How To Disappear From People Search Sites That Sell Your Data

online privacy, data brokers, people search sites, opt-out, personal data removal, digital privacy, stalking prevention

A friend of mine found out her ex could see her new address three days after she moved. She hadn't told him. She hadn't told anyone connected to him. He found it on Spokeo — a people search site that aggregates public records and sells access for a few dollars.

This isn't rare. It's the norm.

What You're Actually Dealing With

People search sites — Spokeo, WhitePages, BeenVerified, Intelius, MyLife, FastPeopleSearch, and dozens of others — aren't doing anything technically illegal. They're harvesting public records: voter registrations, property deeds, court filings, utility hookups, and old social media data. They package it and sell it.

Your profile on these sites often includes your full name, current and past addresses, phone numbers, relatives' names, estimated income, and sometimes even a photo pulled from a social account you forgot existed.

The unsettling part: you never signed up. You were enrolled by default just by existing.

The Opt-Out Process (And Why It's Designed to Exhaust You)

Each site has its own removal process. There's no universal opt-out. You have to go site by site, fill out forms, sometimes verify your identity via email, and wait days or weeks for removal to take effect.

According to the Privacy Rights Clearinghouse, there are over 500 data broker companies operating in the United States alone. Manually opting out of all of them is genuinely a multi-day project.

The high-leverage ones to hit first:

  • Spokeo: spokeo.com/opt_out/new
  • WhitePages: whitepages.com/suppression_requests
  • BeenVerified: beenverified.com/opt-out
  • Intelius: intelius.com/opt-out
  • MyLife: mylife.com/ccpa/index.pubview
  • FastPeopleSearch: fastpeoplesearch.com/removal

Work through these manually if you have time. If you don't, tools like DeleteMe or Kanary do this for you on a subscription basis — expect to pay $10–$13/month, and understand they don't get everything.

The Counterintuitive Move Most People Skip

Here's what almost no one tells you: opting out is temporary.

Data brokers re-scrape public records continuously. If your name appears on a new lease, a new voter registration, or a business filing, you'll be back in their databases within months. Opting out doesn't fix the source — it fixes the symptom, once.

The more durable strategy is upstream suppression: minimizing what enters public records in the first place. This means using a PO box or mail forwarding service instead of your home address for anything that gets filed publicly (business registrations, professional licenses, online purchases that generate mailing list data). Some states let you redact your address from voter records if you qualify for confidential status — check your state's election office.

If you own property, a land trust or LLC can keep your name off the deed, though this has legal and financial implications worth understanding before doing.

What Google Has to Do With This

Even after you opt out of individual sites, cached Google results can surface your data for months. According to Google's own support documentation , you can request removal of outdated cached content from search results if the original page has been deleted or updated.

This matters because someone searching your name may hit a Google cache of a people-search page that no longer hosts your data. The opt-out worked; Google just hasn't caught up yet. Submit a removal request through Google's Remove Outdated Content tool — it's free and usually processes within a few weeks.

If You're in a Specific Risk Category

If you're being stalked, harassed, fleeing domestic violence, or have any reason someone actively wants to find you — standard opt-outs aren't enough and aren't fast enough.

Many states have Address Confidentiality Programs (ACPs) that provide a substitute address for public records. California's Safe at Home program is one example; most states have equivalents. These programs legally require government agencies to accept the substitute address in place of your real one for most official purposes.

For threat-level situations, manual DIY opt-outs are not your primary tool. They're a supplement to legal protections, not a replacement.

The Honest Limitation

Even a thorough, well-executed opt-out campaign leaves gaps. Data brokers that operate offshore aren't covered by U.S. opt-out requirements. Some sites are intentionally difficult to find, let alone remove yourself from. And if your information has already been downloaded and stored by someone before you opted out, there's no mechanism to reach into their copy.

Removal reduces your exposure. It doesn't achieve invisibility. Anyone determined and willing to pay for a professional background check service — the kind used by employers and lawyers, not the $5 consumer sites — will likely still find you.

The goal isn't to disappear completely. It's to make casual surveillance — the ex, the scammer, the stranger — significantly harder than moving on to an easier target.

