Receiving a data breach notice may have once been a rare event. With data breaches hitting record numbers, however, these notifications are no longer as surprising as they once were. In the US alone, there were 3,322 such breaches reported last year, resulting in nearly 280 million notices being emailed to victims. In Europe, daily incidents grew by 22% annually in 2025 to reach 443 on average per day.
This represents a growing opportunity for fraudsters. They know that many people may be on the lookout for these notifications. And when they receive one, they may be more predisposed to follow the advice contained in it.
To be clear: real breaches happen every day, and ignoring a legitimate notice could be as dangerous as clicking a fake one. The goal is to stop reacting on autopilot and being able to tell a genuine alert from a fake one. Take a minute to familiarize yourself with data breach-themed scams, and you’ll be better prepared the next time one lands in your inbox.
What do fake breach notification scams look like?
There are two basic tactics at play here. Either:
- The scammers wait for a real breach, and piggyback on the news to send out a fake notification. In this scenario, the victims are more likely to believe the scam as they’ll be expecting a notification
- The fraudsters invent a breach and a fake notification providing details of the non-existent event. It’s most likely to be spoofed as if sent from a well-known and popular brand, in order to make it both relevant to the recipient and likely to be trusted. However, scammers could also impersonate the victim’s IT department at work
In both cases, scammers are increasingly using phishing kits and AI tools to automate and enhance the creation of fake notifications. AI is particularly good at crafting lookalike lures in perfect local languages, copying the wording and tone of real notices. Relevant branding and logos will also be included to add further legitimacy. All of this can be done in minutes, meaning fake notifications can be emailed out rapidly at scale after an incident.
The end goal may be to trick you into clicking on a malicious link or opening a malicious attachment, which might trigger installation of infostealing malware, for example. Or it could be a pretext to get hold of your personal and financial information and/or passwords.
Spotting the red flags
Fake breach notifications should be easy to spot if you know what to look out for. Consider the following tell-tale signs:
- Immediate action required: Scammers will use classic social engineering techniques to trick you into handing over your personal information (like Social Security number) or clicking on a malicious link. Often, this involves creating a sense of urgency to rush you into acting – e.g., by saying your data is at risk if you don’t update your password or confirm your personal details.
- Unusual sender email: Scammers will often try to spoof the sender email to make it look as if it came from the organization they’re impersonating. So look out for typos in the name (a sign of typosquatting) and hover your cursor over it in case the display name is hiding a random (and unconnected) sender domain.
- Poor spelling and grammar: As mentioned, this is less likely the more threat actors embrace generative AI (GenAI) to enhance their phishing campaigns. But it’s still a useful first check to run
- Links and attachments: Many of these missives are crammed full of links to phishing sites designed to steal your personal/financial information and passwords. They might also contain attachments masquerading as notices which covertly install malware.
- A lack of specificity: If you get a legitimate letter from a breached company, it will usually include some of your personal details, such as account number and username. But the scammers don’t have these, so their outreach will be vague and lacking detail.
Staying safe
Understanding what to look out for is the first step to staying safe from breach notification scams. If something feels off, don’t be rushed into making a hasty decision on what to do next. Take a deep breath, and slow down.
If you receive a notice, always check directly with the apparent source – but not by replying to the sender or using any contact details in the notice itself. Log into your real account and/or call or email the company to check whether the breach event is real or not. Identity protection features that often come with reputable security software, as well as services like HaveIBeenPwned.com, can provide a useful secondary way of checking whether your details have been compromised.
Mitigate risk further by using strong, unique passwords stored in a password manager, and complemented by multi–factor authentication (MFA). That means, even if hackers get hold of your credentials, they won’t be able to access your accounts.
Make sure you have robust email security installed from a reputable provider. This will ideally leverage AI to help spot and block phishing attempts and malware.
Victims: do this now
If you think you’ve been taken in by a scam, it’s important to act fast. Do the following:
- Change any passwords you might have shared with your hackers (across all the sites you use them for). A password manager is best for storing unique credentials across numerous sites and apps
- Switch on MFA for all sensitive accounts, so that even if the bad guys have your passwords they can’t get in
- Run a malware scan using reputable security software
- If you’ve shared financial information, contact your bank and tell them. Freeze credit/debit cards if applicable
- Keep an eye on your financial accounts to check for suspicious activity
- Report the incident to the FTC (US), Report Fraud (UK), the ASD (Australia), or your local equivalent
As the world becomes saturated in data breach notifications, there’s a risk that we become so inured to them we automatically believe the latest notices that hit our inbox. As tiresome as it is, careful vetting of such notices is essential. This won’t just help you avoid fraud. It will also ensure you take legitimate notifications more seriously.