Not really any differently than a company keeps info of their customers in databases and uses it to systematically contact them.

When such a company has a security breach and gets their data stolen, the info usually ends up for sale through darkweb channels, and a scammer can buy it from there to do some systematic contacting of their own. Particularly enterprising groups might cut out the middle man and do the breaching themselves.