If the Equifax data breach wasn't bad enough, it could expose you to risks that have nothing to do with the breach itself, or the culprits behind it. Other criminals are eager to exploit valid concerns over identity theft, and to use them as leverage for stealing personal information.
The Federal Trade Commission is warning that people are already getting bogus phone calls from scammers claiming to be from Equifax. Any day now, you can expect breach-specific variations on perennial phishing scams to land in your email inbox or to show up in your text messages. They'll promise to help you protect your personal data, then try to trick you into giving it up.
These ploys may have a higher chance of success than ordinary phishing schemes for several reasons:
- They're timely. Unlike a Nigerian prince's random plea for cash, these messages arrive at a time when we're hungry for answers, and even expecting useful information in our inboxes. (For some of that useful information, see: Data Breach: Five Things to Do After Your Information Has Been Stolen)
- They're in good company. You'll be receiving plenty of legitimate messages about the data breach, offering genuinely helpful advice. That ironically makes the bogus messages less conspicuous.
- They appear to come from trusted sources. Phishing scammers are great mimics and fairly good psychologists. They know the kinds of resources people turn to for advice about personal finances, so that's what they'll likely pretend to be—with messages that contain the logos, letterhead, and maybe even the same fonts used by those sources. Financial institutions, news outlets, government agencies, and popular national organizations are all candidates. Some bogus communications will likely try to look as if they come from Equifax as well.
- Credit monitoring does require personal information. Legitimate companies that track financial activity made in your name do in fact need detailed information about you, including your Social Security number. Those services can do you a lot of good, but make sure they're who they claim to be before giving up your information.
Guidance found here on avoiding phishing scams is all relevant, but these are a few top-line reminders about avoiding criminal attempts to benefit from the Equifax hack:
- Never fill out and submit forms that appear in the bodies of email messages. Email forms are fine for surveys and quizzes, but they're not secure. Legit organizations will direct you to a secure website to collect any data they need.
- Triple-check the address of any website requesting personal information. Pull up the organization's real website and compare the text that appears before the first "slash" (/) in its address. Look for slight anomalies such as .co instead of .com, "typos" or extra "dots" in the main name, etc. Also make sure the address begins with https://; the "s" indicates it's encrypting your data.
- Beware of requests for information the sender should already have. Your bank already knows your account number, the IRS knows your Social Security number, etc. Sometimes legitimate organizations ask for partial numbers to ensure you're who you say you are—but be careful: Giving even that to a thief can help them pose as you.
If you're concerned whether a message is genuine, forward it for verification to a trusted contact, such as a customer-service rep at the organization that claims to have sent it. It never hurts to ask. And if you've receive a call or email you think is a scam, report it to the FTC.