Sources:

  • Privacy Rights Clearinghouse
  • Google Support: Remove Outdated Content

Why Turning Off Your Phone Regularly Is A Security Move

mobile security, phone privacy, zero-click exploit, NSA guidance, spyware, cybersecurity habits, Pegasus spyware

Your Phone Never Sleeps. Maybe It Should.

Picture this: you haven't turned your phone off in four months. You charge it every night, you update apps when the notification gets annoying enough, and you think of it roughly the way you think of a kitchen tap — something that just works until it doesn't. Meanwhile, something tiny and invisible has been sitting in your phone's memory since you tapped a link in a group chat three weeks ago. It's not stealing your photos. It's not draining your battery. It's waiting.

That's not a hypothetical. That's the operating model of an entire class of modern mobile threats.

The Thing Living in RAM

When a piece of malicious code gets onto your phone — whether through a suspicious link, a compromised app, or what's called a "zero-click exploit" (more on that shortly) — it often doesn't install itself the way old-school PC viruses did. It doesn't write files to your storage. It lives in RAM, the temporary working memory your phone uses to run apps. It exists only while your phone is running.

Turn your phone off, and the RAM clears. That code stops existing.

Research from Amnesty International and Citizen Lab has shown that sophisticated infection chains often rely on zero-click exploits with no persistence mechanism, meaning a regular reboot can effectively clean the device. This isn't folk wisdom from a Reddit thread. It's what forensic investigators found after examining the phones of real targets — journalists, lawyers, activists — across multiple continents. Kaspersky

What a "Zero-Click" Actually Means

You've probably heard warnings about phishing: don't click that link, don't open that attachment. Good advice. But the nastier category of attack requires nothing from you at all. No tap, no download, no mistake on your part.

A zero-click exploit uses a vulnerability in software your phone runs automatically — the image previewer, the message handler, the iMessage processor — to execute code the moment a specially crafted message reaches your device. You don't see anything unusual. Your phone just quietly processes the attack.

The Citizen Lab documented at least three distinct zero-click exploit chains deployed by NSO Group's Pegasus spyware in 2022 alone, targeting iOS 15 and iOS 16 devices, with some exploiting iMessage and HomeKit simultaneously. These weren't theoretical. They were used against real people. The Citizen Lab

The rebooting advice exists precisely because of this threat class. If an attacker can get in without you doing anything wrong, your only reliable counter is denying the code a place to live long-term.

The NSA Actually Said This Out Loud

Here's where it gets interesting: the recommendation to reboot your phone regularly didn't come from a security blogger trying to generate clicks. The NSA published this guidance in a mobile device best practices document in 2020, specifically recommending reboots as a measure that "sometimes prevents" zero-click exploits and spear phishing attacks. The agency has reiterated it multiple times since. The Cyber Express

"Sometimes prevents" is doing a lot of work in that sentence, and we'll come back to that. But when the signals intelligence arm of the U.S. government puts "turn it off once a week" in an official document, it's worth taking seriously.

The practical guidance they suggest: once a week. Not every night (though that wouldn't hurt), not a full factory reset — just a full power cycle. Off, then back on.

The Counterintuitive Part Most Articles Skip

Here's what usually gets left out: rebooting doesn't just interrupt malware that's already present. It also disrupts attacks in progress.

Many modern exploits against phones aren't single-step operations. They're chains: one vulnerability gets initial access, a second achieves deeper permissions, a third establishes whatever the attacker actually wants. These chains take time, and they require your phone to stay running throughout.

Restarting your phone forces an attacker to start the entire exploitation chain over from scratch, which can be enough disruption to cause the attack to fail entirely — especially when each stage of the chain depends on fragile, temporary conditions. CyberGuy

Think of it less like clearing out a burglar and more like resetting the locks mid-break-in. The attacker invested effort into getting halfway through a complex sequence. Your reboot just made that investment worthless.

How to Actually Do This

The mechanics are simple, but a few things are worth knowing:

A soft reset (power off → power on) is what you want. This is different from just pressing the side button to put the screen to sleep — you need a full shutdown and restart. On most iPhones, hold the side button and a volume button together until the slider appears. On most Androids, hold the power button until the menu appears and choose "Restart."

