Scammer-Facing False Positives: When Hackers Mess Up

Every click, every search, every post leaves a trace. Every week on “What the Hack” we explore what to do about that. 

This week’s episode features Academy Award-winning filmmaker Dan Sturman and an imperfect storm of mistaken identity, amateurish social engineering, and the real-world effects of your data being out there for anyone to grab.

This story begins with two people named Dan Sturman—one with enemies, one without–and it ends with the wrong Dan Sturman being targeted by hackers. It’s a classic false positive, where an online result seems to match a person but is actually a misidentification. In the world of personal data removal, we see it all the time.

What’s In an Email Address?

Dan Sturman’s story is a cautionary tale about digital visibility. He’s a guy who, thanks to a very sweet early-adopter friend, scored his own name as an gmail address back in the mid aughts when the email service was still in beta mode, no numbers, just his name. And there’s something to the “I got here first” vibes of a one or two name handle–otherwise hackers wouldn’t spend so much time trying to hijack them. 

Well, that beautiful OG handle is exactly what put Dan Sturman in a hacker’s sites.

When hackers decided to go after the other Dan Sturman—the one with the big title at a well known gaming company, they did what any hacker does: They Googled him. But the Dan Sturman who popped up, with his OG public-facing, early-adopter email–the kind of email address you’d expect from a tech-savvy dude was the filmmaker. 

And then these bad actors (emphasis on bad, read: inept) fell for what I’m going to call a scammer-facing false positive. Hackers and marketing people can have a similar feel, which was the case here. The first calls and emails were from real people doing real jobs making real offers—jet charters, investment opportunities. But the wrong Dan Sturman even got a call about a sapphire necklace that was ready for pickup at Tiffany’s. 

Then the messages took a turn for the darker. There were spoofed calls from his own sister’s number and texts threatening to go after his family. And just like that, Dan Sturman the filmmaker was the unwitting stand-in for someone else’s enemies.

The Power of Social Engineering and Digital Obscurity

As our resident security guru DeleteMe Reuben Moretz explained, this is a classic case of attackers who were not very good at their “job” using a form of mimicry to build trust so they could then effectively strike their victim, which brings us to the most important part of the story.

While Dan the filmmaker was out in the open, the other Dan Sturman was a digital cipher. It’s impossible to find his email, his phone number, or his address. My experience (and presumably that of his would-be attackers) began to make more sense when Dan Sturman the filmmaker reached out to Dan Sturman the tech guy’s company: Three of their executives had been swatted, but the other Dan wasn’t a target of the threats. 

The reason: His personal information wasn’t online and as I heard the other Dan Sturman tell his story I had a not-so-sneaking suspicion this was no accident. Dan Sturman the Ghost was hard to find in a way that doesn’t happen by chance. It’s the product of a ton of vigilant work, or a subscription to an effective service. 

So what’s the takeaway here? Visibility has its costs, but so does obscurity. If you disappear completely, you can’t control your own story. But if you’re too visible, you become a potential stand-in, a false positive for someone else’s problems. The only real defense is to be aware. To watch your alerts, to trust your gut when a call seems off, and to remember that the most powerful tool you have sometimes is just knowing when not to click or to hang up or not pick up at all.

Stay safe out there, and let’s keep fighting the good fight.

Take Control

While it’s impossible to completely disappear from the internet, you can take steps to manage your digital footprint:

• Audit your online presence: Search for your name on Google and other search engines to see what’s publicly available.
• Adjust privacy settings: On social media and other accounts, review and tighten your privacy settings to limit who can see your information.
• Use strong, unique passwords: A password manager can help you create and store complex passwords for all your accounts.
• Be mindful of what you share: Before posting, consider if the information could be used against you.
• Remove unwanted data: Services like DeleteMe specialize in removing your personal information from data brokers, helping you regain some control over your digital identity.

By understanding how your data is collected and used, you can make more informed decisions and protect yourself in the digital world.