NEW YORK (Reuters) - There is a widespread sense of fear hanging over consumers in the aftermath of the data breach at credit-monitoring firm Equifax revealed in early September that approximately 143 million consumers’ personal and financial records were exposed.
It would be bad enough if people were merely worried about crooks using their Social Security numbers to empty their bank accounts or steal tax refunds. But they also have a feeling of defenselessness as they come to the realization that they cannot even trust where to go for help.
“Trust has vanished completely,” says Neal O’Farrell, executive director of the Identity Theft Council. “If you don’t know who to trust anymore, you don’t even know who to go to for help.”
A worried Chicago resident echoed this in an email after going to the Equifax website to get a credit freeze: “I received the follow-up email a few days ago and had to give the last four digits of my Social Security number and answer some credit questions from my credit history. Now I am wondering if even that email response to my filing for the freeze is even legitimate. I’ve become paranoid about giving any information over the Internet.”
While the main Equifax line (1-866-349-5191) consistently gives out a busy signal if you seek an agent, cyber security experts believe that technologically clever crooks could be creating phony emails and websites that look legit.
The emails may appear to be from the four credit bureaus - Equifax, Experian, TransUnion and Innovis - or financial institutions, credit monitoring firms and even the government.
“Scammers will use realistic-looking sites,” said John Krebs, who heads the Federal Trade Commission’s identity theft program. “Emails may create a sense of urgency so people click on a link.”
But clicking on a link can allow scammers to infiltrate your computer and get your data, if they do not have it already. To stay safe, do not answer questions in emails or phone numbers in those emails, said Krebs. Instead, look up a main number for that institution and call them directly.
You can find contacts at the Federal Trade Commissions website on identity theft (here).
In one example of vulnerability, a spoof site was created recently to look just like the actual Equifax site (equifaxsecurity2017.com) where people could ask whether their Social Security numbers were stolen. It was so convincing that at one point, an Equifax representative on Twitter mistakenly directed people to the fake site, said Brian Krebs, an investigative reporter for KrebsonSecurity.com - and no relation to the FTC’s John Krebs.
Luckily, the fake site was created by an individual simply to show the weaknesses in the system and it was taken down after making its point, Brian Krebs noted.
There are other alarming signs that you are vulnerable even when trying to protect yourself. KrebsOnSecurity.com recently reported that a credit freeze to keep crooks from opening lines of credit may not be as solid as you think.
The site found a weakness on Experian that would allow a crook to start the process of retrieving a PIN and unlocking the freeze simply by using the Social Security numbers and addresses stolen from Equifax.
Some security questions are also included, but Brian Krebs thinks answers would be easy to figure out using Internet searches. In a statement, Experian said the process of retrieving PINs goes beyond that.
Still, with trust shaken, Brian Krebs worries: “People are going to throw up their hands and say, ‘Who cares?’ But that does them no good.”
Instead, he recommends going through the steps to put the freezes on their credit at the four bureaus while keeping a vigilant eye out for the next scam.
(The opinions expressed here are those of the author, a columnist for Reuters.)
Editing by Beth Pinsker and G Crosse