Now this made me the think of declining to expose any other way of my KYC as this is the only way why we are being exposed from this criminals.
I do believe their data comes from many sources, not limited to KYC. A hack on an anonymous forum, your posting history, etc. They don't even check whether your e-mail is a throwaway e-mail or not before sending their phishing e-mail. Other than reducing your access to KYC platforms, strengthening your computer/internet security is a must.