A weekly reboot also happens to fix a second security problem most people don't think about: permission creep. Apps that have been running for weeks accumulate cached data and maintain background network connections. Some of those connections are legitimate. Some are aggressively tracking your behavior. A reboot clears background processes and forces apps to re-request network access.

If you want to build the habit without thinking about it, pick a consistent time — Sunday night before you plug in to charge works well. Your phone reboots, updates install, and you start Monday with a clean state.

What Rebooting Won't Fix

Here's the honest part.

If an attacker's code has achieved persistence — meaning it's written itself to your phone's storage, not just RAM — a reboot won't remove it. Older versions of Pegasus, for instance, were explicitly designed to survive reboots by embedding themselves more deeply. The research showing reboots help is specifically about newer, stealthier variants that deliberately avoid persistence to make forensic detection harder.

Rebooting also does nothing about the underlying vulnerability that allowed the attack in the first place. If your operating system has an unpatched flaw, that flaw exists whether you've rebooted recently or not. Software updates close those holes. Rebooting just removes the code that snuck through before the update.

So: reboot weekly, yes. But also keep your OS updated, don't ignore those security patches, and be skeptical of unexpected messages even from people you know — because their accounts could be compromised too.

The reboot is one layer, not the whole defense. But it's a layer that costs you nothing and takes ninety seconds. That's a favorable trade.

Sources:

  • Kaspersky Blog — How to Protect from Pegasus and Other Advanced Spyware
  • Citizen Lab — NSO Group's Pegasus Spyware Returns in 2022
  • The Cyber Express — Reboot Your Phone: NSA's No.1 Tip
  • CyberGuy — NSA Urging Americans to Reboot Phones Once a Week

How Hackers Use AI To Make Phishing Emails Look Real

phishing, AI security, cybersecurity, social engineering, email scams, business email compromise, online safety

The Email That Almost Got My Friend Fired

My friend Sarah is sharp. She's been in finance for fifteen years, has seen every scam in the book, and rolls her eyes at people who click suspicious links. Last March, she almost wired $47,000 to a fake vendor because of an email that looked — and I mean exactly looked — like it came from her CFO.

The grammar was perfect. The tone was right. It even referenced a real internal project by name. She caught it at the last second because the CFO walked by her desk in person. That's the only reason she still has her job.

What Sarah encountered wasn't a Nigerian prince letter. It was an AI-generated spear-phishing email, and it's now the dominant threat in corporate fraud.

What AI Actually Does to a Phishing Email

Old phishing was obvious. Typos, weird phrasing, generic greetings like "Dear Valued Customer." Your brain flagged it because it felt off.

AI removes the "off." Tools like large language models can write in flawless English — or flawless Indonesian, French, or Tagalog — with zero tells. They can mimic your boss's actual writing style if they've scraped enough of their public emails, LinkedIn posts, or company communications.

According to IBM's X-Force Threat Intelligence Index, AI-assisted phishing campaigns now generate emails that are significantly more convincing than traditional ones, with open and click rates increasing substantially when messages are personalized and grammatically clean.

This isn't theoretical. The tools to do this are cheap, some are free, and they require almost no technical skill to operate.

The Personalization Problem

Here's the part most articles skip: the writing quality is only half the threat. The bigger danger is contextual accuracy.

AI doesn't just write well — it researches. A attacker can feed a model your LinkedIn profile, your company's press releases, your public Slack exports if they exist, your published interviews. The model then writes an email that references your actual job title, your real manager's name, a project you're actually working on, and a deadline that's plausible.

According to researchers at Stanford Internet Observatory, AI-enhanced social engineering attacks are particularly effective because they exploit familiarity and cognitive trust — our brains are wired to accept information that matches what we already know.

When an email knows things, we stop questioning whether the sender is legitimate. That's the exploit.

The Counterintuitive Part Nobody Talks About

Most security advice focuses on spotting bad emails. Check the sender address. Look for weird links. Don't download attachments.

That advice is mostly still useful — but here's what it misses: AI phishing is now optimized to pass exactly those checks.

The email address might be one character off (cfo@companyname.net instead of .com) but the message itself will give you no other reason to look. AI-generated emails are designed to prevent the uncomfortable pause that makes you verify. They create urgency, invoke authority, and match tone — all specifically to short-circuit your instinct to double-check.

