Daylila

Cybersecurity · Sunday, 19 July 2026

01 · Briefing · what happened

A £11m con dressed as protection — and why the same trick runs your inbox

Cybersecurity 3 min 58 sources

A fraudster took 115 elderly people's homes by promising to keep them safe. Plus: a Colombian energy giant is extorted after a breach, and a week of stories about who is quietly watching you.

Key takeaways

  • A UK fraudster took more than £11m from 115 elderly people by promising to "protect" their homes — then selling them; the con works by dressing theft as safety, the same trick behind "verify your account now" scam emails.
  • Colombia's Ecopetrol was breached and extorted, with data on about 3,300 accounts stolen — a reminder to change any password you reused elsewhere after a company you use is hacked.
  • A run of stories — spying period-tracker apps, a city ordering apps pulled, a facial-recognition database lawsuit — shows how data given for one purpose gets used for another.

The most effective frauds don’t feel like theft. They feel like safety. A UK case sentenced on Friday shows the pattern in full — and it is the same shape as the scam emails already in your inbox.

The scam that came as a favour

Steven Long, 59, of Kesgrave near Ipswich, ran a company called Universal Wealth Preservation. Its pitch was reassurance: sign your home over to us, and we’ll protect it — so care-home fees can’t eat it and your family inherits it whole [3]. Donald Matthews, then 80, believed it. He paid £3,500 upfront and £211 a year, and handed over his house in 2008 [3]. After he died in 2016, the company sold the home and his children saw none of the money [3]. Long ran the same scheme on 114 other people. The combined loss was more than £11m [3].

Notice what the con did not do. It did not break a lock or steal a password. It got the victim to hand over his most valuable asset himself — by offering to guard him from a fear he already carried. That is the engine of the whole thing, and it runs online just as well as off. The scam email that says “unusual login detected — verify your account now” is the same machine: it names a danger, adds a clock, and asks you to hand over the keys to stay safe.

A breach, and an extortion note

Colombia’s state-controlled energy company Ecopetrol said on Friday that a cyberattack stole data tied to about 3,300 user accounts [2]. The attacker made extortion demands and threatened to publish the stolen information [2]. This is how most ransomware and data-theft attacks now pay off: steal or scramble the data, then charge to give it back or keep it quiet. Ecopetrol said it had found no critical disruption to operations and that no data had been published yet, but it could not guarantee the breach would carry no “material” financial harm [2]. Separately, Kenya’s government said it was investigating a cyber incident affecting the president’s website [4].

For an ordinary person, the lesson from a breach like this is simple: if a company you use is breached, assume the password you gave it is now known, and change it anywhere you reused it. One reused password is how a single breach becomes five.

Who’s watching

Several of the week’s stories were about surveillance that runs quietly in the background. WIRED reported that many period-tracking apps behave like data brokers, gathering intimate health information; San Francisco’s City Attorney has told Apple and Google to pull certain apps that are used almost exclusively to target women and girls [1]. The same roundup covered Meta’s face-recognition system and increasingly granular tracking of city life [1].

A related fight is now in court. The New York Times reports that Madison Square Garden — which uses facial recognition at its venues — is suing WIRED for defamation over a July article that said the company kept a database logging some VIP guests’ gender identity and sexual orientation [18]. MSG calls that a false narrative [18]. Whatever the courts decide, the theme is the same as the period-tracker story: data you give a company for one purpose can be held, combined, and used for another.

If you’re hit

One calm, under-covered point to close on. When you are defrauded or mislead, it is still worth filing a formal complaint — with your bank, and with the relevant regulators and consumer watchdogs [5]. It feels like shouting into a void, and often the money is gone. But complaints are how patterns like Long’s get spotted, and how the next person is warned before they sign.

02 · Lesson · why it matters

The con that sells you a lock

The most effective scams don't offer you a gain. They offer to guard you from a fear you already carry — so you lower your guard at the exact moment you think you're raising it.

The favour that was the theft

The Suffolk fraudster didn’t pick locks. He handed out flyers. Sign your home over to us, they said, and we’ll keep it safe from care-home fees. And an 80-year-old man, trying to do the responsible thing for his children, signed. He wasn’t careless. He was being careful — that was the whole problem.

A con that offers you a prize has to beat your suspicion. A con that offers you protection gets your suspicion working for it. You’re already scanning for danger; it just points at a danger you believe in and hands you the “solution.”

Fear is the lever, and you pull it yourself

Every good scam needs the victim to do the moving. Break in and you leave marks; get invited and you leave none. So the con looks for something the target already fears losing — a home, a savings account, a reputation, access to their own money — and offers to stand guard over it.

The fear does the work. It creates urgency (“act before the care bill comes,” “before your account is locked”). It narrows attention onto the threat and away from the person offering to help. And it reframes handing over your keys as the safe, sensible thing to do. The victim isn’t tricked into taking a risk. They’re tricked into thinking they’re avoiding one.

Why “protection” is the perfect disguise

Being careful feels like the opposite of being conned. That feeling is the vulnerability.

When you’re on guard, you’re braced for an attacker who wants to take something. You’re not braced for someone who wants to give you safety. So the shape of the con slips under the shape of your defence. The more responsible you are — the more you worry about your home, your data, your family’s future — the larger the surface a protection-scam has to land on. Your caution isn’t a wall it has to climb. It’s the door it walks through.

The same machine, in your inbox

This is not a lesson about one Suffolk fraudster. It is the design behind most of the scams that reach you online.

“Unusual login detected — verify your account now.” “We found a virus on your device; click to clean it.” “Suspicious charge on your card — confirm your details to stop it.” “Your data was in a breach; secure your account within 24 hours.” Every one of them names a fear you hold, adds a clock, and asks you to hand over the keys — a password, a code, a payment — through a channel it chose, all to keep you safe. It is Steven Long’s flyer, retyped as an email, sent to millions at no cost.

The space the real messages made

Here’s the uncomfortable part, and it isn’t anyone’s villainy. Real banks do send fraud alerts. Real security teams do ask you to reset passwords. Legitimate institutions have spent years training us to act fast when a message says it’s protecting us — to click, verify, confirm, secure. The scam doesn’t fight that training. It hides inside it. The con lives in the space that genuine security messaging built, and it wears the same uniform.

That’s why you can’t sort the real from the fake by how legitimate it feels. The feeling of “this is a responsible thing to do quickly” is exactly the feeling both are engineered to produce.

What the feeling can’t tell you

You are inside this, not above it. Everyone has something they’re afraid to lose, which means everyone has a door. The people who fall for these are not more foolish than you; they are more responsible about the thing the con named. The lawyer who never clicks a lottery email still has a mortgage, a family, an account — a fear a protection-scam can point at.

So the tell was never in how careful you feel. It’s in the structure, and the structure is always the same: a fear, a clock, and a request that you move your money, your data, or your home through a path someone else chose. When you see that shape, the safe move costs nothing — stop, and reach the bank, the company, the family, through a channel you already trust, not the one in the message. Seeing this doesn’t make you unfoolable. It just means the next time something urgent arrives wearing the uniform of your own safety, you might hold it a second longer before you open the door.

03 · Lab · your turn

Read the Shape, Not the Feeling

Rehearse spotting a protection-scam by its structure — a fear, a clock, and a request that you hand over the keys — instead of by how official it looks.

04 · Hope · carry this

The same trick that fools us is one we can learn to see — and every scam that gets named in a courtroom, or spotted by one careful person who slows down, is a warning passed to the next. We are not each defending alone; the knowledge travels faster than the con.

Across the beats