Since I hadn't seen this scam before, and like any halfway decent security professional I was in a machine on a DMZ, I followed the link, which my AV promptly screamed was a virus (go AVAST!), and then I decided to look at the domain hosting it. It was registered to someone in my own city, Seattle, and after five minutes on Google I had a pic of him and his wife not to mention contact info and a home address.
Ok, so here's the moral dilemma: Do I call up the guy whose identity was obviously stolen, or do I let him learn the hard way about personal data security? It's not a quick answer as, he could just as easily say I did it since I had enough skill to perform a whois lookup. We all know how well government officials deal with the intarwebs and its tubes; so I'm not looking to see if he tries to use me to recoup his losses. So what would you do in this situation?