The real defense isn't reading the email more carefully. It's building habits that operate outside the email entirely. When a financial request arrives by email, your policy should be to confirm it through a completely separate channel — a phone call, a walk to someone's office, a Slack message you initiate yourself. Not a reply. Not a forward. A separate, independent contact.

What You Can Actually Do

Verify out-of-band, always. Any request involving money, credentials, or sensitive data that arrives via email should be confirmed through a different communication channel before you act. This one habit breaks almost every AI phishing attempt.

Slow down on urgency. AI-generated phishing almost always creates artificial time pressure. "I need this before end of day." "Don't mention this to anyone yet." The urgency is engineered. Real emergencies can survive a two-minute phone call.

Use a passphrase system with your team. Some companies now use a verbal code word — something only internal people know — to authenticate sensitive requests over phone or video. Low-tech, effective.

  • Turn on multi-factor authentication everywhere, especially email and financial systems
  • Check full email headers on suspicious messages, not just the display name
  • Report suspected phishing to your IT team even if you didn't click — patterns matter

According to the Anti-Phishing Working Group's Phishing Activity Trends Report, phishing attacks continue to increase year-over-year, with business email compromise — the category Sarah nearly fell for — causing billions in losses annually.

The Part That Should Worry You More Than Anything

Voice cloning now exists alongside text generation. Attackers can clone your CEO's voice from a few minutes of publicly available audio — earnings calls, conference talks, YouTube interviews — and call your finance team pretending to be them.

This is already happening. It's not a future threat. If you work in a role that handles money or sensitive systems, your organization needs voice verification protocols that don't rely on "it sounds like them."

One Honest Caveat

None of these defenses are perfect. Out-of-band verification can be slow and sometimes genuinely impractical. Passphrase systems can be forgotten or inconsistently applied under pressure. The uncomfortable truth is that AI phishing is an asymmetric threat — attackers only need to succeed once, and they have unlimited attempts.

Security culture — meaning the institutional habit of slowing down for high-stakes actions — is the best available defense. But culture requires consistent reinforcement, and most organizations invest in it only after a loss. Sarah got lucky. Most people who almost fall for these don't notice in time.

Sources:

  • IBM X-Force Threat Intelligence Index 
  • Stanford Internet Observatory
  • Anti-Phishing Working Group Trends Reports

The Accounts You Need To Secure Before Everything Else

account security, password manager, SIM swap, two-factor authentication, email security, credential stuffing, online safety

A friend of mine lost access to her entire digital life in about forty minutes. She wasn't hacked by a sophisticated criminal. Someone just called her phone carrier, pretended to be her, and got her number transferred to a new SIM. From there, they reset her email. From her email, they got into her bank. It was over before she even noticed her phone had gone silent.

What she didn't realize — and what most people don't — is that a few specific accounts sit at the top of a hierarchy. Compromise one of them, and everything else falls like dominoes. Protect them well, and the rest of your digital life becomes dramatically harder to reach.

Your Email Account Is the Master Key

Every "forgot my password?" link goes to your inbox. This makes your primary email account the single most dangerous thing an attacker can own. It's not just a communication tool — it's a recovery mechanism for almost everything else you use.

The fix here is non-negotiable: turn on two-factor authentication (2FA), but use an authenticator app, not SMS. Text-message codes can be intercepted or redirected through the kind of SIM swap attack that hit my friend. Apps like Google Authenticator or Authy generate codes locally on your device, which is a meaningfully different security model.

Use a strong, unique password — one you've never used anywhere else. If you've had the same email password for five years, change it today.

Your Phone Number Is More Powerful Than You Think

Here's the counterintuitive part most articles skip entirely: your phone number is probably your weakest security link, even though it feels like a security tool.

When companies send you a verification code via text, they're treating your phone number as proof of identity. But phone numbers can be hijacked — through SIM swaps, through SS7 protocol exploits, through social engineering at a carrier store. According to the FTC, SIM swap scams have caused substantial financial losses, and carriers have been slow to implement effective safeguards.

The actionable step: call your carrier and ask if they offer a "port freeze" or a "SIM lock" that requires a PIN before any changes can be made to your account. Most carriers offer this. Almost nobody uses it.

