In a Nutshell
In 2023, the Federal Trade Commission (FTC) reported that consumers lost $330 million to text-based scams alone. By 2025, FTC Data Spotlight reports show those losses have surged to over $470 million, with total fraud losses across all methods hitting a record $12.5 billion. Whether it is a fake “unpaid highway toll” alert, a “suspicious activity” warning from your bank, or an AI-generated job offer on WhatsApp, these messages are precision-targeted. Understanding how scammers get your phone number is the first step in taking back control of your digital identity.
Scammers use data breaches because they provide millions of verified phone numbers that are impossible to guess manually. They buy these stolen databases on the dark web — a hidden part of the internet used for illegal trade — for just a few dollars. Recent 2025 breaches, such as the Odido Telco leak, have added millions of verified mobile numbers to these illicit marketplaces. A major WhatsApp data leak similarly exposed millions of Americans to potential fraud.
A leaked number is often sold alongside your billing address, allowing scammers to craft highly convincing “bank fraud” alerts that mention your specific branch. This is why breach monitoring is non-negotiable.
What to do:
Automated bots use social media scraping to pull contact info from public profiles at a scale that bypasses standard privacy filters. These programs “crawl” through platforms like Facebook and LinkedIn looking specifically for the 10-digit patterns that identify a mobile phone number. If your profile is public, it takes a bot less than a second to harvest your data.
Even a “Friends Only” post can be scraped if one of your contacts has their account compromised by a hacker, making your data vulnerable by association.
What to do:
Data brokers exploit public records because government documents provide a legal, aggregated source of personal data that is difficult for individuals to hide. These companies package your voter registration, property deeds, and marriage licenses into searchable digital profiles — then sell this information to anyone with a credit card, including malicious actors.
These profiles often link your mobile number to your home address and your relatives’ names, which makes grandparent scams — now frequently enhanced by AI voice cloning — much easier for criminals to execute.
What to do:
Manually opting out of every data broker site is incredibly time-consuming — there are hundreds of them, and they re-add your records regularly. Incogni is a personal data removal service that does this automatically on your behalf.
What Incogni does:
If you’re serious about reducing spam calls and scam texts at the source, removing your data from broker databases is the most effective long-term solution. Try Incogni here →
Scammers use number harvesting — the practice of collecting digits through fake “limited time” surveys — to trick you into volunteering your own data. They create a sense of urgency by claiming you have “won” a prize that will expire if you do not act immediately. Once you enter your number to claim the reward, your data is added to a “sucker list” for future attacks.
What to do:
Scammers use wardialing — software that automatically dials or texts every possible number combination in a specific area code — to identify which lines are currently active. In 2025 and 2026, these bots use generative AI to engage in realistic “wrong number” conversations designed to build trust before the scam begins.
According to the FCC Scam Glossary, a verified “live” number is sold for a much higher price on scammer forums than an unverified one. When you answer or reply “STOP” to a suspicious text, you confirm to the bot that your line is active.
What to do:
Many “free” utility apps — such as flashlight or simple game apps — act as data siphons that request permission to access your contacts solely to sell that information. These developers often make more money from selling user data to third-party advertisers than from the app itself. Malicious apps frequently hide these data-sharing clauses deep within their Terms of Service, assuming you will simply click “Accept” without reading.
What to do:
Getting your number is only the first step. Here is what scammers do with it once they have it:
A scammer contacts your carrier, impersonates you, and convinces a customer service agent to transfer your phone number to a SIM card they control. Once successful, they receive all your calls and texts — including one-time 2FA codes — and can take over your email, bank, and social media accounts. Learn how to spot and prevent SIM swap fraud on ScamAdviser.
Scammers send fraudulent text messages designed to look like alerts from banks, delivery companies, or government agencies. These messages contain malicious links that steal your login credentials or install malware on your device.
If a scammer controls your number through SIM swapping or call forwarding fraud, they can intercept the SMS verification codes sent by your bank, email provider, or crypto exchange. This is why security experts recommend using an authenticator app instead of SMS for 2FA wherever possible.
Using just a few seconds of audio from a voicemail or social media video, scammers can clone the voice of a family member and call their relatives claiming to be in an emergency. These AI voice cloning scams are particularly effective against older adults.
Armed with your phone number and personal details from a data broker profile, scammers can call you directly and reference your name, address, or recent transactions to appear legitimate. This is called vishing (voice phishing) and it is increasingly difficult to distinguish from a genuine customer service call.
If you receive a scam message, forward it to 7726 (SPAM) to alert your carrier and file an official report at ReportFraud.ftc.gov. Your phone number is a digital key to your life — guard it accordingly.
Frequently Asked Questions
How do scammers get your phone number in the first place?
Scammers obtain phone numbers through multiple channels: purchasing stolen data from dark web marketplaces following corporate data breaches, scraping public social media profiles with automated bots, buying packaged records from legal data broker companies, and running fake survey or prize scam websites that trick people into entering their own contact details.
What can a scammer do with just my phone number?
With your phone number, a scammer can attempt SIM swapping to take over your accounts, send targeted phishing texts (smishing), intercept 2FA verification codes, make impersonation calls using AI-cloned voices, and sell your number to other criminals on scammer forums.
How do I know if scammers have my phone number?
You can check if your number was exposed in a known data breach by entering it into Have I Been Pwned. Signs your number is already in circulation include a sudden increase in spam calls or texts, receiving targeted messages that reference your real name or location, or being notified by your carrier of suspicious account activity.
How do I stop scammers from calling me?
Enable “Silence Unknown Callers” in your phone settings, register your number with the FTC’s National Do Not Call Registry, submit opt-out requests to data broker websites (or use a service like Incogni to automate this), and never reply to suspicious texts even to say “STOP.”
Is it dangerous if a scammer has my phone number?
Yes. A phone number alone can be used as the starting point for SIM swap attacks, account takeovers, and highly targeted phishing attempts. When combined with data from broker sites — such as your address or family members’ names — it gives scammers everything they need to construct convincing fraud scenarios.
What should I do if I responded to a scam text?
Do not click any links in the message. Change the passwords on any accounts you may have accessed recently. Contact your bank if you shared any financial details. Report the message to your carrier by forwarding it to 7726 (SPAM) and file a report at ReportFraud.ftc.gov.
Adam Collins is a cybersecurity researcher at ScamAdviser who operates under a pseudonym for privacy and security. With over four years on the digital frontlines and 1,500+ days spent deconstructing thousands of fraud schemes, he specializes in translating complex threats into actionable advice. Adam’s mission is simple: exposing red flags so you can navigate the web with confidence.
Disclaimer: Some of the links in this post are affiliate links. If you click them and make a purchase, we may earn a commission at no extra cost to you.
