My grandfather was hit by this. We never determined conclusively how it happened, but putting together what they knew and what they didn't (they = the attackers), I strongly believe that an insider at the care facility my grandmother was staying at either was the attacker or provided key family information (names, etc) to the attacker, who then used Google, etc, to do additional research.
The attacker knew quite a lot about me (but all stuff publicly researchable) and was very convincing. It was quite disturbing.
You said it there. Don't be so quick to blame the caregivers. The fact that an attacker could know quite a lot about you from social media means you were an easy mark, no insider necessary.
The reason I included them is that my grandfather and I do not share a last name and he is not at all on any kind of electronic communication. So someone who just knew me could research for a long time and not find out anything about him; and vice-versa. Someone with specific knowledge had to make the link outside of social media.
Whitepages.com has a "associated with" that contains all sorts of relatives without social media accounts or Internet access and that's just public. Your name probably ended up in an obituary at some point in time They scammer surely has access to the paid private databases, same as the PIs and background check companies use. You know those "verify your identity" questions you get asked when opening a bank account or something? Those "what was your car payment for your 2005 Toyota Corolla" questions? One of them asked me who I knew and one of the choices was my ex. How we got linked in a database is beyond me. We never shared an address, bank account, credit card, last name, nothing. We weren't even all that serious. There's so much info out there in databases. No need to jump to totally unfounded conclusions.
The attacker knew quite a lot about me (but all stuff publicly researchable) and was very convincing. It was quite disturbing.