Your Password Manager

If you don't use a password manager, you're almost certainly reusing passwords. And password reuse is how most account takeovers actually happen in practice — not through Hollywood-style hacking, but through credential stuffing: attackers take a leaked password from one breach and try it everywhere else.

According to Have I Been Pwned, billions of credentials from past breaches are freely available to anyone who wants them. Your old LinkedIn password from 2012 is probably in a database somewhere.

A password manager like Bitwarden (free) or 1Password lets you use a unique, random password for every account without memorizing any of them. Protect the manager itself with a strong master password and an authenticator app — not SMS.

Your Apple ID or Google Account

These accounts control your phone backups, your photos, your app purchases, and often your physical device itself. If someone gets into your Apple ID, they can locate your devices, wipe them, or lock you out entirely. Google account access means access to Gmail, Drive, Photos, and potentially your Android phone.

Enable 2FA on both. For Apple, also set up a Recovery Key — it's an option in your account settings that disables the standard account recovery process, which has been abused by attackers in the past.

Your Financial Accounts — But Not the Ones You're Thinking Of

Most people worry about their bank. Banks are actually relatively well-defended, and they have fraud protection and chargebacks. The accounts that actually matter more are the ones that feed into your financial life: your primary email (already covered), your phone number (covered), and — critically — your brokerage or investment accounts.

Brokerage accounts often have weaker consumer protections than banks. Wire transfers from investment accounts can be harder to reverse. Prioritize these alongside your bank, not after.

The Honest Limitation

Here's where I have to be straight with you: even if you do all of this perfectly, you're still not immune. Some attacks target the institutions themselves rather than you individually. Data breaches happen at companies with no fault on your part. And the social engineering problem — a convincing phone call, a fake email — exploits human psychology in ways that technical controls don't fully solve.

What good security hygiene actually does is raise the cost of attacking you high enough that most opportunistic attackers move on to easier targets. It doesn't make you invincible. The goal is to not be the easiest person in the room to rob.

Sources:

  • FTC — SIM Swap Scams
  • Have I Been Pwned

What A SIM Swap Attack Is And Why It Can Destroy Your Life

SIM swap, identity theft, phone security, two-factor authentication, account takeover, cybersecurity, social engineering

Your phone goes silent. No bars, no signal — just that hollow "No Service" message sitting in the corner of your screen. You assume it's a network glitch and keep scrolling. Twenty minutes later, your email password stops working. Then your bank app locks you out. By the time you understand what's happening, someone else has already drained your account.

That's not a horror story. That's Tuesday for SIM swap victims.

Someone Talked Your Phone Company Into Handing Over Your Number

Here's the mechanics, without the textbook language: your phone number is attached to a small chip called a SIM card. That number is also the key to almost every "forgot my password" flow you've ever used. Attackers know this.

So they call your carrier — T-Mobile, AT&T, Verizon, whoever — and pretend to be you. They've already scraped your name, birthday, maybe your address from a data breach or your public social media. They tell a customer service rep that they "got a new phone" and need the number transferred. If the rep believes them, your number moves to their device in minutes.

You lose service. They get your calls and texts. Every two-factor authentication code you've ever trusted now lands in their hands.

The Real Damage Isn't Just Your Bank Account

Most people imagine the worst case is a wire transfer. It's worse than that.

Your email resets via your phone number. Your email is the master key to everything else — every subscription, every social account, every cloud backup. Once an attacker chains your phone → your email → your password manager, they can spend days methodically stripping your digital life before you even file a police report.

According to PIRG Education Fund, SIM swap victims lost more than $26,400 on average in 2024 — and that figure doesn't include lost wages, business costs, or the time spent trying to resolve the damage. PIRG

The recovery process is brutal. You'll spend weeks on hold with carriers, banks, and credit bureaus. Some people never fully recover their accounts. Credit damage can follow you for years.

The Counterintuitive Part Most Articles Miss

Here's the thing almost no one tells you: enabling two-factor authentication via SMS — the thing every security guide has told you to do for years — is exactly what makes this attack so devastating.

You turned on SMS-based 2FA to protect yourself. The attacker turned it into a master key.

The more accounts you secured with your phone number, the more power you handed to anyone who can steal that number. The security feature became the attack surface. This isn't an argument against 2FA — it's an argument for the right kind of 2FA, which we'll get to.

