Cybersecurity · Sunday, 19 July 2026
01 · Briefing · what happened
A £11m con dressed as protection — and why the same trick runs your inbox
A fraudster took 115 elderly people's homes by promising to keep them safe. Plus: a Colombian energy giant is extorted after a breach, and a week of stories about who is quietly watching you.
Key takeaways
- A UK fraudster took more than £11m from 115 elderly people by promising to "protect" their homes — then selling them; the con works by dressing theft as safety, the same trick behind "verify your account now" scam emails.
- Colombia's Ecopetrol was breached and extorted, with data on about 3,300 accounts stolen — a reminder to change any password you reused elsewhere after a company you use is hacked.
- A run of stories — spying period-tracker apps, a city ordering apps pulled, a facial-recognition database lawsuit — shows how data given for one purpose gets used for another.
The most effective frauds don’t feel like theft. They feel like safety. A UK case sentenced on Friday shows the pattern in full — and it is the same shape as the scam emails already in your inbox.
The scam that came as a favour
Steven Long, 59, of Kesgrave near Ipswich, ran a company called Universal Wealth Preservation. Its pitch was reassurance: sign your home over to us, and we’ll protect it — so care-home fees can’t eat it and your family inherits it whole
Notice what the con did not do. It did not break a lock or steal a password. It got the victim to hand over his most valuable asset himself — by offering to guard him from a fear he already carried. That is the engine of the whole thing, and it runs online just as well as off. The scam email that says “unusual login detected — verify your account now” is the same machine: it names a danger, adds a clock, and asks you to hand over the keys to stay safe.
A breach, and an extortion note
Colombia’s state-controlled energy company Ecopetrol said on Friday that a cyberattack stole data tied to about 3,300 user accounts
For an ordinary person, the lesson from a breach like this is simple: if a company you use is breached, assume the password you gave it is now known, and change it anywhere you reused it. One reused password is how a single breach becomes five.
Who’s watching
Several of the week’s stories were about surveillance that runs quietly in the background. WIRED reported that many period-tracking apps behave like data brokers, gathering intimate health information; San Francisco’s City Attorney has told Apple and Google to pull certain apps that are used almost exclusively to target women and girls
A related fight is now in court. The New York Times reports that Madison Square Garden — which uses facial recognition at its venues — is suing WIRED for defamation over a July article that said the company kept a database logging some VIP guests’ gender identity and sexual orientation
If you’re hit
One calm, under-covered point to close on. When you are defrauded or mislead, it is still worth filing a formal complaint — with your bank, and with the relevant regulators and consumer watchdogs
02 · Lesson · why it matters
The con that sells you a lock
The most effective scams don't offer you a gain. They offer to guard you from a fear you already carry — so you lower your guard at the exact moment you think you're raising it.
The favour that was the theft
The Suffolk fraudster didn’t pick locks. He handed out flyers. Sign your home over to us, they said, and we’ll keep it safe from care-home fees. And an 80-year-old man, trying to do the responsible thing for his children, signed. He wasn’t careless. He was being careful — that was the whole problem.
A con that offers you a prize has to beat your suspicion. A con that offers you protection gets your suspicion working for it. You’re already scanning for danger; it just points at a danger you believe in and hands you the “solution.”
Fear is the lever, and you pull it yourself
Every good scam needs the victim to do the moving. Break in and you leave marks; get invited and you leave none. So the con looks for something the target already fears losing — a home, a savings account, a reputation, access to their own money — and offers to stand guard over it.
The fear does the work. It creates urgency (“act before the care bill comes,” “before your account is locked”). It narrows attention onto the threat and away from the person offering to help. And it reframes handing over your keys as the safe, sensible thing to do. The victim isn’t tricked into taking a risk. They’re tricked into thinking they’re avoiding one.
Why “protection” is the perfect disguise
Being careful feels like the opposite of being conned. That feeling is the vulnerability.
When you’re on guard, you’re braced for an attacker who wants to take something. You’re not braced for someone who wants to give you safety. So the shape of the con slips under the shape of your defence. The more responsible you are — the more you worry about your home, your data, your family’s future — the larger the surface a protection-scam has to land on. Your caution isn’t a wall it has to climb. It’s the door it walks through.
The same machine, in your inbox
This is not a lesson about one Suffolk fraudster. It is the design behind most of the scams that reach you online.
“Unusual login detected — verify your account now.” “We found a virus on your device; click to clean it.” “Suspicious charge on your card — confirm your details to stop it.” “Your data was in a breach; secure your account within 24 hours.” Every one of them names a fear you hold, adds a clock, and asks you to hand over the keys — a password, a code, a payment — through a channel it chose, all to keep you safe. It is Steven Long’s flyer, retyped as an email, sent to millions at no cost.
The space the real messages made
Here’s the uncomfortable part, and it isn’t anyone’s villainy. Real banks do send fraud alerts. Real security teams do ask you to reset passwords. Legitimate institutions have spent years training us to act fast when a message says it’s protecting us — to click, verify, confirm, secure. The scam doesn’t fight that training. It hides inside it. The con lives in the space that genuine security messaging built, and it wears the same uniform.
That’s why you can’t sort the real from the fake by how legitimate it feels. The feeling of “this is a responsible thing to do quickly” is exactly the feeling both are engineered to produce.
What the feeling can’t tell you
You are inside this, not above it. Everyone has something they’re afraid to lose, which means everyone has a door. The people who fall for these are not more foolish than you; they are more responsible about the thing the con named. The lawyer who never clicks a lottery email still has a mortgage, a family, an account — a fear a protection-scam can point at.
So the tell was never in how careful you feel. It’s in the structure, and the structure is always the same: a fear, a clock, and a request that you move your money, your data, or your home through a path someone else chose. When you see that shape, the safe move costs nothing — stop, and reach the bank, the company, the family, through a channel you already trust, not the one in the message. Seeing this doesn’t make you unfoolable. It just means the next time something urgent arrives wearing the uniform of your own safety, you might hold it a second longer before you open the door.
03 · Lab · your turn
Read the Shape, Not the Feeling
Rehearse spotting a protection-scam by its structure — a fear, a clock, and a request that you hand over the keys — instead of by how official it looks.
04 · Hope · carry this
The same trick that fools us is one we can learn to see — and every scam that gets named in a courtroom, or spotted by one careful person who slows down, is a warning passed to the next. We are not each defending alone; the knowledge travels faster than the con.
More from Cybersecurity
Across the beats