulk in the hopes of snaring even a small proportion of recipients. As people have gotten wiser to the risks of phishing, the attacks have grown in sophistication. Spear-phishing attacks are now the order of the day, targeted scam emails that are tailor-made to slip under your radar, and yours alone, whether you’re a new starter or the CEO (such high-level attacks are specifically known as ‘whaling’). Where do the scammers get this information from?

Often, they get it from you. Open-source intelligence (OSINT) is the process of finding out information about a target from publicly-available sources, like their social media accounts. Barclays have an excellent video on this—if an attacker finds out that it’s your birthday soon, that you usually shop at a certain store and the name of one of your friends, would you be suspicious about receiving a ‘discount link’ to that store, allegedly from that friend, in time for your birthday? The attacker is hoping not.

Or maybe they get it from other, legitimate sources that you never gave information to. ‘Infosec research biz’ Agari recently delivered a presentation at the Black Hat security conference about a group of Nigerian email scammers who were utilising ‘legit biz intelligence firms’ in order to gather information on their potential victims. Sites like and Pipl also hoover your details from publicly-available sources—such as your home address if you’ve ever registered to vote in the UK and didn’t opt to withhold your information from the public voter roll—and present it to the highest bidder.

And, finally, remember that data breaches do not happen in isolation. An increasingly-common email scam claims that the attacker knows your log-in details and demands a ransom. This comes with your ‘password’ as proof. The attacker, however, has done nothing of the sort—they will have gathered your log-in details from a previous data breach elsewhere, perhaps even from a company you weren’t aware had your data (as was the case for many victims of the 2017 Equifax breach), and are hoping that you, like far too many people, repeat your passwords across multiple services despite all guidance to the contrary. With a recent string of huge data breaches, from Butlin’s and British Airways to the Marriott hotel chain, we can expect these kinds of attacks to become more common.

When receiving an electronic communication, remember: even if it contains information you think a scammer couldn’t possibly know about you, don’t let your guard down. Verify the email through a separate channel, let IT take a look and remember that if it seems to good to be true, it probably is. Finally, protect yourself in advance by removing your data from online services like and Pipl*, locking down your social media profiles and avoid password re-use wherever possible—the NCSC has some guidance on that last one that might just save you some major headaches down the line.

* If you are listed on either of these sites, you can request removal of your information at and These are not the only two such services, however.

Scroll to Top