How Attackers Get Your Information First

A SIM swap doesn't start with a phone call. It starts weeks or months earlier.

Attackers gather your personal details from data breaches (your information has almost certainly been in one), LinkedIn, Instagram, and public records. They're looking for answers to carrier security questions: your birthdate, mother's maiden name, last four of your SSN, billing zip code.

A 2020 Princeton University study found that five major carriers — AT&T, T-Mobile, TracFone, US Mobile, and Verizon — used insecure authentication challenges to verify customers, and that in every successful SIM swap attempt, the attacker passed at most one authentication scheme. Meaning: a partial picture of your life was enough. PIRG

What You Should Actually Do

Vague advice like "be careful online" helps no one. Here's what moves the needle:

Call your carrier today and set a port freeze or account lock. Most major carriers now offer this — it blocks any SIM transfer or number port until you explicitly unlock it. This is your single highest-leverage action. Ask specifically for a "SIM lock" or "number lock," not just a PIN.

Set a strong, unique carrier PIN. Then use a password manager to remember it, because you'll forget it. The PIN only helps if your carrier actually requires it for SIM change requests — ask them directly whether it's enforced at the account-change level, not just for billing calls.

Move your 2FA off SMS. Use an authenticator app like Authy or Google Authenticator for your email, bank, and any crypto accounts. Better yet, get a physical security key (like a YubiKey) for your most critical accounts. These are immune to SIM swaps because they're not tied to your phone number at all.

Search your email for "verification code" and "confirm your number." Every account you find that uses SMS-based verification is a liability. Spend an afternoon switching them to app-based 2FA. It's tedious. Do it anyway.

The Regulatory Response (And Why It's Not Enough)

In November 2023, the FCC adopted new rules requiring wireless providers to use secure authentication methods before completing any SIM swap or port-out request, and to immediately notify customers when such changes are made to their accounts. This was a real improvement. Carriers can no longer verify you using just your mother's maiden name or billing ZIP code. Federal Communications Commission

But the rules don't eliminate the human element. Customer service reps can still be socially engineered. Insider threats — carrier employees bribed by criminal networks — remain a documented problem. Regulation sets a floor; it doesn't seal the ceiling.

One Honest Caveat

Even if you do everything right — port freeze, authenticator app, strong PIN, account lock — you're not immune. A determined attacker with an insider contact at your carrier, or one who has compromised your email through an entirely separate attack, can still work around most of these defenses.

The goal isn't perfect security. It's making yourself a harder target than the next person. Most SIM swap attacks are opportunistic, not targeted. The defenses above will stop most of them. For the targeted kind — the attacks on crypto holders, executives, or people with public profiles — the threat model is more serious and the countermeasures need to match.

That's not a comfortable ending, but it's the accurate one.

Sources:

  • FBI Internet Crime Complaint Center (IC3)
  • PIRG Education Fund – SIM Swap Scams Can Be Devastating
  • FCC Report and Order FCC 23-95

How To Know If A Website Is Stealing Your Information

cybersecurity, phishing, online privacy, data theft, website safety, identity theft, digital scams

Is That Website Stealing From You Right Now?

My neighbor once spent forty minutes on what she thought was her bank's login page. The URL looked right. The logo looked right. The login form looked right. What wasn't right: she'd clicked a link from an email, and the site was a clone built to harvest her credentials. She only found out when her real bank called about unusual login attempts from another country.

That story isn't rare. And the uncomfortable truth is that most of the advice you've heard — "just look for the padlock" — is dangerously outdated.

The Padlock Lie

Here's the counterintuitive part almost no one tells you: the padlock means nothing about whether a site is trustworthy. It only means the connection between your browser and the site is encrypted. A scam site can have a padlock. A phishing site designed to steal your login can have a padlock. According to the FBI's Internet Crime Complaint Center, nearly half of all phishing sites use HTTPS — meaning they have the padlock — specifically because people have been trained to trust it.

The padlock tells you nobody is eavesdropping on your data in transit. It says nothing about who's waiting for it at the other end.

What Actually Signals a Dangerous Site

Start with the URL — not the logo, not the design. Your eyes are easy to fool; the address bar is harder to fake if you know what to look for.

