Equifax isn’t doing much to help its own cause.
On top of compromising the personal information of 143 million Americans, Equifax offered a fake website to victims so they could check if their information was exposed in the breach.
The credit bureau had been sending victims the domain securityequifax2017.com, a phishing website set up by a hacking activist, instead of the correct website equifaxsecurity2017.com.
“If it was a malicious website they could've stolen a lot of people's information even more,” said Ajay Menendez of the SecuritySet, a cybersecurity vocational school in Downtown Denver.
Directing consumers to that site — as opposed to a page on its standard equifax.com — raised red flags, because it increased the chances that consumers hunting for, or being lured to, the safe breach site would be misdirected to a malicious site with a similar address.
The hacking activist who created it did so as a way to expose how easily people can be fooled. The person who tweeted the link from the Equifax Twitter account didn’t realize their mistake.
The sentiment can be extended to emails as well.
“Instead of clicking on emails; if somebody says something bad actually log into the website directly, never just go off the emails,” Menendez said.
What the hacking activist did is a fairly common tactic among hackers. They'll take common domains like Google or Facebook, for example, and insert small changes, maybe a comma, dash or extra letter.
The change is small and seemingly insignificant, so those who make typos are unknowingly led to a separate, fake site.
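As an added example (not from the original article), this Python check flags a domain that is a word reordering, hyphenation or near-typo of a known-good domain, using the two Equifax addresses named above. The function names, the edit-distance threshold and the examplebank.com samples are assumptions made for illustration.

```python
from collections import Counter


def _normalize(domain: str) -> str:
    """Lowercase and drop surrounding whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def _label(domain: str) -> str:
    """First label with hyphens removed (assumption: two-label names, no subdomains)."""
    return _normalize(domain).split(".")[0].replace("-", "")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legitimate: str, max_edits: int = 2) -> str:
    """Compare a link's domain against the one known-good domain."""
    if _normalize(candidate) == _normalize(legitimate):
        return "exact"
    a, b = _label(candidate), _label(legitimate)
    if a == b:
        # Same name once hyphens are ignored, or same name under another TLD.
        return "lookalike:dash-or-tld"
    if Counter(a) == Counter(b):
        # Same characters in a different order, e.g. two words swapped.
        return "lookalike:reordered"
    if _edit_distance(a, b) <= max_edits:
        # An extra, missing or changed letter or two.
        return "lookalike:typo"
    return "unrelated"


if __name__ == "__main__":
    good = "equifaxsecurity2017.com"
    for seen in ("equifaxsecurity2017.com", "securityequifax2017.com"):
        print(seen, "->", classify(seen, good))
```

Only an "exact" result should be treated as the intended site; every "lookalike" result is a reason to type the known address by hand instead of following the link.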
“I really don't know where we go from here,” Menendez said of the entire Equifax situation. “We need a new paradigm.”
The bottom line is to be skeptical of links you’re clicking on, even from sources that look official.
If you're concerned that your information was misused in the hack, experts suggest freezing your credit until you absolutely need it.