Look at the domain itself, not just what comes before the slash. A site at paypa1.com or amazon-secure-login.net is not PayPal or Amazon. Scammers buy domains that look similar, swap letters for numbers, or add words like "secure" or "official" to seem legitimate.

Then ask yourself: how did you get here? If you arrived by clicking a link in an email, a text message, or a social media ad, be suspicious regardless of how normal the site looks. Directly typing a URL into your browser is meaningfully safer than following links. This habit alone cuts your exposure dramatically.

Three Checks Anyone Can Do in 30 Seconds

1. Paste the URL into Google's Safe Browsing checker. Go to https://transparencyreport.google.com/safe-browsing/search and enter the URL. Google flags sites known for malware and phishing. It's not perfect, but it catches the obvious offenders.

2. Check who owns the domain. Go to https://lookup.icann.org and search the domain. If a site claiming to be a well-known company was registered two weeks ago, that's a serious red flag. Legitimate businesses have domain history.

3. Look at what the site is asking for. A site that requests your Social Security number, full date of birth, and credit card number to "verify your identity" for something routine is overreaching. Data thieves don't just steal — they collect. The more a site asks for, the more it can sell or exploit.

The Slow Leak You Don't Notice

Not all data theft is dramatic. Some sites don't steal your passwords — they quietly sell your behavior. They embed trackers that follow you across the web, log what you search, what you buy, what you read, and package that into a profile sold to data brokers.

According to Mozilla's Privacy Not Included guide, many apps and websites with friendly interfaces have privacy policies that explicitly allow them to share your data with "partners" — a word that means virtually anyone willing to pay.

You don't have to be hacked to have your information stolen. You just have to click "agree" without reading.

To slow this down: use a browser extension like uBlock Origin (free, widely trusted) which blocks many trackers by default. It won't stop everything, but it removes the easiest collection mechanisms.

When Something Feels Off, Trust That

Legitimate sites don't pressure you. They don't pop up countdowns saying your account will be deleted in ten minutes. They don't send urgent emails that can only be resolved by clicking a link. They don't offer prizes that require your banking details to claim.

Urgency is a manipulation tool. The moment a site makes you feel you must act right now, slow down instead.

If you've already entered information on a site you're now suspicious of, change your password immediately on that site and anywhere you use the same one. If you entered payment information, call your bank directly — not via a number on the suspicious site — and report it.

One Honest Caveat

All of this helps, but it doesn't make you immune. Professional phishing operations now use AI to generate convincing fake sites at scale, sometimes indistinguishable from the real thing even to technically literate people. According to Verizon's Data Breach Investigations Report, phishing remains the leading initial attack vector in data breaches, which means the problem is getting more sophisticated, not less.

The tools above reduce your risk significantly. They don't eliminate it. The only honest advice is: be skeptical by default, not just when something looks suspicious.

Sources:

  • FBI Internet Crime Complaint Center
  • Mozilla Privacy Not Included
  • Verizon Data Breach Investigations Report

The Real Reason Hackers Want Your Old Backup Phone

old phone security, SIM card theft, SIM swapping, factory reset data recovery, two-factor authentication, identity theft, phone data privacy

Your sister upgraded last spring and handed you her old Samsung "just in case." You threw it in a drawer. Then your phone cracked, you used it for two weeks, logged into your email, your bank app, your Google account — and then your new phone arrived, so you shoved the backup back in the drawer. It still has your SIM card in it. You haven't thought about it since.

That phone in the drawer is not a paperweight. To the right person, it's a master key.

It's Not About the Phone. It's About the Number.

Most people assume hackers want your device for what's on it — photos, saved passwords, that kind of thing. That's not wrong, but it misses the bigger threat. What's actually valuable is your phone number, and specifically, its role as a trust signal.

Think about the last time you logged into your bank from a new device. It probably sent a text to verify it was really you. That text went to your phone number. Your phone number is your identity for dozens of services that don't know any better way to confirm who you are.

SIM swapping — also called SIM hijacking — is a form of identity theft where attackers deceive or bribe mobile carriers into transferring a victim's phone number to a SIM card they control, giving them the ability to intercept calls, text messages, one-time passcodes, and other multi-factor authentication methods. And if your old SIM card is sitting in that drawer phone, still active, without a PIN lock? They may not even need to call your carrier. Bitsight

The "Factory Reset" Trap

Here's the counterintuitive part that almost no one talks about: wiping a phone doesn't actually wipe it.

When you tap "Factory Reset," your phone marks that storage space as available — but the data itself often stays physically on the chip until something overwrites it. From a forensic perspective, a factory reset removes user access to data and restores default settings, but residual files can persist in unallocated storage sectors, low-level system partitions, and as recoverable fragments of photos, videos, and documents — especially if storage blocks haven't been reused. Salvation DATA

This isn't theoretical. Researchers investigating modern Android devices running Android 11 and 12 found that user data has reportedly been recovered after a factory reset by applying forensic data recovery techniques. The software to do this is commercially available. It's the same tooling used by phone repair shops. ScienceDirect

Some of those shops are not trustworthy.

What "Backup Phone" Actually Means to a Thief

You've used that phone as a backup at least once, which means it likely has:

  • Login sessions that weren't explicitly signed out
  • Cached messages that synced before you logged off
  • Your carrier's SIM still seated inside, possibly still active
  • Saved Wi-Fi passwords — which can reveal where you live and work
  • Fragments of app data that survived the reset

A functional old SIM can expose your contacts and message history, enable impersonation, and make you vulnerable to targeted fraud — and if it doesn't have a SIM PIN enabled, someone who gets hold of it can use it in another device. Saily

The SIM card is the worst overlooked piece. It's not glued in. It takes three seconds to remove and slip into another phone. No password required.

What You Actually Need to Do

This is the part most articles get soft on. Here's what matters specifically:

Before you give away, sell, or store any old phone:

  1. Remove the SIM card first. Don't reset, don't sign out — do this before anything else. Cut the SIM with scissors if you're not transferring the number. If the card is still active, call your carrier and deactivate it.
  2. Enable full-disk encryption before resetting (Android users especially). On Android, go to Settings → Security → Encryption, run it, then factory reset. This means any residual data left over is scrambled without the key. iPhones encrypt by default when you have a passcode set.
  3. Sign out of every account manually before resetting — Google, Apple ID, Samsung account, banking apps, anything. Don't rely on the reset to do this.
  4. After reset, run a data-overwriting app like iShredder (Android/iOS) or use the "Erase All Content" option on iPhone, which properly destroys the encryption key rather than just clearing the index.
  5. Never store an active-SIM phone in a drawer. If you want to keep a backup phone, use it with a fresh SIM or no SIM at all.

The Thing Nobody Mentions About Two-Factor Authentication

Here's the insight that gets buried: SMS-based two-factor authentication — the kind where a code gets texted to you — is the weakest form of 2FA, but it's the default for most banks, email providers, and social platforms.

Threat actors can bypass common security questions by researching personal information shared online, and can also access your mobile account on the provider's website to initiate and authorize a SIM swap using credential stuffing — plugging in stolen usernames and passwords to answer security questions during authentication. The fact that you enabled 2FA doesn't protect you if someone can hijack the number receiving those codes. Canadian Centre for Cyber Security

The real fix, where your accounts allow it: switch from SMS codes to an authenticator app like Google Authenticator, Authy, or a hardware key like a YubiKey. These are tied to a physical device you control, not a phone number that can be transferred by a customer service rep who got socially engineered.

The Honest Limitation

Here's what this article can't fix: most people won't do all of this, and some of it is genuinely complicated on older Android phones where encryption isn't automatic. If you have a very old device — anything running Android 6 or earlier — full encryption may not be available or effective, and even an encrypted reset may leave recoverable traces. In that case, the safest option is physical destruction of the storage chip, which is extreme advice that most people reasonably won't take. The risk isn't zero even if you do everything right; it's just significantly lower. Know that going in.

Sources:

  • Bitsight: What is SIM Swapping 
  • Saily: What to Do With an Old SIM Card 
  • Salvation Data: Factory Reset and Data Security 
  • Canadian Centre for Cyber Security: Security Considerations for SIMs 
  • ScienceDirect / Forensic Science International: Assessing Data Remnants in Modern Smartphones After Factory Reset